BayLDA: Use of Mailchimp without verification of additional measures contrary to the GDPR

On March 15, 2021, the Bavarian Data Protection Agency (BayLDA) stated that the use of Mailchimp was unlawful in the assessed case (LDA-1085.1 – 12159/20-IDV).

The decisive factor was that Mailchimp, although it does conclude the EU standard contractual clauses, is an “Electronic Communications Service Provider” within the meaning of § 1881 (b) (4) of the U.S. Foreign Intelligence Surveillance Act (FISA). At least, the BayLDA saw “indications” for this (and it also corresponds to Mailchimp’s own view). As a result, data under the control of Mailchimp might be exposed to access by US authorities under the provisions of §1881a FISA, i.e., to the extent that it is suspected of containing “foreign intelligence information” within the meaning of §1801(e) FISA:

(1) information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against –
(A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power;
(B) sabotage, international terrorism, or the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power; or
(C) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or
(2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to –
(A) the national defense or the security of the United States; or
(B) the conduct of the foreign affairs of the United States.

This scenario is probably not very likely, especially since apparently only email addresses had been transmitted to Mailchimp. Also, according to its own statements, Mailchimp disclosed content data in two cases in 2018 and none in 2019, and metadata in only nine cases in 2019 (numbers are not known for 2020), with more than 10 million customers already in 2019.

The BayLDA nevertheless found the use of Mailchimp to be inadmissible (quotes from the decision according to GDPRhub):

According to our assessment, the use of Mailchimp by FOGS Magazine in the two cases mentioned – and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint – was unlawful under data protection law because [the controller] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C‑311/18) are necessary to make the transfer compliant with data protection […].

On the substance, the BayLDA thus follows the Recommendations of the EDSA (the European Data Protection Board), which, as is well known, unfortunately neither include nor permit any risk assessment (“risk-based approach”), but instead infer the inadmissibility of an insufficiently secured data disclosure directly from the level of legal protection in the USA, which is classified as inadequate, without considering the probability of occurrence and the consequences of an access (“rights-based approach”).

This is shocking:

  • Whether this rights-based approach is at all compatible with the GDPR is very questionable and will be the subject of much discussion. In practice, by contrast, companies often conduct risk assessments (as “Transfer Impact Assessments” or “Schrems II assessments”) and primarily examine there the concrete risks arising for the data subject from the transfer.
  • Not only are the EDSA’s recommendations not legally binding, they are also only a draft. The controller concerned had even argued before the BayLDA that these recommendations were only available as a draft, but unfortunately unsuccessfully; at least this helped it to avert a fine.

At least the BayLDA refrained from imposing a fine. First, the data subject had no legal entitlement to a fine being imposed on the controller:

Beyond this determination of the inadmissibility of the above-mentioned data transfers, we do not consider supervisory measures pursuant to Article 58 (2) of the GDPR to be necessary in this specific case by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e‑mail address was illegal under data protection law. We do not consider it necessary to impose a fine – as requested by you. In this respect, we hereby inform you that, in our opinion, a data subject has no legal right to the imposition of a fine in the event of a data protection breach. In our opinion, there is also no entitlement to a decision on punishment with a fine that is free of discretionary errors. […] Consequently, a data subject has no subjective right against the data protection supervisory authorities to a decision on the imposition of a fine pursuant to Article 58(2)(i) of the GDPR.

Moreover, in the present case only e‑mail addresses were affected, and thus data “whose sensitivity is still relatively manageable”; furthermore, the – nevertheless applied! – guidelines of the EDSA were, after all, only a draft:

However, even if one were to recognize such a subjective right of a data subject, there would be no entitlement on your part to have a fine imposed on FOGS Magazine in the present case. This is because, taking into account the relevant factors listed in Art. 83 GDPR, which play a role in this decision, it is reasonable to refrain from imposing a fine in this case. This is particularly the case because, firstly, only a few cases of unauthorized data transmission occurred in this case, and secondly because the data – in the form of e‑mail addresses – is still relatively manageable in terms of its sensitivity. The latter alone would not be sufficient to justify a waiver of the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, in particular against the background that the above-mentioned Recommendations of the European Data Protection Board are declared to be still in a public consultation and therefore not yet available in the final version. The infringement in question must therefore be classified as minor in view of its nature and gravity (Article 83(2)(a) GDPR) and, in particular, only a slight degree of negligence at most (Article 83(2)(b) GDPR).

used furthermore Mailchimp.