On March 15, 2021, the Bavarian Data Protection Authority (BayLDA) stated that the use of Mailchimp was unlawful in the case it assessed (LDA-1085.1 – 12159/20-IDV).
The decisive factor was that Mailchimp, although it does conclude the EU standard contractual clauses, is an “Electronic Communications Service Provider” within the meaning of § 1881 (b) (4) of the U.S. Foreign Intelligence Surveillance Act (FISA). At least, the BayLDA saw “indications” for this (and it also corresponds to Mailchimp’s own view). As a result, data under Mailchimp’s control might be subject to access by US authorities under the provisions of §1881a FISA, i.e., to the extent that it is suspected of containing “foreign intelligence information” as defined in §1801(e) FISA:
(1) information that relates to, and if concerning a United States person is necessary to, the ability of the United States to protect against-
(A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign power;
(B) sabotage, international terrorism, or the international proliferation of weapons of mass destruction by a foreign power or an agent of a foreign power; or
(C) clandestine intelligence activities by an intelligence service or network of a foreign power or by an agent of a foreign power; or
(2) information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to-
(A) the national defense or the security of the United States; or
(B) the conduct of the foreign affairs of the United States.
This scenario is probably not very likely, especially since apparently only email addresses had been transmitted to Mailchimp. Moreover, according to its own statements, Mailchimp disclosed content data in two cases in 2018 and in none in 2019, and metadata in only nine cases in 2019 (figures for 2020 are not known), with more than 10 million customers already in 2019.
The BayLDA nevertheless found that the use of Mailchimp was inadmissible (quotes from the decision as reproduced by GDPRhub):
According to our assessment, the use of Mailchimp by FOGS Magazine in the two cases mentioned – and thus also the transfer of your email address to Mailchimp, which is the subject of your complaint – was unlawful under data protection law because [the controller] had not examined whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, Judg. v. 16.7.2020, C‑311/18) are necessary to make the transfer compliant with data protection […].
In substance, the BayLDA thus follows the recommendations of the EDSA, which, as is well known, unfortunately neither include nor permit any risk assessment (“risk-based approach”), but instead infer the inadmissibility of an insufficiently secured data disclosure directly from the level of legal protection in the USA, which is classified as inadequate, without considering the probability of occurrence and the consequences of an access (“rights-based approach”).
This is shocking:
- Whether this rights-based approach is at all compatible with the GDPR is very questionable and will be the subject of much discussion. In practice, on the contrary, companies often conduct risk assessments (as a “Transfer Impact Assessment” or “Schrems II assessment”) and primarily examine the concrete risks arising for the data subject from the transfer.
- Not only are the EDSA’s recommendations not legally binding, they are also only a draft. The controller concerned had even argued before the BayLDA that these recommendations were only available as a draft, unfortunately without success; at least this helped it to avert a fine.
At least the BayLDA refrained from imposing a fine. First, the data subject had no legal entitlement to a fine against the controller:
Beyond this determination of the inadmissibility of the above-mentioned data transfers, we do not consider supervisory measures pursuant to Article 58 (2) of the GDPR to be necessary in this specific case by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e‑mail address was illegal under data protection law. We do not consider it necessary to impose a fine – as requested by you. In this respect, we hereby inform you that, in our opinion, a data subject has no legal right to the imposition of a fine in the event of a data protection breach. In our opinion, there is also no entitlement to a decision on punishment with a fine that is free of discretionary errors. […] Consequently, a data subject has no subjective right against the data protection supervisory authorities to a decision on the imposition of a fine pursuant to Article 58(2)(i) of the GDPR.
Moreover, in the present case only e‑mail addresses were affected, and thus data whose “sensitivity is still relatively manageable”, and furthermore the recommendations of the EDSA – which were nevertheless applied! – are only a draft:
However, even if one were to recognize such a subjective right of a data subject, there would be no entitlement on your part to have a fine imposed on FOGS Magazine in the present case. This is because, taking into account the relevant factors listed in Art. 83 GDPR, which play a role in this decision, it is reasonable to refrain from imposing a fine in this case. This is particularly the case because, firstly, only a few cases of unauthorized data transmission occurred in this case, and secondly because the data – in the form of e‑mail addresses – is still relatively manageable in terms of its sensitivity. The latter alone would not be sufficient to justify a waiver of the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, in particular against the background that the above-mentioned Recommendations of the European Data Protection Board are declared to be still in public consultation and therefore not yet available in the final version. The infringement in question must therefore be classified as minor in view of its nature and gravity (Article 83(2)(a) GDPR) and, in particular, only a slight degree of negligence at most (Article 83(2)(b) GDPR).
Incidentally, datenrecht.ch also used Mailchimp.