On March 15, 2021, the Bavarian Supervisory Authority (SA)[1] issued a decision regarding the use of Standard Contractual Clauses (SCCs) to transfer personal data from the EU to the U.S. without supplementary security measures. The SA found the data transfer to be unlawful in this case, although it did not impose an administrative fine. The SA’s findings could indicate how European regulators approach the use of SCCs post-Schrems II.
Background
On July 16, 2020, the European Court of Justice (ECJ), in its Schrems II judgment (C-311/18), set stricter rules for transfers of personal data based on SCCs. The ECJ stipulated that, where necessary, additional measures should accompany the SCCs in order to compensate for shortcomings of the third country's legal system (see our client alert, “ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses”).
In this case, the Bavarian SA examined a complaint against FOGS Magazin, a Munich-based company, which used Mailchimp, an online email marketing service, to send newsletters. FOGS Magazin was accused of sharing a customer’s email address with Mailchimp in the U.S. solely based on SCCs, i.e., without assessing and adopting supplementary security measures.
Unlawful Transfer but No Fine Imposed
The Bavarian SA found that FOGS Magazin failed to comply with the requirements articulated by the ECJ in Schrems II because it did not assess whether it needed to implement supplementary measures. The SA argued that Mailchimp may be subject to FISA 702 as an “electronic communications service provider,” meaning that FOGS Magazin should have assessed and—ultimately—implemented supplementary measures for the data transfer.
Notwithstanding the fact that the Bavarian SA considered the data transfer to be unlawful, it did not impose an administrative fine and pointed to the following mitigating factors:
- FOGS Magazin immediately ceased using Mailchimp;
- FOGS Magazin did not transfer the personal data to Mailchimp for any other additional purpose;
- The personal data concerned only included an email address which was transferred to the U.S. twice;
- The EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data are not yet finalized.[2]
The SA therefore concluded that the nature of the infringement and FOGS Magazin's actions sufficiently mitigated the negative impact on the concerned individual's privacy. However, the SA's reliance on the non-final nature of the EDPB Recommendations signals that its decision not to impose a fine here might have been different had the Recommendations been final.
Implications
Some of the German SAs have recently announced closer monitoring of data transfers to the U.S. after Schrems II. For instance, the Hamburg SA is considering sending questionnaires to companies in order to check their implementation of the ECJ ruling regarding Schrems II.
The Bavarian SA’s decision confirms that the use of the SCCs to transfer data outside the EU may be unlawful if companies do not assess and implement supplemental measures. U.S. service providers should be particularly mindful of these requirements. The decision also shows that an immediate reaction to the SA’s queries, such as the immediate discontinuation of data transfers, is likely to have a mitigating effect on a potential fine.
A final version of the EDPB's Recommendations is expected soon. The Recommendations will articulate a methodology that should be followed when transferring EU personal data. The real test will be how SAs and the EDPB deal with the scenario where data importers are subject to FISA 702, and specifically, whether a risk-based approach will be allowed if access by U.S. surveillance agencies is unlikely to be detrimental to individuals' privacy in practice. It remains to be seen whether the new set of Standard Contractual Clauses, which is also expected soon, will address some of these data transfer concerns.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Jan Dhont, or another member of the firm’s privacy and cybersecurity practice.
[1] One of the 16 supervisory authorities in Germany.
[2] The EDPB is currently evaluating the contributions received during the public consultation, which closed on December 21, 2020.