Mailchimp, Schrems II: what happened in Germany

The Bavarian data protection authority has ruled against the use of Mailchimp in light of the Schrems II judgment on the transfer of personal data to the USA.

It is neither a fine nor a punishment, but a precedent that could in future provide leverage for further actions across Europe. But what is it about, exactly? And why might this decision be so important?

We are talking about Mailchimp, one of the best-known bulk email tools on the market, accused of sending personal data outside European territory, specifically to the United States of America. Such a transfer is unlawful even when it is based on the Standard Contractual Clauses, especially if those clauses are not backed by further measures. And it is precisely these "further measures", never really specified, that are causing the discussion.

Schrems II judgment: what happened?

The BayLDA (Bayerisches Landesamt für Datenschutzaufsicht), the Bavarian data protection authority, recently ruled against the use of Mailchimp for failure to comply with the requirements set out in the Schrems II judgment regarding the transfer of data to the United States of America.

The decision sets an important precedent in the field of digital law. Although no fine was imposed, this is the first post-Schrems II case to be the subject of a formal decision by a supervisory authority. But let's take it in order.

What is Schrems II, the ruling that invalidated the Privacy Shield?

The case began in 2015, when privacy activist and lawyer Max Schrems asked the Irish Data Protection Commissioner to stop Facebook Ireland from transferring his personal data to the US on the basis of the Standard Contractual Clauses. The Irish High Court referred the resulting questions to the CJEU (Court of Justice of the EU).

The complaint dates from before the GDPR and its rules on data processing came into application. The ruling came on July 16, 2020: Schrems II invalidated the Privacy Shield as a mechanism for data transfers from the EU to the US, and provided important guidance for companies that move European data to the US.

In short, in order to transfer data to the USA it is necessary to ensure an adequate level of data protection. How is that done? Large companies, such as Google and Microsoft, have data centers strategically located all over the world. However, US personal data law differs from EU law: the CJEU pointed in particular to US surveillance programmes under Section 702 FISA and Executive Order 12333, under which agencies such as the NSA can access the data without remedies equivalent to those available in the EU.

That is what the GDPR's transfer mechanisms are for: an adequacy decision by the European Commission for the destination country, or "appropriate safeguards" such as Binding Corporate Rules approved by a supervisory authority at a company's request, which apply only to the processing they describe. Among these mechanisms are the SCCs, the Standard Contractual Clauses. In practice, both the company located in Europe and the foreign one sign a contract whose text has already been adopted by the European Commission and may not be altered. Once the SCCs have been signed, the data exchange can take effect.

Yet the Schrems II ruling cut down the value of this standard procedure: the SCCs remain valid, but the exporter must verify, case by case, that the law of the destination country allows them to be honoured, and must adopt "additional measures" where it does not. The vagueness of this requirement has led many companies to sidestep the question entirely. The authorities, however, have to act, and perhaps, with the BayLDA decision, a step towards clarity has been taken.

What happened in Bavaria, and what about the "further measures"?

A Bavarian citizen, having received a newsletter from a local magazine sent via Mailchimp, filed a complaint with the competent authority. The authority was careful to point out that sending EU data to the USA is not always unlawful; it is unlawful only if the requirements of the GDPR, as interpreted by the European Court of Justice, are not met. In short: the transfer to the USA took place, but that alone does not make it unlawful. What has to be established first is how the transfer was carried out.

Mailchimp, an American company, has put forward its own interpretation of the "additional measures" discussed above. At the time of the decision, however, no final version of those measures had yet been published following Schrems II.

Although the supervisory authority in some way acknowledged Mailchimp's position, the data exporter, i.e. the magazine using Mailchimp, should at least have addressed the problem of sending data to US territory by carrying out an assessment (a DPIA, in the article's terms) of whether additional measures were needed and how risky the transfer was. Needless to say, this assessment was never carried out.

It is precisely because these "additional measures" had not yet been spelled out in full that the authority decided not to fine anyone: neither Mailchimp nor the data controller.

Why is this such an important decision?

The Mailchimp decision matters because, although on a first reading it may look like an invitation to carry on transferring data without consequences, it is in fact a first step towards applying the Schrems II judgment, which until now had been left gathering dust.

What type of fine was applied?

As we said, Mailchimp did not receive any kind of fine. The authority did establish that the data had been transferred in an unlawful manner, but it also held that the data subject, i.e. the complaining citizen, had no right to demand that a fine be imposed.

In short, a private individual cannot compel a sanction in a case like this one. A fine does not serve the rights and freedoms of the data subject; its purpose is to assert the public interest in enforcing the law.

What are the potential future scenarios of this decision?

It is difficult to say what the actual consequences of this decision will be; for the moment it can only be regarded as a valid precedent. Other authorities may lean towards findings of unlawfulness unaccompanied by fines. Or the long-awaited detailing of these "additional measures" may finally arrive.

The only sure thing is that, fine or no fine, Mailchimp has taken a reputational hit with its customers.