June 4, 2023

Volume XIII, Number 155


Bavarian DPA Holds SCCs Alone Not Enough for European Use of US Email Service

In a notable application of the European Court of Justice’s “Schrems II” decision, the data protection authority for the German state of Bavaria recently held that a German entity’s use of US-based MailChimp, which involved transferring personal information to the US, violated GDPR. As we previously wrote, the Schrems II decision turned on concerns about the lack of sufficient safeguards under US law. The court cautioned, and the EDPB has since clarified further, that before standard contractual clauses can be relied on, companies must determine whether the information will have the same level of protection under the laws of the receiving country. If not, additional “supplementary measures” must be implemented.

As many may be aware, MailChimp is a popular email vendor. Here, the German company that hired MailChimp sent its European customers’ email addresses to MailChimp, in the US, so that MailChimp could then send the customers email newsletters. Even though the transfer was made pursuant to standard contractual clauses, the Bavarian DPA held that the transfer failed to adequately protect EU data subject rights.

In reaching its decision, the Bavarian DPA pointed to the ability of US intelligence services, under US law, to access information held by MailChimp. This was a concern for the DPA. It concluded that the transfer failed to provide European individuals “protection” from such access, and therefore did not give the same level of protection as if the information had remained in the EU. The Bavarian DPA did not provide direction on what supplemental measures could have been used. The EDPB, though, has suggested (para 48) that in such circumstances a technical measure may be the only option. Faced with the DPA’s determination, the data controller promised to stop using MailChimp.

Putting it into Practice: When sending personal data from the EU to the US using standard contractual clauses, businesses should evaluate whether the SCCs alone will provide the same level of protection for the data as under EU law. If not, businesses should consider whether they can employ additional security measures. Although no direction was provided in this case by the Bavarian DPA, the EDPB guidance can be of help.

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 103

About this Author

Tenaya Rodewald, Litigation Lawyer, Sheppard Mullin

Tenaya Rodewald is an associate in the Business Trial Practice Group in the firm's Palo Alto office. 

Areas of Practice

Ms. Rodewald’s practice focuses on litigation and counseling related to intellectual property, technology and online businesses, including copyright, patent and trademark litigation, and First Amendment and privacy law.

Ms. Rodewald has experience in complex intellectual property and commercial litigation, including patent, copyright, trademark and trade secret litigation, unfair competition and consumer class-action litigation. She...

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...