German Data Protection Authority Decides on Supplementary Measures for International Data Transfers

By Björn Vollmuth, Ana Hadnes Bruder & Ondrej Hajda on April 8, 2021

A decision issued on 15 March 2021 by the Bavarian Data Protection Authority (“BayLDA”, publication pending) is the first German enforcement action in connection with last year’s decision of the Court of Justice of the European Union (“CJEU”, “CJEU’s Decision”) on the validity of the European Commission’s Standard Contractual Clauses (“SCCs”) and the EU-US Privacy Shield (C-311/18, more information available in our client alert). In the CJEU’s Decision, the court held that a transfer of personal data from the EU to third countries outside the European Economic Area (“EEA”) under the SCCs is permissible under the General Data Protection Regulation (“GDPR”) only if the transferred data receives a level of protection essentially equivalent to that guaranteed within the EU. When assessing whether this is the case, companies have to take into account both the wording of the SCCs and the legal system of the third country where the recipient of the personal data is located, in particular with regard to access to the transferred data by public authorities of that country. Depending on the outcome of this assessment, the data exporter and the data importer may be required to implement supplementary measures in order to safeguard the transferred data.

Subsequently, the European Data Protection Board (“EDPB”) issued draft recommendations on supplementary measures for public consultation. From the EDPB’s perspective, no effective supplementary measures are currently available where the recipient is located in the USA and is an electronic communication service provider that needs access to the personal data in the clear in order to render the agreed services. This is because US intelligence agencies have far-reaching access rights to the transferred data under Section 702 of the Foreign Intelligence Surveillance Act (“FISA”) when such a provider is involved (see our client alert for more information).

Facts of the BayLDA Decision

A German publishing company based in Munich used the online service “Mailchimp”. Mailchimp is a marketing automation platform and email marketing service provided by the US-based provider The Rocket Science Group LLC. For the purposes of distributing newsletters, the Bavarian publishing company transmitted e-mail addresses to the Mailchimp platform in two cases. The data transfer was based on the SCCs for data processors in third countries.

The complainant, a data subject who received a newsletter via the Mailchimp platform, lodged a complaint with the competent local data protection authority, BayLDA, and requested that the authority impose a fine. The authority came to the conclusion that the transfer of the complainant’s e-mail address to the Mailchimp platform was unlawful under the GDPR because the publishing company had not examined whether, in addition to the SCCs, supplementary measures within the meaning of the CJEU’s Decision were necessary to ensure that the transfer met the GDPR requirements. BayLDA furthermore stated that there were at least indications that Mailchimp might qualify as an “electronic communication service provider” within the meaning of FISA 702 (50 U.S.C. § 1881), so that the transferred e-mail addresses were potentially exposed to access by US intelligence services. In the light of the CJEU’s Decision, the publishing company had failed to assess whether supplementary measures were needed to protect the transferred data from US surveillance and, if so, to implement them.

The publishing company replied that it had used Mailchimp only twice and confirmed that it would immediately stop using the service. In light of this, BayLDA refrained from imposing a fine or taking any other enforcement action. It informed the complainant that, in its opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation: unlike some of the other corrective powers listed in Article 58(2) GDPR, the power to impose a fine under Article 83 GDPR serves not to safeguard the rights and freedoms of the individual data subject but the public interest in enforcing the law. Consequently, a data subject has no subjective right to demand that a data protection authority decide on the imposition of a fine. BayLDA also considered that the case at hand did not justify a fine because the violation was minor with regard to its nature and gravity and involved at most a slight degree of negligence: the EDPB’s recommendations on supplementary measures were still undergoing public consultation and not yet available in final form, the personal data involved (the EU data subjects’ e-mail addresses) was not of a particularly sensitive nature, and the violation was limited to the two cases.

Recommendations

This decision shows that German data protection authorities take the CJEU’s Decision seriously and interpret it with the EDPB’s (preliminary) recommendations on supplementary measures in mind. The publishing company avoided a fine only because the violation was minor and temporary and the company stopped using the Mailchimp service. The developments described in this update nevertheless represent a significant challenge for companies in the EEA and the UK that routinely use US-based service providers which fall within the scope of FISA and require access to personal data in the clear (as opposed to encrypted, anonymised or aggregated data).

In addition to the EDPB’s preliminary recommendations, the draft new SCCs published by the European Commission in November 2020 also envisage that transfers of personal data to jurisdictions that are not subject to an adequacy decision by the European Commission will require the data exporter and data importer to carry out a local law assessment and, where required, implement the supplementary measures identified before the personal data is transferred outside the EEA (see our client alert for more information).

Once the EDPB’s recommendations on supplementary measures are finalised, and if the EDPB still considers that no adequate supplementary measures are available to safeguard transfers to cloud service providers or other processors falling under FISA that require access to the transferred personal data in the clear, the EEA data protection authorities will most likely no longer tolerate repeated and/or large-scale transfers of personal data that do not meet the GDPR requirements for international transfers.

In the UK, the Information Commissioner’s Office is expected to issue its own guidance on the implications of the CJEU’s Decision, which should clarify the regulatory approach and enforcement in the UK.

As a priority, companies whose processing activities are subject to the GDPR should therefore map their international personal data transfers and, where required, explore legally and practically feasible alternatives to such transfers.


This article was originally published on AllAboutIP – Mayer Brown’s blog on relevant developments in the fields of intellectual property and unfair competition law.


Ana Hadnes Bruder is a senior associate in Mayer Brown’s Frankfurt office and an active member of the global Cybersecurity & Data Privacy practice. She is also a member of the firm’s Intellectual Property practice. Ana advises clients on data privacy and cybersecurity matters, including preparing for and reacting to cyber-attacks, assessing and making required data breach notifications, analyzing data protection implications of new products and tools and providing strategic advice with a focus on cross-border data processing. Ana further advises on Technology Transactions including cloud services, data and software licensing agreements, SaaS agreements, software development projects, e-commerce, and related Cybersecurity & Data Privacy questions.

Ana is a registered lawyer in Germany and Brazil and has ten years of international experience as legal counsel in Brazil, France and Germany. Ana started her career at Mayer Brown in the Dispute Resolution practice where she represented clients in litigation and arbitration proceedings involving complex commercial, intellectual property and liability matters.

Before joining Mayer Brown, Ana gained experience representing foreign clients in judicial proceedings in Brazil and also worked as in-house counsel for a leading French company in Paris.

  • Posted in:
    Intellectual Property
  • Blog:
    All About IP
  • Organization:
    Mayer Brown
