The Bavarian Data Protection Authority (DPA) recently ruled that a German publisher should cease using a US-based email marketing platform to send newsletters to its subscribers. The Bavarian DPA found that transfers of email addresses of EU subscribers by the German publisher to the US-based platform to be unlawful. When using the platform, the German publisher relied on the Standard Contractual Clauses (SCCs) for its data transfers from Germany to the US.
In the unpublished decision, which was summarised by the German DPA in its letter to the complainant, the Bavarian DPA stated that the platform could qualify as an ‘Electronic Communications Service Provider’ under US surveillance law (FISA 702). Therefore the transferred email addresses were at risk of being accessed by US intelligence services.
In light of the Schrems II decision, the Bavarian DPA found that the German publisher should have assessed whether any supplementary measures could be put in place in addition to the SCCs, to ensure the transfer met the GDPR’s requirements, but had failed to do so. The Bavarian DPA did not impose a fine on the grounds that the German publisher had stopped using platform and the infringement was minor (the unlawful transfers were only occasional and concerned non-sensitive data (i.e. EU data subject email addresses)).
It is important to note that the Bavarian DPA did not find that transfers of personal data to the US-based platform were unlawful per se. Rather, in this particular case, the transfer was unlawful because the German publisher had not carried out any risk assessment and determined whether any supplementary measures could be adopted to ensure that the personal data was protected from access by US intelligence services.
As a priority, companies whose processing activities are subject to the GDPR should:
- Review their data flows.
- Identify the third countries to which they transfer personal data under SCCs.
- Assess whether the third country provides an adequate level of protection (in particular with respect to the third country’s surveillance laws), taking account of the EDPB Recommendations 02/2020 on Essential Guarantees for Surveillance Measures & the considerations listed in Article 45 GDPR).
- Consider whether “supplementary measures” can be adopted where SCCs are adjudged not to be capable of ensuring an adequate level of protection on their own (having regard to the EDPB Draft Recommendations 01/2020 on Supplementary Measures).
- Document the assessment and the decision made.