Navigating EU Data Transfers: Effects of Schrems II Start to Bite

Risks of non-compliance with the GDPR keep increasing with data protection authorities (DPAs) now ordering suspension of transfers of personal data to the U.S. In March, the Bavarian DPA found there was an unlawful transfer of personal data from a German controller to the e-mail marketing service Mailchimp in the U.S. A month later, the Portuguese DPA ordered a public authority to suspend all transfers of personal data to the U.S. and other third countries within 12 hours.

Portuguese Decision to Suspend Transfers to Cloudflare in the U.S.

The Portuguese DPA’s investigation was triggered by complaints against Portugal’s National Institute of Statistics (INE) regarding the conditions for collecting data for the Census 2021. INE gathers data from Portuguese residents from 2021 Census surveys and transfers it to Cloudflare in the U.S. for processing. According to the Portuguese DPA, the parties relied on SCCs to legitimize the transfers of personal data to the U.S.

The Portuguese DPA concluded that Cloudflare is directly subject to U.S. surveillance laws for national security purposes (e.g., FISA 702), which may expose EU data to the surveillance activities of U.S. intelligence and law enforcement entities. According to the Portuguese DPA, the SCCs in place between the INE and Cloudflare were insufficient to protect the data (which included religious and health data), and the parties did not implement any supplementary measures to provide adequate protection for the data. The DPA ordered INE to suspend the transfer of data to the U.S. or any other third country without first establishing adequate protection for the data. The DPA ordered the suspension to start within 12 hours of the decision. The DPA did not impose fines on the INE.

The Portuguese DPA decision rested on the Schrems II finding that U.S. surveillance laws do not provide protections that are “essentially equivalent” to the protections in the EU. In its ruling, the Portuguese DPA followed the requirement for DPAs to suspend or prohibit a transfer of personal data to a third country pursuant to SCCs if, in the DPA’s view, the SCCs are not or cannot be complied with in the third country, and the parties cannot ensure adequate protection of the data by other means.

The press release and decision is available here (only in Portuguese).

Bavarian Decision in Relation to Mailchimp Transfers

The Bavarian DPA’s investigation was triggered by a complaint against the controller regarding the use of Mailchimp to send newsletters to the controller’s customers. The complaint alleged that the transfer of customer personal data (email addresses) to Mailchimp’s servers in the U.S. was unlawful under the GDPR. During the investigation, the Bavarian DPA found that the controller relied on SCCs for the transfer of personal data to Mailchimp in the U.S.

The Bavarian DPA held that, as an e-mail marketing service, Mailchimp could qualify as an “electronic communication service provider” under U.S. FISA 702 (50 U.S.C. § 1881). For this reason, the controller was required to adopt supplementary measures to protect EU personal data from U.S. surveillance, in line with the EDPB’s Recommendations on supplementary measures post Schrems II (EDPB Recommendations).

The Bavarian DPA found that the controller failed to assess whether any supplementary measures were needed in relation to the transfer of personal data to Mailchimp. In its letter to the complainant, the Bavarian DPA stated that it informed the controller that the transfer of personal data to the U.S. was unlawful. The DPA did not impose a fine because the controller committed to stop using Mailchimp’s services immediately. The DPA also considered the violation to be minor, given that the controller used Mailchimp only twice to send newsletters and the non-sensitive nature of the data.

The DPA did not identify what specific supplementary measures would have been appropriate.

The Bavarian decision is available here.

The Bavarian DPA’s decision followed statements from the Berlin DPA, which called for Berlin-based controllers storing personal data in the U.S. to bring the data back to the EU (available here, only in German).

Key Takeaways

• Companies should expect further investigations by DPAs into the steps they take to legitimize transfers of personal data out of Europe. Recently, the Conference of the DPAs of Germany (known as Datenschutzkonferenz or DSK) announced that the German DPAs are planning to carry out random checks using an “agreed questionnaire” with specific queries on how controllers are implementing the CJEU’s decision and the EDPB Recommendations regarding cross-border data transfers.
  
  
• To the extent they haven’t done so, companies should develop an understanding of how they transfer data out of Europe or received data from Europe, and identify the GDPR transfer mechanisms on which they rely to legitimize these transfers (such as SCCs, BCRs, derogations, etc.).
  
  
• Companies should also conduct Transfer Impact Assessments to help establish essential equivalency of the protections they offer, and consider implementing additional safeguards to supplement those existing transfer mechanisms, or to determine that such additional safeguards are not necessary.
  
  
• In the near term, businesses should expect increased scrutiny by customers and DPAs with respect to cross-border data compliance. Well thought out TIAs will be important to efficiently address data transfer queries.
  
  
• In the meantime, the hope is that the final versions of the EDPB Recommendations and the European Commission’s new SCCs (expected to be issued in the near future) will provide much needed clarification on the uncertainties that continue to challenge businesses in the aftermath of Schrems II.