Following a complaint regarding non-compliance with Art.44 GDPR, the German Supervisory Authority (BayLDA) considered it illegal for a German company (FOGS Magazin, Munich) to use Mailchimp 's services (The Rocket Science Group LLC, USA) to send newsletters, as Mailchimp may qualify as an "electronic communications service provider" under US surveillance law, and the EU data controller has not assessed this risk.
German Supervisory Authority (BayLDA) presented the following arguments:
- Mailchimp qualifies as an "electronic communications service provider" under US surveillance law (FISA702 (50 USC § 1881)). Therefore, transferred email addresses may be in danger of being accessed by US intelligence services.
- In the light of the CJEU decision "Schrems II" (C-311/18), the respondent failed to assess whether there are additional measures in place to ensure that the transferred data was protected by US surveillance.
- The data transfer was based only on EU standard data protection clauses (Standard contractual clauses - CCS).
As FOGS Magazin stated that it would immediately stop using Mailchimp, the German Supervisory Authority (BayLDA) did not impose a fine or a corrective measure.
"Following our investigation, the controller informed us that it used Mailchimp twice to send newsletters. Due to our intervention, the company has now announced that it will stop using Mailchimp with immediate effect. The company also informed us that informed that it sent e-mail addresses only to Mailchimp and stated that the recommendations of the European Data Protection Board on additional measures for the transfer of personal data to third countries are not yet in the final version, but are subject to consultation ( https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en), is shown in the document sent by the authority to the applicant.
"According to our assessment, the use of Mailchimp by FOGS Magazin in the two cases mentioned was inadmissible from the point of view of data protection legislation, as FOGS did not verify whether "additional measures" were required for transmission to Mailchimp within the meaning of the CJEU decision. "Schrems II" (CJEU, judgment of 16 July 2020, C-311/18), in addition to the EU standard data protection clauses. "
Analyzing this transfer from the point of view of compliance with data protection regulations, in the present case, there are indications that Mailchimp qualifies as an "electronic communications service provider" in accordance with US surveillance law (FISA702 (50 USC § 1881)). ) and thus US intelligence services can access these databases. This transfer could only be allowed by taking additional measures.
What does Art.44 GDPR and the Schrems II Decision provide? Are there any solutions?
We remind you that any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of Regulation 679/2016, the conditions laid down in Chapter 5 are complied with by the data controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in Chapter 5 from GDPR shall be applied in order to ensure that the level of protection of natural persons is not undermined.
On 16 July 2020, the CJEU, in Case C-311/18 (Schrems II), invalidated Decision 2016/1250 on the adequacy of the protection afforded by the EU-US Privacy Shield , because it considered that it did not provide the level of protection offered by the GDPR (adequate safeguards, enforceable rights and effective remedies) due to the excessive degree of intrusion by the US authorities (NSA, FBI). At the same time, the decision validated Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to data controllers established in third countries. Moreover, the Court ruled that the decision is immediately applicable, without creating a legislative vacuum because the RGPD offers alternative ways to transfer personal data legally.
"For transfers we may continue to make use of the derogations in Article 46 of the RGPD which state that in the absence of a Commission decision, transfers may be made to third countries or international organizations on the basis of appropriate guarantees and subject to opposable rights and in addition to appropriate safeguards involving either the supervisory authority or the Commission or the mandatory corporate rules, we find in paragraph 3 ( a) “ contractual clauses between the controller or the processor and the controller, the person authorized by the controller or the recipient of personal data from the third country or the international organization ' , subject to authorization by the competent supervisory authority.
Even if, as the Court has pointed out, it is the primary responsibility of data exporters and data importers to ensure that the legislation of the third country of destination allows the data importer to comply with standard data protection clauses or mandatory corporate rules before transferring personal data to that third country, supervisors will also play a key role when applying the GDPR and when issuing decisions on transfers to third countries.
Article 49 of the GDPR also offers us another solution, in the absence of a Commission decision and appropriate safeguards, namely transfers of personal data to a third country or an international organization can only take place under one of the following conditions:
“(a) the data subject has explicitly agreed to the proposed transfer, after being informed of the possible risks that such transfers may involve for the data subject due to the lack of a decision on the adequacy of the level of transfer; protection and adequate safeguards;
b) the transfer is necessary for the execution of a contract between the data subject and the controller or for the application of pre-contractual measures adopted at the request of the data subject;
c) the transfer is necessary for the conclusion of a contract or for the execution of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
d) the transfer is necessary for important reasons of public interest;
e) the transfer is necessary for the establishment, exercise or defense of a right in court;
f) the transfer is necessary for the protection of the vital interests of the data subject or of other persons, when the data subject does not have the physical or legal capacity to express his / her consent;
g) the transfer is made from a register which, according to Union or national law, is intended to provide information to the public and which can be consulted either by the general public or by any person who can prove a legitimate interest, but only in so far as the conditions for consultation laid down by Union or national law in that specific case are fulfilled . "
Regarding the thesis in letter a), respectively the consent of the data subject, EDPB recalls the conditions regarding the consent, in particular the consent must be explicit, specific and informed.
Are there solutions for companies to continue to operate normally?
There are solutions for the continued transfer of personal data to third countries or international organizations. We appreciate that many of the transfers made up to the Court's judgment have ceased or will cease, but the truly substantiated transfers can still be made in compliance with the restrictions and conditions imposed, with the aim of defending the rights and interests of European citizens. We look forward to the EDPB recommendations for data controllers and authorized persons, until their appearance we make some recommendations for personal data controllers in order to comply with the decision to invalidate the Privacy Shield:
- In the case of newsletter solutions, you can replace US applications with solutions from the European Union or even from Romania.
- Wordpress sites, for example, provide Google Analytics-like traffic analysis tools, and this type of cookie can be removed.
- We recommend removing yahoo and gmail addresses for business purposes and replacing them with email domains hosted in the European Union. Domains hosted in third countries should also be moved to servers in the European Union.
- Website platforms hosted in the US can be replaced with platforms hosted in the European Union.
- We recommend replacing document transfer applications with EU-hosted solutions.
- Also, online payment services such as Paypal can be replaced by card payment processors in Romania, remarketing services from Google can be eliminated and used services in the EU, the same solution being valid for cloud services.
Whenever transfers are made to the US, users must be informed transparently, in accordance with Article 13 of the RGPD, and if the processing / transfer is based on consent, data controllers must ensure that they have obtained valid consent.
As a general recommendation, we advise Romanian personal data controllers to re-analyze their list of service providers as authorized persons and to verify the countries to which the processed data is transferred, and, in case of identification of transfers to third countries, to evaluate situation and decide on the opportunity to change these providers with service providers in the European Union. "
What were the implications of invalidating Privacy Shiled at European level? But in Romania?
Daniela Cireașă, Senior Partner NeoPrivacy Romania: "Following the CJEU decision in Schrems II, the European supervisory authorities took a position on the transfer of personal data to the USA. The Swiss supervisory authority, a country that had its own agreement with the United States, The Switzerland-US Privacy Shield agreement, which transferred the personal data of Swiss citizens to the US, has been invalidated, and the Swiss authorities announced on September 8, 2020 that the United States had been removed from the list of countries providing adequate protection under certain conditions. provides the necessary protection.
The Convention Committee 108 and the Council of Europe's Commissioner for Data Protection have also called for the adoption of international legal standards for data protection following the Schrems II judgment. In a joint statement, they stated that " Countries must agree at international level on the extent to which surveillance by intelligence services may be authorized, under what conditions and under what safeguards, including independent surveillance and efficient ”.
The supervisory authorities in Berlin, Hamburg but also the Dutch authority recommend the cessation of transfers to the USA. The Berlin authority even recommends withdrawing data from the US. Several supervisors emphasize the need for further analysis and case-by-case assessments.
Please note that the Irish supervisory authority has instructed Facebook to stop data transfers to the United States. Following this summons, on 11 September 2020, Facebook took legal action against the Irish Data Protection Commission (IDPC), launching an appeal in Ireland in an attempt to stop IDPC's preliminary order to suspend the use of standard contract terms ( CCS) in EU-US data transfers.
CNIL has called on the French authorities to stop hosting Microsoft's health data research platform as soon as possible, given the recent invalidation of the Privacy Shield. The Secretary of State for Digital announced on the same day that he was working with the Minister of Health to repatriate this platform to French or European infrastructures.
Facebook considered the proposal premature and urged the Irish regulator to take a pragmatic and proportionate approach until a long-term solution can be reached, as it claims that the preliminary order was decided before Facebook received guidance from European Data Protection Board.
In Romania, during the school year, under restrictive conditions for all subjects involved, the authorities decided conducting online meetings and online classes. Most platforms used in Romania transferred data to the United States. The Ministry of Education and Research announced on September 2, 2020 that, in collaboration with Google (Meet) and Microsoft (Teams), it provides free educational platforms, both platforms belonging to American companies. We add to the list of platforms that transfer data to the US and the new facility of ANAF (National Agency for Fiscal Administration), visual identification through Zoom platform,
An additional proof that in Romania the data controllers, both from public and private sectors, have not assimilated the information of the invalidation of the Privacy Shield are the online stores or simple presentation sites that still use the suite of analysis cookies from Google, American solutions for newsletter or payment etc. Even the websites of candidates in local elections have such cookies installed. We appreciate that most date controllers use these solutions without being fully aware of the implications.
We believe that we are still far from a new agreement between the EU and the US, although the US recommendations have become even more urgent: (1) the adoption of comprehensive federal privacy legislation, (2) the establishment of an independent data protection agency and (3) ratification Council of Europe Convention on Confidentiality. The current situation of uncertainty affects both European and American companies and the rights and interests of European citizens.
Between July and September 2020, NYOB conducted a survey of 33 companies that transfer data to the US and their reactions ranged from a lack of response to vague or substanceless responses. Companies such as Airbnb, Netflix or Whatsapp have not responded at all, while others have responded by referring to Privacy Policies that do not answer specific questions or by making standard Contract Terms that are manifestly uncovered because those companies are subject to intrusive US law. .
We recommend all personal data controllers in Romania to turn to specialists in the field of personal data protection, the only ones who, at present, are up to date with news in the field and are able to explain to data controllers all the implications and offer solutions in accordance with data protection legislation."
