A Scandal in Bavaria

A court in Germany has ruled that an organisation should not use Mailchimp to send out their e-mail communications, because it unlawfully transmits e-mail addresses outside the EU.

The Background

Back in August the EJC (The European Court of Justice) ruled the US-EU Privacy Shield is no longer valid, as it does not offer sufficient protection for EU citizens and their data.

In that case, Standard Contractual Clauses (SCCs) provided enough cover for MailChimp’s UK and EU customers. That is not the case this time.

The Defence

Only email addresses were shared with Mailchimp for sending email.

Recommendations for additional safeguards on top of SCCs are not yet final.

The Assessment

Because there was a transfer of personal data outside the EU on the basis of the model contracts (SCCs), the organisation should have assessed whether additional guarantees were needed.

US intelligence agencies are known to have access to data from cloud parties, therefore additional safeguards were needed to ensure lawful transfers.

What Happens Next?

Keep an eye on the recommendations the EDPB is coming up with.

Monitor negotiations between the European Commission and the US government with a renewed vigour. There is talk of a successor to the Privacy Shield. The question then is how long that agreement will last.