Can Mailchimp be used in a way that is permissible under data protection law?

Key Facts

The BayLDA considers Mailchimp to be inadmissible if no additional data protection compliance measures are taken.
Transmission of e-mail addresses could be problematic under data protection law without further measures.
Mailchimp 's privacy policy does not mention complete encryption of user data.
The only encryption instructions are contained in "Data Export Conditions".
Mailchimp 's privacy policy does not offer sufficient protection from US authorities.
The BayLDA did not consider a fine to be necessary in this case.
The transmitted e-mail addresses are considered to be relatively insensitive data, which leads to lenient measures.

In line with my article today regarding Cloudflare(see here), due to a recent decision by the Bavarian State Office for Data Protection Supervision, I would also like to briefly highlight Mailchimp, which is almost omnipresent in the WordPress universe and is still used by many providers to send email newsletters.

In the opinion of the BayLDA, Mailchimp is at least unlawful if, as a user, one does not check whether, in addition to the EU standard data protection clauses (which were used), “additional measures” within the meaning of the ECJ decision “Schrems II” (ECJ, judgment of 16.7.2020, C-311/18) are necessary to make the transfer compliant with data protection, in particular because, in the opinion of the BayLDA, there are indications that Mailchimp may in principle be subject to data access by U.S. intelligence services on the basis of U.S. law FISA702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be permissible by taking such additional measures (if suitable).

After looking at Mailchimp’s privacy statement, there is nothing about encryption anywhere there. Even in the document that Mailchimp calls “GDPR compliance”, which is only available in German, there is nothing about encryption.

The only reference to encryption is a document called “Data Export Conditions”.

Mailchimp has, where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network utilizes 128bit WPA2 encryption. Further, Mailchimp email (256bit), all VPN connections (256bit), and the internal chat application (256bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API.

Translated then:

Mailchimp has implemented, where and to the extent technically feasible, encryption technologies throughout its infrastructure to protect User Data from unauthorized access when processed internally by Mailchimp. For example, all Mailchimp production pages use Transport Layer Security (TLS), a secure encryption protocol, and Mailchimp’s internal wireless network uses 128bit WPA2 encryption. In addition, Mailchimp emails (256bit), all VPN connections (256bit) and the internal chat application (256bit) are also encrypted. Login pages use TLS and have protection against brute force attacks. This also applies to Mailchimp mobile apps and the Mailchimp API.

When you get right down to it, this is probably not a sufficient assurance that user data is fully encrypted, even from access by Mailchimp itself. Rather, Mailchimp limits that data would be protected from “unauthorized access.” However, access by US authorities, for example, would precisely NOT be unauthorized.

The magazine affected by the aforementioned proceedings at the BayLDA only escaped a fine due to an appropriateness consideration.

The BayLDA on this:

Supervisory measures going beyond this determination of the inadmissibility of the above-mentioned data transfers pursuant to Art. 58 Par. 2 DSGVO, we do not consider it necessary in the specific case at hand by way of a discretionary decision. We have made it clear to the company that the above-mentioned transmission of your e-mail address was not permitted under data protection law. We do not consider it necessary to impose a fine, as you have requested. In this respect, we hereby inform you that, in our opinion, a data subject has no legal entitlement to the imposition of a fine in the event of a data protection violation, and in our opinion, no entitlement to a discretionary decision on punishment with a fine.
For unlike some other of the provisions of Art. 58 para. 2 GDPR (such as the power to instruct the controller to comply with requests from the data subject to exercise his or her rights (Article 58(2)(c) GDPR), the power to impose a fine under Article 83 GDPR (Article 58(2)(i) GDPR) does not serve to safeguard the rights and freedoms of a data subject, but the public interest in the enforcement of the law. Consequently, a data subject has no subjective right against the data protection supervisory authorities to decide on the imposition of a fine pursuant to Art. 58 para. 2 letter i DSGVO to. However, even if one were to recognize such a subjective right of a person concerned, there would be no claim on your part to imposition of a fine against XXXX given. Taking into account the relevant factors listed in Article 83 of the GDPR that play a role in this decision, it is within the scope of discretion to refrain from imposing a fine in this case. This is particularly the case because only a few cases of unauthorized data were transmitted in the present case, and secondly because the data involved – in the form of e-mail addresses – is still relatively manageable in terms of its sensitivity; the latter alone would not be sufficient to justify a waiver of the fine. As a result, however, the waiver of the fine is free of discretionary error in the present case, particularly against the background that the above-mentioned Recommendations of the European Data Protection Board are declared to be still in a public consultation and therefore not yet available in the final version, so that the present infringement is still to be classified as minor with regard to its nature and gravity (Article 83 (2) (a) GDPR), and in particular only a slight degree of negligence at most is to be affirmed (Article 83 (2) (b) GDPR).

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.

Tags: Chat Compliance Data protection Law E‑mail Email Mail Privacy Sicherheit