If you’re based in Europe and use Mailchimp for connecting with your eCommerce customers, take note. The Bavarian State Office for Data Protection Supervision (BayLDA) prohibited a company based in Munich, Germany, from using the US service provider Mailchimp to send newsletters.

The order may make it illegal for European companies to use Mailchimp and similar US-based providers under the General Data Protection Regulation (GDPR).

What Is Mailchimp?

Mailchimp is one of the most popular providers of email and other marketing services in the US and worldwide. Provided by a company called Rocket Science Group LLC, its software-as-a-service (SaaS) solution is easy to use and includes a range of functions. As a SaaS solution, users don’t have to install anything to use the service.

Instead, users log in to an online account, create communications, and upload email recipients’ addresses. Mailchimp then processes the addresses and sends the emails from its servers.

The challenge is that all of Mailchimp’s servers are located in the US, meaning that email addresses are sent to US servers and communications originate from those servers.

Events that Led to the New Action

In the July 16, 2020 ruling, the ECJ declared the so-called EU-US Privacy Shield to be ineffective. Data transfers to the US could therefore no longer be based on this legal basis.

After the July ruling, many US companies, such as Mailchimp, based their data transfers on so-called standard contractual clauses, which in Mailchimp’s case were at issue in the prohibition.

About the New Prohibition on Mailchimp

The ban came after a complaint from the recipient of a newsletter sent by a German-based company using Mailchimp as its sender.

BayLDA’s prohibition order concluded that:

  • The information transferred to the US falls under the standard contractual clauses (SCCs) addressed in the Schrems II ruling of July 2020 (see ECJ, judgment of July 16, 2020, Az. C-311/18).
  • Because Mailchimp can be seen as an “electronic communications service provider,” the information could be accessed by US surveillance agencies.
  • The company sending the newsletter hadn’t checked whether Mailchimp took “additional measures” to protect the data from those agencies as required in the Schrems II ruling.

Steps to Take to Protect Your Company

The ruling creates considerable uncertainty for any European company exporting data out of Europe and into the US, even though:

  • The company against which the complaint was filed has stopped using Mailchimp,
  • No fine was levied, and
  • The BayLDA hasn’t ruled that it’s illegal for European companies to use Mailchimp and similar services in the US.

Unfortunately, the company hasn’t taken any legal action against BayLDA’s order, which means that the matter won’t be clarified in court. A judicial ruling might have provided some clarity. Thus, the uncertainty that has applied to European companies since the Schrems II ruling remains.

Since the July Schrems II ruling, some, but not all, US service providers have used servers located in Europe or encrypted transmissions. Companies are reluctant, though, to provide information about their additional protective measures, which makes it difficult, if not impossible, to assess whether the measures are suitable and sufficient according to the standards of the ECJ and BayLDA.

What companies need to do is attempt to ensure that any US-based provider is taking added measures to protect data from being accessed by US surveillance agencies.

What to Ask Your Provider

European companies that use Mailchimp or other US service providers to send newsletters and email communications will want to clarify the following with their providers:

  • What data is transmitted to Mailchimp or the other service provider: only the email address or, where applicable, other data such as names, dates of birth, etc.?
  • Does Mailchimp or the other service provider use tracking functions?
  • Is the provider subject to US surveillance that may conflict with ECJ rulings?
  • What additional measures does the service provider use to protect data?
  • Which EU alternative providers can the company consider? Do these have any functional disadvantages compared to Mailchimp?
  • What costs and what effort would be expected if the newsletters had to be moved to an EU service provider (for example, for technical integration, changing interfaces, training employees, etc.)?

Whether there’s a need for action or a change in providers is something companies will want to clarify by consulting a lawyer who specializes in data protection law, the company’s data protection officer, or both.

This article is based on a translation of the original article that was posted on datenschutzerklaerung.info.

About the Author

Felix Gebhard is a lawyer and certified data protection officer. Since 2013, he has worked for the law firm BPM Legal in Munich, Germany. BPM Legal primarily advises companies in eCommerce and IT on all relevant legal issues and with a special focus on data protection.