Mailchimp is used for marketing distribution by many EU-based businesses. However, the ability to continue using Mailchimp lawfully under the GDPR has been thrown into serious doubt. This follows a recent decision by the Bavarian Data Protection Authority that transfers of personal data (including in the form of email addresses) to the United States when using Mailchimp (as a data processor) is unlawful.
As Mailchimp confirm in their website’s data export compliance page, personal data it processes is indeed transferred to the United States. The safeguard adopted for this transfer is the use of the EU’s Standard Contractual Clauses in Mailchimp’s data processing addendum.
But since the decision of the European Court of Justice in Schrems II, the use of these Standard Contractual Clauses is more onerous. Data controllers (the customers who use Mailchimp) must now to take additional measures to ensure the relevant data transfer is compliant.
In the Mailchimp complaint, the authority determined that Mailchimp could be subject to data access by U.S. intelligence services as an electronic communications service provider (on the basis of U.S. law FISA702 (50 U.S.C. § 1881)). This meant the data controller should have taken “additional measures”. Whilst the additional measures that should have been taken were not identified, the transfer (and so the use of Mailchimp under its present terms) was determined to be unlawful.
The data controller in this case was required to immediately cease the use of Mailchimp. However, the data protection authority exercised its discretion not to impose a fine.
What next?
This is another example of how the Schrems II case has impacted the ability of data controllers to blindly rely on Standard Contractual Clauses. It also reiterates the need to avoid transfers of personal data from the EU to the United States wherever possible and, where a transfer is necessary, to ensure the safeguards in place really are “adequate”.
Mailchimp users need to consider the risks associated with the continued use of the service in the light of this decision. For the moment, Mailchimp do not appear to have directly responded to its consequences, but it is interesting that it coincided with Mailchimp CEO’s commitments message (published on the same day of the decision), addressing some of the internal issues the business has faced. I suspect commitments will now also be needed to address data transfers – and quickly too.
References
You can read the Bavarian Data Protection Authority’s decision here: https://gdprhub.eu/index.php?title=BayLDA_-_LDA-1085.1-12159/20-IDV&mtc=today
You can view Mailchimp’s data export information page here: http://Mailchimp and European Data Transfers: https://eepurl.com/dyikdv
