Bavarian supervisory authority prohibits the use of Mailchimp

The transfer of e-mails to third countries was not a problem for a long time. However, with the introduction of the GDPR, this has changed fundamentally. Above all, e-mail marketing and the use of tools for sending e-mails are affected. With the Schrems-II ruling of the ECJ (EU overturns Privacy Shield) in 2020, the situation is exacerbated even further. Now the authorities are also taking action and prohibiting the use of Mailchimp.

With the Schrems-II judgment of 16 July 2020, the European Court of Justice prohibits the transfer of personal data to the USA as a first step. This overturns the Privacy Shield Agreement. The reason given is a lack of protection by US law. In exceptional cases, however, it remains possible to forward personal data to third countries. However, only as long as the level of protection can also be guaranteed in the third country. This is no longer the case in the USA since the latest findings.

We have already reported on the verdict here.

In the meantime, this ruling is also enforced by the supervisory authorities:

The Bavarian State Office for Data Protection prohibits the transfer of e-mail contacts to the Mailchimp tool. Thus, the e-mail dispatch via the newsletter tool is no longer possible. Sending a newsletter requires a list of customers including all e-mail addresses. This is, at least in the case of Mailchimp, no longer GDPR compliant. The data will be transferred to the USA.

How does Mailchimp work?

Mailchimp is a SaaS tool that enables automation for creating newsletters. This tool is particularly relevant in marketing. Companies can create email lists, use templates or templates, create dynamic content, and even tailor their email marketing to customers’ time zones. Put simply, it is an all-in-one marketing platform for newsletters.

With its functionality and flexibility, Mailchimp offers easy handling for companies. At the same time, there is even a free version with the basic package and the price-performance ratio of the premium packages is also good.

Therefore, Mailchimp was and is very popular with many users

But Mailchimp is also a web-based email marketing tool. The email marketer is forced to create lists and share personal data.

What legal changes does the Schrems-II ruling entail?

First of all, many things remain the same. Active consent by the customer is still required if personal data is processed. The transfer of data to third countries also remains possible in principle.

For this purpose, one of the three requirements from the short paper of the Federal Commissioner for Data Protection and Freedom of Information (BfDI) must still be met:

• The determination of the adequacy of the level of data protection in the third country (Art. 45 GDPR)
• The existence of suitable guarantees, for example through a standard contractual clause (Art. 46 GDPR)
• Exceptions for certain cases (Art. 49 GDPR).

However, there is also a serious change. The obligation to provide proof of the level of protection of the third country no longer lies with the Commission, but with the companies themselves. Both the sending company and the recipient must be able to guarantee data protection. If this is not the case, further protective measures must be taken.

In addition, with the Schrems-II ruling, the Privacy Shield was suspended in a second step. The Privacy Shield previously enabled the transfer of personal data to companies based in the USA and thus represented a general standard contractual clause. The reason for the suspension is a lack of protection in the US. Access by an authority cannot be ruled out.

What is the problem with using Mailchimp?

In principle, the use of Mailchimp through the double opt-in function is GDPR-compliant. However, since Mailchimp is an American SaaS solution, personal data (such as the list of e-mail addresses) is also passed on to an American company.

This has been inadmissible since Schrems-II. What was previously possible through the Privacy Shield is no longer allowed. Although the problem could theoretically be solved by an individual standard contractual clause, there is no legal protection for this. The authorities in the USA are authorised to access all data in exceptional situations. The citizen cannot defend himself against this, neither privately nor in court.

Under no circumstances is it possible for companies to guarantee data protection at EU level.

It does not matter where the provider’s servers are located, because the authorities of the USA are authorized by the legislation to access the data. Regardless of the legislation at the server location. It is enough if the company’s headquarters are located in the USA.

More information about data protection in the USA can be found here.

This problem does not only apply to Mailchimp. Mailchimp was certainly just a coincidence at first. In the long term, all providers based in the USA or another critical third country will be targeted by the authorities.

Are there privacy-compliant Mailchimp alternatives?

In principle, any provider that hosts both its headquarters and its servers in an EU country is a potential Mailchimp alternative. These providers and their tools must comply with the guidelines of the GDPR and it can therefore be trusted that no authority has unauthorized access to the data. This is how online marketing works in the EU.

Three German alternatives are, for example, Cleverreach, Rapidmail or Sendinblue. In addition, you will find an overview of all German marketing automation providers on our landscape.

When choosing a provider from a third country, on the other hand, it is essential to ensure a GDPR-compliant data transfer. For this purpose, the following points must be clarified:

1. Do international data transfers arise in third countries?
2. If so, can a standard contractual clause be used?
3. Are the standard contractual clauses enforceable by the contractual partner?
4. If not, are there any additional measures (e.g. data encryption) that can be taken to guarantee the contractual clause?
5. What consequences do I have to draw from the result?

Finally, even after the decision, the legal situation should be regularly reviewed.

If doubts arise here, the cooperation with a foreign provider should be absolutely omitted or then terminated.

The colleagues from activeminds, the experts for topics relating to data protection, explain why this is so critical.

4 US laws that allow access to the data from the point of view of the Americans

The activeminds author Julia Peidli writes: “For the transfer of personal data to the USA and other third countries, the recipient country must actually (and not only on paper) have a corresponding level of data protection. This is what the European Court of Justice (ECJ) has said in its judgment on the EU-U.S. Privacy Shield made clear. Guarantees such as EU standard contractual clauses are therefore not sufficient if local laws undermine them. But that is exactly the case in the USA.

Anti-privacy legislation in the US

In the UNITED States, there are four laws that regulate the access of American authorities to data and that are of particular relevance for the evaluation of international data transfers:

• Foreign Intelligence Surveillance Act (FISA) of 1978;
• USA Patriot Act of 2001;
• USA Freedom Act of 2005 and
• CLOUD Act (Clarifying Lawful Overseas Use of Data Act) of 2018.”

“However, a server location in the EU does not protect against US laws: the CLOUD Act also authorises US authorities to access data stored by US service providers and their subsidiaries outside the US – even if this constitutes a conflict with local national law.”

Conclusion of the author of activeminds: The risk of sanctions is increasing

(Excerpt from an article – as of 29.03.2021)

Our conclusion: Companies must act!

The Schrems-II ruling and the associated tightening of the GDPR have enormous significance. Marketing is getting more complicated. Especially American providers and their customers will suffer. Even marketing solutions from other countries without sufficient data protection can no longer be used in the future.

At the latest through the controls, companies must act. Mailchimp is no longer an alternative in the current constellation as a provider of e-mail marketing in the future. There is no way to legally secure yourself as a customer and user of the marketing tool and to protect yourself from penalties. These restrictions will extend to other providers. The eyes will be on potential providers outside this risk circle.

But all the disadvantages and changes also bring advantages to light. Above all, European providers will benefit from this, because they are already subject to the criteria of the GDPR anyway.

Note: This is a machine translation. It is neither 100% complete nor 100% correct. We can therefore not guarantee the result.