Can I use Mailchimp compliantly if I am based in the UK?
14th April 2021
Bavarian DPA v Mailchimp
Mailchimp is an American technology company which specialises in email broadcasting that enables its users (mostly small businesses) to send marketing emails to people in their own databases. It was named in the 2021 Top 10 of Global software sellers by G2.com.
Mailchimp is big business. The latest figures we have suggest their total number of active users is more than 12 million, with almost 11,000 emails being sent every SECOND. That is a lot of emails, and a lot of data.
But is Mailchimp compliant with the GDPR?
Recently a company in Germany which was using the Mailchimp service received a complaint after uploading a customer’s email address to the platform.
The complaint concerned the forwarding of the email address to Mailchimp and the fact that insufficient checks had been performed on the Mailchimp service.
The affected (private) individual was unhappy that the German company was using Mailchimp to send them newsletters and submitted a complaint to the Bavarian Data Protection Authority (BayLDA).
The complainant argued that the transfer of the email addresses of subscribers of the respondent’s newsletter to the provider Mailchimp, was unlawful under GDPR Article 44.
The issue is that the USA is deemed to be a ‘Third Country’ and with the failure of the Privacy Shield certification scheme, there is insufficient basis to transfer personal data such as the email address of a German citizen to an American company without the explicit, freely given and informed consent of the person concerned.
We have previously covered the shock waves which came about as a result of the Schrems II judgement (see ICO interpretation) which invalidated the Privacy Shield scheme back in July 2020, and there are still many questions pending in terms of data protection and data transfer to not only the USA but other insecure Third Countries. Thankfully it looks like the UK will soon receive an adequacy decision to allow data to flow freely both to and from the EU and UK.
The decision by the BayLDA clarified that transmission of an email address to Mailchimp without the consent of the owner of this email address is not allowed, however, we must remember that their decision only applies to Controllers and Processors established within their jurisdiction. The consistency mechanism means that this view should be considered by other DPAs, however other EU and UK Regulators may take a different view.
Also, it should be noted that the BayLDA held that the use of Mailchimp by the German company was unlawful because Mailchimp receives the email addresses of newsletter subscribers and might qualify as an “electronic communication service provider” under US surveillance law.
There is a question as to whether Mailchimp actually falls within this definition of an electronic communication service provider under the US’s Foreign Intelligence Surveillance Act (FISA). The interaction between the GDPR and s.702 FISA and Executive Order 12333, and the implications for US-based companies, is considered in the white paper issued by the US Department of Commerce in September 2020.
Regardless, the BayLDA decision reinforces that Controllers in European and UK organisations can no longer automatically store email newsletter subscriber data with email broadcast companies located in insecure Third Countries.
Part of the BayLDA’s reasoning was that the German company should have checked whether, in addition to the EU standard data protection clauses, ‘additional measures’ within the meaning of the Court of Justice of the European Union (CJEU) “Schrems II” decision had been taken. In other words, the influence of the US legal system and its laws should have been considered.
Had the German company taken FISA and EO12333 into account in the BayLDA’s view they would have realised that “… there are at least indications that Mailchimp can in principle be subject to data access from US intelligence services and that the transmission could therefore only be permitted by taking such additional measures.” (replicated by the EDPB in English)
The Controller in question decided to refrain from using Mailchimp with immediate effect and the BayLDA did not impose a fine.
So, what does this mean for Mailchimp and all companies using the platform who are within the EU?
Mailchimp’s own guidelines on this matter are very helpful. If you are in the EU you should have the individual data subject’s consent before uploading their personal details to the platform. And that consent needs to be based on the individual knowing what you are planning to do with their data, which includes using Mailchimp, whose servers are in the US. Ideally this consent should be double opt-in.
What is double opt-in?
Double opt-in is where a user signs up for a service using opt-in consent, and is then sent an email or text, usually with links to more information, but crucially asking for confirmation of the opt-in. Only if this second opt-in link is clicked (the double opt-in) is the consent valid.
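The double opt-in flow described above, as an added example that is not part of the original post or of Mailchimp’s own code: the first sign-up only creates a pending record of what the subscriber was told (including the transfer to a US-based processor), a signed, expiring confirmation token is sent out, and only a valid second click marks the consent as confirmed and makes the address eligible for upload. The secret key, token lifetime and notice wording are assumptions.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass
from typing import Optional

SECRET_KEY = secrets.token_bytes(32)  # assumed per-deployment server secret
TOKEN_TTL = 48 * 3600                 # assumed: confirmation links expire after 48h

# Assumed consent notice shown at sign-up: names the purpose and the US-based processor.
NOTICE = ("Monthly newsletter. Your email address is sent to Mailchimp "
          "(servers in the USA) for delivery. Unsubscribe at any time.")

@dataclass
class ConsentRecord:
    email: str
    notice: str                 # exact wording the subject saw at sign-up
    requested_at: float
    confirmed_at: Optional[float] = None
    status: str = "pending"     # pending -> confirmed; only confirmed may be exported

subscribers: dict = {}          # email -> ConsentRecord (in-memory store for the example)

def _sign(email: str, ts: int) -> str:
    return hmac.new(SECRET_KEY, f"{email}|{ts}".encode(), hashlib.sha256).hexdigest()

def request_signup(email: str, now: float) -> str:
    """First opt-in: store a pending record and return the token to email to the subscriber."""
    subscribers[email] = ConsentRecord(email, NOTICE, now)
    ts = int(now)
    return f"{email}|{ts}|{_sign(email, ts)}"

def confirm(token: str, now: float) -> bool:
    """Second opt-in: only a valid, unexpired token for a pending record confirms consent."""
    try:
        email, ts_s, sig = token.rsplit("|", 2)
        ts = int(ts_s)
    except ValueError:
        return False
    if not hmac.compare_digest(sig, _sign(email, ts)):   # forged or tampered link
        return False
    if now - ts > TOKEN_TTL:                              # stale link
        return False
    rec = subscribers.get(email)
    if rec is None or rec.status != "pending":            # unknown address or replayed link
        return False
    rec.status, rec.confirmed_at = "confirmed", now
    return True

def exportable() -> list:
    """Only double-opted-in addresses are eligible for upload to the broadcast platform."""
    return sorted(e for e, r in subscribers.items() if r.status == "confirmed")
```

The confirmed record keeps the notice text alongside the timestamps, so you can later show exactly what the subscriber agreed to and when.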
You might be asking yourself, “Can I use Mailchimp compliantly if I am based in the UK?”
Unfortunately, the answer is not clear cut.
The decision by the German DPA is not binding on UK Controllers, only on those within its jurisdiction, but it is a factor which we have to take into account.
Therefore, in order to gauge whether you can or cannot use Mailchimp, you should consider:
- Are we storing consumer or corporate data?
- What is the purpose of the processing?
  - Is the user signing up for a wholly voluntary free newsletter which, if they did not sign up to it, would cause them no detriment (true consent), or
  - Is this a compulsory part of a service sign-up, in other words, you state “this is how we advise you of essential alerts, take it or do not use our service”?
The CJEU ruling further protected the privacy and data protection rights of EU (and UK) citizens against the actions of insecure Third Country state actors. The CJEU ruling is not saying you cannot use any company in the USA to process personal data, only those that fall within the definition of an “electronic communication service provider”, or indeed any Controller or Processor falling within the scope of FISA.
It was the view of the German DPA that Mailchimp does fall within that definition and it would take a review by the EDPB and/or CJEU to change this (which we cannot see happening, but never say never).
Therefore, to be safe, we would not be able to recommend to any client the use of a Mailchimp-type email broadcast company or any other similar company in an insecure Third Country.
The mood music is not good with regards to a Privacy Shield replacement and I feel we can rule out any adequacy decision or certification scheme to the US in the short to medium term.
Please do contact us if this affects your business and you would like some advice tailored to your individual circumstances. You can take advantage of a complimentary discovery call by booking your 30 minute slot here.
You might also like to consider our Marketing and the Law Foundation Course in Data Protection.