Mailchimp under fire because of GDPR

Ecommerce would not be possible without email marketing. And when you think of email marketing, you quickly think of Mailchimp, one of the most widely used platforms for bringing your newsletters and updates to the attention of your clients. But Mailchimp is under fire. After all, the platform runs on American servers, so its use appears to violate Dutch and European privacy laws. You have been warned!

Mailchimp is the most popular email marketing software in the world. What started in 2001 as a hobby of developers Ben Chestnut and Mark Armstrong grew into big business. The most important boost was the decision in 2009 to offer the service free of charge up to a certain limit. The number of users grew rapidly, and Mailchimp is now responsible for the worldwide distribution of billions of emails per month. But there is now a serious threat to European users: Mailchimp is not AVG-proof (the AVG being the Dutch name for the GDPR).

Mailchimp in breach of AVG

The General Data Protection Regulation (GDPR), applicable in EU countries since 2018, is starting to get in the way of the popular cloud solution for email campaigns. For a long time, nothing seemed wrong. But then the thorn in the side of the global data industry, the privacy group NOYB, set its sights on a German organisation because of its use of Mailchimp. Passing on e-mail addresses to the American company Mailchimp was said to violate the AVG, because the regulation prohibits the storage of such data outside the EU.

The addresses were passed on for no other purpose than the efficient and automated sending of e-mails. That was the defence of the organisation in question. However, this did not impress the privacy supervisor in the German state of Bavaria, which ruled that the transfer of personal data was unlawful. In other words: the use of Mailchimp was labelled as punishable. No actual punishment (a fine) followed, but the discussion about data exchange between Europe and the US has been reopened.

Gap in Privacy Shield

The sore point in the discussion is that intelligence services in the US can and may look into the databases of cloud providers such as Mailchimp. Until 2020, the so-called Privacy Shield arrangement existed for this: a series of agreements with the US meant to protect European citizens against the interest of American snoopers. The arrangement was struck down by the Court of Justice of the European Union in a case brought by NOYB. Since then, data transfers to the US are only permitted if the sender takes additional security measures. The German regulator ruled that the organisation NOYB had singled out as a test case had not built in sufficient safeguards to prevent Big Brother from looking in.

However, building in such safeguards is not that simple. The umbrella organisation of European privacy supervisors (EDPB) is working on protocols, but these exist only in draft form. The reprimanded organisation, whose name has not been disclosed, pointed this out in its defence, but to no avail. Although it received only a warning, Mailchimp was immediately jettisoned as its e-mail marketing tool and a new system had to be set up. The question now is: should all Ecommerce entrepreneurs who use Mailchimp rush to find a new software solution?

That question is not so easy to answer. Suppliers of e-mail marketing tools are of course grateful for the situation and use the commotion around Mailchimp to promote their own products. And who can blame them? More and more paid 'best choice' lists are circulating on the internet, with the introductory text: 'Mailchimp can go out the window, because software from the US does not comply with the GDPR.'

To continue with Mailchimp or not?

Perhaps this is a bit short-sighted, although such a list never hurts if you want to be on the safe side by quitting Mailchimp in advance. But despite the ruling of the German privacy regulator, it is very questionable whether this is necessary right away. First of all, it is uncertain whether the regulator's ruling would have stood if the organisation concerned had gone to a higher court. Mailchimp itself claims to comply with the regulations. In this respect, Mailchimp relies on the so-called Standard Contractual Clauses, model contracts approved by the European Commission.

Secondly, Mailchimp has had a data center in the EU since 2022, which should eliminate the problem. Thirdly, the EU and the US are working on new agreements that should close the gap left by the aforementioned Privacy Shield. But the ruling against Mailchimp from the Bavarian privacy watchdog can of course have consequences. Following the example of the German regulator, there is always a chance that the Dutch regulator, the Dutch Data Protection Authority, will also call companies to account for the use of Mailchimp or other tools and platforms that run on servers in the US.

Dutch Data Protection Authority remains silent

For that matter, there are no signs yet that point in that direction. The website of the Dutch privacy watchdog does not yet mention any risks associated with the use of the popular e-mail marketing tool. But beware: this offers no guarantee of a carefree future for intercontinental data traffic. A general rule is: if you do not want trouble, it is better to store and process all your data in Europe. The most important conclusion at the moment, however, is that all the commotion around Mailchimp is creating confusion.

Replace email package?

As a precaution, more and more companies are opting for European suppliers: not only servers in the EU, but an entire company based in the EU. Fortunately, there is a lot to choose from in the EU and plenty of good alternatives are available. Do you need help selecting the right solution? Please let us know. We're happy to help.