Ecommerce would not be possible without email marketing. And when you think of email marketing you quickly think of Mailchimp, one of the most used platforms to bring your newsletters and updates to the attention of your clients. But Mailchimp is under fire. After all, the platform runs on American servers. So its use seems to violate Dutch and European privacy laws. You have been warned!
Mailchimp is the most popular email marketing software in the world. What started in 2001 as a hobby by developers Ben Chestnut and Mark Armstrong, grew into big business. The most important boost was the decision in 2009 to offer the service free of charge to a certain extent. The number of users increased rapidly. Mailchimp is now responsible for the worldwide distribution of billions of emails per month. But there is now a serious threat to European users. Mailchimp is not AVG proof.
Mailchimp in breach of GDPR
The AVG, also known as General Data Protection Regulation (GDPR), applicable in EU countries since 2018, is starting to get in the way of the popular cloud solution for email campaigns. For a long time, nothing seemed wrong. Until the louse in the pits of the global data industry, the NOYB, set its sights on a random organization in Germany because of its use of Mailchimp. The passing on of e-mail addresses to the American company Mailchimp would violate the AVG. Because the regulation prohibits the storage of data outside the EU.
But the forwarding of the addresses served no other purpose than the sending of e-mails, was the defense of the organization in question. Unfortunately, this did not impress the privacy supervisor in the German state of Bavaria. The supervisor ruled that the transfer of personal data was indeed unlawful. In other words: the use of Mailchimp was labelled as punishable. There was no actual punishment (fine), but the discussion about data exchange between Europe and the US has been reopened.
Gap in Privacy Shield
The bone of contention is that intelligence services in the United States can and may look into the databases of cloud parties such as Mailchimp. Until 2020, the Privacy Shield regulation was in place for this purpose. This was a series of agreements with the U.S. to protect European citizens against the interest of American snoopers. The regulation was burned down by the Court of Justice of the European Union at the hands of the NOYB. Since then, data transport to the US is only permitted if the sender takes additional security measures. The German regulator ruled that the organization that the NOYB had now tackled on a trial basis did not build in sufficient safeguards to prevent Big Brother from looking in.
However, building in such safeguards is not as simple as that. The umbrella organisation of European privacy supervisors (EDPB) is working on protocols, but these exist only in draft form. The organisation that was reprimanded - the name has not been disclosed - indicated this in its defence, but to no avail. It was only a warning, but Mailchimp was immediately thrown overboard as an email marketing tool and a new system had to be set up. The question is: do all Ecommerce-entrepreneurs who use Mailchimp have to rush to find a new software solution?
That question is not so easy to answer. Suppliers of email marketing tools are of course grateful to the situation and seize the hassle around Mailchimp to promote their own products. And don't blame them. There are more and more lists circulating with paid best choices on the internet. Frankwatching recently published a handy list of alternative free mail programs. With the introductory text: 'Mailchimp can go out the window, because software from the US does not comply with the AVG'.
To continue or not to continue with Mailchimp?
Maybe this is a bit short-sighted, although such a list can never hurt you if you want to be on the safe side by quitting Mailchimp in advance. But despite the ruling of the German privacy regulator, it is very questionable whether this is necessary at all. First of all, it is uncertain whether the ruling of the supervisor would have been upheld if the organization in question had gone to a higher court. Mailchimp itself claims to comply with the regulations. In this respect, Mailchimp relies on the so-called Standard Contractual Clauses, model contracts approved by both the European Commission.
Secondly, Mailchimp recently announced to have a data center in the EU operational by 2022, which would solve the problem. Thirdly, the EU and the US are working on new agreements that should close the gap in the Privacy Shield. But the ruling against Mailchimp by the Bavarian privacy watchdog may have consequences. Following the German regulator, there is always a chance that the Dutch regulator, the Netherlands Authority for the Protection of Personal Data (Autoriteit Persoonsgegevens), will also call companies to account for the use of Mailchimp or other tools and platforms that run on servers in the United States.
Personal Data Authority remains silent
For that matter, there are no signs yet that point in that direction. On the website of the Dutch privacy watchdog, there is as yet no mention of any risks associated with the use of the popular email marketing tool. But beware: that offers no guarantee of a carefree future in intercontinental data traffic. A general rule is: if you don't want trouble, it's better to store and process all your data in Europe. But the most important conclusion at the moment is that all the hassle around Mailchimp is creating confusion.