GDPR 2020: Summary of EU Regulation after Privacy Shield Abolition

In July 2020, the Court of Justice of the European Union declared the protection of personal data offered by the EU-US Privacy Shield inadequate. Privacy Shield, the court ruled, was not compliant with the GDPR. Many US companies that process European user data (such as Mailchimp, Active Campaign, Campaign Monitor and other leading email marketing software; Sendgrid, SMTP.com and Mailgun, as well as other professional SMTP services) had based their activity on Privacy Shield. The framework provided a kind of self-certification, which only required a declaration that adequate measures to protect data had been adopted. With the abolition of this agreement between the US and the EU, the only way for US companies to continue operating here appears to be by moving their headquarters to Europe. The court ruling means that you may need to find European alternatives to Mailchimp which can ensure the protection of your personal data in accordance with the GDPR.

EU privacy rules for non-European companies

The Court of Justice of the European Union ruled against the EU-US shield on the grounds that US law does not provide sufficient guarantees for data protection. Contractual data clauses used by US companies are still considered valid, but only if they are accompanied by other guarantees that align the contracts fully with the GDPR.

In any case, those who use Mailchimp or other US systems to send their emails must ensure that the recipient has given explicit consent to the transfer of their data outside the EU, and that this consent was given after being informed of the possible risks.

In essence, the court ruling means that the level of data protection (i.e. all adequate safeguards, enforceable rights, and effective remedies) required to transfer data from Europe to third countries should be equivalent to the protection guaranteed in the Union. Because real equivalence may not exist in practice, given the different legal systems, distance, and languages, many European companies may not feel comfortable handing their data to a US email marketing service, even where the clauses themselves are valid.

GDPR and email marketing after Privacy Shield abolition

For email marketing platforms, data transfer is carried out on servers in the United States, and the processing of that data is subject to American domestic regulations. It is therefore difficult for an American company to guarantee the same data protection standards as a European company aligned with the GDPR. The legal systems in force in European states are very different from those in force in the United States, and in privacy protection, as elsewhere, national law always prevails.

The decision of the Court of Justice of the European Union helps European companies, which have always been overshadowed by American ones such as Mailchimp that operate in the EU without having to comply with local tax regulations.

Conclusions

The Bavarian Data Protection Authority recently ruled against Mailchimp, considering the guarantees the company offered for the transfer of data to the United States insufficient. No financial penalty was imposed on the US company; only a warning was issued, but it nonetheless sets a precedent. The transfer of data to non-EU countries should, in fact, be considered illegitimate if the contractual clauses are not accompanied by additional measures that allow full compliance with the GDPR.