Mailchimp, FISA & GDPR

It’s time to digest another Capsule! If I told you that using Mailchimp is unlawful, you would not believe me, would you? Mailchimp is an email marketing service used around the world. How can it be unlawful? It turns out that in one part of the world (Germany), a company had to stop using it. A decision from one of the German data protection authorities has cast doubt over whether the popular email marketing platform Mailchimp can be used lawfully under the GDPR.

Background

Mailchimp provided email newsletter services to a German fashion magazine (acting as the controller), which had used Mailchimp’s email marketing service only twice, to send newsletters to its customers.

How it started

Following a complaint alleging that the magazine’s data transfers to the U.S. were unlawful in light of the CJEU’s Schrems II judgment, the Bavarian DPA opened an inquiry.

Decision

  • The Bavarian state data protection authority declared the fashion magazine’s use of the email marketing service Mailchimp impermissible, because the transfer of email addresses to Mailchimp in the U.S. did not comply with the Schrems II requirements (an assessment of the transfer and, where needed, supplementary measures).
  • The German company cooperated and committed to stop using Mailchimp’s services immediately.

What’s with transferring email addresses to Mailchimp?

  • To understand this, we must talk about Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • Under FISA, U.S. intelligence agencies have far-reaching access rights to the transferred data.
  • Section 702 of FISA is the statute that authorizes the collection, use, and dissemination of electronic communications content of non-U.S. persons located outside the United States, both content stored by U.S. internet service providers and content travelling across the internet’s “backbone” (with the compelled assistance of U.S. telecom providers such as AT&T and Verizon). Because it targets non-U.S. persons, the data of EU data subjects held by a U.S. provider is exactly what it reaches.

Bavarian DPA’s Observation

  • In reaching its decision that the use of Mailchimp was unlawful, the Bavarian DPA made three findings:

1. The transfers to the U.S. were based on Standard Contractual Clauses (SCCs).

2. There were “indications” that Mailchimp is an “electronic communication service provider” within the meaning of FISA 702 (one of the U.S. surveillance laws at the centre of Schrems II), and therefore information held by Mailchimp is potentially subject to access by U.S. surveillance agencies.

3. Following Schrems II, the respondent company had not assessed whether any supplementary measures were in place to protect the data transferred to Mailchimp from such access.

  • Because the German company had stopped using Mailchimp and the data transferred (email addresses) was of low sensitivity, the Bavarian DPA concluded that the breach was minor in nature and gravity. On that basis, no fine was imposed.

Analysis

  • The Foreign Intelligence Surveillance Act (FISA) was the silent player here: the Bavarian DPA’s concern was that U.S. agencies could access the data subjects’ information.
  • While the DPA did not make an express finding on the point, Mailchimp confirms in its transparency reports that it is subject to FISA.
  • The DPA did not rule that Mailchimp is unlawful per se. It ruled that the respondent company’s use of Mailchimp was unlawful because the company had failed to assess whether adequate supplementary measures were in place to protect the personal data from access by U.S. surveillance agencies.

Value

  • This case emphasizes that a company must conduct a privacy assessment before a new project or business relationship introduces privacy risks, not after a complaint arrives.
  • The decision is a warning to all organizations about the importance of carrying out appropriate due diligence on transfers of personal data outside the European Union, including an assessment of whether the recipient country’s surveillance laws undermine the protection the SCCs are meant to provide.
  • It also underlines the well-established point that data controllers bear the primary responsibility for data protection and data subject rights, even when a processor such as Mailchimp does the work.
  • When collaborating with a potential EU partner, it would be prudent, in the interest of transparency, to conduct privacy assessments covering where user data is stored and how it is transferred. Doing so would safeguard against risks of exactly this kind.
  • It is also the organization’s responsibility to stay up to date with recent case law, so that it adheres to the changes in regulatory expectations set by precedent.

If you are interested in reading more about Section 702 of FISA, see https://www.eff.org/702-spying
