Mailchimp is out, even if…

I am pretty creative when it comes to taking the GDPR legal stuff and working out how to make it work in practice. No business or organisation should hit a wall of what I call ‘GDPR paralysis’, where something legal prevents the business from functioning. Our livelihood depends upon a working economy and a healthy GNP. In fact, if we didn’t have this, human rights would start to become problematic, because if we as private people do not have access to jobs we lose what is, IMHO, the most important word of all: CHOICE.

Whenever I am presented with a stop, i.e. “no, can’t do”, it is an opportunity to think anew. Schrems II is one such example. I did not see it as a stop on international transfers to the US. It just meant we needed increased diligence: document everything and do those Transfer Impact Assessments (TIAs) so we understand the risks to the rights and freedoms of the natural person, and identify supplementary measures. We need to be realistic.

However, I must admit that the latest decision on Mailchimp in Germany is a show-stopper. From what I’ve dug out, only the email addresses used in a mailing campaign were in scope of the international transfer. The risk to the rights and freedoms of the natural person is zero/negligible. Yet, due to indications that Mailchimp may in principle be subject to data access by US intelligence services on the basis of the US legal provision FISA 702 (50 U.S.C. § 1881), as a possible so-called Electronic Communications Service Provider, the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.

My take on this previously was to assess the risk to the rights and freedoms of the individual; now, however, this approach has been kicked out, ignored. I wonder where the logic, the balance, is in this decision? Clearly, if Mailchimp were being used to send out marketing communications from a sex shop, or from a specialist group around a health condition, I could understand this… but an email address used in a standard, non-personal communication?

I am wondering which monkey was behind this decision, or am I missing something?

Schrems-II and ePrivacy Regulation: beautiful mess?

It may occasionally seem that EU laws look like a chicken with its head cut off.

It’s been more than half a year since Schrems II substantially changed the privacy world, with the succinct EDPB FAQ issued a week later and the controversial Recommendations 01/2020 still stuck at the stage of public consultation, leaving more questions than answers, especially for businesses operating globally.

A recent agreement (after how many reiterations?) on the ePrivacy Regulation resembles a Christmas that does not really make anyone happy, as it raised clear concerns among the privacy community and received plenty of negative feedback, with that from the German Federal Commissioner probably being the most vehement. Surely, the deadlock has been broken, and this is undoubtedly huge progress and an achievement that should not be underestimated (regardless of any criticism voiced). At the same time, there is obviously a long way to go to reach true reconciliation.

Going back to the Schrems II stalemate, my impression is that many companies took a ‘wait and see’ approach, while taking careful first steps and probably nervously waiting for the first cases of detected non-compliance in the industry. If you want a brief recap of what’s happened in this realm since July 2020, here it is from IAPP.

#dataprotection #privacy #gdprcompliance #privacylaws #edpb #gdpr #privacylaw #privacyissues #dataprivacy #privacymatters #privacyprotection #compliance #law #politicsandlaw