On July 16, 2020, the Court of Justice for the European Union (CJEU) issued a ruling in a case invalidating the EU-US Privacy Shield Framework, one of the ways for companies to transfer data legally from the EU to the US. Additionally, on September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”), announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. We know that some of our customers may have questions about how these changes impact their use of Mailchimp.
First, we want to reassure our customers that they can continue using Mailchimp in compliance with EU law. We have long provided our customers with two layers of protection for data transfers from the EEA to the US in our Data Processing Addendum: compliance with the EU-US and Swiss-US Privacy Shield Frameworks and Standard Contractual Clauses (SCCs).
While the ruling and announcement invalidated the EU-US and Swiss-US Privacy Shield Frameworks, neither invalidated the SCCs, which remain a valid data export mechanism. Our agreements are structured in a way that the SCCs automatically take effect, so our customers are already protected by the SCCs. We will also continue to honor our obligations to protect EU, UK, and Swiss data in compliance with the Privacy Shield Principles.
We’re committed to protecting our customers' ability to transfer and process data on our platform. We're reviewing these decisions carefully. We're closely monitoring the situation for emerging guidance to determine whether we'll need to make any additional changes to our practices. Learn more about Mailchimp's data export compliance here.
Published July 16, 2020. Last updated on October 22, 2020.