Here we go again. The ever-changing world of data privacy is… well… ever-changing, and it’s sometimes hard to keep up with the laws and regulations that impact your business and the way you handle user data. Over the last few months, we’ve seen more and more questions about the invalidation of Privacy Shield and what that means to the transmission of consumer data between the EU and the US.
As always, we wanted to make sure that we’re keeping you aware of the changes and helping you understand what these updates mean to you. Curious? Let’s dive in.
So what happened with the Privacy Shield?
You may have heard of the EU-US Data Privacy Shield, which, beginning in 2016, regulated the usage of consumer data in transactions between Europe and the United States. American companies were able to use the Privacy Shield to validate and accredit these transatlantic data transfers. Basically, using the Privacy Shield allowed American companies to actually do those transactions.
Okay, so does the Privacy Shield still protect these companies?
Not anymore. On July 16, 2020, the European Commission Court of Justice (CJEU) invalidated the adequacy of the EU-US Data Privacy Shield’s protection. In other words, American companies can no longer use the Privacy Shield as a way to “allow” transatlantic data transactions. You may wonder, what does this mean for Mailjet by Pathwire?
You wouldn’t be the first to ask. Since the ruling, some of our customers have asked about its impact on our services and our business. Because of these questions, we wanted to provide more detailed information on how our company deals with data protection, and how it is impacted by the CJEU’s recent decision.
A little background on the CJEU ruling
Under the European Union’s General Data Protection Regulation (GDPR), proper safeguards (basically, protections) must be in place for data transfers from any country outside of the European Union, including the United States. Until July 16, 2020, the Privacy Shield was considered an adequate GDPR protection and had complied with its requirements when transferring personal data to the United States.
To remind you, on July 16, 2020, the CJEU invalidated the adequacy of the protection provided by the EU-US Privacy Shield. For more information on this specific ruling, see the decision here.
Since the Privacy Shield framework is now considered inadequate, an alternative protection is required for all data transfers. These alternatives may include the Standard Contractual Clauses (SCCs), also called EU Model Clauses, or Binding Corporate Rules. Additional safeguards may also be required to provide a standard of protection for the data that is essentially equivalent to that provided by EU law.
Does Mailjet have alternative protection?
Yup! At Mailjet by Pathwire, we had already gone beyond the minimum requirements of the GDPR (yay!). In fact, we did so early on in the process and were the first company to be certified by AFNOR for respecting the main principles of GDPR. We did not rely only on the Privacy Shield: we had already maintained (and continue to maintain) Standard Contractual Clauses (SCCs) for all our data transfers, including transfers with our sub-processors that processed our customers’ personal data. These SCCs, as per the CJEU ruling, continue to be a valid legal mechanism to transfer data under the GDPR. So, if you’re using Mailjet, your data is safe and valid.
To go one step further, we implement additional safeguards beyond the standard contractual clauses (sadly, these safeguards don’t include ninjas), and we make sure to have proper technical and organisational measures in place for any personal data transfers (including data encryption, data aggregation and separation of access keys).
Mailjet by Pathwire has a robust vendor management procedure in place, which we use to control and audit all of our sub-processors, including frequent audits on the sub-processors that process the personal data of our customers. This is basically a fancy way of saying that our data processes and data processors are safe, valid, and frequently inspected. We also perform audit risk assessments, and we implement the requisite technical and organisational measures to ensure that proper security and data protection are respected. For further details on our security and privacy measures, see our dedicated page here.
So, I’m good? Do I have to do or change anything related to data privacy?
No, you don’t have to do anything — we’ve already implemented all necessary protections. Mailjet by Pathwire has you covered. We have been, and remain, wholly committed to having a lawful basis for data transfers in compliance with applicable data protection laws. Both Mailjet and Mailgun by Pathwire continue to monitor the evolution of international data transfer mechanisms under the GDPR, and we are committed to ensuring a lawful basis for all our data transfers in compliance with all other applicable data protection laws.
We understand the concerns of our customers and remain steadfast in our commitment to ensure that our customers’ data is secure and protected. And, as long as we’re here, you can rest assured that we’ll be going above and beyond to protect that data—and its transfers—under international laws. So feel free to sit back, and leave data privacy to us.
Do you have any additional questions for our legal team? Feel free to drop them an email at email@example.com!