Read the Blog

Email marketing and EU data protection

Synchromedia’s technical director, Marcus Bointon, spoke on data protection at the PHP[Tek] 2016 conference. Data protection is highly relevant to email marketing, far more than simple web access, because email senders have to know about data subjects (subscribers) in advance, and thus are subject to far more legislation – legislation that is currently seeing major upheavals.

The collapse of the safe harbour agreement in October 2015, in the wake of Edward Snowden’s revelations about the NSA’s PRISM mass intercept system, has meant something very significant to email marketers that they probably don’t realise: if you are storing data about EU citizens in a US-based email marketing system, you are breaking the law!

While the legal world is collectively holding its breath, there have already been prosecutions penalising companies continuing to export data to the US under safe harbour (via bing German translation). The negotiations over safe harbour’s supposed replacement, “Privacy Shield”, have ground to a halt because the underlying problems that caused the collapse persist. Given that this is being applied to big companies like Facebook, Google, Twitter, Microsoft and others, you can be pretty sure it applies to smaller companies too. What’s more, the penalty limit for data protection breaches will rise to €20 million per instance from May 2018 under the new EU General Data Protection Regulations. It’s not even safe to use US companies that have an EU presence – US courts have ruled that hotmail messages stored in an Irish citizen’s account, on a server in Ireland, owned by an Irish company, which happened to be a Microsoft subsidiary, constitute Microsoft’s “business records”, and are thus subject to US search warrants. This may even extend to EU companies using cloud-based hosting services that are US-owned, such as Amazon EC2, even if they are using EU data centres! This kind of heavy-handed action by the US government is undermining US companies in the EU, and so we are seeing them fight back, as recent cases involving Apple, Google and Microsoft demonstrate.

While the scary talk about safe harbour is one thing, it really reflects on the poor standard of privacy and data protection that most services provide. Smartmessages has always been heavily in favour of strong privacy protection – as you can see in our actions over the last 15 years – for example Smartmessages is the only ESP we know of that has integrated support for the UK’s subject data access requirements, and fulfils Germany’s extensive double-opt-in requirements. You don’t have to believe everything we say either – you can test some of our technical abilities here and here – and contrast with our competitors!

So what can you do? The absolute simplest solution is of course to switch to an entirely EU-based ESP (we happen to be one, though there are many others too :)). Smartmessages uses physical dedicated servers located in London, operated by a UK company, hosted in a UK-owned data centre. Switching ESPs can be very simple, especially if the service already supports other systems’ mailing list and template formats (hint hint!), so ask us if you would like to know more.