
In the wake of the Snowden revelations and US laws like the PATRIOT and CLOUD Act, organizations particularly in the EU are becoming more concerned about the jurisdiction where their data is stored and processed. No other marketing automation software gives you as much control over where it’s hosted as the Mautic Community Edition on the Autoize™ custom infrastructure for agencies.

Although it’s welcome that some other email and marketing automation vendors have introduced EU regions for their SaaS-based offerings, their parent companies may still be based in the US — making them liable to US laws such as the CLOUD Act. When the CLOUD Act was passed in 2018, it represented an unprecedented extension of US extraterritoriality. Under the Act, technology companies that are incorporated or managed in the US can be compelled to disclose the data of their clients stored in data centers abroad, even where it might be contrary to local privacy laws.

As a business, you are obligated to protect your customers’ data under your own privacy policy and any laws which might apply to the markets you serve, such as the EU GDPR or national data protection laws. Under the GDPR, any organization that collects personal data is known as a “data controller”, and European residents with rights under the Regulation are known as “data subjects.” The vendors that you choose to store the data or to provide other services based on it, such as hosting or payment processing, are known as “data processors.” Email and marketing automation providers are classified as “data processors.”

Even though the GDPR doesn’t strictly require that personal data is stored or processed exclusively within the European Economic Area (EEA), it does make controllers responsible for vetting the data protection practices of the processors (and sub-processors) that they contract with outside Europe.

A service which is owned and operated within Europe is more likely to already have practices which are in line with the GDPR. Now that the simplified framework called the EU-US Privacy Shield has been invalidated by the Court of Justice of the European Union (CJEU) in 2020, controllers transferring data outside the EEA, including to the US, must incorporate Standard Contractual Clauses (SCCs) into their Terms of Service. The CJEU found that US law, and the self-certification of US companies under the Privacy Shield, were inadequate to guarantee that Europeans’ privacy rights would be upheld abroad.

Incorporating SCCs can be legally complex, as it puts the onus on European data controllers to verify, through time-consuming and costly Transfer Impact Assessments (TIAs), that a data transfer to a US processor won’t infringe upon European privacy rights. It is hoped that the EU and US will come to a revised agreement in 2023, known as “Privacy Shield 2.0”, to once again simplify the cross-border transfer of data.

With the Autoize™ marketing automation infrastructure for agencies, you and your clients can sidestep many of the issues of contracting with data processors outside the EU/EEA. The solution, based on Mautic open source marketing automation, can be set up on hosting regions wholly within Europe, on European cloud providers. It can also be configured with email delivery services that are in the EU/EEA.

Many European companies prefer to keep their business and customer data within Europe to reduce the administrative burden and legal risks of complying with the GDPR. As a reseller of marketing automation services (and a data processor for your clients), you’ll be able to attract more clients in Europe by highlighting the advantage that your infrastructure is entirely based in Europe.