Bodle Law

Website Legal Requirements – Cookies – New Guidelines

admin — Mon, 14 May 2012 09:00:18 +0000

From the 26th of May 2012 the UK Information Commissioners Office (ICO) will start prosecuting companies for breaches of the Privacy and Electronic Communications (Amendment) Regulations. These set out the obligations of website operators to provide users with information about cookies and obtain their consent when using cookies. Failure to comply with the rules can result in a fine of up to £500,000.

What is a Cookie?

Cookies are small text files placed on a user’s computer which record online activity. The majority of websites use cookies to measure visits and the use of websites (analytics cookies). Cookies are often also used to save user names, passwords and user preferences to make repeated use of a website more comfortable for the user. However, increasingly cookies are being used to collect information about users for the purposes of targeted marketing.

The New Rules

The new rules apply to the use of all cookies or similar technologies for storing information such as flash cookies, web beacons or bugs. No distinction is made between different types of cookies in the rules. They apply to both session and persistent cookies and first party and third party cookies.

Consent

Consent must be freely given, specific and informed, unless the cookie is ‘necessary’ for the delivery of the service, for example, where the cookie takes the user from a product page to a payment page. This generally means that a user needs to “opt in” to the use of cookies.

The more specific the consent is the less likely it is that you will be in breach of the rule. For example, if you obtain consent before the cookie is set you will have specific consent. If you rely on implied consent you will need to show that the user has taken some positive action to imply consent. The UK Chamber of Commerce has provided some suggested wording for use on websites.

Cookie Information

Clear and comprehensive information about the type of cookies being used and the purposes for which these are being set must be provided. The UK Chamber of Commerce suggests categorising cookies into 4 groups – strictly necessary, performance, functionality and targeting/ or advertising cookies.

Who do the Rules Apply to?

The Regulations do not define who is responsible for complying with the rules so primarily it is the person/company setting the cookie. Where third party cookies are used both parties will have a responsibility for ensuring users are clearly informed about cookies and for obtaining consent.

Organisations based in the UK will be subject to the rules even if their website is hosted outside of the UK. If organisations are based outside of the EU but their websites are designed or products and/or services are directed at EU customers they should provide information and choices about cookies that comply with the rules.

Guidance on How to Comply with the New Rules

The ICO has issued non-binding guidance suggesting ways in which consent to the setting of cookies can be obtained and the International Chamber of Commerce (ICC) UK’s guidance also suggests various methods for complying with the notice requirements. A summary of these suggestions and some examples from the guides have been set out below.

Terms and Conditions: When users sign-up for using a website, consent to the use of cookies should be obtained on registration, specifically or by reference to a privacy policy, cookie policy or terms and conditions. This does not however cover the problem of obtaining consent from existing users.
Banners /Footers: Where websites have cookies built into the landing page the use of cookies should be highlighted in a prominent place on the landing page i.e. via a banner – as on the ICO home page, or in a footer or information box – as on the bt.com website.
Pop-ups: Each time a cookie is to be set a pop-up will inform the user. By continuing to use the website, the user will be deemed to have consented to the cookie. However in practice, these are not a very practical solution, particularly where numerous cookies are used.
Settings /Features: Where users can choose preferences when using a website for example via the use of videos that remember how users personalise their interaction, these settings/feature could be used to obtain consent.

Additionally, the Internet Advertising Bureau Europe (IAB) has developed a voluntary code using the display of an icon on a website whenever an advert tracks a users’ behaviour. By clicking on the icon the user can switch off behavioural adverts. However this only apples to the adverts of companies who are members of the scheme.

How to Avoid Fines

Despite the impending May deadline, many companies have not taken any action to amend their websites and are simply waiting to see what happens. In light of the guidance from the ICO this is not advisable.

You should be carrying out a cookie audit, if you have not already done so to review the use of cookies on your website. You will need to assess what type of cookies you use, how long they are being used and remove any redundant or unnecessary cookies.

Thereafter you should update the information you provide about cookies in your privacy policy or create a separate cookie policy, ensuring that this information is easy to find on your website. You need to state the type of cookies you use, why you use them and how users can opt out of you using such cookies.

You also need to review the steps that you take to obtain consent to any cookies you use. How and when the consent is obtained. Is it implied, or specific. Also do not forget to provide information about any third party cookies that are placed and provide links to information about these that third parties may provide.

Enforcement by the ICO

From 26^th May 2012 you must comply with the new rules and the ICO will start taking formal action. The ICO has stated that they will be selective. For example, they have clearly indicated that they are unlikely to prosecute companies who only use analytic cookies and will concentrate on websites where no steps have been taken towards collecting consent or where particularly intrusive cookies are used.

Help

Irene Bodle is an IT lawyer specialising in Internet Law and SaaS Agreements with over 10 years experience in the IT sector. If you require assistance with any Internet Law, SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – The UK Patriot Act

admin — Mon, 30 Apr 2012 09:00:49 +0000

Recently SaaS suppliers have seen a marked increase in EU customers raising concerns about disclosure of their data to US law enforcement authorities under the Patriot Act – an American anti-terrorism law – particularly where the SaaS supplier has a parent company in the USA or data is being hosted or processed in the USA. Now to add to your problems, the UK Government plans to introduce its own “Patriot Act” type law in the near future.

Proposed Increase in E-Mail and Web Monitoring in the UK

According to the BBC and Guardian websites, a controversial new English law is expected to be announced in the Queen’s speech on the 9^th of May. The proposed new law will allow the UK police and security services to access the Web and Internet phone traffic of all UK residents. This will include access to all phone calls (made via the Internet), emails, social media exchanges and website visits.

Information that may be Disclosed

The proposals will grant UK police and security services the right to see:

the time of a call, email, or website visit;
the duration of the call or visit;
which websites or phone numbers were called; and
details of the sender and recipient of emails, such as IP addresses;

without any need for first obtaining a court warrant.

If a warrant is obtained, then the content of such messages will also be disclosed upon request.

Justifications for the New Law

The proposed legislation will loosen the existing surveillance arrangements set out in the Regulation of Investigatory Powers Act. The Government claims these new rights are needed to give the police and security services extended powers to enable them to investigate serious crime and terrorism. The same argument used in the USA prior to the introduction of the Patriot Act. The new law will in effect give the UK police and security services rights very similar to those granted to US authorities under the Patriot Act.

Problem for SaaS Suppliers

If this proposed new law is adopted, UK based SaaS suppliers will face increased difficulties in:

persuading customers to move across from more traditional suppliers to the SaaS model; and
allying customer concerns about the security and confidentiality of data.

Previous problems raised by SaaS customers over the application of the Patriot Act will fade into insignificance in comparison with these new UK rights.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Patriot Act – Renewed Customer Concerns

admin — Mon, 16 Apr 2012 09:00:39 +0000

High Profile Cases

Microsoft recently admitted that United States law enforcement authorities can access their European customer data without having to obtain a court order, ask for consent or even inform data subjects of the disclosure under the terms of the Patriot Act. To add to SaaS suppliers worries it is believed that BAE recently withdrew from contract negations for a Microsoft SaaS product due to fears that defence secrets could be accessed by the US authorities under the Act.

The recent publication of the new proposed EU data protection regulation has also added to customer fears that data is not safe from disclosure under the Patriot Act. The new regulation attempts to counter the application of the US Patriot Act by stating that non-EU companies will have to comply with EU data protection rules when accessing EU citizen data.

The Patriot Act v European Data Protection Laws

The provisions of the Patriot Act conflict directly with English and EU data protection laws.

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing their customers that they have had to hand over their personal data.

Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without a data subject’s consent or knowledge.

Therefore if a EU company is faced with a Patriot Act disclosure request it is impossible to comply with both the US law and the EU company’s local data protection laws. In practice the US law usually prevails. Some of the largest global software and search engine companies have admitted that EU customer data has already been disclosed by them as a consequence of requests under the Patriot Act.

The Cloud is not the Problem

SaaS customers often falsely believe that their data is not safe from disclosure due to the cross-border nature of cloud computing. However this problem applies to all data whether or not it is stored or processed in a SaaS model. Most countries (the UK, France, Spain and Belgium to name a few) have laws similar to the Patriot Act that all, not just SaaS suppliers must comply with i.e. in the UK the Regulation of Investigatory Powers Act 2000 (RIPA) requires disclosure of the content of communications to police forces.

Also data stored or processed anywhere outside of the EEA, in a country which does not have equivalent protection will be subject to all local disclosure laws i.e. in China and India, and such local laws may be less restrictive than the Patriot Act with regard to the type of data that must be disclosed.

In any event, regardless of whether or not the Patriot Act applies to customer data, the US authorities can access customer data even when it is hosted outside of the USA and there is no company presence in the USA under Mutual Assistance Legal Treaties (MLAT)

Assessing the Actual Risk of Disclosure

SaaS customer concerns about the Patriot Act are valid but these must be considered in light of:

The type of data covered by a request for disclosure under the Patriot Act;
The likelihood of the customer data ever being requested; and
The fact that customer data is already subject to similar disclosure obligations to the UK government and foreign governments under other existing laws.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

SaaS Agreements – FAQs – Hosting

admin — Mon, 02 Apr 2012 08:30:46 +0000

When negotiating a SaaS agreement you may come across the term hosting. What is hosting and is a hosting agreement necessary?

SaaS and Hosting

Under the terms of your SaaS agreement you will be storing, processing and publishing customer content and data on the Internet using servers located and operated at the data centre of a third party. The third party operating the servers is known as a hosting provider. The hosting services are provided from a data centre owned and operated by the hosting provider.

Usually the hosting provider owns and maintains the servers in the data centre, however increasingly it is becoming more common for SaaS suppliers to rent “space” in a data centre and then store and maintain their own servers there.

The type, scope and specific nature of the hosting services to be supplied by the hosting provider will be set out in a hosting agreement.

Hosting Agreement

The hosting agreement specifies:

the scope, type and nature of the hosting services being provided to the SaaS supplier; and
the terms on which the SaaS software, content and customer data will be stored on behalf of the SaaS supplier.

The agreement is entered into between the SaaS supplier and the hosting provider.

As the customer has no agreement with the hosting provider it is essential that the relevant terms of the hosting agreement are reflected in the service level agreement (SLA) between the SaaS supplier and the customer, as hosting problems could have a critical impact on the customer’s business.

Negotiating a Hosting Agreement

Hosting providers are usually large telecoms or Internet service providers (ISPs). They use standard terms and conditions which are usually non-negotiable and very favourable to them. However, depending upon your bargaining power it may be possible to individually negotiate some terms of the hosting agreement for example, service credits, availability, liability and exclusions.

Dedicated or Shared Services

Depending on the price paid for the hosting services and the industry sector in which your customers operate, you may need “dedicated” rather than “shared” hosting services. Dedicated hosting services involve the storage of each individual customer’s website and content on a single server. If you decide to use a shared hosting option the content and websites of multiple customers will be stored on the same server.

Most SaaS suppliers use shared servers, where this is acceptable to customers, as hosting on dedicated servers is more expensive.

Location of the Data Centre

The physical location of the data centre used by your hosting provider is very important to SaaS customers. Due to ever increasing and evolving security and data protection laws, rules and guidelines, it is essential that you consider:

the needs and requirements of your customers;
your long term business expansion plans;
relevant data protection laws; and
the physical location of your customers;

when selecting your hosting provider.

If you decide to use a hosting provider with servers located outside of the UK for a UK government customer, even if the hosting provider itself is located within the UK you will encounter serious issues. Conversely, if you decide to use a hosting provider with servers located in the UK for a German customer, you will also encounter problems.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – SaaS, PaaS, IaaS – Is There a Difference?

admin — Thu, 22 Mar 2012 09:30:53 +0000

Cloud computing services comprise of – Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS). These terms are commonly used to describe the different levels and combinations of services which are together commonly referred to as “cloud computing”.

SaaS – Software as a Service

Sometimes referred to as “software on-demand”, SaaS is a software delivery model in which software and data are hosted centrally and accessed using a web browser via the Internet.

Examples of common SaaS applications are:

email accounts such as Hotmail or Google;
CRM (customer relationship management) systems such as Salesforce;
HCM (human capital management or talent management) systems.

Important features of SaaS are that:

customer data can be added to the software application;
the software application can be accessed without the need to use additional hardware or software;
data and the software application are hosted centrally.

PaaS – Platform as a Service

PaaS provides developers with a platform to write and create their own SaaS application. PaaS provides developers with the necessary tools to create, test, host and maintain the applications they have created. This alleviates the need for developers to buy and maintain the underlying hardware, software and hosting facilities for their SaaS applications.

The most well known PaaS is Facebook.

Within the classic layered structure of cloud computing PaaS forms the middle layer sitting between between SaaS at the top and IaaS at the bottom.

Important features of PaaS are:

application hosting, development, testing and deployment environment;
other integrated services such as database integration, security and storage.

IaaS – Infrastructure as a Service

Sometimes referred to as “hardware as a service”, IaaS is an outsourcing model under which users rent equipment accessed via the Internet to support their operations.

One of the most well known forms of IaaS is Amazon.com, which provides the computing power behind many major online services, for example Foursquare.

The IaaS supplier owns all equipment and is responsible for housing, running and maintaining the equipment. The user simply pays a usage rental fee for accessing the outsourced services via the Internet.

Summary

SaaS is a software distribution model in which a third party hosts and makes software applications available to end users via the Internet. PaaS is a framework for delivering operating systems and associated services via the Internet, which does not involve any software downloads or installation. IaaS is a form of equipment outsourcing via the Internet used to support a company’s operations.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – New Proposed EU Rules – Part 2

admin — Mon, 12 Mar 2012 09:30:59 +0000

On the 25^th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. Following on from my first article – part 1, I have summarised the remainder of the major changes this will make to EU data protection law below and how this will effect SaaS suppliers and customers.

Data Protection Officer

An independent data protection officer must be appointed by public authorities and businesses with 250 or more employees or businesses whose core activities involve processing operations which require regular and systematic monitoring. The data protection officer must maintain an internal register which the DPA has the right to inspect.

Data Controller

Stricter express duties will be imposed on data controllers. For example they must:

maintain documents regarding all processing;
implement specific data security requirements;
perform data processing impact assessments; and
obtain prior authorisation for certain processing activities.

Data Processor

The obligations and duties of data processors will be more specifically defined. For example they should:

only employ staff who have given confidentiality undertakings or commitments;
obtain the permission of the data controller before employing a sub-processor;
ensure that security measures are implemented; and
maintain documentation of all processing operations.

Consent

Explicit consent must be obtained from data subjects by SaaS customers. It will not be acceptable for customers to assume consent from a data subject’s silence or inactivity or through generic terms and conditions. Consent must be given by a data subject in a clear statement or via an affirmative action (i.e. ticking a consent box when visiting a website). The data subject must have the right to withdraw consent at any time.

There is an additional requirement that explicit parental consent must be given when processing the data of a child under the age of 13.

Right to be Forgotten

Data subjects will have the right to be forgotten. This will allow individuals to have all personal data that a SaaS supplier holds on them deleted. This will include all photos and any public links to, or copies of, personal data that can be found on the Internet, for example in social networks or via search engines. SaaS suppliers will be required to permanently delete the individual’s data unless there are legitimate grounds for retaining it.

Right to Copy of Personal Data

In certain circumstances individuals will be able to obtain a copy of their personal data. They will also have the right to have their data transferred automatically between SaaS suppliers, for example from one social network to another. This means that SaaS suppliers will need to implement data exporting tools to enable users to download their data and move it to another provider.

When will the Rules Change

The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, probably in about 3 years time. The rules will introduce significant and onerous new obligations upon SaaS suppliers, who will need to implement time consuming measures to ensure compliance, in order to avoid the risks of facing substantial fines.

Preparing for Change

Although the proposals could be substantially amended before they are approved, it is advisable that businesses start to prepare for the proposed changes now. For example by appointing a data protection officer (where appropriate), devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Data Protection – New Proposed EU Rules – Part 1

admin — Fri, 02 Mar 2012 09:30:33 +0000

On the 25^th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. I have summarised the major changes this will make to EU data protection law in two articles, part 1 of which is set out below and how this will effect SAAS suppliers and customers.

Data Protection Authority

Currently each EU country has its own data protection agency which enforces that country’s law. Processing of personal data by businesses established in more than one EU country will in the future be monitored by one single data processing authority (DPA) – the “lead authority”. Generally the lead authority will be the DPA of the country where the business has its main establishment.

The main establishment of a business will be determined according to objective criteria, such as where the central administration of a business is located i.e. the headquarters where management decisions are usually made. However, individuals located in other EU countries, will still be able to refer privacy complaints to their local supervisory DPA.

One EU-wide Data Protection Law

If the Regulation is adopted, there will be one EU data protection law that SaaS suppliers will need to comply with. The new rules will apply throughout the EU and SaaS suppliers established in more than one EU country will no longer need to cope with the national rules of each relevant EU country. In the long term this means that current local data protection provisions – mainly exemptions that have been introduced by EU countries for national reasons – would disappear.

Non-EU Companies

The new data protection rules will also apply to non-EU based businesses who offer their goods or services to EU customers based in the EU (or who monitor their behaviour). For example a US company with a subsidiary in the EU will be required to comply with the new EU data protection law as well as their own local US laws.

There are exceptions where the data controller (SaaS customer) is established in a country outside the EEA that ensures an adequate level of protection (for example a business registered under the Safe Harbor scheme in the USA), or if the data controller acts for a small or medium sized business or public authority.

Penalties for Breaches

A breach of the new data protection rules could result in a fine of up to €1 million or 2% of the global annual turnover of a company. Fines will be imposed by the DPA. Currently the maximum fine in the UK for a breach of data protection law is £500,000.

Notification

Serious data protection breaches must be notified to both the DPA and data subjects, although it is not clear whether the lead authority or the company itself will be obliged to inform the public of data protection breaches.

Notification should be without undue delay and, where feasible, within 24 hours. Companies will need to have adequate procedures in place to deal with these new requirements and it may be worth considering purchasing obtaining cyber risk insurance.

When will the Rules Change

The draft Regulation must be approved by all EU countries and the European Parliament before it comes into effect, possibly in about 3 years time. The rules will introduce significant and onerous new obligations upon SaaS suppliers and customers, who will need to implement time consuming measures to ensure compliance, in order to avoid the risks of facing substantial fines.

Preparing for Change

Although the proposals could be substantially amended before they are approved, it is advisable that SaaS suppliers and customers start to prepare for the proposed changes. For example, by devising a documentation system for recording data processing activities, reviewing how consent is obtained from data subjects and revising all data processing agreements.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles:

SaaS Agreements – Liability – Online Comments

admin — Sun, 19 Feb 2012 10:00:55 +0000

New proposed UK defamation laws recommend that web hosts (SaaS suppliers) and ISPs (internet service providers) should be allowed to keep allegedly defamatory comments online, as long as the author of the comment is identified and a notice of complaint is published next to the comment.

Current Law and Liability

Currently web hosts and ISPs must immediately remove online comments upon gaining actual knowledge that the comments are defamatory. Failure to remove defamatory comments exposes the web host/ISP to a claim for damages for defamation. Actual knowledge is deemed to occur once the web host/ISP is informed that the comments are defamatory or the web host/ISP moderates comments on the website.

Under the E-Commerce Regulations SaaS suppliers are usually exempt from liability for defamation if they merely act as conduit or cache or host material, provided that they:

do not initiate the transmission of defamatory comments;
do not select who receives the comments; or
do not select or modify information in the transmission of the comments.

New Proposed Rules

Currently most web hosts/ISPs do not moderate comments or content on websites in order to take advantage of the exclusion set out above. Thus they avoid having “actual knowledge” of any defamatory comments on websites that they host.

The proposed change to defamation laws aims to incentivize web hosts and ISPs to moderate comments and/or content. SaaS suppliers should comply with the rules set out below taking into account the new distinction between anonymous and identified author comments.

Anonymous Comments

Upon receipt of a complaint a SaaS supplier should immediately taken down anonymous comments unless;

the SaaS supplier believes that it is in the public interest for the material to remain on the website i.e. whistle blowing; or
the author promptly responds positively to a request to identify themselves, then a notice of complaint should be posted.

Identified Author Comments

Upon receipt of a complaint a SaaS supplier should;

publish a complaint notice beside the comment; and
then have a judge decide whether or not the comment should be removed.

Avoiding Liability

If a SaaS supplier complies with the above rules they should not be liable for online comments. However, if the SaaS supplier fails to comply with the above, they could be sued as publisher of the content or comment along with the anonymous author – who may not be identifiable.

Regardless of whether or not the proposed changes are implemented, SaaS suppliers should always include a clause in their SaaS agreement permitting them to remove content from customer websites they are hosting in order to enable them to minimise the risks of being pursued for a defamation claim.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Distributor or Agent?">Other related articles:

SaaS Agreements – Software – Copyright Protection

admin — Fri, 10 Feb 2012 10:00:01 +0000

SaaS Software with the same functionality can co-exist without there being an infringement of copyright, following the recent opinion of the Advocate General in SAS Institute and World Programming Ltd. The Advocate General advised that it is the methods used to create the means for the software to carry out its functions, not the functions of the software and the programming language which can be protected by copyright.

What is Copyright?

Copyright is the right to stop others from copying works without permission. Copyright in SaaS software derives from the software being an original literary work. Copyright protects the expressions of ideas in the SaaS software NOT the ideas themselves.

SAS Institute and World Programming Ltd

The High court referred this case to the European Court of Justice (ECJ). World Programming Ltd was accused of infringing copyrights in SAS Institute software as a result of using information contained in the SAS Institute manuals (not the source code) to develop rival software. SAS Institute argued that the functions of its software were copyright protected pursuant to the Computer Programs Directive. This Directive protects copyright in the expression in any form of a computer programme. It does not however cover ideas and principles which underlie any element of a computer programme, including those which underlie a computer programme interfaces.

Are Software Functionalities Protected by Copyright?

The Advocate General ruled that the functionalities of software are simply “the service which the user expects” from the computer programme. For example, when using software to book an airline ticket the functionalities of the booking process will be the same regardless of which company’s software you use. Such services cannot be protected by copyright. However, what can be protected by copyright, is the means by which the functionalities are achieved as this reflects the author’s own intellectual creation. Protection will depend upon the degree of originality in the writing of the software.

This is not the end of the matter, as the ECJ still has to make a ruling on this case. However the ECJ usually follows the opinion of the Advocate General. In which case, the ability of SaaS software suppliers to prevent the functionality of their software being replicated in the future will be limited, if it is not the SaaS software source code that is replicated.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

SaaS Agreement - Distributor or Agent?">Other related articles:

SaaS Agreements – Data Protection – Data Stored in the USA

admin — Wed, 01 Feb 2012 09:50:23 +0000

SaaS suppliers who use data centres physically located in the USA to store or process data should be aware of a recent US Court of Appeals ruling that the Electronic Communications Privacy Act (ECPA) – an American law – protects the data of non-USA citizens when their data is stored on servers in the USA.

Suzlon Energy Ltd

A Korean firm, Suzlon Energy Ltd, applied for a court order for Microsoft to disclose email documents belonging to an Indian citizen which were stored on a server used by Microsoft which was located in the USA. Suzlon argued that the emails should be disclosed as part of a litigation process because the privacy protections of the ECPA only applied to the data of US citizens.

The US court determined that the ECPA covered “any person” and not just a US citizen. Part of the reason for this was the impracticality of expecting Microsoft to assess whether or not its account holders were US citizens, when receiving a disclosure request. The court decided that the ECPA applied to any data stored in the USA, regardless of the citizenship of the owner of the data.

Increased Protection for EU Customer Data?

Following this decision any SaaS customer data stored in the USA will be protected by the provisions of the ECPA, regardless of the citizenship of the data owner and must not be disclosed as part of a US litigation process. This decision may help to alleviate some of the concerns being raised by SaaS customers in Europe about the inadequacy of data protection provisions in the USA. However, if the server on which the SaaS customer’s data is stored is physically located outside of the USA the data will not be protected by the ECPA.

On a practical level, SaaS suppliers will need to know exactly where each customer’s data is geographically stored in order to correctly respond to disclosure requests and to determine whether or not such a request can be rejected under the provisions of the ECPA.

Help

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles: