Archive for April, 2012

SaaS Agreements – Data Protection – The UK Patriot Act

Recently SaaS suppliers have seen a marked increase in EU customers raising concerns about disclosure of their data to US law enforcement authorities under the Patriot Act – an American anti-terrorism law – particularly where the SaaS supplier has a parent company in the USA or data is being hosted or processed in the USA. Now, to add to your problems, the UK Government plans to introduce its own “Patriot Act” type law in the near future.

Proposed Increase in E-Mail and Web Monitoring in the UK

According to the BBC and Guardian websites, a controversial new English law is expected to be announced in the Queen’s speech on the 9th of May. The proposed new law will allow the UK police and security services to access the Web and Internet phone traffic of all UK residents. This will include access to all phone calls (made via the Internet), emails, social media exchanges and website visits.

Information that may be Disclosed

The proposals will grant UK police and security services the right to see:

  • the time of a call, email, or website visit;
  • the duration of the call or visit;
  • which websites or phone numbers were called; and
  • details of the sender and recipient of emails, such as IP addresses;

without any need for first obtaining a court warrant.

If a warrant is obtained, then the content of such messages will also be disclosed upon request.

Justifications for the New Law

The proposed legislation will loosen the existing surveillance arrangements set out in the Regulation of Investigatory Powers Act. The Government claims these new rights are needed to give the police and security services extended powers to enable them to investigate serious crime and terrorism. This is the same argument that was used in the USA prior to the introduction of the Patriot Act. The new law will in effect give the UK police and security services rights very similar to those granted to US authorities under the Patriot Act.

Problem for SaaS Suppliers

If this proposed new law is adopted, UK based SaaS suppliers will face increased difficulties in:

  • persuading customers to move across from more traditional suppliers to the SaaS model; and
  • allaying customer concerns about the security and confidentiality of data.

Previous problems raised by SaaS customers over the application of the Patriot Act will fade into insignificance in comparison with these new UK rights.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


SaaS Agreements – Patriot Act – Renewed Customer Concerns

Recently SaaS suppliers have seen a marked increase in EU customers raising concerns about disclosure of their data to US law enforcement authorities under the Patriot Act – an American anti-terrorism law – particularly where the SaaS supplier has a parent company in the USA or data is being hosted or processed in the USA.

High Profile Cases

Microsoft recently admitted that United States law enforcement authorities can access their European customer data without having to obtain a court order, ask for consent or even inform data subjects of the disclosure under the terms of the Patriot Act. To add to SaaS suppliers’ worries, it is believed that BAE recently withdrew from contract negotiations for a Microsoft SaaS product due to fears that defence secrets could be accessed by the US authorities under the Act.

The recent publication of the new proposed EU data protection regulation has also added to customer fears that data is not safe from disclosure under the Patriot Act. The new regulation attempts to counter the application of the US Patriot Act by stating that non-EU companies will have to comply with EU data protection rules when accessing EU citizen data.

The Patriot Act v European Data Protection Laws

The provisions of the Patriot Act conflict directly with English and EU data protection laws.

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing their customers that they have had to hand over their personal data.

Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without a data subject’s consent or knowledge.

Therefore, if an EU company is faced with a Patriot Act disclosure request it is impossible to comply with both the US law and the EU company’s local data protection laws. In practice the US law usually prevails. Some of the largest global software and search engine companies have admitted that EU customer data has already been disclosed by them as a consequence of requests under the Patriot Act.

The Cloud is not the Problem

SaaS customers often falsely believe that their data is not safe from disclosure due to the cross-border nature of cloud computing. However, this problem applies to all data, whether or not it is stored or processed in a SaaS model. Most countries (the UK, France, Spain and Belgium to name a few) have laws similar to the Patriot Act that everyone, not just SaaS suppliers, must comply with. For example, in the UK the Regulation of Investigatory Powers Act 2000 (RIPA) requires disclosure of the content of communications to police forces.

Also, data stored or processed anywhere outside of the EEA, in a country which does not have equivalent protection, will be subject to all local disclosure laws, for example in China and India, and such local laws may be less restrictive than the Patriot Act with regard to the type of data that must be disclosed.

In any event, regardless of whether or not the Patriot Act applies to customer data, the US authorities can access customer data even when it is hosted outside of the USA and there is no company presence in the USA, under mutual legal assistance treaties (MLATs).

Assessing the Actual Risk of Disclosure

SaaS customer concerns about the Patriot Act are valid but these must be considered in light of:

  • The type of data covered by a request for disclosure under the Patriot Act;
  • The likelihood of the customer data ever being requested; and
  • The fact that customer data is already subject to similar disclosure obligations to the UK government and foreign governments under other existing laws.


SaaS Agreements – FAQs – Hosting

When negotiating a SaaS agreement you may come across the term hosting. What is hosting and is a hosting agreement necessary?

SaaS and Hosting

Under the terms of your SaaS agreement you will be storing, processing and publishing customer content and data on the Internet using servers located and operated at the data centre of a third party. The third party operating the servers is known as a hosting provider. The hosting services are provided from a data centre owned and operated by the hosting provider.

Usually the hosting provider owns and maintains the servers in the data centre; however, it is becoming increasingly common for SaaS suppliers to rent “space” in a data centre and then store and maintain their own servers there.

The type, scope and specific nature of the hosting services to be supplied by the hosting provider will be set out in a hosting agreement.

Hosting Agreement

The hosting agreement specifies:

  • the scope, type and nature of the hosting services being provided to the SaaS supplier; and
  • the terms on which the SaaS software, content and customer data will be stored on behalf of the SaaS supplier.

The agreement is entered into between the SaaS supplier and the hosting provider.

As the customer has no agreement with the hosting provider it is essential that the relevant terms of the hosting agreement are reflected in the service level agreement (SLA) between the SaaS supplier and the customer, as hosting problems could have a critical impact on the customer’s business.

Negotiating a Hosting Agreement

Hosting providers are usually large telecoms or Internet service providers (ISPs). They use standard terms and conditions which are usually non-negotiable and very favourable to them. However, depending upon your bargaining power it may be possible to individually negotiate some terms of the hosting agreement, for example service credits, availability, liability and exclusions.

Dedicated or Shared Services

Depending on the price paid for the hosting services and the industry sector in which your customers operate, you may need “dedicated” rather than “shared” hosting services. Dedicated hosting services involve the storage of each individual customer’s website and content on a single server. If you decide to use a shared hosting option the content and websites of multiple customers will be stored on the same server.

Most SaaS suppliers use shared servers, where this is acceptable to customers, as hosting on dedicated servers is more expensive.

Location of the Data Centre

The physical location of the data centre used by your hosting provider is very important to SaaS customers. Due to ever-increasing and evolving security and data protection laws, rules and guidelines, it is essential that you consider:

  • the needs and requirements of your customers;
  • your long term business expansion plans;
  • relevant data protection laws; and
  • the physical location of your customers;

when selecting your hosting provider.

If you decide to use a hosting provider with servers located outside of the UK for a UK government customer, even if the hosting provider itself is located within the UK, you will encounter serious issues. Conversely, if you decide to use a hosting provider with servers located in the UK for a German customer, you will also encounter problems.
