Archive for February, 2013

SaaS Agreements – Terms and Conditions – Need for an Arbitration Clause

SaaS customers and suppliers entering into business to business (BTB) contracts are increasingly using arbitration clauses in their SaaS agreements to avoid going to court to resolve disputes. If you do not already have an arbitration clause in your SaaS agreement it is worth considering adding one for the following reasons.

Costs of Litigation

Court fees charged by the UK courts for dealing with commercial disputes have been substantially increased in the last few years. In addition to court fees, you will need to pay solicitors and barristers to represent you in court. Legal fees for defending a SaaS dispute can easily run into millions of pounds in a large intellectual property dispute. Also, the English law principle of the “loser pays” will add substantially to the costs of the losing party.


Litigating a dispute is not a fast process. It can take months to prepare a claim before court proceedings are even issued. Following the issuing of the court proceedings, it could then take a couple of years for the SaaS dispute to be decided at trial. Thereafter the parties may be able to dispute the court’s decision, thus making the process even longer, unlike an arbitration decision which is final and can only be disputed in very limited circumstances.


Court proceedings are open to the public (i.e. your competitors) who will have access to details about the operation of your SaaS business, prices and products. Such information is confidential information but may have to be disclosed in litigation. Arbitration proceedings are held in private and details about the existence of the dispute or any of your confidential information revealed in the process can usually remain confidential.

Brussels I Exemption

Currently arbitration proceedings can be delayed, blocked or disputed by one of the parties simply issuing court proceedings in their own courts (due to the application of Regulation (EC) 44/2001 on the jurisdiction and the recognition and enforcement of judgments). Once the Regulation is revised and in force it will specifically exclude arbitration from its scope and the aforementioned tactic will no longer be of any practical use.


Whether or not you decide to include an arbitration clause in your SaaS agreement will depend upon the importance of the above factors to your SaaS business and the types of matters that you envisage being disputed. Also bear in mind that you should carefully consider the type of expert to be used in the arbitration process and how the costs of the arbitrator should be allocated between the parties to the dispute.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:


SaaS Agreements – Data Protection – Changes to BCRs

The Article 29 Working Party, which represents the European data protection authorities (DPAs), recently announced that data processors (i.e. SaaS suppliers) can now use binding corporate rules (BCRs) to transfer personal data outside the European Economic Area (EEA). Previously the use of BCRs was limited to data controllers (i.e. SaaS customers).

What are BCRs?

BCRs are a set of rules adopted within a particular company or corporate group that set out legally binding obligations in relation to data processing within a company or group which cover global data transfers of personal data. BCRs include amongst other matters, details of:

  • data protection policies;
  • commitments to data protection training;
  • data protection audits.

BCRs must be approved by a lead national data protection authority (DPA), typically determined by the location of the European headquarters of a SaaS supplier. Once the lead national DPA approves the BCRs they are then responsible for coordinating approval of the BCRs with all other DPAs across Europe.

Current Use of BCRs

Around 30 organisations currently have BCRs in place (e.g. eBay, BP and American Express).  By extending the use of BCRs to data processors SaaS suppliers may wish to review the possibility of using BCRs particularly in light of the proposed new Data Protection Directive.

Advantages for SaaS Suppliers

Under the Data Protection Act personal data cannot be transferred to countries outside of the EEA, unless the receiving country has adequate protection. To date only, Andorra, Argentina, Australia, Canada, Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay have been deemed “adequate”. Individual companies located in the USA are also accepted as having equivalent protections if they are registered under the Safe Harbor regime. This means that a transfer of data to any other country is not permitted, unless data subjects have given their consent.

The main advantage to SaaS suppliers of using BCRs is that they create a framework under which personal data can be transferred outside of the EEA without the need to negotiate the terms relating to data processing for each SaaS agreement with customers.

If a SaaS supplier has BCRs in place SaaS customers (data controllers) will be able to rely on these BCRs to show that they comply with their duties as a data controller under the Data Protection Act.

Disadvantages for SaaS Suppliers

The major obstacle to the use of BCRs is the time it takes to negotiate and agree their form with the DPAs. Some DPAs still require a permit to be issued before they will allow the transfer of data from that member state. There is also a considerable cost involved in obtaining the approval of the BCRs, as the whole procedure can last a number of years.

Alternatives to BCRs

For the reasons set out above most businesses do not currently use BCRs and choose one of the following options to overcome the obstacles to transferring data outside of the EEA:

  • Safe Harbor arrangement when transferring data to the USA;
  • model contractual clauses with data processors;
  • transfer to a country that is approved by the European Commission as having adequate levels of data protection in place i.e. New Zealand.
  • obtaining specific consent to the transfer from individuals via privacy policies.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:


SaaS Agreements – Data Protection – Recent ICO Fines

The Information Commissioner’s Office (ICO) has started to issue very high fines to a number of companies and individuals, not just for serious breaches of the Data Protection Act (DPA), but also for breaches of the Privacy and Electronic Communications Regulations (PECR). Below is a summary of the recent fines and the reasons for them being imposed.

Tetrus Telecoms – Fined £440K for sending Illegal Spam Text Messages

Tetrus sent unsolicited text messages to individuals whose numbers they had purchased from lists. Once individuals responded to the spam text, their numbers were then sold on to a third party.

In breach of the PECR, Tetrus were found to be transmitting unsolicited marketing messages (including concealing the identity of the sender). The ICO found that Tetrus was in serious, deliberate and informed breach of the PECR due to the:

  • volume of text messages it sent; and
  • the number of complaints received.

In addition a criminal prosecution is being pursued against the two individuals for breaches of the DPA.

Scottish Council – Fined £250k for failing to Manage Outsourcers

A Scottish council hired a third party to electronically archive its paper employee pension records. Over 600 paper files containing Council employees names, addresses, national insurance numbers, salary and bank account details were dumped in a supermarket’s paper recycling bank once the records had been electronically stored.

The Council was fined for breaching the DPA due to its failure to:

  • have a written contract with the outsourcing company governing the scope of the processing activities; and
  • set out its data security requirements.

In particular, the Council failed to have in place proper technical and organisational security measures governing the processing. It also failed to take reasonable steps to ensure compliance of the third party with these obligations. i.e. that the third party would return or destroy the paper documents after digitally archiving them.

Sony – Fined £250K for Security Lapses

The personal data of millions of UK Sony customers (including names, addresses, email addresses, dates of birth and passwords) was stolen when hackers accessed the Sony PlayStation Network Platform.

The ICO found that in breach of the DPA Sony did not have an appropriate standard of security in place to protect the personal data as it had:

  • failed to take appropriate technical measures (such as cryptographic controls to protect passwords) to prevent the loss of vast amounts of personal data; and
  • stored excessive amounts of personal data.

Sony is currently appealing the decision.

Why these Cases are Important

As a SaaS supplier you will be storing and processing personal data on behalf of your SaaS customers. Under the DPA you are a data processor and you must ensure that you comply with your obligations under the DPA. SaaS customers will often require you to indemnify them for breaches of the DPA in your SaaS agreement i.e. you could become directly liable for ICO fines imposed on your SaaS customers.

How to Avoid Fines

Choose a reputable organisation when outsourcing personal data processing i.e. to a hosting centre.

Have a written contract with the SaaS outsourcer which specifies:

  • that appropriate technical and organisational measures are in place to prevent the unauthorised or unlawful processing of personal data and to protect them against accidental loss, destruction or damage; and
  • that your outsourcer is obliged to report any security breaches or other problems to you.

Note that under the new proposed EU Data Protection Directive (which has not yet been finalised) the ICO will be given the authority to impose much higher fines for breaches of the DPA – up to 2% of a company’s turnover.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles:



Bodle Law
Assign a menu in the Left Menu options.
Assign a menu in the Right Menu options.

This website uses cookies. You may not use this website, unless you agree to our use of cookies. For further details about the cookies we use please visit our Cookie Policy

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.