Archive for August, 2013

SaaS Agreements – Data Protection – Advantages of Hosting in Switzerland

SaaS suppliers are increasingly using data centres located in Switzerland to host SaaS software and store customer data. In light of recent media revelations about “prism” and the already existing concerns over access to customer data under the Patriot Act and FISA this could be an increasing trend. The advantages of hosting SaaS data in Switzerland are summarised below.

Why Switzerland?

Switzerland is often viewed internationally as representing the following values – stability, neutrality, discretion and trustworthiness based on its banking history. For this reason Swiss law is often accepted by non-European customers in international agreements when there is a disagreement about which law or arbitration rules should apply to the contract.

Confidentiality

Currently many global SaaS suppliers use data centres located in the USA. However, when dealing with European customers, SaaS suppliers often encounter problems with customers raising concerns about the application of:

  • the Patriot Act, a US law which permits US authorities to access EU customer data stored in the USA or EU customer data stored outside of the US where there is a US parent company such as Microsoft; and
  • FISA which allows the US government to access and monitor the personal data of non-US citizens held by US public cloud providers such as Amazon or Google.

An additional benefit of using a Swiss data centre is that generally data stored in Switzerland is not traceable to a named person, but only to a number.

Safe Harbor not Adequate

SaaS customers and data protection authorities, particularly in Germany, are raising concerns about the adequacy of the Safe Harbor status of US companies. It is often claimed that Safe Harbor certification is little more than a paper exercise which in practice does not comply with European levels of data protection.

Compliance with EU Data Protection Laws

An added advantage of using Swiss data centres is that Switzerland is accepted by the EU as having equivalent protection to EU data protection laws. Therefore no additional consents are required from SaaS customers to enable data to be stored and processed in Switzerland.

Language

Although English is not one of the official languages of Switzerland, it is widely spoken and is the language of preference for business transactions. In addition, French, German and Italian are official languages, providing the added bonus that SaaS suppliers are able to request hosting services in any, or all, of the four languages. This makes Switzerland very attractive to global companies that are often wary of hosting outside of their own territory due to language barriers.

Summary

Under the provisions of the US Patriot Act and FISA, the personal data of SaaS customers based in the EU must be shared with US law enforcers without the customer being informed, even though this conflicts with EU data protection law.

By using a data centre located in Switzerland a SaaS supplier can process and store customer data in compliance with EU data protection rules, provided that the hosting company located in Switzerland is not owned by a US parent company.

For the above reasons some well-known global companies such as Swift, Yahoo and Hewlett Packard have in recent years relocated their hosting services to Switzerland.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


______________________________________________________


SaaS Agreements – FAQs – Prism

In light of recent and ongoing “prism” revelations, SaaS suppliers are having to deal with numerous queries about the safety of SaaS customer data. Many customers mistakenly believe that by using a non-US data centre their SaaS customer data is protected against disclosure to the US authorities. Below is a summary of the relevant laws and most common concerns being raised by SaaS customers.

What is Prism?

“Prism” refers to the National Security Agency (NSA) secretly accessing personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and some other major US public companies.

Prism, FISA and the Patriot Act

Prism is not the only problem. The US government has been secretly accessing SaaS customer data for years under the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act. Prism is just one part of the whole range of tools being used by the US to access the SaaS data of EU citizens.

What is FISA?

FISA allows the US government to access and monitor the personal data of non-US citizens (located outside of the USA) held by US public cloud providers. Public cloud providers such as Amazon and Google must secretly provide all assistance, facilities and information requested by the government if it requests access to SaaS customer data. The public cloud provider is not allowed to inform the SaaS supplier that it has disclosed or been asked to disclose personal data, nor that the data is being monitored.

The Patriot Act

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS supplier using the services of a US company (i.e. a US data centre).

Safe Harbor

Safe Harbor does not protect SaaS customer data against secret access by the US authorities. Safe Harbor simply means that a US company registered under the “Safe Harbor” scheme is deemed to have data protection principles in place which are accepted in the EU as being adequate. This merely allows SaaS customer data to be legally transferred outside of the EU, i.e. to be processed in a US data centre.

Summary

Many SaaS customers mistakenly believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. Under the Patriot Act, FISA (and “prism” where applicable) the personal data of SaaS customers based in the EU must be shared with US law enforcers without the customer being informed, even though this conflicts with the EU Data Protection Directive and the data protection laws of the 28 EU member states.

Local EU data protection authorities and EU member state governments are currently investigating how to resolve this conflict, for example by adding provisions preventing disclosure in the draft proposed EU data protection regulation. While the position remains unresolved, SaaS suppliers should be considering how to minimise the risk this poses to their business model, whilst assuring SaaS customers that their concerns are being addressed.
