Archive for May, 2014

SaaS Agreements – Data Protection – Microsoft must disclose data on EU server

Many SaaS customers falsely believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. This is incorrect. The recent US court ruling against Microsoft has confirmed the position, namely that SaaS suppliers and SaaS customers who use data centres located in the EU, owned by US companies, cannot prevent US authorities from accessing their data.

Microsoft Case

In April this year a New York court ruled that Microsoft must reveal email data stored on its servers at its Irish data centre. Microsoft received a search warrant issued pursuant to the Stored Communications Act (SCA) requiring them to disclose the data. Under the SCA a US company is obliged to produce information in its possession, custody, or control regardless of the location of that information.

Microsoft currently offers SaaS customers the option of storing all data at its data centre in Ireland, in an attempt to address valid EU customer concerns about the ability of the US authorities to access their data and in an attempt to comply with EU data protection laws. However this recent court decision undermines the effectiveness of this option, as following this decision it is clear that US authorities can access data located outside of the US.

Microsoft plans to challenge the court decision but regardless of the final outcome of this case, US authorities will still be able to access data stored in the EU using other US laws.

Prism, FISA and the Patriot Act

Ignoring the issue of “Prism” the US government can secretly access SaaS customer stored in the EU under the Foreign Intelligence Security Act (FISA) and the Patriot Act.

What is FISA?

FISA allows the US government to access and monitor the personal data of non-US citizens (located outside of the USA) held by US public cloud providers. Public cloud providers such as Amazon and Google must secretly provide all assistance, facilities and information requested by the government if they request access to SaaS customer data. The public entity is not allowed to inform the SaaS supplier that it has disclosed or been asked to disclose personal data, nor that the data is being monitored.

The Patriot Act

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS suppliers using the services of a US company i.e. a US data centre.


Under the SCA, Patriot Act, FISA (and “prism” where applicable) the personal data of SaaS customers based in the EU must be shared with US law enforcers without the SaaS customer being informed, even though this conflicts with the provisions of the EU Data Protection Directive and the data protection laws of the 28 EU member states.

Local EU data protection authorities and EU member state governments are currently investigating how to resolve this conflict, for example by adding provisions preventing disclosure in the draft proposed EU data protection regulation. While the position remains unresolved, SaaS suppliers should be considering how to minimise the risk this poses to their business model, whilst assuring SaaS customers that their concerns are being addressed.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.

To register for my newsletter click here


Other related articles:

SaaS Agreements – Data Protection – BYOD

Employees are increasingly using their privately owned devices (i.e. Ipads, tablets, mobile phones and laptops) for business purposes and may be accessing SaaS customer data using them. SaaS suppliers who allow staff to use such “bring your own devices” (BYOD) for work purposes should be aware of their duties to protect any SaaS customer personal data being accessed by staff using such BYODs.

ICO Guidelines

In March 2013 the Information Commissioner’s Office (ICO) published guidelines providing advice on how to protect personal data that is accessed using a BYOD. The Commissioner underlined the fact that SaaS suppliers are obliged to look after personal data for which they are responsible  under the Data Protection Act 1998 (Act) regardless of ownership of the device used to carry out the processing.

In order to protect SaaS customer data and to comply with their duties under the Act, SaaS suppliers who permit staff to access data on a BYOD should:

  • ensure that the BYOD is password-protected;
  • ensure that data is encrypted when it is transferred;
  • ensure that data is encrypted when it is stored; and
  • consider having a BYOD policy for staff.

BYOD Policy

SaaS suppliers should either prohibit BYOD and the ability to access SaaS customer data for work purposes on such devices entirely or they should permit access within the scope of a BYOD policy.

A BYOD policy should contain rules on the use of personal devices by staff, setting out:

  • which employees are allowed to use a BYOD, i.e. senior management;
  • what types of devices may be used;
  • which types of data may be accessed via the device;
  • how devices will be protected against loss, theft or hacking i.e. by requiring the use of passwords, pins and/or encryption;
  • how data should be deleted when an employee leaves or disposes of a device;
  • how and when use of the device will be monitored; and
  • sanctions for breach of the BYOD policy.

Ownership and Deletion of Data

A BYOD policy should also state that any work data i.e. contact details or content i.e. business documents will remain the property of the SaaS supplier. Employees should agree to the SaaS supplier being permitted to:

  • delete work data and content from the device; and
  • make copies of work data and content if an employee leaves the company’s employment.


SaaS customers are more likely to choose SaaS suppliers who demonstrate that they control and monitor the use of SaaS customer data on BYODs. Having a clear BYOD policy in place will often satisfy a SaaS customer’s concerns about the use and storage of personal data in accordance with the SaaS agreement terms.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.

To register for my newsletter click here


Other related articles:

Bodle Law
Assign a menu in the Left Menu options.
Assign a menu in the Right Menu options.

This website uses cookies. You may not use this website, unless you agree to our use of cookies. For further details about the cookies we use please visit our Cookie Policy

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.