Archive for July, 2016

SaaS Agreements – Data Protection – Privacy Shield Approved

EU data protection law prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position following the recent announcement that the EU-US Privacy Shield has been adopted by the European Commission and will now replace Safe Harbor.

Safe Harbor

In the past, SaaS suppliers and SaaS customers relied upon Safe Harbor (a self-certification standard) when transferring personal data from the EEA to the USA. But following a legal challenge to the adequacy of Safe Harbor, on the 6th of October 2015 the European Commission declared that Safe Harbor was invalid. This meant that Safe Harbor could no longer be relied upon by SaaS suppliers and customers when transferring personal data from the EEA to the USA.

Current Alternatives to Safe Harbor

Following the invalidation of the Safe Harbor scheme, SaaS suppliers and customers have three options for lawfully transferring personal data from the EEA to the USA:

  • obtain consent from each data subject to the transfer of data to the USA;
  • create and have approved binding corporate rules (“BCRs”) for transatlantic transfers of personal data within a company’s group of companies;
  • enter into EU Model Clauses with the US entities to whom personal data is transferred.

EU – US Privacy Shield

A new privacy agreement called the Privacy Shield was agreed between the USA and the EU to replace the Safe Harbor scheme and to permit SaaS customers and suppliers to transfer personal data from the EEA to the USA. The Privacy Shield was adopted by the EU Commission on the 12th of July 2016 and will now replace Safe Harbor.

The EU-US Privacy Shield is based upon the Safe Harbor scheme in an amended format. It still requires entities to self-certify their compliance annually. However, there are now additional obligations, such as:

  • displaying a privacy policy on websites;
  • complying with data subject access requests;
  • deleting personal data which is no longer being used for the purposes for which it was originally collected;
  • allowing data subjects to opt out where data is to be disclosed to a third party;
  • providing recourse for breaches to EU data subjects;
  • replying promptly to any complaints.

When Can the Privacy Shield be Relied Upon

The US Department of Commerce will now start to operate the Privacy Shield. SaaS suppliers and SaaS customers wishing to import personal data from the EU need to apply for certification under the Privacy Shield. Before applying, SaaS suppliers and customers should review the terms of the Privacy Shield and adjust their internal procedures to comply with the new rules. From the 1st of August 2016 the US Department of Commerce will start to process applications for certification.

EU-based SaaS suppliers and SaaS customers should continue to use BCRs, consent or EU Model Clauses when transferring personal data to the USA, until the US entities to whom personal data is being transferred have obtained certification under the Privacy Shield.

Potential Problems with the Privacy Shield

Although the EU Commission has adopted the Privacy Shield, EU data protection regulators still have the ability to investigate data exports irrespective of this adequacy decision of the European Commission. This means that even if a SaaS customer or SaaS supplier relies upon Privacy Shield certification in due course, the transfer could still be declared invalid by a local data protection authority.

Depending on where they are physically located, SaaS suppliers and SaaS customers should consider whether to keep any existing EU Model Clauses, binding corporate rules or consents in place in addition to relying on the Privacy Shield, in order to reduce the risk of a local data protection authority investigating their compliance with EU data protection laws.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com


SaaS Agreements – Data Protection – Brexit and the GDPR

SaaS suppliers and customers must currently comply with the terms of the Data Protection Act 1998 (DPA), which governs data protection law in the UK. SaaS suppliers and SaaS customers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU). Currently, the UK is a Member State of the EU, and even if the UK gives the European Council notice of its intention to leave the EU, it has 2 years in which to negotiate the terms of a “Brexit”. It is therefore likely that the UK will still be part of the EU on the 25th of May 2018.

Will the GDPR apply to the UK

Whether or not the GDPR will apply to the UK following a Brexit will depend upon the agreement reached between the UK and the EU on the terms under which the UK will leave the EU, and on the timing of the Brexit. Namely:

  • if the Brexit is after the 25th of May 2018, the GDPR will have direct effect in the UK;
  • if the Brexit is before the 25th of May 2018, the applicable data protection regime will depend upon the terms of the Brexit agreed with the EU.

The Brexit deal could require the UK to adopt EU laws in order to be part of the single market, similar to the rules applicable to members of the EEA who are not EU Member States. Alternatively, the Brexit deal may not require the adoption of EU laws in the UK, but the UK may be required to amend UK laws to comply with EU legislation, similar to the rules.

GDPR will apply even if the UK leaves the EU

Regardless of when the UK leaves the EU, the GDPR rules will still apply to all UK SaaS suppliers and customers after a Brexit, as the GDPR applies to non-EU SaaS suppliers and customers who offer goods or services in the EU, or who monitor the behaviour of EU data subjects.

UK SaaS suppliers and customers will then:

  • be subject to fines of up to 4% of annual global turnover (or 20 million euros) for breaches of the GDPR;
  • need to appoint a data protection officer;
  • need to implement requests to be forgotten;

amongst the other obligations of the GDPR.

Summary

The current position with regard to a Brexit is unclear and subject to change; however, SaaS suppliers and customers need to be aware that current UK data protection rules will change on the 25th of May 2018 or following a Brexit, whenever this occurs. SaaS suppliers and customers, particularly those doing business in the EU, should review their current data protection policies and procedures to check that they will comply with the rules of the GDPR, if this should become necessary in due course.


SaaS Agreements – Legal Implications of Brexit

Brexit and SaaS

SaaS suppliers and SaaS customers wondering about the business implications of a Brexit and how to prepare for this should be aware of the following. Despite the result of the referendum in the UK indicating that the UK will leave the European Union (EU), currently this has no legal consequence or effect upon the business operations of SaaS suppliers or SaaS customers.

When will the UK leave the EU

No Member State has ever left the European Union, so although there is a process set out in Article 50 of the EU Treaty for leaving, the process of withdrawal is new and untested. In any event, under the Article 50 process, the UK has to give official notice to the European Union of its intention to leave the EU, before the process starts. Once notice is given, the UK has 2 years to negotiate the terms of its exit. If there is no agreement at the end of the 2 year period, the EU treaties will automatically cease to apply – unless all Member States agree to extend the 2 year period.

To date the UK government has indicated that it has no intention of giving an Article 50 notice before September 2016 at the earliest. It is therefore highly likely that negotiating the UK’s leaving terms will take some time: many months or even years.

How should SaaS Suppliers and Customers prepare for a Brexit

For the time being, SaaS suppliers and customers should watch developments in relation to the UK giving notice under Article 50. SaaS suppliers should be aware that even after the notice is given, the UK will continue to be a member of the EU and subject to EU law until the date that the UK actually leaves the EU. For example, the new EU Data Protection Regulation (“GDPR”) will automatically become law in the UK in 2018 and will apply to SaaS suppliers and customers.

Further updates will be published on this site from time to time once the UK’s position on serving an Article 50 notice becomes clearer.

Help

Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years' experience in dealing with SaaS, cloud computing and IT law issues. If you require assistance with any SaaS agreements, cloud computing concerns or any other IT legal issues please contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com
