Brexit Archives

SaaS Agreements – Brexit – EU Data Transfers to the UK after Brexit

Under EU and UK data protection laws, UK SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers located in the EU to any country within the EEA. From the 30th of March 2019, when the UK leaves the EU (“Brexit Date”), the UK will no longer be part of the EEA and will become a “third country” for data protection purposes, like the USA.

The EU Commission recently confirmed in a Notice that on the Brexit Date, UK based SaaS suppliers can no longer lawfully transfer personal data of SaaS customers located in the EU (i.e. in France, Germany, Spain etc.) to the UK, unless SaaS suppliers have in place appropriate protection measures to make the transfer legal under the GDPR.

EEA Data Transfers

The EEA is the EU, Norway, Liechtenstein and Iceland. If the UK decides to become a member of the EEA in its own right, following Brexit, UK SaaS suppliers would be able to continue to transfer personal data of SaaS customers located in the EU to the UK. However, the UK government has indicated that it does not intend to join the EEA after leaving the EU. This means that prior to the Brexit Date the UK government must agree alternative arrangements with the EU to allow personal data to be transferred from the EU to the UK, or SaaS suppliers themselves must put alternative arrangements in place from the Brexit Date.

Alternative Arrangements

The alternative arrangements that could be used by UK SaaS suppliers are currently:

  • Standard model clauses;
  • Binding Corporate Rules;
  • Approved certification measures; or
  • Consent from data subjects.

Standard Model Clauses

Standard model clauses are designed to allow EU SaaS customers to transfer personal data from the EU to SaaS suppliers located outside the EEA. If the UK is not a member of the EEA after leaving the EU, SaaS customers located in the EU will need to enter into EU model clauses with UK SaaS suppliers in order to continue to transfer personal data to UK SaaS suppliers.

BCRs

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with EU data protection law. If the UK is not a member of the EEA after leaving the EU, then a UK based SaaS customer will not be able to use BCRs to cover transfers outside of the EEA to a data processor, unless the SaaS customer has another entity located within the EEA. In any event, BCRs only cover inter-company transfers of personal data, not transfers of data by a SaaS customer to a third party SaaS supplier located outside of the EEA.

Approved Certification Measures

The UK government could apply for an adequacy decision from the European Commission certifying that it provides adequate protection for data transfers under English law. Currently Andorra, Argentina, Canada, Faeroe Islands, Israel, Isle of Man, Jersey, Switzerland, New Zealand and Uruguay are considered as having “adequate” protection. However, it is unlikely that such a decision would be granted if the UK:

  • Does not continue to comply with the General Data Protection Regulation (GDPR) after the Brexit Date; or
  • Changes its existing data protection laws – which are based upon an EU directive and the GDPR from the 25th of May 2018.

In any event an adequacy decision would not be approved by the European Commission prior to the Brexit Date.

EU-UK Privacy Shield

Another option would be for the UK to enter into an agreement with the EU similar to the EU-US Privacy Shield. The EU-US Privacy Shield (which replaced the Safe Harbor framework) permits EU entities to lawfully transfer personal data from the EU to the US. The UK could negotiate its own privacy shield to cover personal data transfers from the EU to the UK. Again, it is unlikely that a UK-EU privacy shield would be negotiated, or finalised, prior to the Brexit Date.

Consent

Another method of compliance is to obtain specific consent from each data subject before the transfer to the UK takes place. If the data subject consents to the transfer outside of the EEA, the transfer to the UK SaaS supplier will be in compliance with EU data protection law. Consent is usually obtained by having a data subject agree to the transfer of its personal data outside of the EEA and full details about the transfer itself should be set out in the privacy policy of the SaaS customer and the SaaS supplier.

How to Prepare for Change

UK SaaS suppliers should start considering the specific changes that may need to be made to the data protection terms of their SaaS agreements and privacy policies in order to allow them to continue transferring personal data from the EU to the UK once the UK leaves the EU on the Brexit Date. This action should be taken now, regardless of which, if any, of the above actions the UK government decides to take, in order to ensure that data transfers from the EU can continue to take place from the Brexit Date.

Help

Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years' experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________


SaaS Agreements – Brexit – How Brexit and the GDPR will affect SaaS Businesses

SaaS suppliers should be aware that from the 25th of May 2018, the General Data Protection Regulation (GDPR) will apply directly in all Member States of the European Union (EU).

Many SaaS suppliers are concerned about the changes the GDPR will impose upon their current data protection obligations, particularly in light of the uncertainties surrounding “Brexit”. SaaS suppliers should be aware that they will be obliged to comply with the new rules imposed by the GDPR from May next year and post Brexit.

Will the GDPR apply in the UK after Brexit?

Regardless of the timing of Brexit and any agreement reached between the UK and the EU on the terms under which the UK will leave the EU, the GDPR will automatically apply in the UK, until UK data protection laws are amended.

GDPR applies to UK SaaS Suppliers despite Brexit

Regardless of when and how Brexit takes place or any subsequent changes made to UK data protection laws, the GDPR will still apply directly to SaaS suppliers located within the UK if:

  • They offer goods or services to SaaS customers located within the EU (i.e. in any of the remaining 27 Member States); or
  • They monitor the behaviour of EU data subjects;

Even though UK SaaS suppliers will no longer be located within the EU themselves after a Brexit.

GDPR will apply to non-EU SaaS Suppliers

From the 25th of May 2018 the GDPR will automatically also apply to all SaaS suppliers located outside of the EU, e.g. in the USA, if:

  • They offer goods or services to SaaS customers located within the EU; or
  • They monitor the behaviour of EU data subjects, even though the SaaS supplier is not located within the EU.

Complying with the GDPR

The following are the main obligations that all SaaS suppliers, who are subject to data processor obligations under the GDPR, will need to comply with:

  • Having specific minimum terms in a written data processing agreement with all customers;
  • Keeping records of all categories of processing activities that they carry out;
  • Obtaining prior written consent to the subcontracting of any data processing activities;
  • Notifying customers of any breach of their obligations, without undue delay, after becoming aware of the breach;
  • Appointing a data protection officer (DPO) in specific circumstances; and
  • Allowing customers to choose between deletion or return of all personal data.

Fines for Breach

Data subjects will be able to claim damages directly from SaaS suppliers who breach:

  • Any obligations under the GDPR; or
  • Any lawful instructions of the customer.

In addition data protection authorities will be able to fine SaaS suppliers up to 4% of annual global turnover or 20m Euros (whichever is higher) for breaches of the GDPR.

Preparing for Change

The current position with regard to Brexit is unclear and subject to change. However, all SaaS suppliers supplying SaaS services to customers located in the EU need to be aware that current data protection laws will change throughout the EU on the 25th of May 2018, and/or in the UK following Brexit.

SaaS suppliers who plan to provide SaaS services to individuals located in the EU after the 25th of May 2018, need to take the following action:


______________________________________________________


SaaS Agreements – Brexit – Amendments to Terms and Conditions

SaaS suppliers and SaaS customers are becoming increasingly concerned about the effect of “Brexit” upon the terms of their existing SaaS agreements, particularly where contracts are subject to English law or SaaS suppliers or customers are located within the UK. Below is a summary of the main issues that SaaS suppliers need to be aware of that may result in problems arising now or in the future with the terms of their existing SaaS agreements.

Territory

Where the EU or the EEA is used:

  • To define a territory in which rights are granted to the parties in a SaaS agreement, for example countries in which a SaaS reseller may resell SaaS services; or
  • As a general concept, for example in relation to the countries in which a data centre must be located;

The wording may need to be adapted to ensure that this includes or excludes the UK (as necessary).

The use of “EU” or “EEA” is of particular importance where rights are being granted for specific countries, some of which may be exclusive rights or where the applicable law depends upon the location of the SaaS customers being within or outside the EU/EEA.

Applicable Law

English law is often chosen as the applicable law in international SaaS agreements. Even after “Brexit” this position should not change as English law:

  • Will still be one of the most flexible laws with few mandatory restrictions on liability and other contractual obligations;
  • Historically forms the basis of local law in many countries worldwide; and
  • Is more similar to US laws and legal concepts than other European countries’ laws.

Force Majeure

Force Majeure clauses set out special rules that apply if something beyond a party’s reasonable control affects that party’s ability to comply with its contractual obligations. Depending on how a SaaS supplier’s force majeure clause is worded, “Brexit” could be considered to be a force majeure event. In most SaaS agreements, a force majeure event entitles the non-breaching party to terminate the SaaS agreement without penalty, and this could be used by an unhappy SaaS customer looking for a reason to terminate the SaaS agreement early.

Application of existing EU based law

Some EU laws apply to the UK directly, for example: interest on late payments and compensation for the termination of commercial agents. Following a Brexit, the application of such laws and UK compliance with such laws may change depending upon the exact circumstances of the Brexit and some laws will still apply extra-territorially to the UK despite a Brexit.

Compliance with new EU based law

Prior to the UK formally leaving the EU, the EU will continue to make laws that apply in the UK and the UK will be bound by any new laws at least until Brexit is complete. For example: the General Data Protection Regulation (GDPR) will automatically apply in the UK from the 25th of May 2018, but the UK government may then remove the GDPR from English law or adapt its terms after “Brexit”.

Identifying Potential Issues

While there is currently no immediate need for SaaS suppliers to amend existing SaaS agreement terms, as the government’s “Brexit” strategy has not been finalised or published, SaaS suppliers should be aware of the issues and should now be:

  • Reviewing existing SaaS agreements to identify potential problems; and
  • Addressing problems that are identified within any new SaaS agreements or renewals of existing SaaS agreements entered into with SaaS customers in the interim.


______________________________________________________


SaaS Agreements – Brexit – EU Data Transfers

EU SaaS suppliers transfer personal data within the European Economic Area (EEA) when providing SaaS services, most commonly when using hosting services provided by AWS, Microsoft Azure or Google. Under EU and local data protection laws, EU SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers in the EU to any country within the EEA.

Once the UK leaves the EU, the UK will no longer be a member of the EEA. UK SaaS suppliers will no longer be lawfully permitted to continue to transfer personal data of EU SaaS customers to the UK unless the UK government, or alternatively SaaS suppliers themselves, put in place measures to make the transfer legal under EU data protection laws.

EEA Membership

The EEA consists of the EU, Norway, Liechtenstein and Iceland. It is currently unclear whether or not the UK government intends to join the EEA after leaving the EU. If the UK decides to become a member of the EEA in its own right, following Brexit, then SaaS suppliers will be able to continue to transfer personal data of EU SaaS customers to the UK. However, if the UK government decides:

  • Not to join the EEA in its own right; or
  • Does not agree alternative arrangements with the EU to allow personal data to be transferred from the EU to the UK;

SaaS suppliers will need to rely on other measures in order to lawfully continue to transfer personal data of EU SaaS customers to the UK.

Possible UK Government Actions

Adequacy

The UK may apply for an adequacy decision from the European Commission that it provides adequate protection for data transfers under English law. Currently Andorra, Argentina, Canada, Faeroe Islands, Israel, Isle of Man, Jersey, Switzerland, New Zealand and Uruguay are considered as having “adequate” protection. However, it is unlikely that such a decision would be granted if the UK does not continue to comply with the General Data Protection Regulation (GDPR) after a Brexit, or changes its existing data protection laws – which are based upon an EU directive and the GDPR in due course.

EU-UK Privacy Shield

Another option would be for the UK to enter into an agreement with the EU similar to the EU-US Privacy Shield. The EU-US Privacy Shield (which replaced the Safe Harbor framework) permits EU entities to lawfully transfer personal data from the EU to the US. The UK could negotiate its own Privacy Shield to cover personal data transfers from the EU to the UK.

SaaS Supplier Actions

BCRs

Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with EU data protection law. If the UK does not choose to become a member of the EEA after leaving the EU, then a UK based SaaS supplier will not be able to use BCRs to cover transfers outside of the EEA, unless they have another entity located within the EEA. Also BCRs only cover inter-company transfers of personal data, not transfer of data to a third party located outside of the EEA.

EU Model Clauses

EU model clauses are designed to allow EU entities to transfer personal data from the EU to entities located outside the EEA. If the UK does not choose to become a member of the EEA after leaving the EU, UK SaaS customers will need to enter into EU model clauses with SaaS suppliers in order to be able to continue to lawfully transfer personal data to UK SaaS suppliers.

How to Prepare for Change

UK SaaS suppliers should start considering specific changes that may need to be made to the data protection terms of their SaaS agreements and privacy policies in order to allow them to continue transferring personal data from the EU to the UK once the UK leaves the EU. This action should be taken now, regardless of which, if any, of the above actions the UK government decides to take to deal with the issue of data transfers from the EU after Brexit.
