Recently SaaS suppliers have seen a marked increase in EU customers raising concerns about disclosure of their data to US law enforcement authorities under the Patriot Act – an American anti-terrorism law – particularly where the SaaS supplier has a parent company in the USA or data is being hosted or processed in the USA.
Continue readingCategory: Data Protection
SaaS Agreements – Data Protection – New Proposed EU Rules – Part 2
On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. Following on from my first article – part 1, I have summarised the remainder of the major changes this will make to EU data protection law below.
Continue readingSaaS Agreements – Data Protection – New Proposed EU Rules – Part 1
On the 25th of January 2012 the European Commission published a proposal for a new Data Protection Regulation to replace the existing EU Data Protection Directive. The proposal sets out a general data protection framework aimed at unifying the current differing data protection rules in the EU. I have summarised the major changes this will make to EU data protection law in two articles, part 1 of which is set out below.
Continue readingSaaS Agreements – Data Protection – Data Stored in the USA
SaaS suppliers who use data centres physically located in the USA to store or process data should be aware of a recent US Court of Appeals ruling that the Electronic Communications Privacy Act (ECPA) – an American law – protects the data of non-USA citizens when their data is stored on servers in the USA.
Continue readingSaaS Agreements – Data Protection – Google Analytics in Germany
If your website uses Google analytics and you provide SaaS services to customers based in Germany you are now required to provide specific information to users in order to comply with recent changes to German data protection law. Google Analytics and German Data Protection Google analytics collects statistics about website
Continue readingWebsite Legal Requirements – Cookies – Non-compliance of Public Authority Websites
As a result of changes to the EU Privacy and Electronic Communications Directive it is unlawful to use cookies to collect user data without first obtaining explicit consent. In a recent audit of over 600 public sector websites only 1% complied with the new cookie law.
Continue readingSaaS Agreements – E-Discovery
As a SaaS supplier you may be ordered by a court as part of a litigation process to identify and disclose physical documents and electronically stored information (e-discovery). This creates problems for SaaS suppliers on a number of levels.
Continue readingSaaS Agreements – Data Protection – Patriot Act
Under the provisions of the US Patriot Act the personal data of SaaS customers based in the EU could be shared with US law enforcers without the customer being informed, although this conflicts with EU data protection laws. This Act applies not just to SaaS suppliers owned by a US company but any SaaS suppliers using the services of a US subsidiary for data processing or a US data centre.
Continue readingSaaS Agreements – Data Protection – Binding Corporate Rules
What are Binding Corporate Rules?
BCR’s are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within the company or group to cover global data transfers.
Continue readingSaaS Agreements – Data Protection – Further Fines by Data Commissioner
On the 8th of February 2011 Ealing and Hounslow Councils were fined £80,000 and £70,000 respectively by the Data Commissioner for serious breaches of the Data Protection Act (DPA) following the theft of two laptops from the house of an employee of Ealing Council.
Continue reading