EU SaaS suppliers transfer personal data within the European Economic Area (EEA) when providing SaaS services, most commonly when using hosting services provided by AWS, Microsoft Azure or Google. Under EU and local data protection laws, EU SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers in the EU to any country within the EEA.
Once the UK leaves the EU, the UK will no longer be a member of the EEA. UK SaaS suppliers will no longer be lawfully permitted to continue to transfer personal data of EU SaaS customers to the UK unless the UK government, or alternatively SaaS suppliers themselves, put in place measures to make the transfer legal under EU data protection laws.
The EEA consists of the EU, Norway, Liechtenstein and Iceland. It is currently unclear whether or not the UK government intends to join the EEA after leaving the EU. If the UK decides to become a member of the EEA in its own right following Brexit, then SaaS suppliers will be able to continue to transfer personal data of EU SaaS customers to the UK. However, if the UK government decides:
- Not to join the EEA in its own right; or
- Not to agree alternative arrangements with the EU to allow personal data to be transferred from the EU to the UK;
SaaS suppliers will need to rely on other measures in order to lawfully continue to transfer personal data of EU SaaS customers to the UK.
Possible UK Government Actions
The UK may apply for an adequacy decision from the European Commission that it provides adequate protection for data transfers under English law. Currently Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan are considered as having “adequate” protection. However, it is unlikely that such a decision would be granted if the UK does not continue to comply with the General Data Protection Regulation (GDPR) after Brexit, or changes its existing data protection laws, which are based upon an EU directive and, in due course, the GDPR.
EU-UK Privacy Shield
Another option would be for the UK to enter into an agreement with the EU similar to the EU-US Privacy Shield. The EU-US Privacy Shield (which replaced the Safe Harbor framework) permits EU entities to lawfully transfer personal data from the EU to the US. The UK could negotiate its own Privacy Shield to cover personal data transfers from the EU to the UK.
SaaS Supplier Actions
Binding Corporate Rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with EU data protection law. If the UK does not choose to become a member of the EEA after leaving the EU, then a UK-based SaaS supplier will not be able to use BCRs to cover transfers outside of the EEA, unless it has another entity located within the EEA. Also, BCRs only cover inter-company transfers of personal data, not transfers of data to a third party located outside of the EEA.
EU Model Clauses
EU model clauses are designed to allow EU entities to transfer personal data from the EU to entities located outside the EEA. If the UK does not choose to become a member of the EEA after leaving the EU, UK SaaS customers will need to enter into EU model clauses with SaaS suppliers in order to be able to continue to lawfully transfer personal data to UK SaaS suppliers.
How to Prepare for Change
UK SaaS suppliers should start considering specific changes that may need to be made to the data protection terms of their SaaS agreements and privacy policies in order to allow them to continue transferring personal data from the EU to the UK once the UK leaves the EU. This action should be taken now, regardless of which, if any, of the above actions the UK government decides to take to deal with the issue of data transfers from the EU after Brexit.
Irene Bodle is an IT lawyer specialising in SaaS, with over 14 years' experience dealing with SaaS, cloud computing matters and IT law issues. If you require assistance with any SaaS agreements, cloud computing matters or any other IT legal issues please contact me at: