SaaS suppliers are increasingly using data centres located in Switzerland to host SaaS software and store customer data. In light of recent media revelations about “Prism” and the existing concerns over access to customer data under the Patriot Act and FISA, this trend could increase. The advantages of hosting SaaS data in Switzerland are summarised below.
Why Switzerland?
Switzerland is often viewed internationally as representing the following values – stability, neutrality, discretion and trustworthiness based on its banking history. For this reason Swiss law is often accepted by non-European customers in international agreements when there is a disagreement about which law or arbitration rules should apply to the contract.
Confidentiality
Currently many global SaaS suppliers use data centres located in the USA. However, when dealing with European customers, SaaS suppliers often encounter problems with customers raising concerns about the application of:
- the Patriot Act, a US law which permits US authorities to access EU customer data stored in the USA or EU customer data stored outside of the US where there is a US parent company such as Microsoft; and
- FISA, which allows the US government to access and monitor the personal data of non-US citizens held by US public cloud providers such as Amazon or Google.
An additional benefit of using a Swiss data centre is that generally data stored in Switzerland is not traceable to a named person, but only to a number.
Safe Harbor not Adequate
SaaS customers and data protection authorities, particularly in Germany, are raising concerns about the adequacy of the safe harbor status of US companies. It is often claimed that safe harbor certification is little more than a paper exercise which in practice does not comply with European levels of data protection.
Compliance with EU Data Protection Laws
An added advantage of using Swiss data centres is that Switzerland is accepted by the EU as having equivalent protection to EU data protection laws. Therefore no additional consents are required from SaaS customers to enable data to be stored and processed in Switzerland.
Language
Although English is not one of the official languages of Switzerland, it is widely spoken and is the language of preference for business transactions. In addition, French, German and Italian are official languages, which gives SaaS suppliers the added bonus of being able to request hosting services in any, or all, of the four languages. This makes Switzerland very attractive to global companies, who are often wary of hosting outside of their territory due to language barriers.
Summary
Under the provisions of the US Patriot Act and FISA, the personal data of SaaS customers based in the EU must be shared with US law enforcers without the customer being informed, even though this conflicts with EU data protection law.
By using a data centre located in Switzerland, a SaaS supplier can process and store customer data in compliance with EU data protection rules, provided that the hosting company located in Switzerland is not owned by a US parent company.
For the above reasons, some well-known global companies such as Swift, Yahoo and Hewlett Packard have in recent years relocated their hosting services to Switzerland.
Help
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software-on-demand contracts or any other IT legal issues, contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com