SaaS Agreements – Data Protection – Microsoft must disclose data on EU server

Many SaaS customers falsely believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. This is incorrect. The recent US court ruling against Microsoft has confirmed the position, namely that SaaS suppliers and SaaS customers who use data centres located in the EU, owned by US companies, cannot prevent US authorities from accessing their data.

Microsoft Case

In April this year a New York court ruled that Microsoft must reveal email data stored on its servers at its Irish data centre. Microsoft received a search warrant issued pursuant to the Stored Communications Act (SCA) requiring it to disclose the data. Under the SCA a US company is obliged to produce information in its possession, custody, or control regardless of the location of that information.

Microsoft currently offers SaaS customers the option of storing all data at its data centre in Ireland, in an attempt to address valid EU customer concerns about the ability of the US authorities to access their data and to comply with EU data protection laws. However, this recent court decision undermines the effectiveness of this option, as it makes clear that US authorities can access data located outside of the US.

Microsoft plans to challenge the court decision, but regardless of the final outcome of this case, US authorities will still be able to access data stored in the EU using other US laws.

Prism, FISA and the Patriot Act

Ignoring the issue of “Prism”, the US government can secretly access SaaS customer data stored in the EU under the Foreign Intelligence Security Act (FISA) and the Patriot Act.

What is FISA?

FISA allows the US government to access and monitor the personal data of non-US citizens (located outside of the USA) held by US public cloud providers. Public cloud providers such as Amazon and Google must secretly provide all assistance, facilities and information requested by the government if it requests access to SaaS customer data. The public cloud provider is not allowed to inform the SaaS supplier that it has disclosed or been asked to disclose personal data, nor that the data is being monitored.

The Patriot Act

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS supplier using the services of a US company, i.e. a US data centre.


Under the SCA, Patriot Act, FISA (and “Prism” where applicable) the personal data of SaaS customers based in the EU must be shared with US law enforcers without the SaaS customer being informed, even though this conflicts with the provisions of the EU Data Protection Directive and the data protection laws of the 28 EU member states.

Local EU data protection authorities and EU member state governments are currently investigating how to resolve this conflict, for example by adding provisions preventing disclosure in the draft proposed EU data protection regulation. While the position remains unresolved, SaaS suppliers should be considering how to minimise the risk this poses to their business model, whilst assuring SaaS customers that their concerns are being addressed.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector.

Speaker at the Berlin CloudConf 2013.
