The GDPR prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position under the EU-US Privacy Shield which has replaced the safe harbor scheme.
Until the 6th of October 2015, SaaS suppliers and SaaS customers relied upon Safe Harbor (a self-certification standard operated by the US Department of Commerce and enforced by the Federal Trade Commission) when transferring personal data to the USA.
Following the invalidation of safe harbor, the Art. 29 Working Party, which is comprised of European Data Protection regulators, (the “Working Party” now known as the EBDP) made clear that no actions would be taken against SaaS suppliers or SaaS customers relying upon on safe harbor until the end of January 2016. This grace period was agreed to allow the Working Party, EU countries and the European Commission time to find a suitable political, legal and technical solution to the problem of transferring personal data from EU countries to the United States in compliance with EU data protection laws.
However, national data protection authorities retain the right to exercise their powers to protect a data subjects’ rights upon receipt of individual complaints against SaaS suppliers or customers. For example, the German Federal and State Data Protection Commissioners (“the Commissioners”) stated that there would be no grace period and that they would immediately take action against data transfers which were based on Safe Harbor, unlike the UK Information Commissioner’s Office (“ICO”) which made it clear that SaaS suppliers and customers would be given time to adapt.
Accordingly, SaaS suppliers and customers had three options for continuing to lawfully transfer personal data from the EU to the USA:
- obtain consent from each data subject to the transfer of data to the USA;
- create and have approved binding corporate rules (“BCRs”) for transatlantic transfers of personal data within a company’s group of companies;
- enter into EU Model Clauses with US entities to whom personal data was transferred.
The grace period has now expired and a new privacy agreement called the Privacy Shield has been agreed by the US and EU to replace the safe harbour scheme. The Privacy Shield is based upon safe harbour but has additional protections, particularly with regard to public authority access to personal data. The Privacy Shield must now be reviewed by the European Commission before it can be relied upon and adopted by SaaS suppliers or customers. The European Commission is currently assessing whether or not the Privacy Shield provides adequate protection in accordance with EU data protection laws. This process is expected to take up to 3 months.
The Working Party has confirmed that for the time being EU Model Clauses and BCRs are valid for transfers of personal data from the EU to the USA. Accordingly, Saas suppliers and SaaS customers should continue to us BCRs, consent or EU Model Clauses when transferring personal data to the USA and whilst monitoring the status of the Privacy Shield with their local data protection authorities.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
Speaker at the Berlin CloudConf 2013.
To register for my newsletter click here
Other related articles:
- SaaS Agreements – GDPR – EU-US Privacy Shield Invalid
- SaaS Agreements – Data Protection – Privacy Shield Approved
- SaaS Agreements – Data Protection – New Obligations for SaaS Suppliers
- SaaS Agreements – Data Protection – New Obligations for SaaS Customers
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreement – Data Protection – New General Data Protection Regulation (GDPR)
- SaaS Agreements – Data Protection – The Future of Safe Harbor
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Safe Harbor, German Customers
- SaaS Agreements – FAQs – Prism
- SaaS Agreements – Data Protection – Which Law Applies
- SaaS Agreements – Data Protection – Microsoft must disclose data on EU server
- SaaS Agreements – Data Protection – Update on new draft EU Data Protection Regulation
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – Russian Data Centres