SaaS Agreements – Data Protection – EU US Privacy Shield

The GDPR prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position under the EU-US Privacy Shield which has replaced the safe harbor scheme.

Safe Harbor

Until the 6th of October 2015, SaaS suppliers and SaaS customers relied upon Safe Harbor (a self-certification standard operated by the US Department of Commerce and enforced by the Federal Trade Commission) when transferring personal data to the USA.

Grace Period

Following the invalidation of safe harbor, the Art. 29 Working Party, which is comprised of European Data Protection regulators (the “Working Party”, now known as the EDPB), made clear that no actions would be taken against SaaS suppliers or SaaS customers relying upon safe harbor until the end of January 2016. This grace period was agreed to allow the Working Party, EU countries and the European Commission time to find a suitable political, legal and technical solution to the problem of transferring personal data from EU countries to the United States in compliance with EU data protection laws.

Interim Enforcements

However, national data protection authorities retain the right to exercise their powers to protect data subjects’ rights upon receipt of individual complaints against SaaS suppliers or customers. For example, the German Federal and State Data Protection Commissioners (“the Commissioners”) stated that there would be no grace period and that they would immediately take action against data transfers which were based on Safe Harbor, unlike the UK Information Commissioner’s Office (“ICO”), which made it clear that SaaS suppliers and customers would be given time to adapt.

Interim Options

Accordingly, SaaS suppliers and customers had three options for continuing to lawfully transfer personal data from the EU to the USA:

  • obtain consent from each data subject to the transfer of data to the USA;
  • create and have approved binding corporate rules (“BCRs”) for transatlantic transfers of personal data within a company’s group of companies;
  • enter into EU Model Clauses with US entities to whom personal data was transferred.

Privacy Shield

The grace period has now expired and a new privacy agreement called the Privacy Shield has been agreed by the US and EU to replace the safe harbour scheme. The Privacy Shield is based upon safe harbour but has additional protections, particularly with regard to public authority access to personal data. The Privacy Shield must now be reviewed by the European Commission before it can be relied upon and adopted by SaaS suppliers or customers. The European Commission is currently assessing whether or not the Privacy Shield provides adequate protection in accordance with EU data protection laws. This process is expected to take up to 3 months.

Current Position

The Working Party has confirmed that, for the time being, EU Model Clauses and BCRs remain valid for transfers of personal data from the EU to the USA. Accordingly, SaaS suppliers and SaaS customers should continue to use BCRs, consent or EU Model Clauses when transferring personal data to the USA, whilst monitoring the status of the Privacy Shield with their local data protection authorities.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.
