SaaS Agreements – Data Protection – FISA Customer Concerns

SaaS suppliers who use US public cloud providers to store, process or host their SaaS customers’ data as part of their SaaS services may now experience customers raising concerns about the risk of disclosure to, and monitoring of, their data by the US government under the Foreign Intelligence Security Act (FISA).


FISA (a US law) gives the US government the right to access and monitor the personal data of non-US citizens (who are located outside of the USA) held by US public cloud providers (e.g. Amazon or Google), without a warrant for a period of up to one year, for the purposes of acquiring foreign intelligence information. Public cloud providers must secretly provide all assistance, facilities and information requested by the government. They are not permitted to inform SaaS suppliers that they have disclosed or been asked to disclose personal data or that it is being monitored.

Breach of European Data Protection Laws

Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without a data subject’s consent or knowledge. The provisions of FISA conflict directly with English and EU data protection laws.

The recent amendment to this US law adds to the concerns raised by the Article 29 Working Party last year in their opinion on cloud computing and data protection. In this opinion the working party said, amongst other things, that EU businesses using cloud services (i.e. SaaS customers) must ensure that non-EU providers (i.e. SaaS suppliers) comply with EU data protection laws, and that simply relying on a US company’s safe harbor registration was not enough.

FISA is Not the Only Problem

SaaS customers often falsely believe that their data is “unsafe” because SaaS suppliers use third-party data centres to store and process their data. However, the risks of personal data being disclosed apply regardless of whether or not data is stored or processed in a SaaS model. Most countries, including the UK, France, Spain and Belgium, have data disclosure laws that all, not just SaaS suppliers, must comply with. For example, in the UK the Regulation of Investigatory Powers Act 2000 (RIPA) requires companies to disclose the content of communications to police forces.

Also, data stored or processed anywhere outside of the EEA, in a country which does not have equivalent protection, will be subject to all local disclosure laws, e.g. in China and India, and such local laws may be much wider than FISA.

In addition, notwithstanding FISA, the US authorities can access customer data under Mutual Assistance Legal Treaties (MLAT) when it is hosted outside of the USA and there is no company presence in the USA.

Assessing the Actual Risks

SaaS customer concerns about FISA are valid but these must be considered in light of:

  • The type of data SaaS customers are providing;
  • The likelihood of the customer data ever being monitored or requested; and
  • The fact that customer data is already subject to similar disclosure obligations to the UK government and foreign governments under other existing laws.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me.
