SaaS suppliers who use US public cloud providers to store, process or host their SaaS customers' data as part of their SaaS services may now find customers raising concerns about the risk of their data being disclosed to, and monitored by, the US government under the Foreign Intelligence Surveillance Act (FISA).
FISA (a US law) gives the US government the right to access and monitor the personal data of non-US citizens (who are located outside of the USA) held by US public cloud providers (e.g. Amazon or Google), without a warrant, for a period of up to one year, for the purpose of acquiring foreign intelligence information. Public cloud providers must secretly provide all assistance, facilities and information requested by the government. They are not permitted to inform SaaS suppliers that they have disclosed, or been asked to disclose, personal data, or that it is being monitored.
Breach of European Data Protection Laws
Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without the data subject's consent or knowledge. The provisions of FISA conflict directly with English and EU data protection laws.
The recent amendment to this US law adds to the concerns raised by the Article 29 Working Party last year in its opinion on cloud computing and data protection. In that opinion the Working Party said, amongst other things, that EU businesses using cloud services (i.e. SaaS customers) must ensure that non-EU providers (i.e. SaaS suppliers) comply with EU data protection laws, and that simply relying on a US company's Safe Harbor registration is not enough.
FISA is not the only Problem
SaaS customers often wrongly assume that their data is "unsafe" because SaaS suppliers use third party data centres to store and process it. However, the risk of personal data being disclosed applies regardless of whether the data is stored or processed in a SaaS model. Most countries, including the UK, France, Spain and Belgium, have data disclosure laws with which everyone, not just SaaS suppliers, must comply. For example, in the UK the Regulation of Investigatory Powers Act 2000 (RIPA) requires companies to disclose the content of communications to police forces.
Also, data stored or processed anywhere outside of the EEA, in a country which does not have equivalent protection, will be subject to all local disclosure laws (e.g. in China and India), and such local laws may be much wider than FISA.
In addition, quite apart from FISA, the US authorities can access customer data under Mutual Legal Assistance Treaties (MLATs) even when it is hosted outside of the USA and the company has no presence in the USA.
Assessing the Actual Risks
SaaS customer concerns about FISA are valid, but they must be considered in light of:
- The type of data SaaS customers are providing;
- The likelihood of the customer data ever being monitored or requested; and
- The fact that customer data is already subject to similar disclosure obligations to the UK government and foreign governments under other existing laws.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software on demand contracts, or any other IT legal issues, contact me.