Many SaaS customers are concerned that, even though their SaaS data is stored in a data centre located in the EU, it is not protected against disclosure to US authorities if that data centre is owned by a US parent company, e.g. Microsoft or Amazon. A recent US court ruling, won on appeal by Microsoft, has clarified the position under the Stored Communications Act (SCA): a warrant issued under the SCA cannot compel a US provider to disclose data held at a data centre located outside of the US. SaaS suppliers and SaaS customers who use EU data centres owned by US companies can therefore resist an SCA warrant for that data.

Microsoft Case

Microsoft received a search warrant issued pursuant to the SCA requiring it to disclose email data stored at its data centre in Ireland. Microsoft refused, and in 2014 a New York court ruled that Microsoft must produce the email data stored on its servers at the Irish data centre, on the basis that under the SCA a US company is obliged to produce information in its possession, custody or control regardless of where that information is located.

Microsoft challenged the decision and in July 2016 the US Court of Appeals for the Second Circuit ruled against the Department of Justice and agreed with Microsoft: the SCA does not apply outside of the US, so an SCA warrant cannot reach data held on servers located outside of the US.

Hosting in the EU

Microsoft and Amazon have for some time offered SaaS customers the option of storing all SaaS customer data at data centres located in the EU, in an attempt to address the valid concerns of EU SaaS customers about the ability of US authorities to access their personal data. The original 2014 decision undermined the effectiveness of this option, but following the appeal decision it is now clear that US authorities cannot use an SCA warrant to obtain SaaS customer data located outside of the US. However, US authorities can still access SaaS customer data pursuant to other US laws.

Prism, FISA and the Patriot Act

Despite the favourable outcome for Microsoft in this case, US authorities can still access SaaS customer data stored in the EU. The US government can secretly access SaaS customer data stored in the EU under the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act.

What is FISA?

FISA allows the US government to access and monitor the personal data of non-US persons located outside of the US that is held by US public cloud providers. Public cloud providers such as Amazon and Google must secretly provide all assistance, facilities and information requested by the government when it seeks access to SaaS customer data. The provider is not allowed to inform the SaaS supplier that it has disclosed, or been asked to disclose, personal data, nor that the data is being monitored.

The Patriot Act

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also allows US law enforcement to prevent SaaS suppliers from informing customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS supplier using the services of a US company, e.g. a US data centre.

Summary

Under the Patriot Act and FISA the personal data of SaaS customers based in the EU must be shared with US authorities without the SaaS customer being informed, even though this conflicts with the provisions of the EU Data Protection Directive and the data protection laws of the 28 EU member states.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

