SaaS Agreements – Data Protection – Patriot Act

Under the provisions of the US Patriot Act, the personal data of SaaS customers based in the EU could be shared with US law enforcement agencies without the customer being informed, even though this conflicts with EU data protection laws. The Act applies not only to SaaS suppliers owned by a US company but also to any SaaS supplier that uses a US subsidiary for data processing or stores data in a US data centre.

The Patriot Act

Under EU data protection laws, SaaS suppliers must tell customers when they are asked to disclose personal data. However, such provisions conflict with SaaS suppliers' obligations to comply with the Patriot Act.

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcement agencies the right to prevent SaaS suppliers from informing their customers that they have had to hand over personal data.

Conflict with EU Data Protection Laws

If the Patriot Act applies to you, you should have procedures and measures in place to deal with any requests for information under the Patriot Act. These procedures need to be set out clearly in your SaaS agreement, bearing in mind your obligation to comply with this particular US law.

For example, Microsoft states in its SaaS privacy policy: "in a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service)."


Irene Bodle is an IT lawyer specialising in SaaS agreements, with over 10 years' experience in the IT sector. If you require assistance with SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me.
