SaaS Agreements – Data Protection – Prism and US Laws

SaaS suppliers should be aware of the relevant US laws when outsourcing SaaS services (data storage and hosting) to US companies or to companies located in the USA. SaaS customers are becoming increasingly concerned about outsourcing to the USA following media reports about "PRISM", which allege that the National Security Agency (NSA) has access to personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and several other major US companies. Below is a summary of the US laws that SaaS suppliers most need to be aware of.

FISA

If you outsource any SaaS services to a US company, the US government can access SaaS customer data pursuant to the Foreign Intelligence Surveillance Act (FISA).

Section 702 of FISA allows US intelligence agencies to collect and monitor the communications and personal data of non-US persons reasonably believed to be located outside the USA where that data is held by US providers (e.g. Amazon or Google). A provider served with a FISA directive must provide all information, facilities and assistance necessary to carry it out, and is prohibited from disclosing that it has done so: it may not inform the SaaS supplier that it has disclosed, or been asked to disclose, personal data, nor that the data is being monitored.

The Patriot Act

If you are a SaaS supplier owned by a US parent company, or you outsource any SaaS services to a US-located data centre or a US-based company, US law enforcement agencies can access SaaS customer data pursuant to the Patriot Act.

The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers regardless of where in the world the data is stored, provided it is within the possession, custody or control of a company subject to US jurisdiction. The Act also allows US law enforcement to prohibit SaaS suppliers from informing their customers that personal data has been handed over. It applies not only to SaaS suppliers owned by a US company but also to any SaaS supplier that uses a US subsidiary or US-based provider for data processing, e.g. a US data centre.

HIPAA

If you are a SaaS supplier providing SaaS services to a US customer that is a health care provider, you and your subcontractors must comply with the security and privacy obligations of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

HIPAA applies to any SaaS supplier that creates, receives, maintains or transmits protected health information ("PHI") on behalf of such a customer, whether or not the SaaS supplier ever actually views the data; a supplier in that position is a "business associate" under HIPAA. HIPAA applies even if the SaaS supplier is located outside the USA. Any subcontractors the SaaS supplier uses, e.g. a data centre, must also comply with HIPAA.

SaaS suppliers must include the privacy and security obligations set out in HIPAA in their SaaS agreements with US health care provider customers (the "business associate agreement"). SaaS suppliers are directly liable for breaches of the HIPAA Security and Privacy Rules, including failure to cooperate with investigations by the US Department of Health and Human Services (HHS). Civil penalties can be imposed even where the supplier did not know of the violation, with the amount tiered according to culpability, and they are severe: a SaaS supplier can be fined up to US$1.5 million per calendar year for all violations of an identical provision.


Under FISA and the Patriot Act a SaaS supplier may be compelled to hand over the personal data of EU-based SaaS customers to US authorities without the customer being informed, even though this conflicts with English and EU data protection law. Under HIPAA SaaS suppliers must comply with the detailed privacy and security provisions of a US law applicable to the health care industry or face severe fines.

It is therefore important that SaaS suppliers understand the extent of any US laws they will be subject to when they:

  • contract with US SaaS customers;
  • outsource SaaS services to companies linked to or based in the USA; or
  • have a parent company based in the USA.

SaaS suppliers should have procedures and measures in place to deal with any applicable US laws. These procedures need to be set out clearly in the terms of the SaaS agreement with the customer, bearing in mind that the obligations to comply with US laws are mandatory and cannot be contracted out of.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me.


