SaaS suppliers should be aware of relevant US laws when outsourcing SaaS services (data storage and hosting) to US companies or companies located in the USA. SaaS customers are becoming increasingly concerned about outsourcing to the USA following media reports about “Prism”, namely that the National Security Agency (NSA) accesses personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and a few other major US public companies. Below is a summary of the most relevant US laws that SaaS suppliers should be aware of.
If you outsource any SaaS services to a US public company the US government can access SaaS customer data pursuant to the Foreign Intelligence Security Act (FISA).
FISA allows the US government to access and monitor the personal data of non-US citizens (located outside of the USA) held by US public cloud providers (e.g. Amazon or Google). Public cloud providers must secretly provide all assistance, facilities and information requested by the government if it requests access to SaaS customer data. The public entity is not permitted to inform the SaaS supplier that it has disclosed or been asked to disclose personal data, nor that the data is being monitored.
The Patriot Act
If you are a SaaS supplier owned by a US parent company, or you outsource any SaaS services to a US-located data centre or a US-based company, US law enforcers can access SaaS customer data pursuant to the Patriot Act.
The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing their customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS supplier using the services of a US subsidiary for data processing, e.g. a US data centre.
If you are a SaaS supplier providing SaaS services to a US customer who is a health care provider, you and your sub-contractors must comply with the security and privacy obligations of the Health Insurance Portability and Accountability Act 1996 (“HIPAA”).
HIPAA applies to any SaaS supplier who creates, receives, maintains, or transmits protected health information (“PHI”), regardless of whether or not the SaaS supplier actually views the data. HIPAA applies even if the SaaS supplier is not located in the USA. Any subcontractor a SaaS supplier uses, e.g. a data centre, will also need to comply with HIPAA.
SaaS suppliers must include the privacy and security obligations set out in HIPAA in their SaaS agreements with US health care provider customers. SaaS suppliers are directly liable for breaches of the HIPAA security and privacy rules, including failing to cooperate with DHHS investigations of HIPAA breaches. Liability is strict, i.e. a SaaS supplier will be liable regardless of intent. The penalties for breach are severe and a SaaS supplier can be fined up to 1.5 million US dollars for all breaches in any calendar year.
Under the provisions of the US Patriot Act and FISA the personal data of SaaS customers based in the EU must be shared with US law enforcers without the customer being informed, even though this conflicts with English and EU data protection law. Under HIPAA SaaS suppliers must comply with detailed privacy and security provisions of a US law applicable to the health care industry or face severe fines.
It is therefore important that SaaS suppliers ensure they are aware of the extent of any US laws they will be subject to when:
- contracting with US SaaS customers;
- outsourcing SaaS services to companies linked to or based in the USA; or
- they have a parent company based in the USA.
SaaS suppliers should have procedures and measures in place to deal with any applicable US laws. These procedures need to be set out clearly in the terms of the SaaS agreement with the customer, bearing in mind mandatory obligations to comply with US laws.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues, contact me.