EU data protection law prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position following the recent announcement that the EU-US Privacy Shield has been adopted by the European Commission and will now replace Safe Harbor.
In the past SaaS suppliers and SaaS customers had relied upon Safe Harbor (a self-certification standard) when transferring personal data from the EEA to the USA. But following a legal challenge to the adequacy of Safe Harbor, on the 6th of October 2015 the European Commission declared that Safe Harbor was invalid. This meant that Safe Harbor could no longer be relied upon by SaaS suppliers and customers when transferring personal data from the EEA to the USA.
Current Alternatives to Safe Harbor
Following the invalidation of the Safe Harbor scheme, SaaS suppliers and customers have three options for lawfully transferring personal data from the EEA to the USA:
- obtain consent from each data subject to the transfer of data to the USA;
- create binding corporate rules (“BCRs”), and have them approved, for transatlantic transfers of personal data within a company’s group of companies;
- enter into EU Model Clauses with the US entities to whom personal data is transferred.
EU – US Privacy Shield
A new privacy agreement called the Privacy Shield was agreed between the USA and the EU to replace the Safe Harbor scheme and to permit SaaS customers and suppliers to transfer personal data from the EEA to the USA. The Privacy Shield was adopted by the EU Commission on the 12th of July 2016 and will now replace Safe Harbor.
The EU-US Privacy Shield is based upon the Safe Harbor scheme in an amended form. It still requires entities to self-certify their compliance annually. However, there are now additional obligations, such as:
- complying with data subject access requests;
- deleting personal data which is no longer being used for the purposes for which it was originally collected;
- allowing data subjects to opt out where data is to be disclosed to a third party;
- providing recourse for breaches to EU data subjects;
- replying promptly to any complaints.
When can the Privacy Shield be Relied upon?
The US Department of Commerce will now start to operate the Privacy Shield. SaaS suppliers and SaaS customers wishing to import personal data from the EU need to apply for certification under the Privacy Shield. Before applying, SaaS suppliers and customers should review the terms of the Privacy Shield and adjust their internal procedures to comply with the new rules. From the 1st of August 2016 the US Department of Commerce will start to process applications for certification.
EU based SaaS suppliers and SaaS customers should continue to use BCRs, consent or EU Model Clauses when transferring personal data to the USA, until the USA entities to whom personal data is being transferred have obtained certification under the Privacy Shield.
Potential Problems with the Privacy Shield
Although the EU Commission has adopted the Privacy Shield, EU data protection regulators still have the ability to investigate data exports irrespective of this adequacy decision of the European Commission. This means that even if a SaaS customer or SaaS supplier relies upon Privacy Shield certification in due course, the transfer could still be declared invalid by a local data protection authority.
Depending on their physical location, SaaS suppliers and SaaS customers should consider whether to keep any existing EU Model Clauses, binding corporate rules or consents in place in addition to relying on the Privacy Shield, in order to reduce the risk of a local data protection authority investigating their compliance with EU data protection laws.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me: