SaaS suppliers and SaaS customers currently have to comply with complicated rules and include onerous obligations in their SaaS agreements, data processing agreements and data privacy practices to lawfully make restricted transfers of personal data when providing SaaS services. Before making any restricted transfers of personal data, SaaS suppliers must ensure that the specific safeguards required under the UK GDPR and the EU GDPR are in place.
What is a Restricted Transfer
When a SaaS supplier sends or transmits personal data to an entity located in a country outside of the EEA which is not deemed “adequate” by the European Commission, this is a restricted transfer.
Examples of restricted transfers that SaaS suppliers usually make are:
- Hosting of SaaS customer personal data in data centres operated by entities established outside of the EEA, for example: AWS, Microsoft;
- Using technology services of suppliers located outside of the EEA, for example: Cloudflare, Google;
- Using sub-processors located outside of the EEA to provide services to SaaS customers, for example: Zendesk, Sendgrid, Zoom;
- Transferring or sharing access to personal data with group companies located outside of the EEA.
What is a Transfer Mechanism
SaaS suppliers and SaaS customers are required by European data protection authorities and the GDPR to use a recognised transfer mechanism in order to make their restricted transfers of personal data lawful.
In the past the following transfer mechanisms were recognised as providing “adequacy”:
- Safe Harbor – covered transfers of personal data to US companies signed up to the scheme until the mechanism was declared invalid in the Schrems I decision of the European Court of Justice in 2015;
- EU – US Privacy Shield – replaced Safe Harbor and covered transfers of personal data to US companies signed up to the scheme until the mechanism was declared invalid in the Schrems II decision of the European Court of Justice in 2020.
Following the Schrems II decision, the only transfer mechanisms now recognised by the EU as being “adequate” are:
- Standard Contractual Clauses (SCCs) – standard contractual clauses drafted by the European Commission for EU personal data and standard contractual clauses drafted by the UK Data Commissioner for UK personal data; and
- Binding Corporate Rules (BCRs).
Following the Schrems II decision:
When using EU SCCs (or BCRs) as a transfer mechanism, EU SaaS suppliers and SaaS customers must also:
- Implement additional safeguards when making restricted transfers; and
- Carry out data transfer impact assessments (DTIAs).
When using UK SCCs (or BCRs) as a transfer mechanism, UK SaaS suppliers and SaaS customers must also:
- Implement supplemental safeguards when making restricted transfers; and
- Carry out data transfer assessments (DTAs).
Note also that in the UK there are two different types of UK SCCs that can be used.
Google and Meta Decisions
However, in spite of compliance with the above obligations, Google, and more recently Meta, have been declared by various EU data protection authorities to be in breach of the GDPR for making unlawful restricted transfers of EU personal data. Meta has been fined €1.2bn (£1bn) and ordered to suspend all restricted transfers to the USA.
Meta is currently appealing this decision and the fine, and is continuing to make restricted transfers of personal data to the USA because the suspension only comes into effect in October 2023. By then the new EU-US Data Privacy Framework (DPF) should have been granted “adequacy” by the European Commission, making the continued transfers to the USA lawful.
EU-US Data Privacy Framework – DPF
The DPF is the replacement transfer mechanism for the invalidated EU-US Privacy Shield to enable EU personal data to be transferred to the USA. The European Commission has indicated its intention to grant the DPF “adequacy” but like its predecessors, the DPF will probably be challenged by Mr Schrems and could again be declared invalid by the European Court of Justice at some point in the future.
Important note: The DPF can only be used by US businesses regulated by the Federal Trade Commission or the US Department of Transportation. Such businesses would need to self-certify compliance with the DPF.
UK – US Data Bridge
As the UK is no longer part of the EU following Brexit, it needs to agree its own transfer mechanism with the USA – that is also acceptable to the EU. The UK is referring to this new transfer mechanism as the UK-US Data Bridge and it appears to be an extension to the DPF specifically for the UK.
SaaS suppliers and SaaS customers need to closely watch developments over the coming months on the progress of these new proposed data transfer mechanisms in the US, EU and the UK.
However, even if the new transfer mechanisms are granted “adequacy” by the EU, they will only apply to transfers of personal data to the USA. SaaS suppliers and SaaS customers will still need to:
- Have in place supplemental measures; and
- Document data transfer impact assessments (DTIAs) for any restricted transfers of personal data that rely upon SCCs that they make to other countries outside of the EEA, for example: Australia, Singapore etc.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing with over 15 years' experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me.