Recently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.
Background
Under current EU data protection laws, SaaS suppliers cannot send personal data outside of the EEA (the 28 EU member states plus Norway, Iceland and Liechtenstein) unless adequate protections have been put in place or where the destination country is pre-approved as having adequate data protection. Only the following countries are pre-approved and recognised as having adequate protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan.
EU Position
Last year the Article 29 Working Party, a EU privacy body, claimed that SaaS customers based in the EU needed to see actual evidence that US SaaS suppliers (and/or SaaS suppliers using data centres in the US) complied with safe harbor standards. They claimed it was not enough for SaaS customers to simply rely on the fact that a SaaS supplier was registered under the safe harbor scheme.
ITA Position
The ITA disagrees with the above position. The ITA points out that the same rules apply to all SaaS suppliers under EU data protection laws regardless of whether or not they are located within the EEA, an ‘adequate’ country or are safe harbor registered. As the safe harbor framework is binding on all countries within the EEA additional requirements cannot be imposed exclusively on US SaaS suppliers (and/or SaaS supplier using data centres in the US).
Additionally, safe harbor SaaS suppliers (and/or SaaS suppliers using data centres in the US) are not obliged to use the EU model clauses in order to be recognised as adequate, as these are simply for use as an alternative approach to safe harbor. Moreover, they were specifically designed to address the adequacy requirement where safe harbor is not an option.
Additional Requirements
The ITA accepted that US SaaS suppliers (and/or SaaS suppliers using data centres in the US) must enter into a basic processing agreement with SaaS customers (which could form part of the SaaS agreement) but only to ensure that the SaaS supplier has sufficient instructions regarding use of the personal data. This requirement applies to all SaaS suppliers.
Additional requirements could only be imposed if these were required under other applicable laws. For example, under the Markets in Financial Instruments Directive (MiFID) if a US SaaS supplier (and/or SaaS supplier using data centres in the US) enters into a SaaS agreement with a SaaS customer who is providing financial services the terms of the SaaS agreement must guarantee the SaaS customer physical access to the US premises at which data is being processed.
Summary
SaaS suppliers who have SaaS customers querying their “adequacy” and compliance with EU data protection laws can use the ITA document to confirm that safe harbor registration does provide “adequate” protection. Along with the terms of the SaaS agreement, which will include specific data processing obligations, SaaS customers should be satisfied that processing in the US under safe harbor is adequate.
In addition, the European Commission has indicated that safe harbor will continue to be deemed “adequate” in the final version of the new proposed EU Data Protection Regulation.
Help
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com
To register for my newsletter click here
______________________________________________________
Other related articles:
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – Data Protection – Privacy Shield Approved
- SaaS Agreements – FAQs – Prism
- SaaS Agreements – Data Protection – Prism and US Laws
- SaaS Agreements – Data Protection – Microsoft must disclose data on EU server
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – FISA customer concerns
- SaaS Agreements – Data Protection – HIPAA
- SaaS Agreements – Data Protection – Cyber Security Issues
- SaaS Agreements – Data Protection – Recent ICO Fines
- SaaS Agreements – Data Protection – Sub-Contractors, Model Clauses
- SaaS Agreements – Data Protection – Liability for Loss of Backup Tapes
- SaaS Agreements – Data Protection – Anonymising Data
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Policies and Procedures
- SaaS Agreements – Data Protection – German Customers and Data Processing Agreements
- SaaS Agreements – Data Protection – Safe Harbor, German Customers
- SaaS Agreements – Data Protection – Customer Privacy Policies
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 2
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 1
- SaaS Agreements – Data Protection – IT Security Requirements