SaaS Agreements – Data Protection – Safe Harbor Still Adequate

Recently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.


Under current EU data protection laws, SaaS suppliers cannot send personal data outside of the EEA (the 28 EU member states plus Norway, Iceland and Liechtenstein) unless adequate protections have been put in place or where the destination country is pre-approved as having adequate data protection. Only the following countries are pre-approved and recognised as having adequate protection: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and Japan.

EU Position

Last year the Article 29 Working Party, a EU privacy body, claimed that SaaS customers based in the EU needed to see actual evidence that US SaaS suppliers (and/or SaaS suppliers using data centres in the US) complied with safe harbor standards. They claimed it was not enough for SaaS customers to simply rely on the fact that a SaaS supplier was registered under the safe harbor scheme.

ITA Position

The ITA disagrees with the above position. The ITA points out that the same rules apply to all SaaS suppliers under EU data protection laws regardless of whether or not they are located within the EEA, an ‘adequate’ country or are safe harbor registered. As the safe harbor framework is binding on all countries within the EEA additional requirements cannot be imposed exclusively on US SaaS suppliers (and/or SaaS supplier using data centres in the US).

Additionally, safe harbor SaaS suppliers (and/or SaaS suppliers using data centres in the US) are not obliged to use the EU model clauses in order to be recognised as adequate, as these are simply for use as an alternative approach to safe harbor. Moreover, they were specifically designed to address the adequacy requirement where safe harbor is not an option.

Additional Requirements

The ITA accepted that US SaaS suppliers (and/or SaaS suppliers using data centres in the US) must enter into a basic processing agreement with SaaS customers (which could form part of the SaaS agreement) but only to ensure that the SaaS supplier has sufficient instructions regarding use of the personal data. This requirement applies to all SaaS suppliers.

Additional requirements could only be imposed if these were required under other applicable laws. For example, under the Markets in Financial Instruments Directive (MiFID) if a US SaaS supplier (and/or SaaS supplier using data centres in the US) enters into a SaaS agreement with a SaaS customer who is providing financial services the terms of the SaaS agreement must guarantee the SaaS customer physical access to the US premises at which data is being processed.


SaaS suppliers who have SaaS customers querying their “adequacy” and compliance with EU data protection laws can use the ITA document to confirm that safe harbor registration does provide “adequate” protection. Along with the terms of the SaaS agreement, which will include specific data processing obligations, SaaS customers should be satisfied that processing in the US under safe harbor is adequate.

In addition, the European Commission has indicated that safe harbor will continue to be deemed “adequate” in the final version of the new proposed EU Data Protection Regulation.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

To register for my newsletter click here


Other related articles: