SaaS Agreements – Data Protection – The Future of Safe Harbor

All SaaS customers and SaaS suppliers should be aware that Court of Justice of the European Union (CJEU) is to provide a decision on the adequacy of safe harbor and the legality of transferring the SaaS customer data from the EU to the US under the current safe harbour scheme.

What is Safe Harbor

EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Safe harbor is a self-certification standard operated by the US Department of Commerce and enforced by the Federal Trade Commission.

Safe harbor does not protect SaaS customer data against secret access by US authorities. Safe harbor just means that a US company registered under the safe harbor scheme is deemed to have data protection principles in place which are accepted in the EU as being adequate. Safe harbour therefore allows SaaS customer data to be legally transferred outside of the EU to the US. i.e. to be processed in a US data centre or accessed by a US parent company of an EU subsidiary.

Facebook Complaint

Following the Snowden revelations about mass surveillance by the US authorities of data held by US companies, an Austrian individual filed a complaint with the Irish Data Protection Commissioner against Facebook. The claimant alleged that Facebook Ireland had breached EU data protection laws when transferring his personal data to servers located in the USA. The complaint was based upon the fact that the USA does not offer any real protection to EU citizen’s against state surveillance of their personal data i.e. that safe harbour did not provide adequate protection.

Preliminary Opinion of AG

The issue was referred to the CJEU. On the 23rd of September 2015 Attorney General Bot (AG) issued a non-binding AG Bot opinion 23.09.2015 recommending that the CJEU make the following findings in their final decision in this case.

Despite the existence of Commission Decision 2000/520, in which the Commission accepts that safe harbour provides adequate protection, the AG believes that national supervisory data protection authorities (DPAs) should be permitted to:

  • investigate a complaint that safe harbor does not ensure an adequate level of protection; and
  • where appropriate, suspend the transfer of that personal data.

Further, the AG believes that Commission Decision 2000/520 on the adequacy of the protection provided by safe harbor should be declared invalid, as EU individuals do not have sufficient rights to challenge requests made to US companies by the US authorities to access their personal data.

Future of Safe Harbor Unclear

AG opinions are not binding and the final judgment of the CJEU can be significantly different from the AG’s opinion. The CJEU chooses whether or not to follow AG opinions when they make a binding ruling in each case. Statistically the CJEU agrees with the AG in most cases, however historically this is not necessarily the cases which involve highly political topics.

In any event, if SaaS suppliers are safe harbour registered or export SaaS customer personal data to a safe harbor registered US company the legality of such transfers is now unclear.

SaaS suppliers should bear in mind that:

  • the adequacy of safe harbor has been questioned by various national DPAs over the last 12 months;
  • the EU and USA are already involved in on-going negotiations about the shortcomings of the safe harbor scheme;
  • the draft new EU data protection regulation may regulate export of data from the EU to the USA; and
  • if the CJEU follows the AG’s opinion this could result in DPAs enforcing safe harbor differently in their own jurisdictions.

Act Now or Wait

The CJEU has announced in a very unusual move, that it will provide its final decision in this case on the 6th of October 2015. Usually a decision is made 3 – 6 months after the AG’s opinion has been delivered.

Any SaaS suppliers or SaaS customers who are involved in the transfer of personal data from the EU to the USA should consider now whether other grounds for transfer are available.

For example:

  • by signing EU approved model transfer contract clauses; or
  • obtaining specific consent to the transfer to the USA from data subjects.

It remains to be seen whether the Court follows the AG’s opinion in the next few days.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.

To register for my newsletter click here


Other related articles: