SaaS Agreements – Data Protection – Which law applies?

UK SaaS suppliers who provide cloud computing services to SaaS customers located outside of the UK are increasingly being required to comply not just with UK data protection law, but also the data protection laws of the countries in which the SaaS customer and its clients are based. This increasingly creates problems for SaaS suppliers, as data protection laws generally assume that data is stored/processed in one place. However when operating in the cloud data is often moved between jurisdictions and it may be unclear exactly where data is being stored or processed and who is storing and processing it.

Two recent cases involving Facebook and Google show the extent of this developing problem.


In February 2014, Facebook, a US owned company, with its European headquarters in Ireland, was ordered to comply with German data protection law. A German court ruled that Facebook must comply with German data protection law before sending emails to German individuals i.e. by obtaining consent even though the processing of the German personal data was carried out by the Irish company.

The German court took the view that Irish data protection law did not apply, as although Facebook had its European headquarters in Ireland, a EU country, the US parent company Google Inc. controlled the processing and was the data controller. Even though the US parent company was located outside of the EU, as it was using ‘equipment’ situated in a EU country to process the personal data i.e. setting cookies on the devices of German users, the national data protection laws of Germany applied.


The European Court of Justice (ECJ) ruled in May 2014 that Google Spain, a Spanish subsidiary of the US parent company Google Inc, must comply with Spanish data protection law when processing Spanish user data, as the Spanish entity was “established” in the EU. Google had argued that because the processing of Spanish user’s personal data was carried out by the US parent company, EU data protection law did not apply.

The ECJ disagreed, arguing that Google Inc had set up a subsidiary in Spain which directed its activities towards Spanish citizens and therefore Spanish data protection law applied, even though Google Inc. was located in the USA.

EU Data Protection Directive

Both of the above cases are based upon the application of EU data protection law (Directive 95/46/EC), to companies who:

  • process personal data;
  • are a data controller; and
  • have an establishment, or use equipment in, a member state of the European Union.

Where a SaaS customer fulfils the above criteria, it will be subject to EU data protection law (and effectively the locally applicable national data protection law of the country in which the user whose personal data is being processed is based).


SaaS suppliers should be aware that the application of different national data protection laws in the cloud is primarily the problem of a SaaS customer – who is the data controller. However this becomes an issue for the SaaS supplier where the SaaS customer attempts to pass on its cross border data protection obligations to the SaaS supplier within the terms of the SaaS agreement.

Such obligations are usually disguised in the terms of the SaaS agreement by reference to the SaaS supplier complying with „all applicable laws“ or more specifically to the specific data protection laws of named countries. Such terms should not be agreed to, unless the SaaS supplier is:

  • aware of the obligations and penalties imposed by such data protection laws; and
  • sure of its ability to comply with such obligations.


Irene Bodle is an IT lawyer specialising in SaaS agreements with over 15 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.

To register for my newsletter click here


Other related articles: