In light of recent and ongoing “prism” revelations, SaaS suppliers are having to deal with numerous queries about the safety of SaaS customer data. Many customers mistakenly believe that by using a non-US data centre their SaaS customer data is protected against disclosure to the US authorities. Below is a summary of the relevant laws and most common concerns being raised by SaaS customers.
What is Prism?
“Prism” refers to the National Security Agency (NSA) secretly accessing personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and some other major US public companies.
Prism, FISA and the Patriot Act
Prism is not the only problem. The US government has been secretly accessing SaaS customer data for years under the Foreign Intelligence Security Act (FISA) and the Patriot Act. Prism is just part of the whole range of tools that are being used by the US to access SaaS data of EU citizens.
What is FISA?
FISA allows the US government to access and monitor the personal data of non-US citizens (located outside of the USA) held by US public cloud providers. Public cloud providers such as Amazon and Google must secretly provide all assistance, facilities and information requested by the government if they request access to SaaS customer data. The public entity is not allowed to inform the SaaS supplier that it has disclosed or been asked to disclose personal data, nor that the data is being monitored.
The Patriot Act
The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS suppliers using the services of a US company i.e. a US data centre.
Safe Harbor does not protect SaaS customer data against secret access by the US authorities. Safe harbor, simply means that a US company registered under the “safe harbor” scheme is deemed to have data protection principles in place which are accepted in the EU as being adequate. This simply allows SaaS customer data to be legally transferred outside of the EU i.e. to be processed in a US data centre.
Many SaaS customers falsely believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. Under the Patriot Act, FISA (and “prism” where applicable) the personal data of SaaS customers based in the EU must be shared with US law enforcers without the customer being informed, even though this conflicts with the EU Data Protection Directive and the data protection laws of the 28 EU member states.
Local EU data protection authorities and EU member state governments are currently investigating how to resolve this conflict, for example by adding provisions preventing disclosure in the draft proposed EU data protection regulation. While the position remains unresolved, SaaS suppliers should be considering how to minimise the risk this poses to their business model, whilst assuring SaaS customers that their concerns are being addressed.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:
To register for my newsletter click here
Other related articles:
- SaaS Agreements – Essential Elements
- SaaS Agreements – Essential Elements – SLAs Explained
- SaaS Agreements – FAQs – EU Model Clauses
- SaaS Agreements – Data Protection – Microsoft must disclose data on EU server
- SaaS Agreements – Data Protection – The Patriot Act
- SaaS Agreements – Data Protection – FISA customer concerns
- SaaS Agreements – Data Protection – HIPAA
- SaaS Agreements – Data Protection – Safe Harbor Still Adequate
- SaaS Agreements – Data Protection – Cyber Security Issues
- SaaS Agreements – FAQs – Disaster Recovery
- SaaS Agreements – Data Protection – Recent ICO Fines
- SaaS Agreements – Data Protection – Sub-Contractors, Model Clauses
- SaaS Agreements – Data Protection – Liability for Loss of Backup Tapes
- SaaS Agreements – Data Protection – Anonymising Data
- SaaS Agreements – Data Protection – Transfer of Data Outside the EEA
- SaaS Agreements – Data Protection – Policies and Procedures
- SaaS Agreements – Data Protection – German Customers and Data Processing Agreements
- SaaS Agreements – Data Protection – Safe Harbor, German Customers
- SaaS Agreements – Data Protection – Customer Privacy Policies
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 2
- SaaS Agreements – Data Protection – New Proposed EU Rules Part 1
- SaaS Agreements – Data Protection – IT Security Requirements