Recently SaaS suppliers have seen a marked increase in EU customers raising concerns about disclosure of their data to US law enforcement authorities under the Patriot Act, an American anti-terrorism law, particularly where the SaaS supplier has a parent company in the USA or where data is hosted or processed in the USA.
High Profile Cases
Microsoft recently admitted that, under the terms of the Patriot Act, United States law enforcement authorities can access its European customers' data without Microsoft having to obtain a court order, ask for consent or even inform the data subjects of the disclosure. To add to SaaS suppliers' worries, it is believed that BAE recently withdrew from contract negotiations for a Microsoft SaaS product because of fears that defence secrets could be accessed by the US authorities under the Act.
The recent publication of the proposed new EU data protection regulation has also added to customer fears that data is not safe from disclosure under the Patriot Act. The proposed regulation attempts to counter the application of the Patriot Act by stating that non-EU companies will have to comply with EU data protection rules when processing the personal data of EU citizens.
The Patriot Act v European Data Protection Laws
The provisions of the Patriot Act conflict directly with English and EU data protection laws.
The Patriot Act gives US law enforcement authorities the right to demand personal data held by SaaS suppliers that are subject to US jurisdiction, regardless of where in the world the data is stored. The Act also allows US law enforcers to prohibit a SaaS supplier from informing its customers that it has had to hand over their personal data.
The data protection laws of the 27 EU member states, all of which implement Directive 95/46/EC, prohibit the disclosure of personal data without the data subject's consent or knowledge unless an exemption in the member state's own law applies; a request made under a foreign law is not such an exemption.
Therefore, if an EU company is faced with a Patriot Act disclosure request, it cannot comply with both the US law and its local data protection law. In practice the US law usually prevails. Some of the largest global software and search engine companies have admitted that they have already disclosed EU customer data as a consequence of requests under the Patriot Act.
The Cloud is not the Problem
SaaS customers often wrongly believe that their data is exposed to disclosure because of the cross-border nature of cloud computing. However, the problem applies to all data, whether or not it is stored or processed in a SaaS model. Most countries (the UK, France, Spain and Belgium, to name a few) have laws similar to the Patriot Act with which everyone, not just SaaS suppliers, must comply. In the UK, for example, the Regulation of Investigatory Powers Act 2000 (RIPA) requires the disclosure of the content of communications to police forces.
Data stored or processed outside the EEA in a country that does not offer equivalent protection, such as China or India, is also subject to that country's disclosure laws, and those laws may be broader than the Patriot Act in the types of data that must be disclosed.
In any event, regardless of whether the Patriot Act applies to customer data, the US authorities can obtain customer data under Mutual Legal Assistance Treaties (MLATs) even where the data is hosted outside the USA and the supplier has no presence in the USA.
Assessing the Actual Risk of Disclosure
SaaS customer concerns about the Patriot Act are valid, but they must be weighed against:
- The type of data that could be covered by a request for disclosure under the Patriot Act;
- The likelihood of the customer's data ever being requested; and
- The fact that the customer's data is already subject to similar disclosure obligations to the UK government and to foreign governments under other existing laws.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with SaaS, ASP or software-on-demand contracts, or any other IT legal issues, contact me.