European data protection authorities have recently raised serious reservations about the effectiveness of the safe harbor scheme and its ability to protect SaaS customer data to the same standard as European data protection laws. If you are a SaaS supplier and are considering using, or already use, a company located in the US to provide part of your SaaS services (e.g. hosting), you should be aware of the existence and the limitations of the safe harbor scheme.
What is Safe Harbor?
Safe Harbor allows an EU based SaaS supplier to lawfully transfer SaaS customer data concerning EU individuals to a sub-contractor located in the USA (usually a data centre operator), provided that the US sub-contractor has signed up to the principles of the safe harbor scheme.
Safe Harbor Registration
Safe harbor is a voluntary scheme and no company located in the USA is obliged to register. Companies choose to sign up to the safe harbor scheme by notifying the U.S. Department of Commerce that:
- they have committed to comply with the safe harbor principles in their privacy statement; and
- they agree to self-certify annually (to the Department of Commerce) that they comply with the principles.
In light of the recent PRISM revelations, national EU data protection authorities have voiced growing concerns about the adequacy of the safe harbor scheme. On 27 November 2013, the EU Commission published its own concerns about the scheme and made 13 recommendations to be applied to all safe harbor registered companies, summarised below:
- publicly disclose their privacy policies;
- publish the privacy conditions of any contracts concluded with sub-contractors, e.g. cloud computing services;
- clearly flag on the Department of Commerce website all of their group companies which are not members of the scheme;
- privacy policies should include a link to the named alternative dispute resolution (ADR) provider;
- ADR should be readily available and affordable;
- the Department of Commerce should monitor ADR providers more systematically;
- following certification/recertification, a certain percentage of companies should be investigated for compliance with their privacy policies;
- if found to be non-compliant, the company should be subject to a follow-up investigation after 1 year;
- the competent EU data protection authority should be informed of doubts about a company’s compliance or any pending complaints;
- false claims of safe harbor adherence should be investigated;
Access by US Authorities
- privacy policies should state the extent to which US law allows public authorities to collect and process data transferred under the safe harbor scheme, in particular when exceptions apply, e.g. to meet national security, public interest or law enforcement requirements;
- the national security exception should only be used to the extent that it is strictly necessary or proportionate.
In light of the above, and of rising SaaS customer awareness of the limitations of safe harbor, if you are a SaaS provider using a sub-contractor based in the US you should include additional provisions in the terms of your SaaS agreement to cover these concerns. Make sure that you are granted the right to check your sub-contractor's actual compliance with its safe harbor obligations, for example by adding a right to audit its compliance with the provisions of its privacy statement.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with SaaS, ASP or software on demand contracts, or any other IT legal issues, contact me.
Speaker at the Berlin CloudConf 2013.