SaaS Agreements – Terms and Conditions – Safe Harbor Adequacy

European data protection authorities have recently raised serious reservations about the effectiveness of the safe harbor scheme and its ability to protect SaaS customer data to the same standard as European data protection laws. If you are a SaaS supplier and are considering using, or already use, a company located in the US to provide part of your SaaS services, e.g. for hosting, you should be aware of the existence and limitations of the safe harbor scheme.

What is Safe Harbor?

Safe Harbor allows an EU based SaaS supplier to lawfully transfer SaaS customer data concerning EU individuals to a sub-contractor located in the USA (usually a data centre), provided that the US sub-contractor has signed up to the principles of the safe harbor scheme.

Safe Harbor Registration

Safe harbor is a voluntary scheme and no company located in the USA is obliged to register. Companies choose to sign up to the safe harbor scheme by notifying the U.S. Department of Commerce that:

  • they have committed to comply with the safe harbor principles in their privacy statement; and
  • they agree to self-certify annually (to the Department of Commerce) that they comply with the principles.

EU Concerns

In light of the recent Prism revelations, national EU data protection authorities have voiced growing concerns about the adequacy of the safe harbor scheme. On 27 November 2013, the EU Commission published its own concerns about the scheme. The Commission made the following 13 recommendations, which should apply to all safe harbor registered companies:

Companies should:

  • publicly disclose their privacy policies;
  • always include a link to the Department of Commerce Safe Harbor website in their privacy policy;
  • publish the privacy conditions of any contracts concluded with sub-contractors, e.g. cloud computing services;
  • clearly flag on the Department of Commerce website all of their group companies which are not members of the scheme.

  • privacy policies should include a link to the named alternative dispute resolution (ADR) provider;
  • ADR should be readily available and affordable;
  • the Department of Commerce should monitor ADR providers more systematically.

  • following certification/recertification, a certain percentage of companies should be investigated for compliance with their privacy policies;
  • if found to be non-compliant, the company should be subject to a follow-up investigation after 1 year;
  • the competent EU data protection authority should be informed of doubts about a company’s compliance or any pending complaints;
  • false claims of safe harbor adherence should be investigated.

Access by US Authorities

  • privacy policies should include information on the extent to which US law allows public authorities to collect and process data transferred under the safe harbor scheme, in particular indicating when exceptions apply, i.e. to meet national security, public interest or law enforcement requirements;
  • the national security exception should only be used to the extent that it is strictly necessary and proportionate.

In light of the above, and of rising SaaS customer awareness of the limitations of safe harbor, if you are a SaaS provider using a sub-contractor based in the US you should include additional provisions in the terms of your SaaS agreement to cover the above concerns. You should ensure that you are granted the right to check your sub-contractor's actual compliance with its safe harbor obligations, for example by adding the right to audit compliance with the provisions of its privacy statement.

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years' experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

Speaker at the Berlin CloudConf 2013.