SaaS suppliers who use data centres physically located in the USA to store or process data should be aware of a recent US Court of Appeals ruling that the Electronic Communications Privacy Act (ECPA) – an American law – protects the data of non-USA citizens when their data is stored on servers in the USA.
Suzlon Energy Ltd
A Korean firm, Suzlon Energy Ltd, applied for a court order requiring Microsoft to disclose email documents belonging to an Indian citizen. The emails were stored on a server used by Microsoft and located in the USA. Suzlon argued that the emails should be disclosed as part of a litigation process because the privacy protections of the ECPA only applied to the data of US citizens.
The US court determined that the ECPA covered “any person” and not just a US citizen. Part of the reason for this was the impracticality of expecting Microsoft to assess whether or not its account holders were US citizens, when receiving a disclosure request. The court decided that the ECPA applied to any data stored in the USA, regardless of the citizenship of the owner of the data.
Increased Protection for EU Customer Data?
Following this decision, any SaaS customer data stored in the USA will be protected by the provisions of the ECPA, regardless of the citizenship of the data owner, and must not be disclosed as part of a US litigation process. This decision may help to alleviate some of the concerns being raised by SaaS customers in Europe about the inadequacy of data protection provisions in the USA. However, if the server on which the SaaS customer’s data is stored is physically located outside of the USA, the data will not be protected by the ECPA.
On a practical level, SaaS suppliers will need to know exactly where each customer’s data is geographically stored in order to correctly respond to disclosure requests and to determine whether or not such a request can be rejected under the provisions of the ECPA.
Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector.