SaaS Agreements – Data Protection – Data Stored in the USA

SaaS suppliers who use data centres physically located in the USA to store or process data should be aware of a recent US Court of Appeals ruling that the Electronic Communications Privacy Act (ECPA) – an American law – protects the data of non-USA citizens when their data is stored on servers in the USA.

Suzlon Energy Ltd

A Korean firm, Suzlon Energy Ltd, applied for a court order for Microsoft to disclose email documents belonging to an Indian citizen which were stored on a server used by Microsoft which was located in the USA. Suzlon argued that the emails should be disclosed as part of a litigation process because the privacy protections of the ECPA only applied to the data of US citizens.

The US court determined that the ECPA covered “any person” and not just a US citizen. Part of the reason for this was the impracticality of expecting Microsoft to assess whether or not its account holders were US citizens, when receiving a disclosure request. The court decided that the ECPA applied to any data stored in the USA, regardless of the citizenship of the owner of the data.

Increased Protection for EU Customer Data?

Following this decision any SaaS customer data stored in the USA will be protected by the provisions of the ECPA, regardless of the citizenship of the data owner and must not be disclosed as part of a US litigation process. This decision may help to alleviate some of the concerns being raised by SaaS customers in Europe about the inadequacy of data protection provisions in the USA. However, if the server on which the SaaS customer’s data is stored is physically located outside of the USA the data will not be protected by the ECPA.

On a practical level, SaaS suppliers will need to know exactly where each customer’s data is geographically stored in order to correctly respond to disclosure requests and to determine whether or not such a request can be rejected under the provisions of the ECPA.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To register for my newsletter click here

______________________________________________________

Other related articles: