SaaS Agreements – GDPR – EU-US Privacy Shield Invalid

On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).

Continue reading

SaaS Agreements – Data Protection – Microsoft Irish Data Centre Decision

Many SaaS customers are concerned whne using data centres which are owned by a US parent company i.e. Microsoft or Amazon, that even if their SaaS data is stored in a data centre located in the EU it will not be protected against disclosure to US authorities. The recent US court of appeal ruling won by Microsoft has confirmed the position, namely that SaaS suppliers and SaaS customers who use data centres located in the EU, owned by US companies, can prevent US authorities from accessing their data in some circumstances.

Continue reading

SaaS Agreements – Data Protection – Microsoft must disclose data on EU server

Many SaaS customers falsely believe that if their SaaS data is stored in a data centre located in the EU it will be protected against disclosure to the US authorities. This is incorrect. The recent US court ruling against Microsoft has confirmed the position, namely that SaaS suppliers and SaaS customers who use data centres located in the EU, owned by US companies, cannot prevent US authorities from accessing their data.

Continue reading

SaaS Agreements – Data Protection – Safe Harbor Still Adequate

Recently, the Department of Commerce’s International Trade Administration (ITA) – a US government body – published a document confirming that any SaaS suppliers based in the US (and/or SaaS suppliers using a data centre located in the US) who are “safe harbor” registered must be recognised as having an “adequate” level of data protection. The ITA rejected the view that EU data protection authorities can unilaterally refuse to recognise safe harbor certification as a valid means of demonstrating that a SaaS supplier based in the US (and/or SaaS suppliers using a data centre located in the US) has an adequate level of data protection.

Continue reading