On the 16th of July 2020 the EU-US Privacy Shield was ruled invalid with immediate effect by the European Court of (“CJEU”). The steps that SaaS suppliers now need to take depend on the scale and type of international data flows and the transfer mechanisms used. If you rely solely upon the EU-US Privacy Shield for transfers to the US, you must replace the Privacy Shield with the EU Commission’s Standard Contractual Clauses (“SCCs”).Continue reading
As a SaaS Supplier or SaaS customer you will be aware that the UK plans to leave the EU on the 29th of March 2019 – Brexit. In light of the various leaving scenarios currently being discussed of which a “no deal Brexit” is looking likely, it is essentail that SaaS suppliers and SaaS customers take steps now to ensure that they can continue to lawfully process and transfer personal data between the EU and the UK following Brexit.Continue reading
Under EU and UK data protection laws, UK SaaS suppliers are lawfully permitted to transfer personal data of SaaS customers located in the EU to any country within the EEA. From the 30th of March 2019, when the UK leaves the EU (“Brexit Date”), the UK will no longer be part of the EEA and will become a “third country” for data protection purposes, just like the USA.
The European Commission recently confirmed in a Notice that on the Brexit Date, UK based SaaS suppliers can no longer lawfully transfer personal data of SaaS customers located in the EU (i.e. in France, Germany, Spain etc.) to the UK,Continue reading
SaaS suppliers and SaaS customers are becoming increasingly concerned about the effect of “Brexit” upon the terms of their existing SaaS agreements, particularly where contracts are subject to English law or SaaS suppliers or customers are located within the UK. Below is a summary of the main issues that SaaS suppliers need to be aware of that may result in problems arising now or in the future with the terms of their existing SaaS agreements.Continue reading
Once the UK leaves the EU, the UK will no longer be a member of the EEA. UK SaaS suppliers will no longer be lawfully permitted to continue to transfer personal data of EU SaaS customers to the UK unless the UK government, or alternatively SaaS suppliers themselves, put in place measures to make the transfer legal under EU data protection laws.Continue reading
SaaS suppliers and SaaS customers are increasingly relying upon the use of EU model clauses to enable them to lawfully export personal data outside of the EEA following the invalidity of Safe Harbor in 2016 and the current implementation of the EU-US Privacy Shield (which replaces Safe Harbor). SaaS customers often try to amend the terms of the EU model clauses when negotiating the SaaS agreement with the SaaS supplier. This can result in the EU model clauses being invalid as they do not provide adequate protection for the data transfer.
SaaS suppliers should therefore be aware of the risks of agreeing to any changes to EU model clause and know which changes are, and are not, permitted to ensure that they are not in breach of data protection laws.Continue reading
Similar to the rules under the Safe Harbor scheme, SaaS customer and SaaS suppliers need to self-certify their compliance with the principles of the Privacy Shield. The following are the core principles which must be adhered to.
Notice must be given to data subjects about specific issues;
Choice to opt out of disclosure of data to third parties;
Accountability for onward transfer to third parties;
EU data protection law prohibits SaaS suppliers and SaaS customers from transferring personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. Below is a summary of the current position following the recent announcement that the EU-US Privacy Shield has been adopted by the EU Commission and will now replace Safe Harbor.Continue reading
EU model clauses are standard data processing agreements that have been approved by the EU Commission as providing adequate protection. There are currently two sets of standard contractual clauses for transfers of personal data between data controllers and one set for transfers between a data controller and a data processor. EU model clauses must be used unamended (other than where specific details may be added, as set out in the notes to the clauses).
Where personal data is transferred from:
a data controller in the EU (SaaS customer) to a data processor outside of the EEA (SaaS supplier); or
a SaaS supplier within the EU to a sub-processor located outside of the EEA;
the SaaS supplier will need to enter into EU model clauses with the SaaS customer or SaaS sub-processor, as applicable.Continue reading
A new privacy agreement called the Privacy Shield has been agreed by the US and EU to replace the safe harbour scheme. The Privacy Shield is based upon safe harbour but has additional protections, particularly with regard to public authority access to personal data. The Privacy Shield must now be reviewed by the European Commission before it can be relied upon and adopted by SaaS suppliers or customers. The European Commission is currently assessing whether or not the Privacy Shield provides adequate protection in accordance with EU data protection laws. This process is expected to take up to 3 months.Continue reading