Data Protection Law considerations in SaaS Agreements


SaaS service providers face increasing obligations to comply with data protection laws. Data protection is regulated not only by the domestic legislation of the parent company's own country: where there are subsidiaries in other jurisdictions, the data protection law of each such state will also apply to the parent company.


Current data protection law presents a number of challenges to Software as a Service (SaaS) service providers and other cloud-related businesses. UK based SaaS providers are increasingly required to comply not just with UK data protection law under the Data Protection Act 1998 but also the data protection laws of the countries in which the SaaS customer is based.

Businesses selling software as a service must be aware of data protection laws to avoid regulatory breaches and the penalties that flow from compliance failures. Serious breaches of the Data Protection Act in the UK for example can incur fines of up to £500,000.

How Data Protection Laws Apply to SaaS Agreements

SaaS refers to licensing software under a service model in which the software is hosted by a provider and accessed over the internet. Put another way, the software is rented and available on demand, typically through a web browser for end-user applications, as opposed to the traditional model in which a user purchases a copy of the software. There is no limit to the software which may be offered as a service: databases and other backend functionality can also be licensed in this way. Google Drive, Google Mail, Dropbox and many other applications are licensed as a service. The advent of remote access platforms and smartphones means that SaaS is used by most internet users on a daily basis.

SaaS Services

Given that businesses, many of whom collect a range of personal data themselves, are increasingly reliant upon SaaS services, it is inevitable that software service providers end up controlling vast amounts of user data. That control comes with considerable responsibility in an age of industrialised online fraud and cybercrime.

Regulations governing SaaS Services

The EU Data Protection Directive (95/46/EC), as given effect by the domestic legislation of Member States of the European Union, makes clear that any company which processes or controls personal data is subject to EU data protection laws even if it only has an “establishment” or uses “equipment” in a Member State. Accordingly, a business which operates hardware in the EU is subject to the Directive, whether or not the business itself is operated from the EU. These rules present issues for companies, in particular technology companies operating in multiple countries. One of the key difficulties in monitoring and maintaining compliance with data protection law is that the data is often moved between jurisdictions, frequently to the central management of the enterprise, which is located outside the EU. It may be impossible to determine at a given moment who exactly is storing or processing data, or where it is stored, but this is not necessarily an impediment to the law being effective.

Application of Data Protection laws

Facebook, a US-owned company (although with a European HQ in Ireland), felt the effect of EU rules when it was ordered to comply with German data protection law and was forced to obtain consent prior to emailing German individuals. The US parent company, despite it being located outside of the EU, was using “equipment” situated in an EU country and the national data protection law of Germany applied.

As the rationale goes, common EU rules have been established ensuring personal data protection “everywhere in the EU”. In another example, Google was caught in a similar manner to Facebook: because its Spanish subsidiary was “established” in the EU, the US parent company's processing of the data had to comply with Spanish data protection law.

In both cases, the two technology companies, which have their central management located in the USA, have been required to comply with domestic legislation implementing an EU-wide Directive. In terms of SaaS, this may lead to compliance problems if differing sets of data protection laws apply at the same time.

Comment

Heightened consumer sensitivity over data protection and privacy means that there is a risk of bad publicity, loss of stakeholder confidence and litigation if a breach occurs. The recent release of pictures of naked celebrities stolen from Apple’s databases (which are SaaS-based services) is a case in point.

Insofar as SaaS customers are inclined to pass data protection issues on to SaaS suppliers via contract clauses requiring the supplier to “comply with all applicable laws”, suppliers should be aware of the basics of current data protection legislation, so that they are in a position to recognise when there might be a problem, and of the sanctions imposed by the Information Commissioner.

For specialist advice on data protection, professional drafting of data protection policies, manoeuvring through privacy legislation to get it right the first time, and SaaS services agreements, contact our London solicitors for assistance.




London lawyers

Drukker Solicitors
30 Fleet Street, London ECY4 1AA
020 7353 1770