SaaS suppliers should be aware of the relevant US laws when outsourcing SaaS services (data storage and hosting) to US companies or to companies located in the USA. SaaS customers are becoming increasingly concerned about outsourcing to the USA following media reports about “Prism”, namely that the National Security Agency (NSA) accesses personal data stored on the servers of Microsoft, Apple, Google, Yahoo, Facebook and a few other major US public companies. Below is a summary of the US laws that SaaS suppliers most need to be aware of.
FISA (Foreign Intelligence Surveillance Act)
If you outsource any SaaS services to a US public company the US government can access SaaS customer data pursuant to FISA.
FISA allows the US government to access and monitor the personal data of non-US citizens (located outside of the USA) held by US public cloud providers (e.g. Amazon or Google). Public cloud providers must secretly provide all assistance, facilities and information requested by the government if it requests access to SaaS customer data. The public cloud provider is not permitted to inform the SaaS supplier that it has disclosed, or been asked to disclose, personal data, nor that the data is being monitored.
The Patriot Act
If you are a SaaS supplier owned by a US parent company, or you outsource any SaaS services to a US-located data centre or a US-based company, US law enforcers can access SaaS customer data pursuant to the Patriot Act.
The Patriot Act gives US law enforcement authorities the right to access personal data held by SaaS suppliers, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent SaaS suppliers from informing their customers that they have handed over personal data. The Act applies not just to SaaS suppliers owned by a US company but also to any SaaS supplier using the services of a US subsidiary for data processing, e.g. a US data centre.
Under the provisions of the US Patriot Act and FISA, the personal data of SaaS customers based in the EU must be shared with US law enforcers without the customer being informed, even though this conflicts with English and EU data protection law. If you are concerned about the implications of this, you should seek legal advice on how to minimise the risk to your customers’ data.
In light of the above, it is important that SaaS suppliers ensure they are aware of the extent of any US laws they will be subject to when:
- contracting with US SaaS customers; or
- outsourcing SaaS services to companies linked to or based in the USA; or
- they have a parent company based in the USA.
SaaS suppliers should have procedures and measures in place to deal with any applicable US laws. These procedures need to be set out clearly in the terms of the SaaS agreement with the customer, bearing in mind the supplier’s mandatory obligations to comply with US laws.