SaaS and EU legislation: What you need to know

Here is a summary of the legislative and regulatory issues that European firms need to consider when choosing a SaaS provider.
Written by Nick Heath, Contributor

When choosing a SaaS provider, companies need to put in place many of the same checks and balances they would if they were handing an IT operation to an offshore service provider.

Generally, when a European company signs up to a cloud service it is the company, rather than the SaaS provider, that is responsible for how the provider handles its data. Because of the potential uncertainty over how and where the SaaS provider will store data, there is the potential for the supplier to put customers in breach of national or European-wide regulations, which stipulate tight controls on processing data outside of the EU.

Under the 1995 European Data Protection Directive, which has been transposed into national law in the 27 EU member states, the transfer of personal data outside of the European Economic Area (EEA) — the countries of the European Union plus Iceland, Liechtenstein and Norway — is prohibited unless certain conditions are met. By transfer the directive means that data will be handled in some way in the non-EEA country; merely transporting data via these countries is permitted.

The directive defines personal data as "any information relating to an identified or identifiable natural person". This broad definition can encompass a wide range of information about a person, such as their name, address, IP address or credit card details.

Treat cloud like outsourcing
"With cloud computing companies often do not realise they should take the same precautions as they do when outsourcing," said Patrick van Eecke, partner in the technology, media and commercial department of law firm DLA Piper, who specialises in work relating to cloud computing.

Personal data can be transferred outside the EEA if it is being handled in a country that is on the European Commission's (EC) list of countries or territories that provide adequate protection for personal data. These countries are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. More information can be found on the European Commission's website.

The US is not included on the EC list of approved countries, but data can be transferred to American companies that have signed the Safe Harbor agreement, which requires them to follow seven principles of information handling under the oversight of the Federal Trade Commission.

If a country is not on the EC list of approved non-EEA countries, there are additional steps that companies or service providers can take to provide adequate safeguards for personal data and allow it to be transferred. These include using European Commission-approved model contractual clauses for the transfer of data. In the UK the 1998 Data Protection Act also allows companies to transfer data to a non-EEA country if they have satisfactorily conducted their own adequacy assessment of the relevant non-EEA country or have their Binding Corporate Rules approved by the Information Commissioner.
In addition to these measures, firms considering SaaS that want to avoid falling foul of data protection laws generally need to demonstrate that they have assessed the security of the provider and stipulated measures to protect any personal or other sensitive data handled by the provider. These measures can include asking the provider for a third-party assessment of its security, asking for data to be encrypted in transit, checking the provider's data retention and destruction policies, setting up audit trails for data, and obtaining details of any third-party firms with which the provider may share the data.

Firms also need to consider more than just data protection legislation when adopting SaaS. National laws relating to financial legislation in EU countries restrict where businesses are able to store financial information. For example, European companies will typically need to retain electronic invoices for five to ten years, and under amendments made by European Council directive 2010/45/EU, this information must be stored on servers either in the firm's home country or in a neighbouring EU country that provides access to the relevant tax authorities.

European data protection legislation is also being revised, and on the basis of draft documents it appears the forthcoming European Data Protection Regulation will be more restrictive than the current directive.

The proposed regulation would apply restrictions on the handling of personal data to a wider range of companies than the existing data protection directive. While restrictions under the 1995 directive only apply to European companies or service providers processing personal data within the EU, the proposed regulation would apply these restrictions to any company handling personal data relating to people living within the EU.

Specific rules in the data protection regulation would also be stricter: privacy impact assessments would be obligatory and companies would have to appoint a data protection officer. Sanctions for breaching data protection rules would also be strengthened, with companies facing a maximum fine of two per cent of their annual turnover for breaches.

Replacing the data protection directive with a data protection regulation would also likely affect how stringently the laws were applied and enforced in Europe. European regulations are directly binding on member states, unlike European directives, which have to be transposed into national law, giving countries leeway in how they interpret the directive. However, some countries, like the UK, are lobbying for the revised data protection legislation to be a directive rather than a regulation.

Conflicting demands
Another difficulty for companies using American SaaS providers is complying with the conflicting demands of EU and US legislation, said van Eecke: specifically, fulfilling the requirements of the EU data protection rules while also being subject to the Patriot Act, which under certain conditions gives the US government the right to access data held by US companies.

"On the one hand you have very broad data protection legislation and on the other you have American companies which need to follow their own legislation, and it's very difficult to abide by both of them," said van Eecke.

Businesses, suppliers and governments in Europe are working together to find a balance between taking advantage of cloud services and protecting personal data. The recent EC Cloud Computing Strategy includes a pledge that the commission will work with cloud service providers to develop standard cloud service contracts that fit with EU regulation.

Meanwhile, cloud service providers are taking steps to offer services where data is not stored outside of the EU; for example, SaaS CRM provider Salesforce.com has committed to opening its first European datacentre.

As the SaaS market matures, it's becoming ever simpler to use these services without fear of flouting legislation, according to van Eecke.

"Throughout the years we have seen an evolution, the contracts have matured and different models have been established both on the customer and service provider's side," he said.