Designing your SaaS solution in compliance with data protection regulations as a US company!

In its judgment of July 16, 2020 (Case C311/18), the European Court of Justice declared the European Commission’s Decision 2016/1250 on the transfer…

In its judgment of July 16, 2020 (Case C311/18), the European Court of Justice declared the European Commission’s Decision 2016/1250 on the transfer of personal data to the United States (Privacy Shield) invalid. At the same time, the ECJ found that Commission Decision 2010/87/EC on standard contractual clauses remains valid in principle.

As a result of this decision, it is now questionable whether and under what circumstances a US company can offer a SAAS solution in Europe or, more precisely, whether someone in Europe can use the SaaS solution of a US provider without committing a breach of data protection by using it.

What are the consequences of the decision according to the current state of discussion?

The decision deprived more than 5,300 registered companies as processors of the legal basis for transferring and receiving data. The main justification for this is that data transferred to the USA can be processed by the authorities there for the purposes of public security, national defense and national security. As an alternative, there are now only the standard contractual clauses as regulated in Decision 2010/87/EU of 05.02.2010. Theoretically, these can still be used, but only if the level of protection of the GDPR can be guaranteed during and after the transfer by the processor based in the USA. This is unlikely to be the case, at least for unencrypted data and for companies that are not 100% independent of a US company under group law.

Simply maintaining a server in the European Union, at least without encrypting the data, is probably not enough.

Following the ruling, the supervisory authorities will, indeed must, press for the standard contractual clauses to be adapted in line with the ruling. However, it is to be expected that processors will not be able to guarantee the GDPR level of protection due to the far-reaching powers of the US authorities under Section 702 of the Foreign Intelligence Surveillance Act. The transfer of data to the USA is therefore not permitted. According to the ECJ ruling, national authorities are even obliged under Art. 58 (2) f) and j) GDPR to suspend or prohibit data traffic with the USA and to impose heavy fines in the event of a violation. Non-European companies that want to process data from Europeans, be it in the area of streaming, cloud, data processing, etc., will have a hard time. Those who process customer data directly may have three options, but all of them will be difficult to implement.

  1. Customers can be fully informed about the circumstances where and which data is processed and which persons and authorities in the USA have access to this data, possibly even if this data is stored on European servers. As this customer consent may not be hidden in general terms and conditions and must be comprehensive, this is likely to be at least a major competitive disadvantage.
  2. Data can be fully encrypted. And “end to end”. The future will show to what extent this is technically possible, e.g. for streaming solutions etc., where not only the person who uploads the data has access again. It is clear that US providers will require extensive technical updates, adjustments to server structures, legal adjustments and possibly also adjustments to business models.
  3. The data of Europeans may only be processed by companies that are involved in the transfer of data to a US company under group law or by contract. If at all, providers must establish independent European subsidiaries that are only linked to the US company via profit transfer or license agreements, for example. The extent to which this is practicable for the majority of US providers is difficult to assess.

So what do providers who transfer data to the USA need to do?

The opportunity for a competitive advantage

Even if the ECJ, as an independent judicial body, cannot be assumed to have political intentions, this ruling and the situation can be a great opportunity for a SaaS provider to change its corporate structure and/or business concept in such a way that the above-mentioned points are fulfilled. This would represent a major competitive advantage over all other providers and would also be a great opportunity for marketing, growth and a highly interesting investment case.

The Federal Data Protection Commissioner has also brought into play options for simple data storage such as pseudonymization or the use of trustees who process data on behalf of US companies and who do not have to grant access to US security authorities. As this will take a long time to implement for larger providers, there are enormous opportunities here for smaller, agile providers.

I have and can provide comprehensive advice on these issues and help US providers to create the corporate and other contractual foundations to take advantage of this opportunity.

Simply contact me without obligation and let’s find out how I can help you to offer your own SaaS solution in Germany in a legally compliant manner!