Got EU Data?

Emerging tech companies take note – if you collect the personal data of European citizens from the United States, or otherwise transfer that data to the U.S., recent developments mean your legal obligations may change soon.

Background

Citizens of EU member states have an explicit right to privacy.  In practice, this means companies can transfer EU citizens’ personal data out of the EU only if the destination country has an adequate level of protection.

Historically, it has not been a problem to store EU citizen data in the United States.  Under an agreement between U.S. and EU regulators, which is often referred to as the “Safe Harbor,” a U.S. company could transfer that data to the U.S. by certifying to the U.S. Department of Commerce that it would adhere to European privacy principles.  The U.S. Federal Trade Commission, in turn, could bring enforcement actions against the company if it failed to comply.  More than 4,000 companies took advantage of the Safe Harbor to transfer data to the U.S., from Amazon and Google to emerging tech companies in the upper Midwest.

After Edward Snowden revealed that the U.S. government may have indiscriminately conducted mass surveillance of EU citizens’ personal data, an Austrian Facebook user complained to EU authorities that the U.S. lacked adequate protections. On October 6, 2015, the Court of Justice of the European Union ultimately agreed and invalidated the Safe Harbor framework.

Bad Alternatives

The ruling had an immediate impact on businesses of all stripes that relied on the Safe Harbor, particularly emerging tech companies.  They were left with a handful of bad alternatives –

  • keep the data in the EU – potentially expensive or unworkable;
  • obtain user consent or use model contract provisions – also potentially expensive or unworkable, especially for companies already processing data on behalf of existing business customers with an EU presence; or
  • leverage binding corporate rules – a time-consuming process ultimately requiring approval of EU data authorities.

Worse still, the Court of Justice of the European Union ruling implicitly called into question some of these alternatives.  Recognizing the problem, EU regulators gave themselves and their U.S. counterparts until January 31, 2016 to find an alternative.  This set off intense negotiations among regulators.

Privacy Shield

On January 28, 2016 the U.S. Senate Judiciary Committee approved a bill that would allow EU citizens to sue the U.S. government for privacy violations.  Just a few days ago, on February 2, the European Commission and the U.S. Department of Commerce announced the outline of a potential Safe Harbor replacement, dubbed the “Privacy Shield.”  According to the releases:

  • U.S. companies will have stronger obligations to protect personal data of EU member state citizens. Among other things, they will be required to comply with the decisions of the EU data protection authorities regarding personal data.
  • U.S. companies will remain subject to enforcement actions for privacy violations by the FTC, and EU privacy regulators will have the ability to refer complaints of EU member state citizens to the FTC.
  • If an EU citizen lodges a complaint regarding inappropriate activity by U.S. authorities, a new Ombudsperson at the U.S. State Department will review it.
  • Alternative dispute resolution for certain complaints will be made available for free.
  • The U.S. will commit not to indiscriminately conduct mass surveillance of EU citizens. U.S. guarantees regarding limits and oversight will be reviewed annually by the European Commission and the U.S. Department of Commerce.  U.S. national security agencies will be invited to participate in those reviews.

To Be Determined

The outline lacks many details that will prove vital to providing a meaningful and lasting legal alternative for U.S. technology companies.  Important outstanding questions include:

  • Will free alternative dispute resolution result in an increased number of complaints?
  • Will U.S. security agencies take up invitations to participate in annual reviews, and will those reviews be meaningful? If not, will the Court of Justice ultimately invalidate the Privacy Shield as it did the Safe Harbor?
  • Will the Privacy Shield be suspended if EU authorities conclude that the U.S. failed to comply with the Privacy Shield’s limits?
  • By when will the EU and U.S. finalize these and other Privacy Shield details? EU regulators suggested that final approval could take up to 3 months, but some EU lawmakers and privacy advocates are already arguing the Privacy Shield is not enough.

In The Meantime

While the Privacy Shield winds its way through the EU legislative process, the chair of the group composed of EU data protection agencies said the group will not take enforcement action against U.S. companies that continue to use existing legal alternatives like model contract clauses and binding corporate rules.  While these alternatives may be difficult for many emerging technology companies, they likely remain the only legal way to collect EU citizens’ data from the U.S. or otherwise transfer EU personal data to the U.S.

The Confusing World of Joint Ownership of Intellectual Property

A confusing topic for many entrepreneurs is joint ownership of intellectual property.  It often comes up in connection with joint development arrangements, subcontracting portions of work, joint ventures, and other collaborative projects involving intellectual property development, whether it be in connection with software, cleantech, medical device, drug development, or other technology-based initiatives.

Developing Your SaaS Agreement

An increasing number of traditional software and hardware companies are accepting the idea that software as a service (SaaS) is here to stay for some time. In September, Oracle announced that it was significantly increasing its on-line, subscription-based software tools available for middle market companies. Salesforce.com and Cisco announced last week a partnership that brings together Salesforce.com’s online customer service software with Cisco’s IP telephony. The service, called “Customer Interaction Cloud,” is designed to provide a complete, cloud-based customer service offering for small- to medium-sized businesses. Even Dell, with its recent acquisition of Perot Systems, has signaled an interest in expanding its presence in the SaaS space. From a customer’s standpoint, SaaS generally offers quick deployment, low upfront cost, easy management and scalability.

Legal Difference Between Traditional Software Licenses and SaaS Agreements

Before delving into the SaaS market, it is important for traditional software companies (whether they be off-the-shelf product companies or customized software developers) to understand the differences between a typical software license or software development agreement and a SaaS agreement. At a fundamental level, what is being conveyed in a software license or software development agreement is different from what is conveyed in a SaaS agreement. A software license or development agreement typically grants either a limited or exclusive right to use the software. In some cases, it includes an assignment or transfer of the actual code from the developer to the purchaser of the software. A SaaS agreement, on the other hand, typically grants only a limited right to use a “service,” with no rights to the underlying software.

Key elements of a SaaS Agreement

With the legal difference between the two business models in mind, as well as the practical differences (a web-based offering versus an on-site thick client or server-based offering), below are some highlights of the provisions of a typical SaaS agreement:

Subscription for a Service.

Typically, SaaS agreements provide for a subscription to a service for a specified period of time. Many states give this structure more favorable sales tax treatment over traditional shrink-wrap software license agreements.

Performance and Up-Time Guaranties.

Most SaaS agreements address at least a base level of performance and functionality requirements of the service. For more sophisticated SaaS offerings, it is common to see Service Level Agreements (SLAs). The SLAs typically address issues like site and application downtime limits, support response times, and system response times.

Privacy and Security.

SaaS agreements usually address privacy and security issues, as the SaaS provider typically holds its customers’ sensitive data. SaaS vendors generally provide some base level of assurances of privacy and security, even in low-price SaaS offerings. For larger and more sophisticated offerings, or where there are unique confidentiality concerns, the privacy and security provisions in the SaaS agreement can be very detailed. For example, many public companies require that a SaaS vendor’s systems and offerings be compliant with Statement on Auditing Standards No. 70 (SAS 70), which is a rigorous audit standard for controls on accuracy and security.

Data Backups and Data Porting.

In most sophisticated SaaS offerings, the SaaS agreement should address data backup, redundancy, and disaster recovery. Similarly, many customers of sophisticated SaaS offerings will want assurances on the ability to move the customer’s data either to an internal system or another vendor.

Renewals, Termination, Fees and Payment Terms.

Having a continuing relationship requires that the SaaS agreement address items like automatic renewals, termination (who has the ability to terminate upon how much notice), fees (when and how often charged and for what and the ability to change), and payment terms.

Obviously, there are other provisions as well, such as warranty disclaimers, indemnification, limitation on liabilities, export laws, etc. How much these terms vary from traditional software licenses or development agreements is dependent upon the particular SaaS offering.