SASS Business With European Users / SCC Legal Advice

Hey guys

I have a side project that I've been selling subscriptions to for a very small fee for a while with a very small portion of European users. Lately with the changes to GDPR and invalidating privacy shield, I'm getting a bunch of emails asking about data privacy matters, server locations etc. My servers are based in the United States.

To be clear, I'm in Sydney, Australia, do not have any European business entity, nor do I target European users, 85% of my user base is in the United States.

The project barely makes $1000 a month so I'm hesitant to start hiring lawyers and more leaning towards just preventing anyone from the EU from using the site. It just seems a little extreme.

I keep seeing mentions of SCC (Standard Contractual Clauses) although the wording in there has me a little worried about what I'm agreeing to.

Does anyone have any tips about how to go about setting this up and protecting yourself? Resources or people who specifically deal with this stuff?
I imagine this must be common for every website that may also have European users. I was hoping not to pay $500 an hour to a lawyer for some boilerplate policies that probably look like every other one.

  1. 1

    If the company that provides you with servers has included Standard Contract Clauses in their Data Processing Agreement, then you'll be fine.
    Companies such as Amazon or Microsoft have included these in their legal documents, which is enough to protect you (in case you use their services).
    Feel free to ask if you have any other questions.

    1. 1

      Ok interesting, thanks @petartod does this mean I need my own data processing agreement however? I've been asked to sign one of these Standard Contract Clauses lately, which I'm hesitant to do as I'm not quite sure what I'm agreeing to

      1. 1

        You are the data controller. The server providing company is a data processor.
        When signing a contract with them (Terms of Service, EULA, whatever), the Data Processing Agreement (DPA) is usually part of it. If they have included the SCC in the DPA, then you're compliant.
        You don't need your own DPA unless you are a data processor (i.e. you process the personal information of your users). And the SCCs are nothing to be scared of. After all - they are "standard" contract clauses.

        1. 2

          @petarod really interested in your take on this (legal tech on your profile).

          Lots of info about Schrems lately, the pattern I see emerging:

          • Quite a few US Tech companies say: US EU privacy shield is dead, but we have SCC's and those are still OK so no worries.
          • EU lawyers say: well, SCC's per se are not enough, you have to take "extra measures" and do your own risk assessment.
          • It's complicated stuff. Probably lots of small and large businesses are waiting it out to see what happens.

          This is something I want to get right as well. However from what I read it seems not so easy if you keep using US based services for EU clients (my SaaS is EU based as well).

          What I read about SCC's is that they are only OK when combined with a risk assessment and "extra measures"

          Lawyers about (in)validity of SCC's and these extra measures:
          https://www.linkedin.com/pulse/after-schrems-ii-contracts-longer-enough-data-transfer-magali-feys/ (too bad it's on LinkedIn but good info) TLDR: "As an immediate result of the Schrems II decision, parties may no longer rely on SCC's per se for the lawful transfer of personal data to any country for which the EU Commission has not issued an adequacy decision under GDPR Article 46" and "Safeguards Must Technologically (NOT Just Contractually) Prevent Misuse of Data"

          https://www.linkedin.com/pulse/comply-schrems-iiprivacy-shield-you-dont-need-move-out-gary-lafever/ TLDR: "The GDPR and other newer privacy laws such as the CCPA hold the clues: the GDPR includes a nod to the use of technological tools called Pseudonymisation".

          And https://thecybersolicitor.com/2020/07/24/it-happened-again-part-1-schrems-ii-and-sccs/

          These "extra measures" were unclear at first but now seem to point at extra technical measures, mostly Pseudonymisation https://dataprivacymanager.net/pseudonymization-according-to-the-gdpr/ (not something you implement on a rainy sunday afternoon)

          What did I do so far? I updated the SaaS's privacy policy where I address that we are aware of the issue, have asked data processors about their policies (which I did). In the meantime: it would be possible to replace platforms I use for the SaaS with EU based platforms (hosting, transactional email) but there's a price of course (dev time, migration stuff etc). Still I'm looking into this.

          Also, the location of the servers is not the only thing, it is also the location of the company that owns the servers. So, if a US based company has a server in EU: US intelligence agencies can still grab the data if they want to, under U.S. national security law FISA 702

          Then there is the question: will they go after a little SaaS? Who knows. For me it's tempting to just go all-in on EU services to be done with the whole thing.

          Disclaimer, I'm not a lawyer, just a guy googling his way to compliance

          1. 2

            Wow, this is an impressive post for a non-lawyer! Great job.
            To be honest, I don't have a clear answer to this question. It is a bit in a grey zone right now and we need to follow the developments to be sure how to act and be compliant with the laws.
            Anyway, I tend to think that SCCs are not enough. Moreover, I expect to see a Schrems III decision invalidating the SCCs between the EU and the US because the real EU-US problem is the NSA. That's why I think that SCCs and BCRs are not enough. The EDPB does not provide a precise answer in their Schrems II FAQ either (available here https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf), making me think that they are not sure what the ECJ would decide if someone takes on SCCs as well.
            Aside from the Schrems III decision I expect, I believe that data protection authorities won't bother companies that transfer data in the US based on SCCs, particularly not the SMEs.
            You've taken the right steps to protect your business, but honestly, I can't say whether it will prove to be enough or not. People like to show confidence in their opinions on Linkedin, but I don't think that anyone is 100% sure what the future brings.

            1. 1

              This comment was deleted 4 years ago.

              1. 1

                I totally agree with you. With so much data and money flowing between EU and US companies, I don't think that governments would make everyone non-compliant overnight.

        2. 1

          Hmm ok, are you sure about that? I receive user information through sign ups (email and name etc), I store them in my database and it's used to provide the service to the user, I'm responsible for managing that data so doesn't that make me a "data processor?" If my application were to share that with another service in some way, I'm sure that's on me, not my hosting provider right?

          1. 1

            From your comment, I think that you are only a data controller. The email service provider is the data processor.
            However, keep in mind that I have no insight into your business, so this may be an uninformed opinion.
