Competing Interests: Data Ownership at the Crossroads of SaaS Stakeholders and Regulation

Kicking off our series on topics concerning Software-as-a Service (SaaS) technology, it is important to lay a framework around the data managed by SaaS applications and issues that arise out of complex relationships among various stakeholders in the SaaS environment.

Valuations of companies are tied to revenue and growth projections,¹ and a significant portion of the value attributed to SaaS companies in particular is based on the data they handle and maintain.² This is typically equated as a combination of services provided and expected revenue growth from the value of the data itself. For example, using search engine advertising revenue as a proxy for the value of personal data, over the last 20 years advertising revenue on a per user basis has increased by 1,800%.³ This underscores the relationship between the amount of data that SaaS companies handle and corresponding valuations.

As a result, understanding the issues surrounding data management and various aspects of data ownership in the context of the SaaS environment has become all the more important.

Overview of SaaS Stakeholders

In a typical SaaS platform, various stakeholders are involved at different levels of data processing, each having their own unique roles and ownership claims with respect to at least some aspect of data that they store or process. Each of these stakeholders may access, own, consume, store, process, or otherwise interact with the user data at various layers of the data stack.

The number of stakeholders can vary greatly based on the complexity of the SaaS platform. For instance, a SaaS platform might include data from end users (e.g., personal, financial, or medical data) as well as confidential data from enterprises (e.g., employee, technical, or business confidential information). The SaaS service provider can further store the received confidential data on company systems or cloud service providers, where it is further processed using proprietary or open source software solutions. Alternatively, the processing and software solutions could be provided or handled by third party service provider(s) with access to the data on the company systems and the cloud service providers.

Geographic and Data-Specific Concerns With SaaS Platforms

The complexities of how enterprises and other entities interact with the data used by SaaS companies are amplified by geography. For example, stakeholders could be located in various geographic regions and subject to different jurisdictional laws, regulations, and expectations with respect to data ownership and management. Consequently, many issues can arise with respect to how obligations for complying with these considerations are allocated amongst stakeholders. In addition, different stakeholders can have competing interests and various obligations in relation to other parties indirectly involved in the SaaS process, affecting commercial relationships further downstream from the immediate ownership or management of the data.

Moreover, depending on the nature of the type of data, additional factors may have to be considered, such as privacy,⁴ regulatory compliance,⁵ data security,⁶ and data access and use.⁷ For example, a SaaS company dealing with EMR (electronic medical records) will have additional legal responsibilities when handling particular types of data, such as personal health information (PHI) of patients at a medical institution.⁸ Such EMR data can be subject to its own unique jurisdiction-based regulations, all of which depend on the geographical locations of the company itself plus those of the stakeholders involved. These issues are especially of concern in recent years given the significant increase in data breach activity and regulations (e.g., personal health information data or data relating to children).

Conclusion

Future articles will discuss these and other potential issues concerning ownership and management of SaaS cloud-based data, and suggest strategies and practices for SaaS companies to employ to protect their interests, innovations, and interests of their customers.

To read additional parts of the Clear Skies Through the Clouds series, please click here.

¹ SaaS Academy, SaaS Valuation: How to Value a SaaS Company in 2022 (Accessed October 24, 2022)

² EQVISTA, SaaS Valuation: How Do You Value A SaaS Company? (Accessed October 24, 2022)

³ MiQ, In less than two decades, the value of personal data has increased by 1,800% (Accessed October 24, 2022)

⁴ SaaSholic, Why Data Protection Is So Important for SaaS (Accessed October 24, 2022)

⁵ Dachowitz, Juliet, What Every SaaS Business Should Know About Compliance (April 7, 2021)

⁶ Bhuvaneswaran, Shivasankari, 7 SaaS security risks that every business should address (October 1, 2021)

⁷ Dziuba, Anna, SaaS User Management and Access Control: Best Practices from Relevant (Accessed October 24, 2022)

⁸ U.S. Department of Health and Human Services, Guidance on HIPAA & Cloud Computing (April 15, 2022)

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.