News
The interplay between contractual relations and the GDPR’s security principle: A lesson from France
Security breaches and data loss are a core concern of any controller or processor. What possible avenues of redress can a Controller have when data losses are caused due to failings by its Processor? A recent case from the Lille Commercial Court in the context of the OVH data center fires tells us that the interplay between contractual commitments and the security obligations under Articles 82 and 32 of the GDPR can be a strategic one, both offering redress to controllers.
A not unfamiliar key principle of the General Data Protection Regulation (“GDPR”) is personal data must be processed securely by means of appropriate technical and organizational measures, otherwise known as the so-called ‘security principle’. Accordingly, controllers are required to undertake assessments and controls, including implementing policies, carrying out risk assessments and implementing physical and technical measures to safeguard data. The obligation of security extends to the choice and appointment of processors which should be selected on the basis of appropriate audit taking into account the nature of the personal data and the risk of the processing activities.
One such mechanism is of course the conclusion of a data processing agreement in compliance with Article 82(3) of the GDPR when appointing a processor which firmly sets out the rights and responsibilities of each of the parties in the processing chain, which in reality often forms part of a suite of documents, not least when selecting and appointing a processor providing data hosting and storage services. A recent case from the Lille Commercial Court, France reminds controllers of the importance of ensuring stringent contractual provisions which helps to provide security from a data protection perspective and also in terms of commercial and contractual risk regarding the supplier-client relationship.
Facts
OVH is leading French web hosting providers. OVH designs and manufactures its own servers and data centers with a global network of 32 data centers, 4 of which are located in France. France Bati Courtage conducts is business almost exclusively online providing various online referencing sites in the field of building and construction. In order to ensure the hosting of its sites, France Bati Courtage subscribed to a hosting agreement with OVH accompanied by additional support services including an "automated backup option” which provides that all back-ups are physically isolated from the main hosting infrastructure.
Following at OVS’ Strasbourg data center (which was where the server hosting France Bati Courtage’s data was located), OVH shut off the electricity to all data center affected by the fire, meaning that France Bati Courtage’s websites and data contained on the websites were inaccessible.
France Bati Courtage had no other option but to shut down its websites and appoint internal and external service providers to reconstruct the websites and restore data from its own back-ups.
France Bati Courtage had subscribed to contractual commitments in the OVH agreement under which it hoped to be able to recover and restore all data lost due to the fire and power-cut due to the “automated back-up option” referred to above. However, OVH confirmed that the backups themselves had also been totally and irretrievably destroyed by the fire: the backups were stored in the same building as the main server.
Proceedings
France Bati Courtage issued proceedings before the Lille Commercial Court with a view to seeking damages for OVH’s contractual breaches, including compensation for loss of data as well the inability to fully exploit its online environment, being the core of its business.
Decision
The Lille Commercial Court held that the requirement for OVH to "establish backup copies and secure them, particularly in the event of a disaster or fire, was an essential obligation of the contract” and that OVH’s failure to physically isolate France Bati Courtage’s backups resulted as a breach of its contractual obligations.
Despite the low cap on OVH’s liability as per the contact (i.e., a cap to 100% of fees paid), the Lille Commercial Court overturned the cap in the circumstances and therefore awarded damages to France Bati Courtage in the sum of €93,000 for the loss of intangible assets, for the work involved in restoring data and site hosting, for financial losses and for damage to reputation.
Interplay – contract law vs. GDPR?
- Notification requirements?
This judgment did not focus on personal data or breach of GDPR requirements, but was heavily centered on the commercial losses which France Bati Courtage had incurred. The destruction of personal data, including accidental, constitutes a data breach under the GDPR. Notification to the relevant supervisory authority and communication to data subjects is not necessary if the consequences for individuals remain limited, such as if data has been restored from the backups, without significant consequences for data subjects. However, a notification is necessary if personal data has been permanently lost or temporary loss nonetheless created a risk for data subjects. Furthermore, if the breach is likely to result in high risks for data subjects they must also be informed. In this case, the Lille judgment is silent on the nature of the data and the losses stated by France Bati Courtage are more broad and general in nature.
- Key takeaways
The case serves as a stark reminder that when services are contracted for a mix of personal and general data, controllers appointing cloud-services and hosting providers need to tread carefully when negotiating the terms of their subscription agreements and associated data processing agreements.
Indeed, in many instances, it may be appropriate to bring an action for contractual breach as well as for breach of GDPR obligations depending on the losses at stake and the nature of the data concerned. Indeed, under Article 82 of the GDPR, a processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress, provided that the processor failed to comply with GDPR provisions specifically relating to processors. The obligation of security being one of those obligations, France Bati Courtage could have sought redress under Article 82 against OVH, depending on the nature of the data concerned.
Indeed, the success of France Bati Courtage in this case surrounds the prudence undertaken by them in subscribing to additional services and ensuring alternative back-up measures, not only commercially astute but also evidencing commitment to the GDPR-security principle mentioned above.
Additionally, it is also worth noting that whilst under French law, liability caps which excessively low or purport to relieve a party of an essential obligation under an agreement can be overturned by a court, parties in France and in other jurisdictions should also ensure that any contractual limitations are properly negotiated at the outset to reflect the risk as between controller-processor, whilst also being mindful of the fact that damages payable to data subjects and payment of regulatory fines cannot be limited by a contractual agreement.
Furthermore, it is important to regularly audit suppliers to ensure that contactual commitments are adhered to, and both controllers and processors must ensure that they have a Plan-B in place should the worst occur – including a security incident response plan, a data breach handling and notification policy, appropriate teams in place to address data loss and handle related legal and reputational issues, as well as appropriate insurance cover to mitigate financial exposure.
Case reference – Lille Commercial Court, judgment of 26 January 2023
Article provided by INPLP member: Charlotte Gerrish (Gerrish Legal SARL, France)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)
News Archiv
- Alle zeigen
- April 2024
- März 2024
- Februar 2024
- Jänner 2024
- Dezember 2023
- November 2023
- Oktober 2023
- September 2023
- August 2023
- Juli 2023
- Juni 2023
- Mai 2023
- April 2023
- März 2023
- Februar 2023
- Jänner 2023
- Dezember 2022
- November 2022
- Oktober 2022
- September 2022
- August 2022
- Juli 2022
- Mai 2022
- April 2022
- März 2022
- Februar 2022
- November 2021
- September 2021
- Juli 2021
- Mai 2021
- April 2021
- Dezember 2020
- November 2020
- Oktober 2020
- Juni 2020
- März 2020
- Dezember 2019
- Oktober 2019
- September 2019
- August 2019
- Juli 2019
- Juni 2019
- Mai 2019
- April 2019
- März 2019
- Februar 2019
- Jänner 2019
- Dezember 2018
- November 2018
- Oktober 2018
- September 2018
- August 2018
- Juli 2018
- Juni 2018
- Mai 2018
- April 2018
- März 2018
- Februar 2018
- Dezember 2017
- November 2017
- Oktober 2017
- September 2017
- August 2017
- Juli 2017
- Juni 2017
- Mai 2017
- April 2017
- März 2017
- Februar 2017
- November 2016
- Oktober 2016
- September 2016
- Juli 2016
- Juni 2016
- Mai 2016
- April 2016
- März 2016
- Februar 2016
- Jänner 2016
- Dezember 2015
- November 2015
- Oktober 2015
- September 2015
- August 2015
- Juli 2015
- Juni 2015
- Mai 2015
- April 2015
- März 2015
- Februar 2015
- Jänner 2015
- Dezember 2014
- November 2014
- Oktober 2014
- September 2014
- August 2014
- Juli 2014
- Juni 2014
- Mai 2014
- April 2014
- März 2014
- Februar 2014
- Jänner 2014
- Dezember 2013
- November 2013
- Oktober 2013
- September 2013
- August 2013
- Juli 2013
- Juni 2013
- Mai 2013
- April 2013
- März 2013
- Februar 2013
- Jänner 2013
- Dezember 2012
- November 2012
- Oktober 2012
- September 2012
- August 2012
- Juli 2012
- Juni 2012
- Mai 2012
- April 2012
- März 2012
- Februar 2012
- Jänner 2012
- Dezember 2011
- November 2011
- Oktober 2011
- September 2011
- Juli 2011
- Juni 2011
- Mai 2011
- April 2011
- März 2011
- Februar 2011
- Jänner 2011
- November 2010
- Oktober 2010
- September 2010
- Juli 2010