The interplay between contractual relations and the GDPR’s security principle: A lesson from France
A not unfamiliar key principle of the General Data Protection Regulation (“GDPR”) is personal data must be processed securely by means of appropriate technical and organizational measures, otherwise known as the so-called ‘security principle’. Accordingly, controllers are required to undertake assessments and controls, including implementing policies, carrying out risk assessments and implementing physical and technical measures to safeguard data. The obligation of security extends to the choice and appointment of processors which should be selected on the basis of appropriate audit taking into account the nature of the personal data and the risk of the processing activities.
One such mechanism is of course the conclusion of a data processing agreement in compliance with Article 82(3) of the GDPR when appointing a processor which firmly sets out the rights and responsibilities of each of the parties in the processing chain, which in reality often forms part of a suite of documents, not least when selecting and appointing a processor providing data hosting and storage services. A recent case from the Lille Commercial Court, France reminds controllers of the importance of ensuring stringent contractual provisions which helps to provide security from a data protection perspective and also in terms of commercial and contractual risk regarding the supplier-client relationship.
OVH is leading French web hosting providers. OVH designs and manufactures its own servers and data centers with a global network of 32 data centers, 4 of which are located in France. France Bati Courtage conducts is business almost exclusively online providing various online referencing sites in the field of building and construction. In order to ensure the hosting of its sites, France Bati Courtage subscribed to a hosting agreement with OVH accompanied by additional support services including an "automated backup option” which provides that all back-ups are physically isolated from the main hosting infrastructure.
Following at OVS’ Strasbourg data center (which was where the server hosting France Bati Courtage’s data was located), OVH shut off the electricity to all data center affected by the fire, meaning that France Bati Courtage’s websites and data contained on the websites were inaccessible.
France Bati Courtage had no other option but to shut down its websites and appoint internal and external service providers to reconstruct the websites and restore data from its own back-ups.
France Bati Courtage had subscribed to contractual commitments in the OVH agreement under which it hoped to be able to recover and restore all data lost due to the fire and power-cut due to the “automated back-up option” referred to above. However, OVH confirmed that the backups themselves had also been totally and irretrievably destroyed by the fire: the backups were stored in the same building as the main server.
France Bati Courtage issued proceedings before the Lille Commercial Court with a view to seeking damages for OVH’s contractual breaches, including compensation for loss of data as well the inability to fully exploit its online environment, being the core of its business.
The Lille Commercial Court held that the requirement for OVH to "establish backup copies and secure them, particularly in the event of a disaster or fire, was an essential obligation of the contract” and that OVH’s failure to physically isolate France Bati Courtage’s backups resulted as a breach of its contractual obligations.
Despite the low cap on OVH’s liability as per the contact (i.e., a cap to 100% of fees paid), the Lille Commercial Court overturned the cap in the circumstances and therefore awarded damages to France Bati Courtage in the sum of €93,000 for the loss of intangible assets, for the work involved in restoring data and site hosting, for financial losses and for damage to reputation.
Interplay – contract law vs. GDPR?
- Notification requirements?
This judgment did not focus on personal data or breach of GDPR requirements, but was heavily centered on the commercial losses which France Bati Courtage had incurred. The destruction of personal data, including accidental, constitutes a data breach under the GDPR. Notification to the relevant supervisory authority and communication to data subjects is not necessary if the consequences for individuals remain limited, such as if data has been restored from the backups, without significant consequences for data subjects. However, a notification is necessary if personal data has been permanently lost or temporary loss nonetheless created a risk for data subjects. Furthermore, if the breach is likely to result in high risks for data subjects they must also be informed. In this case, the Lille judgment is silent on the nature of the data and the losses stated by France Bati Courtage are more broad and general in nature.
- Key takeaways
The case serves as a stark reminder that when services are contracted for a mix of personal and general data, controllers appointing cloud-services and hosting providers need to tread carefully when negotiating the terms of their subscription agreements and associated data processing agreements.
Indeed, in many instances, it may be appropriate to bring an action for contractual breach as well as for breach of GDPR obligations depending on the losses at stake and the nature of the data concerned. Indeed, under Article 82 of the GDPR, a processor can be held liable under Article 82 to pay compensation for any damage caused by processing, including non-material damage such as distress, provided that the processor failed to comply with GDPR provisions specifically relating to processors. The obligation of security being one of those obligations, France Bati Courtage could have sought redress under Article 82 against OVH, depending on the nature of the data concerned.
Indeed, the success of France Bati Courtage in this case surrounds the prudence undertaken by them in subscribing to additional services and ensuring alternative back-up measures, not only commercially astute but also evidencing commitment to the GDPR-security principle mentioned above.
Additionally, it is also worth noting that whilst under French law, liability caps which excessively low or purport to relieve a party of an essential obligation under an agreement can be overturned by a court, parties in France and in other jurisdictions should also ensure that any contractual limitations are properly negotiated at the outset to reflect the risk as between controller-processor, whilst also being mindful of the fact that damages payable to data subjects and payment of regulatory fines cannot be limited by a contractual agreement.
Furthermore, it is important to regularly audit suppliers to ensure that contactual commitments are adhered to, and both controllers and processors must ensure that they have a Plan-B in place should the worst occur – including a security incident response plan, a data breach handling and notification policy, appropriate teams in place to address data loss and handle related legal and reputational issues, as well as appropriate insurance cover to mitigate financial exposure.
Case reference – Lille Commercial Court, judgment of 26 January 2023
Article provided by INPLP member: Charlotte Gerrish (Gerrish Legal SARL, France)
Dr. Tobias Höllwarth (Managing Director INPLP)