It’s has been over two years since OVH’s data centers in Strasbourg caught fire. Following a long legal battle, OVH was recently ordered in two different cases by the commercial court in Lille, (France) to pay the French companies Bati Courtage and BLUEPAD more than 100,000 € (⁓ 107,000 USD) and more than 307,000 € (⁓ 331,000 USD) respectively. As a reminder, OVH is a French leader in cloud computing and Europe’s largest cloud services provider. It provides website hosting services and has a network of 32 data centers located in eleven countries spread across four continents. In France, OVH has data centers in Roubaix, Gravelines, and Strasbourg.
What happened?
On the night of March 9-10, 2021, a fire broke out in one of OVH’s data centers in Strasbourg, which housed the data of Bati Courtage, a French company providing insurance brokerage services. This was an unfortunate incident that caused inconvenience to both Bati Courtage and its clients. Following the fire incident, OVH had to cut off power supply to all affected premises, including the data center that housed Bati Courtage’s. This made it impossible for internet users and franchisees to access Bati Courtage’s websites, including their web interface and the data of the sites themselves.
Bati Courtage faced a difficult situation as its franchisees were unhappy about losing their pages and about the impact on their business activities. To remedy the situation, Bati Courtage allocated financial and human resources, both from its own teams and external service providers, to urgently rebuild its websites from old data that it had preserved. While trying to recover its data and reactivate its business, Bati Courtage discovered that the backups of the websites were also destroyed in the fire. These backups were stored in the same OVH building as the main server.
As a result of this data loss, Bati Courtage claimed to have suffered significant losses in traffic from search engine optimization, which it had worked hard to build over a decade of financial and technical efforts. The company also suffered financial losses due to the outage and the subsequent rebuilding of its websites.
To recover its losses, Bati Courtage filed a lawsuit in Lille against OVH for the loss of its data. The company alleged that OVH breached its contract by failing to protect its data and to provide adequate backup solutions. Bati Courtage claimed that OVH is responsible for the data loss and the resulting damages.
On the other hand, OVH argued that the fire was a case of force majeure event, which, it claims, exempts it from any responsibility. OVH argued that the fire was an unforeseeable event and that it took all necessary measures to protect its customers’ data.
In January 2023, the judge ruled in favor of Bati Courtage, thus setting aside the application of the force majeure clause found in the contract between OVH and Bati Courtage.
What is force majeure?
Force majeure is a legal theory that is often seen in a service contract context. It refers to unforeseeable events or circumstances that are beyond the control of either party, and that may prevent one or both parties from fulfilling their obligations under the contract. This could include things like natural disasters, war, strikes, and other events that are outside of the control of the parties involved. In short, force majeure is a provision in a contract that allows for unforeseen events to be considered as a valid excuse for not being able to fulfill certain obligations. In the case of OVH, OVH claimed that this clause meant that it was not responsible for the loss of Bati Courtage’s data and the lack of usable backup data.
More recently, in a decision rendered in March 2023, the court in Lillesame court refused once again to apply the force majeure clause which would protect OVH, in the case opposing it to another company, BLUEPAD. The reason, this time, was that OVH wrongly located the backup server of BLUEPAD, having told the company that it was in a different building than the main server. In reality, both servers were situated in the same edifice, which burned. As a result, the backed-up data was also lost. Thus, OVH committed a fault, which preventeds the application of the “force majeure” clause.
Why are these cases important for hosting providers?
The contract between OVH and Bati Courtage, as well as the contract between OVH and BLUEPAD, were “standard form agreements,”, entirely drafted by OVH without consultation or negotiation with Bati Courtage or BLUEPAD. The contract included a detailed clause on force majeure. It provided that any damage (flood, vandalism, sabotage, fire, etc.) must systematically be considered as a case of force majeure that excludes OVH’s liability.
However, in both cases, the French judges found that this provision contradicted the nature of OVH’s obligation which is precisely to be able to rely on data backups in the event of damage. This means that OVH had not fulfilled its obligation to back up Bati Courtage’s or BLUEPAD’s data in a safe and reasonable manner. Indeed, storing Bati Courtage’s duplicated data on the same servers (i.e., those that burned) and misrepresenting the location of BLUEPAD’s back up server was unreasonable and meant that OVH could not rely on the force majeure clause. More specifically, in the first case, the court ruled that “by storing the 3 backup replications in the same place as the main server, OVH did not respect its contractual obligations towards BATI COURTAGE [own translation] 1 ”. Furthermore, the contract’s terms limiting OVH’s responsibility, including those of force majeure, were considered as creating a significant imbalance in the contract and were consequently declared null and void by the court.
These cases demonstrates that in the realm of data privacy, it’s important to remember that force majeure, and the protection that it gives to the party invoking it, may not always be applicable. Furthermore, clauses in a standard form agreement may be cast aside by the court if deemed as creating a significant imbalance between the parties. While it can be tempting to rely on force majeure as a defense in cases where data breaches or other unexpected events occur, it is important to understand that tribunals may not always accept this as a valid excuse. In many cases, courts may view data privacy as a non-negotiable obligation that cannot be set aside due to unforeseeable circumstances. This means that companies must take proactive measures to ensure that they are complying with data privacy regulations, even in the face of unexpected events.
These cases may set an important precedent in North America.
At the Law Office of S. Grynwajc, PLLC, we are admitted as lawyers both in Europe and in North America (United States and Canada) and have a particular expertise in internet and privacy law. Should you wish to ensure that your company complies with all of its legal obligations, do not hesitate to contact us, we will be happy to assist you .
1 LEGALIS, “Tribunal de commerce de Lille Métropole, jugement du 26 janvier 2023”, February 10, 2023, online : < https://www.legalis.net/jurisprudences/tribunal-de-commerce-de-lille-metropole-jugement-du-26-janvier-2023/ >.
