During the night of March 10th, 2021, a fire damaged a data centre of OVHcloud, one of the largest cloud providers in the world. The company owns 17 data centres with a total of 250,000 servers and offers its services in 17 countries, including Canada, Finland, France, Germany, Ireland, Italy, Poland, the United Kingdom, and the United States. The fire took tens of thousands of websites offline.
This event prompted experts to consider the many legal problems related to web hosting contracts: transparency in data management, adequacy of the measures adopted, and the liability of the hosting provider, both contractually and for the conduct of the service's users.
The starting point is necessarily the definition of the legal framework of this very particular type of contract. Under a web hosting contract, one party, the hosting provider, makes a virtual space on one or more servers available to another party in order to host web pages (or other digital content).
Although the term "hosting provider" was first defined at EU level, it was introduced into Italian law by Legislative Decree no. 70/2003. The web hosting contract is an atypical contract, that is, one not specifically regulated by the Italian Civil Code.
As far as tort liability is concerned, the decisive factor is the provider's conduct. The "active" hosting provider is a provider of information society services whose activity goes beyond a merely technical, automatic, and passive service and instead involves active conduct. Where the conduct amounts to more than the mere transmission of information, it has been reiterated that the electronic commerce intermediary remains "exempt from the general exemption regime laid down by Article 16 of Legislative Decree No 70 of 2003, its civil liability being governed by the common rules".
In general, pursuant to Article 16, "When providing an information society service consisting of the storage of information provided by a recipient of the service, the service provider shall not be liable for the information stored at the request of a recipient of the service, provided that the service provider: does not have actual knowledge that the activity or information is unlawful and, as regards claims for damages, is not aware of facts or circumstances from which the unlawfulness of the activity or information becomes apparent; upon obtaining knowledge of such facts, he acts immediately upon notice from the competent authorities to remove the information or to disable access to it".
According to Article 17, paragraph 1, "When providing the services referred to in Articles 14, 15 and 16, the service provider shall not be subject to a general obligation to monitor the information which he transmits or stores, nor to a general obligation actively to seek facts or circumstances indicating illegal activity". This position has also recently been formally reiterated by Directive (EU) 2019/790 on copyright and related rights in the Digital Single Market, which specifies that the control obligations imposed by the new legislation on providers of online content-sharing services do not entail any general obligation to monitor the information stored.
Looking at the case at hand, what are the critical aspects that need to be examined? What is the legal nature of the event? Who is responsible for the loss of data?
First, the hosting contract must be examined with great care, especially the clauses describing the services actually offered and the guaranteed quality levels (the so-called SLAs, Service Level Agreements).
Moreover, the limitations of liability imposed by providers must be assessed with equal care, as must the obligations placed on the client's own internal organisation.
In addition to the more purely contractual aspects, the countless privacy implications must also be assessed.
In this regard, Regulation (EU) 2016/679 (the GDPR) is based on the principle of accountability of those who process personal data in connection with their commercial or professional activity, identified primarily in the data controller and, to a more limited extent, in the data processor. They bear the risks arising from automated processing and the costs of preventing damage to individuals' fundamental rights and freedoms.
The Regulation significantly extends the scope of these obligations, specifying the professional diligence required of those who carry out the processing, first and foremost in order to protect the rights and freedoms of individuals, but also to fully achieve the purposes pursued by the processing itself.
The security discipline emerges, first, in Article 24 of the Regulation, which requires the data controller to put in place adequate technical and organisational measures to guarantee (and be able to demonstrate) that the processing is carried out in compliance with the provisions of the Regulation.
Article 25 of the Regulation, in addition to Article 24, and on the basis of the principle of data protection by design, extends this obligation of the data controller to the initial design phase, requiring the measures to be built into the structure of the IT service that is to be implemented. Moreover, the data controller is required to adopt default settings suitable to limit the processing to the data strictly necessary, reducing storage periods and third-party access, in accordance with the principle of data protection by default. This serves the security both of the personal data and of the systems used to process them.
A more general security obligation is set out in Article 32 of the Regulation: in order to ensure a level of security appropriate to the risk, always considering the rights and freedoms of natural persons, the data controller is required to choose and adopt adequate technical and organisational measures to prevent the accidental or unlawful loss, destruction, disclosure or access of the personal data processed.
Moreover, the same rule places a similar security obligation on the data processor, i.e. the person who carries out processing activities on behalf of the data controller, where the latter decides, among the organisational measures adopted, to appoint one: with reference to security measures, therefore, responsibilities may be shared between the controller and the processor.
In essence, therefore, both the controller and the processor, who are the parties to a cloud hosting contract, must each put in place adequate measures for the security of the data within their own sphere of competence.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.