In recent years, the main trends and developments in the IT outsourcing market include the following:
The emergence of new services/developments in the market has led to a flurry of new regulations and/or recommendations to govern this trend in a number of sectors, in particular the highly regulated sectors such as the finance industry. These market trends and developments in IT outsourcing, involving the worldwide sharing of an exponential amount of personal data, have also highlighted the importance of complying with the General Data Protection Regulation (GDPR) requirements.
COVID-19 had at least the benefit of accelerating and democratising the use of new outsourcing technologies, in particular within companies. The most revealing examples are the development of teleworking for employees and intra- and extra-company collaboration tools (eg, Teams, Zoom, Google Meet). Today, these trends are standard practice for a large number of employees in France.
The BPO market is a fast-growing industry that has become an integral part of the global economy, and France is no exception.
In recent years, the trend of using business process outsourcing is motivated, in particular, by the following.
COVID-19 has encouraged the use of BPO services to ensure business continuity in crisis situations. Indeed, outsourcing was a security measure in a complicated health context where employees were confined and forced to telework.
However, it is important to note that the first major disadvantage of BPO is the loss of control, in particular related to the sharing of data for the provision of the services. Indeed, there is no direct control over the outsourcing of services provided and over the service providers. This can result in difficulties in controlling the quality and ensuring compliance with legal requirements (in particular, data protection laws and security requirements). It is therefore essential to ensure (through contractual provisions, regular audits) that the service providers have robust cybersecurity measures in place before committing to outsourced activities.
The impact of new technology on the outsourcing market is as follows.
Such new technologies are accompanied by increasingly demanding safety requirements, which means that the market has to adapt, from both a technical and legal point of view, in order to comply with the new legal safety requirements and consumer demands in terms of security and transparency.
The most commonly outsourced services in France are:
Under French Law, there is no general law which governs technology transactions or outsourcing.
However, the rise of IT outsourcing has resulted in the adoption of various legal frameworks (at a local and EU level) in order to govern IT outsourcing or technology transactions in specific sectors or for specific categories of services.
The main developments of the last few years are from the following legal/administrative frameworks.
Main Legal Applicable Frameworks
Additionally, because the issue of personal and non-personal data has taken on paramount importance in recent years, particularly with the rise of digital technology (including outsourcing and cloud), the EU has decided to put in place a legal framework to make the most of its economic potential, in particular:
Main Legal Framework To Come
Main Administrative Framework
The banking sector is particularly regulated with regard to technology transactions and outsourcing.
When a banking institution outsources services considered as "essential" or “significant”, it is subject to a certain number of obligations laid down by the EBA’s Guidelines on outsourcing. Some of the obligations shall be provided in the contract the banking institution entered into with its IT provider (eg, specific provisions related to security, reversibility, audit, termination, sub-processing).
The recent DORA Regulation, which came into force on 16 January 2023 and will take effect on 17 January 2025, provides requirements for financial institutions which apply, among other things, to the management of risks associated with third-party providers, in particular the management of outsourcing risks. Moreover, the DORA Regulation also lists the minimum contractual provisions to be included in outsourcing contracts, and this list is further extended by additional clauses where significant ICT services are outsourced. DORA will become the main digital security regulation for the financial sector.
The health sector is also regulated. As set out in Article L.1111-8 of the French Public Health Code: “Any natural or legal person who hosts personal health data collected during prevention, diagnosis, care or medico-social monitoring activities on behalf of natural or legal persons at the origin of the production or collection of this data or on behalf of the patients themselves, must be approved or certified for this purpose”. Thus, health data hosts (HDS) have been required to obtain HDS certification. The HDS certification aims to guarantee the quality of service of healthcare hosting providers.
The FDPA provides restrictions for technology transactions and outsourcing related to data processing and data security.
There is no standard contract model for outsourcing transactions in France.
Most of the time, the outsourcing agreement takes the form of a master service agreement which can, if relevant, be completed by application agreements. Specific appendices can also be joined to the outsourcing agreement such as related to the service levels, the financial modalities, the schedules, the security measures, etc.
The joint venture (JV) contract or multi-sourcing contract may be used in France, but the bilateral outsourcing contract is the most common structure.
The digital transformation affected, to a certain extent, the following contract models for outsourcing transactions:
There is a trend towards contractual guarantees for security measures in IT and cloud contracts, which is justified both by the ever-increasing cybersecurity risks and by increasingly strict legislation on IT suppliers and certain sectors (eg, financial).
As a preliminary basis, IT or outsourcing agreements are ordinary contracts subject to the general and common rules of contract and civil law. There are no specific legal rules related to such agreements. The specific features found in these contracts relate to contractual freedom and business practices.
The main customer protections and remedies in technology transactions and outsourcing are:
The modalities of the contract termination are widely managed contractually. Most of the time, the contract may be terminated for the following reasons:
Usually, before terminating the contract, the customer is subject to prior formal notice, with a period of notice (contractually fixed and which must not be derisory) to correct any such breach.
The consequences of the termination are also managed contractually. Specifically, in an outsourcing contract, the “reversibility” modalities of the data may be an issue which must be negotiated with caution by the customer.
Distinction Between Direct Loss and Indirect Loss
According to the French Civil Code, the loss shall be “direct” (in addition to being certain and legitimate) to be eligible for compensation (Article 1240).
In accordance with this Article, the French doctrine makes a distinction between direct loss (the damage must be the direct result of the breach) and indirect loss (the damage is not the direct result of the breach).
Legal/Market Practice Regarding Loss of Profit, Goodwill, Business, Etc
In practice, most outsourcing contracts contain a clause excluding compensation for indirect loss (such indirect loss are usually listed in the contract): eg, loss of customers, image and reputation loss, operating loss, commercial loss, loss of earnings, business loss and profit loss. Such list is often negotiated between the parties. The provider will try to have the broadest definition possible and try to include loss of data as well as breach of data protection law included in the exclusion scope.
Categories of Losses Not Subject To Limitation of Liability
There is no applicable information in this jurisdiction. The expression “implied term” seems to be specific to common law.
The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing are the following.
On the technical side, most French clients also aim to host their data with providers offering hosting services based within the EEA.
The most common contractual clauses that help the customer manage and measure the supplier’s performance in technology transactions and outsourcing are the following.
Generally speaking, the terms do not differ significantly and remain more or less the same. In the case of cloud-based outsourcing, particular attention will be paid to:
In this very specific situation, the application of the requirements of the GDPR must be ensured, particularly in terms of security, transparency and use of appropriate safeguards (SCCs).
Article L. 1124-1 of the French Labour Code stipulates that "when there is a change in the legal situation of the employer, in particular by succession, sale, merger, transformation of the business and incorporation of the company, all employment contracts in force on the date of the change continue to exist between the new employer and the company’s employees".
In accordance with well-established case law, Article L. 1224-1 of the Labour Code applies if the following two conditions are both met:
The business must comprise several elements necessary for the operation of its activity, ie:
The legal definition of a transfer of business activity determines the application of Article L. 1224-1 of the French Labour Code. Thus, if the transfer is legally a sale of a business or a partial transfer of assets, it is generally accepted that Article L. 1224-1 applies.
Subject to compliance with these conditions, in the event of the transfer of an activity in accordance with Article L. 1224-1 of the Labour Code, the employment contracts of the employees dedicated to the activity are automatically transferred. The consent of the employees is then not required, and each employee retains, after the automatic transfer of their employment contract, all the applicable contractual provisions (eg, remuneration, seniority, place of work and working hours).
This applies to all employees holding an employment contract at the time of the legal transfer, whether the contract is open-ended or fixed-term, part-time or full-time, even if the employment contract is suspended at the time of the transfer.
Persons whose employment contracts are suspended on the date of the transfer (in particular for maternity leave, parental leave and unpaid leave) will have their employment contracts transferred under the same conditions and on the same date as other employees.
When the company hires more than 50 employees, the works council must be implemented with complete attributions or needs to be adapted with more extensive tasks. Indeed, the works council oversees the employees’ collective expression on projects of the company related to economic and financial development, working conditions of the employees, job training and production techniques. The works council is also consulted on subjects regarding the organisation and the general running of the business and redundancies, keeping in mind that the works council’s opinions are never binding on the company. Thus, the outsourcing of certain activities, services of the business or related to the employees may be subject to the works council’s consultation.
In the last few months, French companies have been keen to relocate their IT providers in France or within the EU due to: (i) the adoption of the US Cloud Act enacted on 23 March 2018; and (ii) the adoption of the FDPA and the GDPR, which provide a strict framework for international transfers of personal data outside EU countries. Such transfers are only possible if the recipient country ensures an adequate and sufficient level of protection. If this is not the case, appropriate safeguards, such as SCCs shall be implemented, and a TIA shall be performed.
These legal constraints do not favour the customer to opt for offshore resources in outsourcing transactions, especially if they concern clients’ or employees’ personal data (which can include sensitive data, eg, NIR number, health data).
Moreover, despite a certain financial benefit, the use of offshore outsourcing may lead to other difficulties and complexities beyond the legal aspect, such as, the language and cultural differences, different working habits, as well as the time difference, which can be particularly inconvenient in an emergency. Onshore and nearshore outsourcing are often seen by French companies as a means of allowing the overcoming of these difficulties and complexities.
Under French legal rules, teleworking can be implemented either by a company-wide agreement, by a charter or by a mutual agreement with the employer.
In any case, it is recommended to sign an addendum to the employment contract defining the contours of teleworking (number of days, reversibility, teleworking rights, insurance, etc). In the case of litigation, it is always better to have a written agreement specifying the teleworking conditions.
From a French perspective, the obligations raised by remote working are as follows.
The main fear for clients is the workload of employees who telework. On the one hand, certain employers fear that the employee will not work enough hours, whereas others fear that employees will work too many hours and will not alert the employer of any difficulties they are encountering. Consequently, it is important to find the balance between both situations. Moreover, clients want employees to continue to be mobile and able to do professional travel when necessary, regardless of the teleworking situation.
Clients generally seek legal advice on how to implement teleworking, while ensuring that the situation can be reversed if the employee does not perform their duties properly or does not want to continue teleworking. Clients also consult lawyers about the compensation due to an employee who teleworks (compensation for the use of the home, reimbursement of professional expenses), which is normally compulsory and governed by specific French rules.
One difficulty can be raised when the employee does not want to perform their duties remotely or from home whereas the company (ie, a foreign company) does not have an office in France. In such a case, it is important to have a discussion with the employee to find the most appropriate solution to ensure them the best working conditions and environment.
It is important to underline that the development of remote working has brought new litigations.
Many employees who were able to telework during the COVID-19 pandemic have decided to move away from their place of work. However, when they were asked to return to their place of work, they refused, claiming that teleworking was a right they were entitled to. However, under French law, telecommuting is not a right and remains subject to employer approval.
Recent Case Law Trends on Liability Limitation Clauses in Cloud Service Agreements
The liability of the IT service provider is one of the most hotly debated points in any IT project. However, the particularity of cloud service contracts is that they are rarely negotiated and are, in the majority of cases, "contracts of adhesion".
After recalling the main principles that apply to the limitation of liability clauses under French law, this article will examine the recent case law handed down in France over the last few months on this issue.
Principles Applicable to Liability Limitation Clauses
Over the decades, French courts have developed a solution aimed at prohibiting excluding and limiting liability clauses relating to the service provider’s essential obligations, which was finally enshrined in the Civil Code in 2016 on the understanding that any intentional non-performance of the obligation renders the limitation of the liability clause invalid.
Prohibition of exoneration or limitation liability clauses relating to an essential obligation
The principle, consistently upheld in case law, is that clauses which eliminate all liability (so-called exoneration liability clauses) are null and void, as they give a purely potestative character to the debtor’s commitment, which is prohibited by Article 1174 of the French Civil Code.
The principle is clear, but its application is less so, as the determination of the exonerating character of the clause is susceptible to pluses and minuses. Clearly, a clause whereby a service provider is released from "any liability whatsoever" would be elusive and therefore void for lack of cause (CA Reims, 13 December 2016: the clause exempted the provider from any liability for the results and performance of the software. The judges ruled that the clause should be deemed unwritten, as it deprived the essential obligation of the contract of any effect, even though the contract was executed between two professionals).
But what about a clause that excludes all liability for non-performance, not of the contract as a whole, but of a specific obligation?
Jurisprudence has therefore developed an average solution, which consists of prohibiting only exemption clauses relating to an essential obligation of the contract.
The Faurécia ruling (Cass. com., Feb. 13, 2007, Bull. civ. IV, no. 43) as well as the Thalès ruling (Cass. com., June 5, 2007, Bull. civ. IV, no. 157) even went so far as to set aside a clause limiting liability, regardless of the contractual amount of compensation stipulated (which, in this case, was not derisory), provided there had been a breach of an essential obligation.
Enshrinement in the civil code of the case law related to liability limitation clauses
It would appear, however, that the Cour de cassation has softened its stance since its EDF ruling (Cass. com., Dec. 18, 2007, Bull. civ. IV, no. 265) and that, even if the liability clause relates to an essential obligation, it now requires trial judges to examine in concreto whether the clause voids the debtor’s obligation.
This has led some commentators to consider that clauses limiting compensation, even if they relate to an essential obligation, may be valid, provided their amount is not derisory. This solution seems to have been adopted, in the IT field, by the Paris Court in the Faurécia case (CA Paris, 25th ch. A, Nov. 26, 2008), as well as by the Cour de cassation in the Faurécia II case in 2010 (Cass. com., June 29, 2010, Bull. civ. IV, no. 115).
Since the 2016 reform (resulting from Ordinance No 2016-131 of 10 February 2016), this case law on liability limitation clauses has been enshrined in the Civil Code, as the new Article 1170 enshrines the previous jurisprudence, declaring unwritten "any clause which deprives the essential obligation of the debtor of its substance".
Neutralisation of clauses limiting compensation in the event of intentional non-performance
The law of obligations prescribes that the damage to be made good must be limited to the damage foreseeable on the date of the contract, except where the non-performance is fraudulent, ie, intentional. When the non-performance is fraudulent, the cap is lifted and all damage is then compensable, provided it is direct (Article 1231-2 of the Civil Code). In practice, this means that IT contracts almost systematically exclude compensation for indirect damage (in this respect, judges do not further compensate commercial damage when it results from a computer failure which is not the fault of the service provider: CA Paris, Nov. 25, 2022, no. 21/0532).
In line with Article 1231-2 of the Civil Code (and because the commitment would otherwise be purely potestative), case law rules out any clause limiting compensation or exonerating liability in the event of intentional non-performance of the obligation (Cass. 1re civ., 24 fév. 1993, Bull. no. 88).
What is more remarkable is that French case law equates gross negligence with intentional fault, and applies the same effects to clauses limiting liability. Although this solution is sometimes criticised, it is regularly reaffirmed by the Cour de cassation. In any event, even if lawful, clauses limiting or exonerating liability can only cover damage resulting from slight negligence (Cass. com., Jan. 22, 2008). The qualification of fault is at the discretion of the judge, and the burden of proof lies with the creditor.
Application to Cloud Service Agreements (OVH Case Law and Others)
How are these principles applied by French judges to cloud service contracts, which are ‒ in most cases ‒ contracts of adhesion that customers cannot really negotiate?
However mistrustful one may be of disclaimer clauses, it must be remembered that the principle is that limitation liability clauses are lawful, even in contracts of adhesion, as the Cour de cassation has been asserting for the past 40 years (Cass. 1re civ., 19. Janv. 1982, Bull. civ., I, no. 29).
Nevertheless, under the terms of Article 1171 of the French Civil Code, "in a contract of adhesion, any non-negotiable clause, determined in advance by one of the parties, which creates a significant imbalance between the rights and obligations of the parties to the contract is deemed unwritten".
Consequently, if a cloud service provider sets the liability limitation amount too low in its membership contracts, it runs the risk of having its clause deemed unwritten by the judge in the event of a dispute.
French courts have had occasion to rule on this issue on several occasions in recent months, particularly in the high-profile OVH case, as well as in other less high-profile but equally instructive legal cases.
OVH case law
On 10 March 2021, a fire of unknown cause (probably caused by two UPS systems) completely destroyed one data centre and partially damaged another belonging to OVH, a French company operating in the cloud (particularly in the hosting and data backup markets). A number of disgruntled customers went to court to claim compensation for their loss, challenging the clause limiting OVH's liability to the " amounts paid in the six months preceding the claim" (which in this case amounted to EUR1,800).
OVH argued, in particular, that subscribing to a low-cost hosting and back-up package was not likely to cause a significant imbalance.
However, in its decision of 26 January 2023, the Lille Commercial Court ruled (after recalling that significant imbalance is not assessed in terms of "the adequacy of the price to the service", thus reiterating the terms of Article 1171, paragraph 2 of the Civil Code) that if the limitation of liability clause creates an asymmetry between the rights and obligations of the parties, by granting an unjustified advantage to the cloud service provider without any consideration for the customer, it creates a significant imbalance and must therefore be deemed unwritten (T. com. Lille 26 janv. 2023, RG. 2021/013526).
Considering that the limit of EUR1,800 was disproportionate, the Court ruled that the clause was "unwritten".
OVH also argued that it could not be held liable because the contract contained a clause excluding the parties from liability in the event of force majeure.
The court, however, considered that the purpose of the back-up operations was to secure the data in order to restore it in the event of a disaster, and therefore in the event of force majeure.
In fact, the application of such a clause would have prevented the restitution of the data in the event of a loss, and thus the contract of its main obligation. The court therefore ruled that the clause was deemed unwritten, so that OVH was unable to avoid liability on the grounds of force majeure.
Other recent case law
Similarly to the OVH case law, in its ruling of 15 June 2022 (RG no. 21/00432), the Limoges Court of Appeal:
In another case, where the customer’s accounting data had not been backed up, and the cloud service provider had failed to inform the customer of the scope of the back-ups it had carried out, the Paris Court of Appeal ruled that the cloud service provider had breached its contractual obligation to provide back-ups, which constituted gross negligence. The judges also ruled that the clause limiting liability was unwritten (CA Paris, Nov. 25, 2022, no. 20/05106).
As a counterpoint to these customer-friendly case law rulings, the Versailles Court of Appeal ruled (even though the alleged loss amounted to EUR64,629) that the clause limiting the cloud service provider’s liability to the amount corresponding to "the sums paid by the customer for the three-month period preceding the event(s) giving rise to its liability" (in this case EUR8. 497) was valid, on the grounds that it did not contradict the provider’s essential obligation (which, according to the Court, was to guarantee a 99.5% platform availability rate).
All in all, and despite this latest decision (which has been criticised by commentators), it seems that the trend of rulings deeming limitation of liability clauses in cloud service contracts to be unwritten is on the increase in France, particularly when compared with rulings handed down prior to 2020. This is no doubt due to the first concrete effects of the 2016 reform of the French Civil Code and the judges’ application of its new Article 1170.