
IT service provider: does your limitation of liability clause really protect you?

Can an IT service provider's protection be effectively guaranteed by limitation of liability clauses?


Limitation of liability clauses are a contractual shield often used by IT service providers to frame their obligations. But are they really effective in the face of a breach of the duty to advise? A recent ruling by the Paris Court of Appeal is a reminder that these clauses are not absolute and may be set aside in the event of fault by the provider, particularly where it gives poor advice to its client during the performance of the contract.

The case in question concerns a provider supplying an online payment solution and a client who fell victim to fraud. The provider, which had advised its client on the level of security of the solution, was held liable despite the exemption clause set out in its GTC.

In what cases can such a clause be set aside? What lessons can be drawn from this ruling? Here is our analysis.

Background to the case: insufficient security despite the provider's advice

The case involves a company that used a payment services provider to secure its online transactions. The provider offered a system called "Smart 3-D Secure", designed to analyse the fraud risk of each transaction in real time and to trigger, or not, enhanced authentication.

However, several fraudulent transactions were carried out on the client's platform. Despite the alerts, the provider advised maintaining a level of security that maximised the payment conversion rate, rather than strengthening the controls.

The client, having recorded the losses caused by this fraud, brought legal proceedings to obtain compensation. The provider relied on a limitation of liability clause excluding any compensation for indirect or intangible damage resulting from a failure to perform the services.

The question put to the court was therefore whether this clause could apply, or whether the provider's liability had to be engaged despite this contractual limitation.


The duty to advise during the performance of the contract: a basis for liability

In this case, the Court examined whether the IT service provider had fulfilled its duty to advise throughout the contractual relationship.

The provider argued that its client, a company specialising in distance selling and prepayment, was a knowledgeable professional and was aware of the risks associated with the various payment security options. However, the judges identified several factors demonstrating a breach of this duty to advise:

  • Unsuitable recommendations: the provider advised the client to lower the security level of its transactions in order to avoid payment refusals, even though fraud had already been detected.
  • A failure to respond appropriately: despite several reports of suspicious transactions, the provider did not recommend suitable corrective measures. It even advised taking no action at first, thereby downplaying the actual risks.
  • Liability maintained during performance: even though the client company had made initial choices regarding security, the provider remained obliged to inform it of the consequences and of the evolution of the threats.

The judges therefore held that the provider could not confine itself to a purely technical role. Its duty to advise entailed a duty to warn and to provide active support in the face of evolving fraud risks, particularly in an e-commerce and marketplace context.

The ineffectiveness of limitation of liability clauses in the event of a breach of the duty to advise

One of the key points of this case lay in the provider's reliance on limitation of liability clauses, intended to exclude or limit its liability for any harm suffered by its client.

The Court of Appeal set these clauses aside on several grounds:

  • A fault distinct from the technical non-performance of the contract: the breach alleged against the provider did not concern a malfunction of its interface, but a failure to advise during the performance of the contract. A limitation of liability clause cannot exempt a party from a serious breach of an essential obligation.
  • A contractual imbalance: the clauses in question almost entirely exempted the provider, even in the event of established negligence. This disproportion led the court to find them unenforceable against the client.
  • The inoperative exclusion of fraud risk: the provider relied on a clause exempting its liability in the event of fraud (phishing, carding). However, the judges noted that this exemption presupposed the existence of organised-gang fraud, which had not been established.

Consequently, the court upheld the judgment against the provider and set aside the limitation of liability clauses. This ruling falls within a consistent line of case law that refuses to apply such clauses where the provider breaches its duty to advise or to warn.


Confirmation of the provider's liability and compensation for the harm

Having set aside the limitation of liability clause, the Court of Appeal upheld the order requiring the provider to pay the damages claimed by the client.

The decision rests on several findings:

  • An established fault during the performance of the contract: the provider did not merely sell a solution, it advised its client throughout the contractual relationship. Yet its recommendations led to a reduction in the level of security, thereby facilitating fraud.
  • Harm directly linked to the provider's failings: the client had to bear the reimbursement of the fraudulent transactions, whereas a higher level of security could have prevented them.
  • The provider's refusal to take the alerts into account: despite clear signs of fraudulent activity, the provider continued to advise inaction, thereby reinforcing its liability.

Consequently, the court confirmed the client's compensation up to the amounts defrauded, as well as the award of additional damages to cover the costs incurred in the proceedings.

This ruling is a reminder that an IT service provider cannot hide behind the mere supply of a technical service when it plays an active role in its client's strategic choices. The duty to advise applies throughout the contractual relationship, and its disregard may lead to the limitation of liability being set aside. Do not hesitate to seek legal advice to help you!

To learn more

Does a limitation of liability clause always protect the IT service provider?

No. A ruling by the Paris Court of Appeal is a reminder that these clauses are not absolute. They may be set aside in the event of fault by the provider, in particular where it gave poor advice to its client during the performance of the contract, despite the exemption clause set out in its GTC.

In what cases can a limitation of liability clause be set aside?

The clause may be set aside in the event of fault by the provider, in particular a breach of the duty to advise. Where the provider gives poor advice to its client on a decisive point, such as the security level of a solution, its liability may be engaged despite the clause.

What does the Paris Court of Appeal's ruling state?

The ruling is a reminder that limitation of liability clauses are not an absolute shield. In the case concerned, following fraud suffered by the client, a provider of an online payment solution was held liable for having given its client poor advice on security.

Does the duty to advise prevail over the exemption clause?

Yes, where the breach of the duty to advise is established. A provider that steers its client towards an insufficient level of security cannot hide behind its exemption clause to escape its liability, as illustrated by the ruling handed down.

What does the IT service provider's duty to advise cover?

The duty to advise requires the provider to inform and to warn its client about the relevant technical choices, particularly regarding security. It also applies during the performance of the contract. Unsuitable advice may engage the provider's liability despite its contractual clauses.

How can an effective limitation of liability clause be drafted?

An effective clause must be clear, proportionate and must not deprive the contract of its substance. It does not provide protection in the event of gross fault or a breach of the duty to advise. Its drafting must anticipate the provider's essential obligations in order to remain enforceable.

Can an IT service provider be held liable despite its GTC?

Yes. As illustrated by the payment solution case, a provider may be held liable despite the exemption clause in its GTC, where it has breached its duty to advise. The clause does not cover all of the provider's faults.

Is a lawyer useful for securing an IT services contract?

A lawyer helps to draft enforceable limitation of liability clauses, to structure the duty to advise and to balance the contract. For both the client and the provider, this support makes it possible to anticipate disputes relating to the security and the performance of the service.
