RGPD
Can an IT service provider's protection be effectively guaranteed by limitation of liability clauses?
Reading time:
5 min
Can an IT service provider's protection be effectively guaranteed by limitation of liability clauses?
Limitation of liability clauses are a contractual shield often used by IT service providers to frame their obligations. But are they really effective in the face of a breach of the duty to advise? A recent ruling by the Paris Court of Appeal is a reminder that these clauses are not absolute and may be set aside in the event of fault by the provider, particularly where it gives poor advice to its client during the performance of the contract.
The case in question concerns a provider supplying an online payment solution and a client who fell victim to fraud. The provider, which had advised its client on the level of security of the solution, was held liable despite the exemption clause set out in its GTC.
In what cases can such a clause be set aside? What lessons can be drawn from this ruling? Here is our analysis.
The case involves a company that used a payment services provider to secure its online transactions. The provider offered a system called "Smart 3-D Secure", designed to analyse the fraud risk of each transaction in real time and to trigger, or not, enhanced authentication.
However, several fraudulent transactions were carried out on the client's platform. Despite the alerts, the provider advised maintaining a level of security that maximised the payment conversion rate, rather than strengthening the controls.
The client, having recorded the losses caused by this fraud, brought legal proceedings to obtain compensation. The provider relied on a limitation of liability clause excluding any compensation for indirect or intangible damage resulting from a failure to perform the services.
The question put to the court was therefore whether this clause could apply, or whether the provider's liability had to be engaged despite this contractual limitation.
Let's discuss your needs for 15 minutes!
In this case, the Court examined whether the IT service provider had fulfilled its duty to advise throughout the contractual relationship.
The provider argued that its client, a company specialising in distance selling and prepayment, was a knowledgeable professional and was aware of the risks associated with the various payment security options. However, the judges identified several factors demonstrating a breach of this duty to advise:
The judges therefore held that the provider could not confine itself to a purely technical role. Its duty to advise entailed a duty to warn and to provide active support in the face of evolving fraud risks, particularly in an e-commerce and marketplace context.
One of the key points of this case lay in the provider's reliance on limitation of liability clauses, intended to exclude or limit its liability for any harm suffered by its client.
The Court of Appeal set these clauses aside on several grounds:
Consequently, the court upheld the provider's conviction by setting aside the application of the limitation of liability clauses. This ruling falls within a consistent line of case law that refuses to apply such clauses where the provider breaches its duty to advise or to warn.
I want reliable legal documents!
Having set aside the limitation of liability clause, the Court of Appeal upheld the provider's order to pay the damages claimed by the client.
The decision rests on several findings:
Consequently, the court confirmed the client's compensation up to the amounts defrauded, as well as the award of additional damages to cover the costs incurred in the proceedings.
This ruling is a reminder that an IT service provider cannot hide behind the mere supply of a technical service when it plays an active role in its client's strategic choices. The duty to advise applies throughout the contractual relationship, and its disregard may lead to the limitation of liability being set aside. Do not hesitate to seek legal advice to help you!
To learn more
No. A ruling by the Paris Court of Appeal is a reminder that these clauses are not absolute. They may be set aside in the event of fault by the provider, in particular where it gave poor advice to its client during the performance of the contract, despite the exemption clause set out in its GTC.
The clause may be set aside in the event of fault by the provider, in particular a breach of the duty to advise. Where the provider gives poor advice to its client on a decisive point, such as the security level of a solution, its liability may be engaged despite the clause.
The ruling is a reminder that limitation of liability clauses are not an absolute shield. In the case concerned, a provider of an online payment solution was held liable after having given poor advice to its client on security, following fraud that was suffered.
Yes, where the breach of the duty to advise is established. A provider that steers its client towards an insufficient level of security cannot hide behind its exemption clause to escape its liability, as illustrated by the ruling handed down.
The duty to advise requires the provider to inform and to warn its client about the relevant technical choices, particularly regarding security. It also applies during the performance of the contract. Unsuitable advice may engage the provider's liability despite its contractual clauses.
An effective clause must be clear, proportionate and must not deprive the contract of its substance. It does not provide protection in the event of gross fault or a breach of the duty to advise. Its drafting must anticipate the provider's essential obligations in order to remain enforceable.
Yes. As illustrated by the payment solution case, a provider may be held liable despite the exemption clause in its GTC, where it has breached its duty to advise. The clause does not cover all of the provider's faults.
A lawyer helps to draft enforceable limitation of liability clauses, to structure the duty to advise and to balance the contract. For both the client and the provider, this support makes it possible to anticipate disputes relating to the security and the performance of the service.
Still have questions?
Our team is available!
Have a question?

Ressources
Aller plus loin