Public and private websites and services went offline because of the fire in OVH’s data centres in Strasbourg. No one points out customers’ responsibilities by Andrea Monti – Initially published in Italian by PC Professionale no. 362
On 10 March 2021, one of the OVH data centres in Strasbourg burned down. As a result, millions of websites and many online services run by private companies and public administrations stopped working. The effects of the fire reached Italy, where some local public administrations saw their online activities interrupted.
The first reaction was to shift the responsibility onto the data-centre provider, also invoking its (alleged) duty to comply with the security measures imposed by the EU General Data Protection Regulation.
In reality, however, things are not exactly like that: counterintuitive as it may seem, the primary legal responsibility lies with OVH's customers. It is up to them to check, before purchasing a service, whether it meets their regulatory compliance needs.
However, let us proceed in order.
When a company or public institution decides to use third parties for tasks it could well manage itself, the first regulatory obligation to be met is a preliminary assessment of the service's technical characteristics. In other words, it is the customer (a public administration, say) that must decide whether to purchase, for example, backup or disaster-recovery services, and how those services should be sized. Only after this step is it possible to request an offer, check that the offer matches the technical specifications required and, finally, sign the contract.
This is the fundamental element of the whole argument: customers buy a technical service; they do not delegate their data processing. Consequently, the data centre's liabilities are measured against the content of the contract. If a customer requests a service that does not include geographically separate backups and the data centre then burns down, as happened at OVH, the customer cannot accuse the provider of failing to protect the data, because the provider had no contractual duty to do so.
The inattention customers pay to the legal aspects of data-centre services is largely due to how these aspects are perceived: as an unnecessary and costly complication. Cost and time-to-market also play a part: for a client, working out what it actually needs and designing the service accordingly means incurring additional costs and lengthening the time to production. Especially where human and financial resources are limited, it is not surprising that people turn a blind eye, in the name of "what's the worst that could happen?".
Often, moreover, customers do not even know that their hosting or cloud services are subcontracted. Web and media agencies, individual webmasters and consulting firms often do not have their own data centres (however small), and even when they manage their own hardware, they do not keep it in house. This is particularly true for SaaS, cloud services and, in general, for everything that requires continuous updating of servers, operating systems and platforms. In these cases the intermediary is itself a customer: it buys (or, more often, rents) the machines and the management services from the data-centre provider.
This way of providing Internet services is entirely legal, and one certainly cannot force those operating in the sector to equip themselves with infrastructure whose organisational costs are hard for small and medium-sized structures to bear. What is not permissible is doing so without informing the final customer. The supplier, in other words, is obliged to declare that it delivers its services partly through subcontractors, but it does not always do so.
From the OVH case, some clear indications emerge regarding the use of data-centre services by companies and institutions. The first is to choose the type of service and its specific technical characteristics carefully: in other words, to get to the bottom of what one is buying. Secondly, it is essential to understand whether the supplier provides its services independently or uses subcontractors. In the latter case, it is necessary to be sure that the supplier is contractually liable to the customer for any negligence of its subcontractors. This leads to the third point of attention, the guarantee of adequate compensation: it matters little that a supplier has agreed to be liable even if the sky falls if, in practice, it cannot then meet its obligation to repair the damage.
These conclusions reveal an unpleasant but fundamental aspect of the web-services market: not many players have financial robustness broad enough to give their customers genuinely adequate guarantees. As a result, a significant number of online services are provided without any real possibility of compensation coverage, not even through an insurance policy (a subject that would require a separate discussion). Nevertheless, customers continue to ignore these issues, exposing the data for which they are legally responsible to risk and neglecting the impact of disruptions caused by an incorrect assessment of their suppliers.
What’s the worst that could happen?