Non-compliance with the GDPR is a new ground for cancellation of a contract
According to the Civil Code, the validity of a contract supposes the meeting of three cumulative elements which are :
- The consent of the parties
- Their ability to contract
- And a legal and certain content
This consent is defined, on the one hand, by the existence of consent, in other words, by the fact of being of sound mind, being free of any mental disorder. And secondly, the consent must not be vitiated. In this sense, the Civil Code lists three defects of consent: error, fraud and violence.
Error is a defect of consent when, without it, one of the parties would not have contracted or would have contracted on substantially different terms. The error must not be inexcusable and may relate both to the essential qualities of the service due and to the other party.
Thus, article 1133 paragraph 1 of the Civil Code defines the error on the essential qualities as: “[…] those which were expressly or tacitly agreed and in consideration of which the parties have contracted”.
In a decision dated January 12, 2023, the Grenoble Court of Appeal, for the first time, annulled a website license agreement for error in essential qualities, holding that a company could legitimately expect that the IT service provider would not illegally collect personal data.
In this case, an optics company had commissioned a service provider specializing in the creation, installation and maintenance of websites to develop its own website dedicated to its professional activity.
To this end, a 48-month operating license agreement was concluded between the parties, for the provider to manage the operating back-office.
Not being satisfied with the website, the customer decided to break the contract and stopped paying the related monthly payments. The IT service provider did not take kindly to this.
Together with his leasing company, he then sued the optical store for payment of his unpaid license fees.
In the first instance, the client was ordered to pay the compensation and appealed.
The appellant, in a bundle of claims, complained, among other things, that the site created and operated did not provide for any compliant processing of personal data collection in violation of the GDPR. In particular, it sought the nullity of the operating license agreement.
Indeed, according to the economics of the transaction, the customer remained a controller of personal data within the meaning of the GDPR.
However, a bailiff’s report highlighted the existence of cookies installed without the consent of the website user.
As a result, the designed website did not comply with the regime of collection and use of users’ personal data as required by the General Data Protection Regulation of 27 April 2016 (known as “GDPR”), imperatively applicable in Europe since 25 May 2018. Under it, users must have control over and understand the processing, collection and storage of their data.
The Court of Appeal was receptive to this argument.
She considered that the client had to be informed by the IT service provider of the existence of software allowing the installation of cookies necessary for the use of personal data.
It characterized as an essential quality within the meaning of the Civil Code, in an operating license contract, the conformity of the Internet site ordered by a client from an IT service provider. The latter, an IT professional, cannot ignore the vital regulations that are imposed on the activity of the sites he is asked to create.
In addition, the Court highlighted several relevant contextual elements, namely:
- That the client was not a personal data specialist;
- That a report of acceptance of the site without reservation made did not exempt the problem of the collection and use of data. Because only the bailiff’s report made it possible to highlight this anomaly.
Thus, the Court of Appeal pronounced the nullity of the operating license agreement for error on an essential quality of the website.
Whoever undertakes the creation of a turnkey site for a client cannot legitimately ignore the “RGPD” which now dominates all internet activity. It cannot claim to offer a turnkey site that is not compatible with it.
In concrete terms, the civil liability incurred by such a site would be coupled with the criminal liability of the company director – punishable by five years’ imprisonment and a fine of 300,000 euros.
Therefore, when you want to design your website, be sure to read the operating license agreement and in particular to include a liability clause for the IT service provider, if the latter does not ensure full compliance with the RGPD of the site that he undertakes to deliver turnkey.