Fact is that service providers may not always be able to limit their liability vis-à-vis the data subjects in scenarios where they contract with corporate customers and not the data subjects themselves. If hackers gain unlawful access to information residing in a hosted database, the service provider may be liable directly vis-à-vis the data subjects under negligence theories (if and to the extent economic harm resulting from data access is covered by tort liability under a particular jurisdiction’s laws).

But data protection laws do not prescribe the allocation of commercial liabilities between the parties. Sophisticated companies usually slice and dice exposure in various ways in indemnification, limitation of liability and warranty clauses. It is quite common to differentiate in risk allocation clauses based on whether customer and/or service provider contributed primarily to a breach or resulting harm, whether the service provider was in compliance with its contractual obligations, its information security policies and applicable law, and whether a risk materialized that could have affected any other company, including the customer.

Also, cloud service providers are increasingly mindful that they can be held liable for violations of laws by their customers or their customers’ customers, for example, in the context of uploaded viruses, illegally copied files and pornographic materials. Such risks are then shifted contractually from the provider to the customer.