Product Liability Update for Consumer Products in the EU
The European Commission proposes reforms to adapt EU product liability rules for AI and the digital age. These reforms include revising the Product Liability Directive (PLD). The PLD expands product definitions to include software and AI systems, introduces new defectiveness criteria, and emphasises the manufacturer's control over software updates. Our Products team discusses this complex legislative environment.
As part of its holistic approach to AI policy, the European Commission has proposed a package of reforms. These reforms aim to adapt EU product liability rules to the digital age and AI, including through a revision of the Product Liability Directive[1] (the PLD). The revised Directive is intended to be complementary in nature to current EU product safety frameworks. These include:
- The General Product Safety Directive[2] (GPSD)
- Its successor, the General Product Safety Regulation[3] (GPSR), which will apply from December 2024, and
- The recently adopted AI Act.
These interlinked frameworks give rise to a complex new legislative environment that consumer product stakeholders must navigate with care. We highlight some important connections between these frameworks that developers of AI-enabled products and services should be mindful of.
Broader scope of the PLD
The PLD seeks to update the EU’s strict liability regime applicable to products, including software and by extension, AI systems. Accordingly, claims for damage allegedly caused by AI-enabled consumer products and services will fall within the scope of the PLD. This is because the PLD expands the definition of a ‘product’ to include software:
“‘product’ means all movables, even if integrated into, or inter-connected with, another movable or an immovable; it includes electricity, digital manufacturing files, raw materials and software”.
While the term ‘software’ is not defined in the PLD, the recitals to the PLD make clear that it applies to software of all kinds, including:
- Operating systems
- Firmware
- Computer programmes
- Applications, and
- AI systems
It also acknowledges that software is capable of being placed on the market as a standalone product and may subsequently be integrated into other products as a component. Accordingly, software will be a product for the purposes of applying no-fault liability under the PLD. This applies irrespective of:
- The mode of its supply or usage, and
- Whether it is stored on a device or accessed through a communication network, cloud technologies or supplied through a software-as-a-service model.
Insofar as an AI system qualifies as a ‘product’ and ‘software’, it is proposed to fall within the scope of the PLD. At a high level, this will mean that the PLD will apply to most, if not all, consumer or public facing systems. It will also apply to systems that are components of hardware that qualify as a physical ‘product’. Accordingly, consumer products and services delivered using AI-enabled technologies such as wearable devices, chatbots and smart assistant apps will be affected.
Two noteworthy exclusions regarding the scope of the PLD are as follows:
- The new product liability rules contained in the PLD will apply to products placed on the market or put into service 24 months after its entry into force. The current Product Liability Directive will be repealed with effect from 24 months after the PLD’s entry into force. However, it will continue to apply to products placed on the market or put into service before that date.
- The PLD will not apply to pure information, such as the content of digital files or the mere source code of software. It will also not “apply to free and open-source software that is developed or supplied outside the course of a commercial activity”. However, if such software is subsequently integrated by a manufacturer as a component into a product in the course of a commercial activity, the PLD will apply.
Defectiveness
Under the PLD, the criteria for determining the defectiveness of a product, including an AI system, will be expanded. Some of these additional criteria, which are non-exhaustive in nature, are particularly relevant to AI systems and link back to AI Act requirements:
- In the first instance, the PLD provides that a product will be considered defective “if it does not provide the safety that a person is entitled to expect or that is required under Union or national law”. Consequently, an AI system may be deemed defective for the purposes of a product liability claim by virtue of being non-compliant with requirements under the GPSD / GPSR and/or the AI Act.
- Additional defectiveness criteria specified under the PLD include a product’s interconnectedness, self-learning functionality and safety-relevant cybersecurity requirements.
- In reflecting the relevance of product safety and market surveillance legislation for determining the level of safety that a person is entitled to expect, the PLD also provides that, in assessing defectiveness, interventions by competent authorities should also be taken into account. This includes “any recall of the product or any other relevant intervention by a competent authority or by an economic operator as referred to in Article 8 relating to product safety”.
Accordingly, when considering the defectiveness or otherwise of an AI system, its compliance with requirements under the GPSD / GPSR and/or the AI Act will be taken into account. Interventions by competent authorities will also be taken into account.
Rebuttable presumption - defectiveness
Under the PLD, the burden remains on a claimant to prove:
- The defectiveness of the product
- The damage suffered
- The causal link between the injury or damage sustained, and the allegedly defective product
These elements must be proven in accordance with the standard of proof applicable under national law in the relevant Member State(s). The PLD acknowledges, however, that injured parties are often at a disadvantage compared to manufacturers in terms of accessing and understanding information about how a product was produced and how it operates. This is particularly true in cases involving technical or scientific complexity.
Accordingly, the PLD introduces a rebuttable presumption of defectiveness where:
- The claimant demonstrates that the product does not comply with mandatory product safety requirements laid down in Union law or national law.
- The claimant demonstrates that the damage was caused by an “obvious malfunction” of the product during “reasonably foreseeable” use or under ordinary circumstances.
- A defendant fails to comply with a court order to disclose relevant evidence at its disposal.
In the context of AI systems, the rebuttable presumption of defectiveness triggered under the PLD can arise from a product’s non-compliance with mandatory product safety requirements laid down in Union law or national law. This presumption could therefore be triggered by an act of non-compliance with requirements under the GPSD / GPSR and/or the AI Act.
Rebuttable presumption - causation
The PLD also provides for the presumption of a causal link between a product’s alleged defectiveness and the damage suffered. This presumption applies where it has been established that the product is defective, and the damage caused is of a kind typically consistent with the defect in question.
A rebuttable presumption will arise where a national court must presume a product’s defectiveness or the causal link between its defectiveness and the damage suffered, or both, where, despite the disclosure of evidence by a manufacturer, and taking all relevant circumstances into account:
- The claimant faces excessive difficulties, in particular due to technical or scientific complexity, in proving the product’s defectiveness or the causal link between its defectiveness and the damage, or both, and
- The claimant demonstrates that it is likely that the product is defective or that there is a causal link between the defectiveness and the damage, or both.
On the interpretation of ‘excessive difficulties’, Recital 48 of the PLD refers to AI systems specifically. It provides that in determining technical or scientific complexity, national courts must do this on a case-by-case basis, taking into account various factors, including:
- The complex nature of the technology used, such as machine learning.
- The complex nature of the causal link such as a link that, in order to be proven, would require the claimant to explain the inner workings of an AI system.
It further provides that, in the assessment of excessive difficulties, while a claimant should provide arguments to demonstrate excessive difficulties, proof of these difficulties should not be required. For example, in a claim concerning an AI system, the claimant should neither be required to explain the AI system’s specific characteristics nor how those characteristics make it harder to establish the causal link.
Manufacturer’s control
The PLD introduces various new provisions that recognise that, in the case of technologically sophisticated products, a manufacturer’s responsibilities do not necessarily crystallise at the factory gates. This is particularly significant for connected consumer products, where the hardware manufacturer retains the ability to supply software updates or upgrades to the hardware by itself or via a third party.
The PLD provides that the developer or producer of software, including an AI system provider, should be treated as a manufacturer. While the ‘provider of a related service’ is recognised as an economic operator under the PLD, related services and other components, including software updates and upgrades, are considered within the manufacturer’s control when they are integrated, inter-connected or supplied by the manufacturer. It also applies where the manufacturer authorises or consents to their supply by a third party.
A ‘related service’ is defined in the PLD as “a digital service that is integrated into, or inter-connected with, a product in such a way that its absence would prevent the product from performing one or more of its functions”. For example, where a manufacturer consents to the provision by a third party of software updates for its product or where it presents a related service or component as part of its product even though it is supplied by a third party. However, a manufacturer isn’t considered to have consented to the integration or interconnection of software with its product merely by providing for the technical possibility to do so. Similarly, a manufacturer isn’t considered to have consented by recommending a certain brand or by not prohibiting potential related services or components. Additionally, once a product has been placed on the market, it is considered within the manufacturer’s control insofar as it retains the technical ability to supply software updates or upgrades itself or via a third party.
This means that manufacturers of products with digital elements may be liable for damage arising from changes to those digital elements that occur after the physical product is placed on the market. This is a significant shift to more of a ‘lifecycle’ approach. The consequence for manufacturers of AI-enabled products is that greater attention will need to be paid to:
- The degree of control it exercises over its products once placed on the market.
- Where its products remain within its control, the extent to which changes like software updates and upgrades impact on not just safety but also product liability exposure.
- What ‘related services’ form part of its products and the level of control exerted over these ‘related services’. This includes the nature of the relationship with any third-party providers of related services and the potential consequences from a product liability perspective.
Substantial modification
The PLD maintains the general limitation period of 3 years for the initiation of proceedings for the recovery of damages. This limitation period runs from the day on which the injured person became aware, or should reasonably have become aware, of all of the following:
- The damage
- The defectiveness, and
- The identity of the relevant economic operator that can be held liable for the damage.
The PLD contains two modifications to the current 10-year longstop provision in the existing Product Liability Directive:
- An extension to 25 years in certain cases involving latent personal injuries unless the injured person has, in the meantime, initiated proceedings against a potentially liable economic operator.
- Where a product has been ‘substantially modified’, the calculation of time runs from the date that the substantially modified product has been placed on the market or put into service.
The PLD defines ‘substantial modification’ as the modification of a product after it has been placed on the market or put into service:
- That is considered substantial under relevant Union or national rules on product safety, or
- Where relevant Union or national rules do not provide such a threshold, that:
  - Changes the product’s original performance, purpose or type without being foreseen in the manufacturer’s initial risk assessment, and
  - Changes the nature of the hazard, creates a new hazard, or increases the level of risk.
What amounts to a ‘substantial modification’ can be quite case specific. However, the reference in the definition to modifications that are “considered substantial under relevant Union or national rules on product safety” engages the AI Act. This is because it contains references to substantial modification in the context of ‘high-risk AI systems’.
An AI system will be considered ‘high risk’ where it is:
- Intended to be used as a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in Annex I to the AI Act.
- Required to undergo a third-party conformity assessment before being placed on the market or put into service in the EU in accordance with the applicable Union harmonisation legislation listed in Annex I to the AI Act.
Examples of possible high-risk AI systems in a consumer product context include toys, cars and AI systems that continue to learn after being placed on the market or put into service.
Where no thresholds are provided under the relevant Union or national rules on product safety, the threshold is assessed by the extent to which the modification changes the product’s original intended functions or affects its compliance with applicable safety requirements or changes its risk profile. For example, in cases involving regulated AI systems that are not high-risk under the AI Act.
We expect that the practical application of these concepts in the context of AI systems will require complex and case-specific analyses on liability exposure and mitigation.
Irrespective of which threshold criteria are applicable to a specific AI-enabled product, AI system providers and providers of products with AI components will need to carefully track how relevant AI systems are changing and the legal consequences of those changes.
Conclusion
The move to bring the EU product liability regime up to speed with updated product safety legislation is likely to give rise to increased litigation risks that will require careful management. This is particularly the case for liability exposure related to software as a 'product' for the purposes of product liability claims. To prepare for these incoming changes, stakeholders with consumer products on the EU market should carefully consider their potential liability exposure under the PLD.
We would recommend that they carefully analyse their existing product portfolio to:
- Identify what products would fall within the scope of the PLD, including a review of third-party software and ‘related services’, i.e. digital services embedded in their hardware products.
- Review the warnings and disclaimers provided to users relating to risks or potential harm associated with using their products and related services, particularly having regard to the extended definition of damage.
- Incorporate the necessary screens and protocols into their product roadmaps in order to identify and mitigate EU product liability exposure.
Consumer product stakeholders should also review their:
- Product liability insurance to ensure, amongst other things, that their coverage includes all damage envisaged under the PLD. Specifically, they should ensure that coverage extends to destruction or corruption of data and medically recognised damage to psychological health, and that related services are also covered.
- Contractual arrangements with other economic operators to ensure there are adequate liability and indemnity provisions in place. This is particularly important given the new provisions in the PLD around service providers and what is considered to be within the manufacturer’s control, even if a third party is carrying out certain tasks or services on their behalf.
For more information, contact a member of our Product Regulation & Consumer team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
[1] Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products
[2] Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety
[3] Regulation (EU) 2023/988 of the European Parliament and of the Council of 10 May 2023 on general product safety