Internet Explorer 11 (IE11) is not supported. For the best experience please open using Chrome, Firefox, Safari or MS Edge

Insights Technology

EU Product Liability and AI: Key Reforms Explained

In-depth analysis

Dec 19, 2024
EU Product Liability and AI: Ley Reforms Explained

Our Products team explores how recent EU reforms to product safety and liability laws redefine 'products' to include AI, software, and IoT devices. We outline key changes under the Revised Product Liability Directive and the proposed AI Liability Directive, and their implications for businesses and consumers. Read our full in-depth analysis for practical insights on navigating these important regulatory shifts.

Historically, the concepts of product safety and liability used to be confined to ‘bricks and mortar’ products. Now, the term ‘products’ encompasses much wider concepts, including software, AI systems, mobile apps, hardware products with integrated software and IoT-connected products.

In recent years, the product safety legislative framework has undergone a significant reform at a European Union level. This reform includes an expansion of the meaning of the term ‘product’ and the introduction of new rules and regulations to ensure the safety of consumers. This is reflected by the implementation of the EU’s General Product Safety Regulation, or ’GPSR’[1], which came into effect in December 2024. At the same time, the EU has proposed the reform of its product liability regime to address liability issues arising from digital technologies and artificial intelligence, circular economy business models and global value chains. In that regard, it proposed the revision of the EU Product Liability Directive (Revised PLD)[2].

As part of our in-depth analysis, we provide an overview of the upcoming changes in this space in the EU and how these proposed reforms will impact businesses and consumers alike. We also set out an overview of the interplay between the Revised PLD and the EU’s proposed Artificial Intelligence Liability Directive, or 'AILD'.

Product Liability Directive

The Product Liability Directive (PLD) established an EU-wide system of strict liability for product liability claims. This means that there is no requirement for a claimant to prove that a defendant producer was negligent or at fault.

The PLD provides that a producer is liable for damage caused wholly or partly by a defect in their product. A product is considered ‘defective’ if it fails to provide the safety that a person is entitled to expect. This assessment is an objective one. It is carried out by having regard to what the public at large is generally entitled to expect, and by reference to a range of circumstances, including:

  • The presentation of the product
  • Its reasonably expected uses, and
  • The time it was put into circulation

The concept of ‘putting a product into circulation’ isn’t explicitly defined in the PLD. However, case law from the Courts of Justice of the EU (CJEU) clarifies that a product is put into circulation when the product leaves the production process and enters a marketing process in the form it is offered to consumers.[3]

The burden of proof is on a claimant to prove the damage, the defect, and the causal relationship between the two. In Ireland, claimants commonly bring a product liability claim in tandem with a claim in negligence and/or in contract.

Several statutory defences are available to producers under the PLD. If successfully invoked, a defendant can avoid liability for a defective product. These defences include:

  • That the defect did not exist at the time the product was put into circulation, or that the defect came into being afterwards
  • The ‘state of the art’ defence, is arguably the most invoked. This applies where a defendant can show the defect was not discoverable due to the state of scientific and technical knowledge at the time the product was put into circulation

It is also important to be aware that there is a limitation period of three years to bring claims under the PLD. This is subject to a long stop provision where a claimant’s right of action will be extinguished 10 years after the product’s date of circulation, if they haven’t brought a claim in that time.

Why is a Revised PLD necessary?

The PLD was adopted almost 40 years ago in 1985. In that time, we have seen a dramatic change in the types of products on the market through developments in technologies like AI and machine learning.

As a result, the European Commission reviewed the PLD and proposed the reform of the existing product liability rules to meet the challenges presented by these technological advances as well as by:

  • Products imported directly from outside the EU
  • The emergence of new actors in the supply chain such as online marketplaces
  • An increased awareness around environmental sustainability and the circular economy where products can be repaired, reused and refurbished

Incoming changes and features of the Revised PLD

The Revised PLD was adopted by the European Parliament in March 2024. It was then subsequently formally adopted by the European Council in October 2024.

The Revised PLD entered into force on 8 December 2024 and will apply to products placed on the market 24 months after this date.

There will be a protracted transitional period where product liability cases may be brought under the PLD or the Revised PLD depending on which regime is applicable.

There are several noteworthy reforms under the Revised PLD:

  • Product: The Revised PLD expands the definition of a ‘product’ to expressly include software, including standalone software and AI systems.
  • Defectiveness: New factors have been added into the Revised PLD for determining whether a product is defective, including a product’s interconnectedness, self-learning functionality, and cybersecurity vulnerabilities.
  • Defendants: The Revised PLD expands the pool of defendants that can potentially be held liable for damage caused by a defective product ensuring, amongst other things, that there is always an EU-based liable person for products bought from manufacturers who are based outside the EU.
  • Circular economy: Where a product is upgraded or repaired outside the manufacturer’s control, the company or person who modified the product should be held liable.
  • Damage: The definition of ‘damage’ has been extended under the Revised PLD. It now brings in scope medically recognised damage including psychological health and damage from the destruction or corruption of data not used for professional purposes.
  • Scope of liability: One of the previous statutory defences allows the original manufacturer to avoid liability for defects that emerge after the product is put into circulation. Under the Revised PLD, the scope of liability may be extended to the time after a product was put into circulation where it is still under the manufacturer’s control. For example, where a product has been substantially modified through software updates.
  • Products bought from non-EU manufacturers: To ensure that consumers are compensated for damages caused by products manufactured outside of the EU, the importer or the EU-based representative of the foreign manufacturer can be held liable for damages.
  • Discovery: The Revised PLD introduces a discovery model for statutory product liability claims. Under this model, a claimant who has presented facts and evidence sufficient to support a plausible claim can seek an order from a defendant to disclose relevant evidence at its disposal. While this is a significant development for civil law EU countries, it would have minimal effect in Ireland as we already have discovery in civil proceedings. In addition, the Revised PLD expressly acknowledges that it does not affect national rules on pre-trial disclosure of evidence. The Revised PLD provides that where a defendant fails to disclose relevant evidence in response to a request, the product will be presumed to be defective.
  • Rebuttable presumptions: The Revised PLD contains rebuttable presumptions on defectiveness and causation designed to ease the burden of proof for claimants.
  • Collective redress: Businesses may not only be liable for harm caused to individual consumers by defective products. They may also be subject to a collective redress action if a product defect impacts the collective interests of a group of consumers/litigants under the Collective Redress Directive[4] (CRD).

Scope of the Revised PLD

The Revised PLD explicitly applies to software, including standalone software, AI systems, digital manufacturing files, and related services. It also covers cases where an integrated digital service is necessary for a product to function, such as a car GPS system. The Revised PLD includes several limited exceptions. One exception concerns pure information, such as software source code. Another applies to free and open-source software that is not developed or used as part of a commercial activity. This wider definition of what is considered a ‘product’ will expand the scope of liability for software products beyond those incorporated into a tangible product, as required under the PLD. As a result, it will have far-reaching consequences for software developers.

The Revised PLD also broadens the pool of economic operators that may be potentially liable for a defective product.

In addition to manufacturers, importers and, in some cases, distributors of a product or component of a product, the Revised PLD also includes:

  • The providers of related services
  • Authorised representatives
  • Fulfilment service providers
  • Third parties making substantial modifications to products already placed on the market, and
  • Online platforms in certain circumstances. This occurs when they play more than a mere intermediary role in the sale of products between traders and consumers

The Revised PLD’s expanded definition of an ‘economic operator’ is designed to ensure that there is always an EU-based representative liable for damage caused by a defective product. This could be the designated authorised representative, importer, or fulfilment service provider.

EU Artificial Intelligence Act

The EU Artificial Intelligence Act 2024 (AI Act) is the world’s first comprehensive piece of AI law.

The AI Act prioritises trustworthy AI by ensuring compliance with regulatory requirements and managing the relationship between providers and regulators. In contrast, the Revised PLD and the Artificial Intelligence Liability Directive (AILD) focus on addressing harm caused. The AI Act entered into force on 1 August 2024 with staggered implementation and is fully applicable 36 months after 2 August 2024.

High-risk AI software systems must be compliant by 2 August 2026, subject to a legacy provision. Other products, such as AI-enabled medical devices, lifts, and toys, will have additional time to meet their regulatory requirements. The applicable obligations will not take effect until 36 months after the Act enters into force, on 2 August 2027.

Core concepts of the AI Act and applicability

The AI Act adopts a risk-based approach to the regulation of AI systems. It seeks to regulate them by imposing a range of obligations on providers and deployers of those AI systems depending on the risk categorisation of the AI system. These obligations include requirements related to transparency, control and risk management, training and support and recordkeeping. The aim of the AI Act is to foster trustworthy AI in Europe and beyond, by ensuring that risks of powerful and impactful AI systems are addressed.

The AI Act has broad territorial application and is applicable to:

  • Providers and manufacturers of AI systems
  • Deployers, or users, of AI systems
  • Importers, distributors, affected persons, and authorised representatives of AI systems

The AI Act imposes a far greater regulatory burden on AI developers rather than on users. The AI Act lays down an enforcement framework that is designed to regulate AI systems on a sliding scale of risk. The compliance obligations will be dictated by the risk category into which the AI system falls. There are four risk categories, including:

  1. Unacceptable risk
  2. High risk
  3. Limited risk
  4. Minimal or no risk.

Unacceptable risk AI systems

AI systems which are considered a clear threat to the safety, livelihoods and rights of people are banned. This includes systems such as social scoring by governments and toys using voice assistance that encourages dangerous behaviour. These will be banned from the EU market from 2 February 2025.

High-risk AI systems

High-risk AI covers a broad range of applications. These include AI used in medical devices, as a safety component in toys, and for managing critical infrastructure such as electricity supply. It can also include employment recruitment tools, credit scoring applications, and grade prediction technology in education. High-risk AI will be broadly divided into two categories:

  1. AI systems that are used as a safety component in products or are themselves products falling under certain specified EU harmonisation legislation e.g. toys, medical devices etc. These are known as Annex I high-risk AI systems.
  2. AI systems in certain areas will require registration in an EU database. These include educational and vocational training, law enforcement, and the management and operation of critical infrastructure, among others. These are referred to as Annex III high-risk AI systems.

Before these categories of high-risk AI systems can be put on the EU market, they will be subject to a stringent ‘conformity assessment’ process. This conformity assessment determines whether the system meets all requirements in the Act. Providers dealing with Annex I high-risk AI systems will enhance their existing third-party conformity assessment procedure with their existing notified body. In contrast, providers of Annex III high-risk AI systems will conduct self-assessments in order to meet the same requirements.

Limited risk AI systems

Limited risk AI systems have a low risk of harm that can be remedied by making them more transparent. It is important that AI systems which interact directly with people are developed to ensure that the person is aware they are interacting with AI. These systems include chatbots, and generative AI.

Minimal risk AI systems

Minimal risk AI systems pose a minimal risk to the safety and rights of citizens. These are not subject to the obligations or restrictions under the AI Act. However, companies can choose to voluntarily adopt additional codes of conduct.

The AILD

The AILD is designed to revise and harmonise Member State’s non-contractual, fault-based rules concerning claims for injuries arising from AI systems. In Ireland, this will impact claims in negligence under tort law.

The product liability regime under the PLD provides for a harmonised application of its strict liability rules across the EU. The more ‘traditional’ fault-based rules, however, tend to vary more from Member State to Member State. The worry is that Member States will, and to some extent already are, applying their fault-based national rules to cases about AI systems and models in differing ways. This is unfortunately creating a fragmented set of new legal tests and case law that lacks consistency, making it a very challenging environment to do business.

The AILD is designed to harmonise these fault-based rules across the EU. It does this through a range of mechanisms including, for example, using the same terms and definitions as those used in the AI Act. The AILD also provides for the introduction of disclosure requirements and rebuttable presumptions into national fault-based rules in alignment with similar proposed reforms under the Revised PLD.

The EU Parliament’s Research Service published a Complementary Impact Assessment in September 2024. The assessment evaluated the AILD’s relevance and effectiveness in the current legislative landscape, particularly considering the Revised PLD. The Complementary Impact Assessment has made several key recommendations, one of which is to transform the AILD into a Regulation. This would ensure it has direct application in each Member State, eliminating the need for transposing national legislation. The Complementary Impact Assessment is being considered by the European Parliament’s Legal Affairs Committee and we await its decision as to whether it will accept its recommendations or not.

Features of the AILD

There are three key features worth highlighting in the proposed AILD in its current form:

  1. Scope: The AILD would ensure that the scope of national fault-based liability regimes is broad. For example, you can have claims against any person, not just the manufacturer, for faults that influenced the AI system which caused the damage. The AILD also applies to any type of damage covered under national law, including damage resulting from discrimination or breach of fundamental rights like privacy, which could in some cases be broader than the Revised PLD’s concept of ‘damage.’ Claims under the AILD can also be made by any natural or legal person. This contrasts with the PLD whereby it is just natural persons who can make a claim.
  2. Disclosure of evidence: Similar to the new rules under the Revised PLD, national courts would have the authority, at the request of a potential claimant, to order providers of high-risk AI systems - as well as those subject to the provider's obligations and users of those systems - to disclose or preserve relevant evidence related to a specific high-risk AI system suspected of causing damage.
  3. Rebuttable presumptions: For a fault-based claim to be successful, the defendant’s negligent act or omission must be shown to have caused the damage in question. According to the EC, proving this causal link could be difficult for a claimant in a fault-based claim involving an AI system. This is because they may have to explain the inner functioning of the AI system and what a defendant did or failed to do to make the AI system behave in a way that it wasn’t perhaps supposed to. This is understandably a high evidential bar that would be difficult for most claimants. It could also arguably result in an unfair barrier to claimants' access to justice. In those circumstances and, similarly, to the provisions introduced under the Revised PLD, the AILD would provide for a presumption of the causal link where certain conditions are met.

Collective redress

The CRD allows certain public representative bodies such as regulatory agencies and NGOs to bring claims on behalf of groups of consumers. Claims are brought under a very long and evolving list of EU product safety and consumer protection legislation.

‘Qualified entities’ representing groups of consumers can seek various forms of redress. Redress options can include repair, refunds and compensation, price reduction, contract termination as well as various types of injunctive relief, such as court orders compelling traders to stop the practice which has caused the infringement.

While the AI Act is not included, a range of consumer protection and product safety legislation, including the PLD, is on that list. As a result, it means that there is a possibility for qualified entities to bring claims against manufacturers under the PLD. It remains to be seen if that will happen and what it might look like. However, there is now a legislative basis for this happening in various Member States, including Ireland.

The CRD was adopted back in December 2020 and had to be implemented by Member States by June 2023. In Ireland, we now have the Representative Actions Act 2023 and the Irish Council for Civil Liberties was the first designated qualified entity under the Act. The CRD provides for various safeguards to avoid the opening of any sort of ‘floodgate’ of claims:

  • Dismissal of manifestly unfounded cases: Courts are empowered to dismiss manifestly unfounded cases at the earliest possible stage of the proceedings.
  • Settlement: There is the possibility that a claim can be settled subject to court approval.
  • Funding transparency: A qualified entity will be required to publicly disclose information about its sources of funding. Under Irish law, third-party litigation funding is prohibited for parties with no interest in the dispute, making it challenging for qualified entities in the not-for-profit sector to fund large, sometimes cross-border, representative actions. This prohibition remains unchanged by the enactment of the 2023 Act, which allows third-party funding for representative actions "insofar as permitted in accordance with law."
  • Multiple claims by individual consumers: Consumers are prevented from being involved in a collective action where they have previously received compensation from the same trader for the same cause of action.

The CRD forms part of the new EU product liability landscape and is worth bearing in mind alongside the Revised PLD and the AI Act. Although the EU’s collective redress model is designed to be different from the US class-action system and contains multiple measures to prevent opportunistic litigation, it will undoubtedly result in increased litigation risk for consumer-facing businesses. This is because consumers will be empowered to participate in a collective action whereas individually, they may not have had the means or appetite to do so. Consequently, Ireland could become an attractive forum for joint representative actions centred on EU-wide product liability claims. This is because it is the only remaining English-speaking common law country in the EU with a largely pro-plaintiff judiciary and extensive US-style discovery model. All these factors will likely lead to more product liability litigation. This could have secondary effects, such as a greater focus by businesses on achieving regulatory compliance. Businesses will aim to limit their risk of litigation exposure. Additionally, a more stringent regulatory culture may emerge.

Conclusion

The extended scope of the Revised PLD reflects the evolution of product liability to include not only physical products but also software applications and AI systems. These are now explicitly recognised as products under the Directive. The new rules intend to enhance consumer protection for damage suffered by defective products.

Even though the AILD has not been adopted, it is the subject of ongoing discussion at an EU level. Therefore, organisations and businesses must start preparing for how it may potentially impact them. Developers of AI systems should consider the legislative changes which may affect their product and ensure their compliance with the upcoming frameworks.

The trio of new legislation consisting of the AI Act, the Revised PLD and the proposed AILD will overlap. This is likely to result in the harmonisation of how AI systems are treated under EU product safety and product liability law. This will apply to both fault-based and strict liability claims. Producers will need to be aware of these legislative reforms in the context of the development of their products and the potential liability issues which could arise.

We recommend stakeholders monitor this evolving liability landscape as well as the potential for regulatory divergence outside of the EU. The EU is fast becoming an innovative frontier in this highly complex and exciting area of law.

For more information and expert advice on the scope of this new legislation and its likely impact on your business operations, contact a member of our Products team.

This insight was prepared and contributed by Casey Whelan, Legal Executive in our Products team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] EU/2023/988

[2] 85/374/EEC

[3] Case C-127/04 Declan O'Byrne v Sanofi Pasteur MSD Ltd and Sanofi Pasteur SA.

[4] 2020/1828



Share this:

Related Content

View All →