The European Commission published a proposal for a directive on liability for defective products on Sept. 28, 2022. The amendments are so extensive that the previous Product Liability Directive 85/374/EEC from 1985 shall be completely replaced.
Reasons for a new Product Liability Directive
Although the existing Product Liability Directive is still considered to be an effective instrument of consumer protection, it shows significant weaknesses in the view of the EU Commission:
- It is unclear how decades-old definitions and concepts apply to products of the modern digital economy, such as software, smart devices, and autonomous vehicles;
- The burden of proof regarding the existence of a defect and the causation of that defect for the harm suffered is a challenge for injured persons, especially when it comes to pharmaceutical, smart, or AI-enabled products;
- The previous regulations severely restrict the possibility of claiming damages. For example, property damage worth less than EUR 500 is not recoverable under the previous Product Liability Directive.
The weaknesses of the existing regulations regarding emerging digital technologies have already been analyzed in the European Commission's White Paper - On Artificial Intelligence - A European Approach to excellence and trust, COM(2020)65 final, dated 19.02.2020 and the European Commission's report on the safety and liability implications of artificial intelligence, the Internet of Things and robotics, COM(2020) 64 final, published on the same day and the report from the Expert Group on Liability for artificial intelligence and other emerging digital technologies published on 27.11.2019.
The overriding goals of the new Product Liability Directive are effective consumer protection, a level playing field and legal certainty for all companies, while at the same time avoiding high costs and risks for small and medium-sized enterprises (SMEs) and start-ups.
Addition of further liability regimes at EU and national level
The new Product Liability Directive will complement other liability regimes at EU and national level, in particular,
In the area of cyber security, the Product Liability Directive must be distinguished from the
Context of other EU legislative initiatives
In addition, the new Product Liability Directive must be seen in the context of other legislative initiatives, in particular the
The main innovations and clarifications
The new Product Liability Directive contains numerous significant changes, but some are mere clarifications, including:
- The new product liability guideline will apply to all products, in particular also to software, including AI systems
- Liability also extends to components and "related services" which, according to recital 15, may include the supply of data. This also brings service providers and data suppliers into the circle of liable parties, which has particular relevance for the area of training data;
- Developers or producers of software including operators of AI systems are manufacturers within the meaning of the Product Liability Directive;
- There is an exception for open source software, but this is again subject to exceptions that will be important in practice;
- Expansion of the circle of liable parties: Not only hardware manufacturers (e.g., car manufacturers) may be liable, but also software providers (e.g., providers of the car's navigation system) and, under certain circumstances, agents of the manufacturer or fulfillment service providers (companies that provide warehousing, packaging, addressing or shipping services for the product without being the owner of the products (with the exception of postal and freight services)), as well as distributors and online platforms in accordance with Art. 6(3) of the Digital Services Act;
- Consumers receive compensation for defectively modified products (especially through upgrades, updates or machine-learning algorithms) just as they do for completely new products;
- At the same time, it is clarified that not every upgrade or update means that the previous version of the software is defective;
- Vulnerabilities relating to cybersecurity are also considered errors;
- Evidentiary difficulties are alleviated by an obligation of the manufacturer to disclose the necessary technical information to the injured party in court and by rebuttable presumptions regarding the defectiveness of the product and the causality of the defect for the damage, especially in complex cases (e.g. AI systems or machine-learning algorithms). In doing so, Member States will be required to empower their courts to take "specific measures" to protect confidential information and trade secrets. This will have considerable relevance in the IT sector when plaintiffs demand access to the source code or surrender of training or validation data;
- The concept of damage is expanded: Eligible for compensation are also material damages caused by the alteration or destruction of data, this also includes costs of restoring data as well as medically recognized damage to mental health and damage to items that are used both privately and professionally (e.g. home office equipment), whereby in turn damage to items that are used exclusively for professional purposes is to be excluded;
- Important restriction of the exclusion of liability: The principle that the placing on the market is the essential connecting factor for product liability will be retained. However, an important exception will be introduced if the product is still under the control of the manufacturer after it has been placed on the market. This is particularly relevant for software manufacturers and especially for AI systems, where the manufacturers continuously monitor the data sets and their use, which they may even be obliged to do so under the draft AI Act ("post market monitoring"). In addition, software manufacturers in whose control the software is still cannot invoke the exclusion of liability if the defectiveness of the product is due to the lack of a software update or upgrade that would have been required for (cyber) security reasons. Thus, the new Product Liability Directive basically introduces a non-contractual obligation to provide security updates, provided that the software is still under the control of the software manufacturer. There may also be overlaps here with the new contractual update obligation for merchants under Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services;
- The previously applicable deductible of EUR 500 for property damage and the possibility of limitation to a maximum liability amount for personal injury due to member state regulations no longer
Mandatory EU consumer protection law
The Product Liability Directive is mandatory consumer protection law of the EU. Insofar as EU law is applicable, liability towards the consumer cannot be excluded or limited by contract or other statutory provisions. This means in particular, that contractual limitations regarding the amount of liability are invalid.
Significance and outlook for Swiss companies
Since Switzerland has already adopted the previous Product Liability Directive almost word for word with the Federal Law on Product Liability (PrHG), it would sound logical that the new Product Liability Directive will also be implemented in Switzerland for the same reasons. However, that remains to be seen. So far, the Federal Office of Justice has not yet been commissioned to deal with the matter at all. Irrespective of this, it is important for Swiss companies, both now and in the future, to check whether they themselves or their branch in the EU fall under the previous/new product liability law or whether their business partners, e.g. "fulfillment providers", online platforms or distributors, can assert recourse claims. Corresponding risks should be limited as far as possible. We will be happy to advise you on this.
