The EU’s Artificial Intelligence Regulation, commonly referred to as the AI Act, is expected to come into force during the summer of 2024 (the AI Act). The AI Act will be the first comprehensive legal framework for the use and development of artificial intelligence (AI), and is intended to ensure that AI systems developed and used in the EU are safe, transparent, traceable, non-discriminatory and environmentally friendly. Alongside the introduction of the AI Act, the EU is revising its product liability regime to ensure that, where AI systems cause harm to users, there are appropriate recourse and compensation mechanisms. 

European Commission proposals

The European Commission made two proposals in 2022 to ensure that the product liability regime can respond to the specific challenges faced by AI:

  • Revisions to the Product Liability Directive (85/374/EEC) (the PLD). The PLD imposes strict liability where a defective product causes material damage to consumers or their property.
  • The introduction of the AI Liability Directive (AILD) to assist claimants in making non-contractual fault-based claims. These will relate to damage caused by, for example, a breach of safety rules or unlawful discrimination based on algorithms embedded in an AI system.

While the two proposals are proceeding on separate timescales, businesses will need to ensure that they are fully aware of their scope and how they will be applied in respect of AI systems. Risk and compliance frameworks and contractual protections need to be reviewed and amended to protect against any potential liability arising from these new areas. It is also important to remember that the revisions to the product liability regime explained in this article will sit alongside other claims that may be available to potential claimants, such as for breach of contract and (in common law jurisdictions at least) claims in tort for negligence.

The two legislative initiatives focus on different areas of civil liability:

  • The Revised Product Liability Directive (the Revised PLD): non-contractual strict liability claims.
  • The AILD: non-contractual fault-based claims.

Doubt has recently been cast as to the necessity of the AILD, with the EU Parliament’s legal affairs committee commissioning a study on whether there is a legal gap left by the AI Act and PLD for the AILD to fill. Its future is therefore uncertain. However, and as set out below, the Revised PLD has already been adopted by the EU Parliament.

Content

The Revised PLD

The Revised PLD was adopted by the European Parliament in March 2024 and is awaiting approval by the European Council. There are several major amendments to the PLD proposed as part of the Revised PLD that are designed to ensure that the underlying regime can respond to the specific features of AI systems as a consumer product.

Definition of “product”

This will include software, which includes AI systems. However, free and open-source software that is developed or supplied outside the course of commercial activity is expressly excluded in an effort to avoid hampering innovation or research. However, manufacturers that integrate free and open-source software into their products may be potentially liable for any defects that arise as a result. Such integration will therefore need to be carefully considered and managed.

Definition of “defect”

The concept of defect now encompasses the “effect on the product of its ability to continue to learn or acquire new features after is has been placed on the market or put into service”. 

This means that an AI systems’ ability to self-learn and acquire new features will be relevant to considering if an AI system is defective, and the recitals to the Revised PLD specifically state that consumers can expect AI systems to be designed so as to prevent hazardous product behaviour. Accordingly, manufacturers that design a product that develops unexpected behaviours will remain liable in the event that such behaviour causes harm.  

Additionally: 

  • A product’s ability to comply with cybersecurity requirements and/or any cybersecurity vulnerability it may have will be relevant to the assessment of defectiveness. 
  • A recital to the Revised PLD states that manufacturers should be liable for damage caused where the defect arises as a result of failures to supply software and/or security updates or upgrades in response to evolving cybersecurity risks. 
  • Where third parties exploit cybersecurity vulnerabilities, the liability of the manufacturer will not be reduced or disallowed (unless the consumer has failed to take steps to maintain cybersecurity, such as to install updates).

It is important to note that a product will not be considered defective simply because a better product, including updates or upgrades, has since been put into service. 

Expansion of potential defendants

A company that has substantially modified a product outside the control of a manufacturer can be held liable for a defect it has introduced and/or caused.

Additionally, manufacturers of a defective component that has been integrated into a product can be liable under the Revised PLD.

These new categories of defendants will be specifically relevant to AI systems. 

Defendant’s disclosure obligation 

Where an injured party has presented facts and evidence to support the “plausibility of the claim for compensation”, the Revised PLD places an obligation on the manufacturer to disclose information that is relevant to the claim. This is intended to assist claimants in proving claims that involve technically complex products, such as AI systems.

However, the Revised PLD incorporates a corresponding obligation for claimants to disclose relevant evidence where a defendant demonstrates it is required for the purposes of making a counterclaim.

Presumption of defectiveness and causation

To further assist claimants in proving a defect in products that are technically complex and inherently difficult to understand without specialist knowledge, the Revised PLD imposes a presumption of defectiveness where any of the following conditions is met:

  • The defendant fails to comply with its obligation to disclose relevant evidence (as set out above).
  • The product does not comply with mandatory safety requirements intended to protect against the risk of damage that has been suffered by the claimant.
  • It is demonstrated that the damage has been caused by an obvious malfunction of the product during reasonably foreseeable use or under ordinary circumstances.

In respect of causation, where defectiveness has been established and the damage caused is typically consistent with the defect in question, a causal link between defect and damage will be presumed.

Finally, where a claimant can demonstrate that it is likely that the product is defective and/or that a causal link between the defect and the damage exists but it faces excessive difficulties in proving either of those things because of technical or scientific complexity, then a court shall presume either defectiveness or causation, or both. 

Definition of “damage”

The definition of damage has been extended to include the loss or corruption of data (although data used for professional purposes is excluded).

There is concern that the inclusion of this head of damage could lead to effectively open-ended liability for defendants. Importantly, however, the Revised PLD clarifies that the corruption or loss of data will not automatically be considered material damage and will, therefore, presumably be a matter of evidence.

The Revised PLD also includes the concept of medically recognised psychological harm as an additional type of damage.  

Exemptions from liability

The Revised PLD includes certain specific exemptions from liability, one of which is where a defect in a product did not exist at the time it was placed on the market. 

However, that exemption will not apply where it relates to digital services integrated into a product, software (including upgrades or updates), a lack of software required to maintain safety, or a substantial modification of the product. 

This means that manufacturers or providers of AI systems will remain liable for defects arising after the system is placed on the market where that defect arises as a result of:

  • A software upgrade that it has retained responsibility for providing.
  • An AI system’s ability to continuously learn. 

These outcomes are linked to the expanded definition of defect (discussed above).

The AILD

The AILD adopts many of the definitions contained in the AI Act and relates to non-contractual fault-based claims for damage caused by:

  • The output of an AI system; or 
  • The failure of an AI system to produce an output. 

Disclosure of evidence and presumption of non-compliance

A provider, a person subject to the obligations of a provider, or a user (as defined in the AI Act) can be ordered to disclose evidence in relation to a specific “high-risk AI system” that is suspected of having caused damage where a claimant has asked for such evidence but it has not been provided.  For a discussion of the meaning of high-risk AI systems under the AI Act, see our AI Act overview.

However, a claimant must be able to prove the plausibility of the claim before the order for disclosure will be made. A defendant has the right to rebut the presumption.

Presumption of causation

A presumption of causation will exist between the fault of the defendant and the output or failure of the AI system to produce an output where all the following conditions are met:
  • The claimant has demonstrated that the defendant is at fault (i.e. it failed to comply with a duty of care to protect against the damage that has occurred) or that fault has been presumed (as set out above).
  • It can be considered reasonably likely that the fault has influenced the AI system’s output or failure to produce an output.
  • The claimant has demonstrated that the AI system’s output or failure to produce an output gave rise to the damage. 

However, the above presumption will only apply in relation to non-high-risk AI systems (for the meaning of such systems, see our  AI Act overview) where it is considered excessively difficult for the claimant to prove a causal link.  

In respect of high-risk AI systems, the presumption will not apply where sufficient evidence and expertise is reasonably accessible for the claimant to prove the causal link itself. 

In summary, the AILD appears to be designed to assist claimants in overcoming some of the technical complexities that could make establishing non-contractual fault-based claims in respect of AI systems more difficult. However it has recently been subject to the criticism that its introduction may result in “over-regulation”. As set out above, a decision as to its future will be taken following a review of the of the proposed directive by the European Parliamentary Research Service. 

Mass Claims - application of the Representative Actions Directive ((EU 2020/1828) (the RAD)

The Revised PLD, like its predecessor, falls within the scope of the RAD, as would the proposed AILD.

The RAD requires all member states to have in place at least one procedural mechanism that allows qualified entities (independent not-for-profits protecting consumer interests) to bring representative actions. It applies to representative actions brought in respect of infringements of in-scope legislation that harms or may harm the collective interests of consumers. The AI Revised PLD and AILD, if brought into force, may therefore open the door to representative actions being brought on behalf of a class of claimants for harm caused by an AI system.

What next?

The ability of AI systems to self-learn and develop means that the concept of defect and fault will now extend beyond the point at which the product is placed on the market and is not within the direct control of the manufacturer or supplier.  This means businesses will have to engage with the nuances of the new liability regime and be prepared to both explain and defend the technical complexities of all AI products they place on the market.

It is also clear from the various presumptions included in both the Revised PLD and AILD that the European Commission is keen to ensure that claimants are not unfairly disadvantaged by the sophistication of AI technology and the large knowledge gap that will exist between economic operators involved in the supply of AI systems and end-users. The presumptions and obligations of disclosure therefore seek to level the playing field in relation to compensation claims for defective AI systems.

It is important that:

  • Businesses involved in the manufacture and supply of AI systems in any capacity identify if there are areas of potential liability under either the Revised PLD and/or the AILD. 
  • Compliance systems are implemented to mitigate the risks of liability.
  • Businesses ensure that, where potential liability does arise, they can gather relevant information and evidence quickly to help defend against any claim(s) brought against them.

Action points for businesses

  • Consider if the business will be impacted. Risk assessments should be undertaken to identify areas of potential liability and gaps in governance frameworks. Additionally, thought should be given to the expanded group of potential defendants.
  • Businesses must start considering compliance issues. AI Systems that conform to new EU harmonised standards will benefit from a presumption of conformity with AI Act requirements. Businesses should therefore identify all relevant standards (as and when they are adopted) and ensure compliance to benefit from the presumption. This would provide a “first line of defence” to any allegations of defectiveness . Businesses should therefore invest in robust testing, compliance, and certification mechanisms . For more information on the AI Act, see overview and our webinar, The EU AI Act: What obligations will apply to your business?
  • Disclosure of evidence may be key. The various disclosure obligations and presumptions contained in the Revised PLD and AILD have the potential to place manufacturers and other economic operators in difficult positions during litigation. Businesses should identify, control, and collate all product-critical documents.
  • Contractual protection and insurance will have to take account of these new areas of potential liability, with appropriate mechanisms incorporated to allocate risk and react to claims when they arise.
 

Want more information?

For more information on:



Contact

Andrew Swarbrick
Andrew Swarbrick
Associate
Email
andrew.swarbrick@nortonrosefulbright.com
T: +44 (20) 74442856

Practice areas:

Industries:

Recent publications

Publication

Mission impossible? Teresa Ribera’s mission letter and the future of EU merger review

Executive Vice President Vestager’s momentous tenure as Commissioner responsible for EU competition policy is nearing its end.

Global | October 28, 2024

Antitrust and competition

Publication

Time to harmonize AML control systems for global, commercial Indian companies

For many global organisations, finding the right balance between having global, unified compliance programs, and the need to address local legal and compliance risks, is a challenge. In this blog, we will address the challenge that money laundering and related issues presents to Indian companies operating in Europe.

Global | October 28, 2024

Regulation and investigations
htp

Publication

Agreement on new EU gas projects and measures under the European Green Deal

On November 28, 2023, the European Commission (EC) adopted its first list of Projects of Common Interest (PCIs), i.e., projects within the EU territory, and Projects of Mutual Interest (PMIs), i.e., projects connecting the EU with other countries, including 166 projects implementing the European Green Deal.

Global | October 24, 2024

Energy
Site search

Subscribe and stay up to date with the latest legal news, information and events . . .

Register now