European commission considers new civil liability rules for the digital age and artificial intelligence

Background and roadmap

The existing EU product liability framework is based on the Product Liability Directive (85/374/EEC) (Directive or PLD), enacted in 1985, and implemented by national liability rules. The technology-neutral provisions of the framework aim to:

• Ensure that all products in the European Single Market operate safely, reliably and consistently.
• Provide remedies if damage nevertheless occurs.
• Harmonise at EU level the treatment of claims against the producer for damage caused to a consumer due to a defect in a product. 
• Establish strict liability for damage caused by a defect in a product, provided that the injured party proves the damages, the defect, and the causal link between the two.

In the European Commission’s view, changed market realities (through transformation of the digital economy, the increasing importance of AI, and transition to a circular economy) make it necessary to revise and adapt liability rules. For example, the security of many products and services increasingly depends not only on their design and production, but also on software updates, data flows and algorithms, and it is unclear whether regulations of the EU Member States on liability for defective products still offer sufficient legal certainty and consumer protection in such circumstances.

In 2018 the European Commission's report on the application of the Product Liability Directive (COM(2018) 246 final) (Evaluation) identified challenges for the application of liability rules to the circular economy and new emerging technologies, and pointed to a need for them to be revised or clarified. The current Consultation seeks to confirm the relevance of the issues identified by the Evaluation and the Inception Impact Assessment (Ares(2021)4266516) (Impact Assessment) published on 30 June 2021.

What is the scope of the Consultation?

Section I of the Consultation concerns the Directive. Due to outdated concepts within the Directive, its application is considered to be increasingly problematic – for example, in relation to:

• Products of the digital and circular economy - especially intangible products, such as software.
• Consumer compensation - especially when in relation to proving that complex products are defective and caused the damage.

Section II of the Consultation explores problems linked to certain types of AI. AI can make it difficult to identify the potentially liable person, to prove that person is at fault, to prove that there is a “defect”, and to demonstrate a causal link between the defect and the damage. In Section II the Commission seeks stakeholder’s views on various policy options, including in relation to:

• Approaches regarding the burden of proof.
• Approaches regarding liability for operating AI-enabled products and providing AI-enabled services creating a serious injury risk.
• Measures regarding insurance for the use of AI systems that pose a serious risk of injury to the public.

Products

Digital content, software and data are essential constituents for the safe functioning of many products. However, it is often unclear to what extent such intangible elements can be classified as “products” under the Directive.

In accordance with Article 2 PLD, “product” means all movables even if incorporated into another movable or into an immovable, and electricity.¹  There are definitional problems with the term “product” because of the divergence in national definitions (arising from the transition of the Directive into national law of the Member States).

The scope of what is covered by the definition is also problematic. For example:

• Software hard coded within a data carriage device might be covered under the scope of the Directive.
• Software distributed online, and virtual products (such as apps, digital content or data), are not covered by the definition. 
• Customised software produced as an individual work, or to enable an individual service, is generally considered to be a “service” explicitly excluded from the scope of PLD.²

Such differences in approach to software become increasingly illogical, given that much software is now embedded within the products, including those within which AI may be embedded. Moreover, they show that what was once considered appropriate under the Directive in 1985 does not sit well with today's distribution methods for software.

In order to solve the problem of delineation between what is a “product” and what is a “service”, the Impact Assessment proposes extending strict liability rules to cover intangible products. As a consequence, digital content or software, irrespective of whether it takes tangible or intangible / digital form, that cause physical or material damage would be covered by the product definition.

The Impact Assessment also proposes that the scope of damages in Article 9 PLD (currently providing only for physical or material damage) could also:

• Cover cyber vulnerabilities (such as connectivity and cybersecurity).
• Be extended to non-material damage (such as data loss, privacy infringement or environmental damage).

Changes to value chains (in particular, with regard to online market places) are also addressed by the Impact Assessment:

• Under Article 3(3) PLD, importers are treated as producers for product liability purposes. While in the past, products were only brought onto the European market by importers, wholesalers, and dealers, fulfilment service providers and online marketplaces have now established new supply chains. Consumers can now buy products online directly from outside the EU without there being an importer. This leaves them with no viable route by which to seek compensation in the event of damage.
• Therefore the Impact Assessment proposes that strict liability should be extended to online market places where consumers fail to identify the producer.

Defective products

A prerequisite for the liability of the producer is that there be a defective product. According to Article 6 PLD, if a product does not provide for the safety that a person can reasonably expect at the time when the product was put into circulation, it is deemed to be defective.

How might this requirement relate to software? Although completely error-free software is rare (and perhaps impossible nowadays), the Consultation suggests that applying concepts of what is a “defect” is still workable in relation to software.

However, in respect of AI-equipped products that continuously learn and adapt while in operation, the Consultation notes that it is unclear whether unpredictable outcomes leading to damage could be treated as “defects” under the PLD:

• Such outcomes typically appear only after the product was put into circulation.
• If a level of safety to be expected from a product cannot be determined, it is difficult to take adequate safety measures. Without amending existing regulations (see below for what the Consultation suggests), manufacturers would have to rely exclusively on their own safety standards or standardisation efforts by private bodies.

Putting into circulation

Product liability starts at the time a product is put into circulation, i.e. “when it is taken out of the manufacturing process operated by the producer and enters a marketing process in the form in which it is offered to the public in order to be used or consumed.”³

In contrast to conventional products, various questions could arise when it comes to software-driven or self-adapting and learning products (for example, subsequently installed software and updates):

• What update really caused the damage?
• Did the producer or a third party provide the update?
• Can a comprehensive update be considered to be a new product?
• Is it put anew into circulation if only minor amendments or security patches are executed, or does it constitute a new product if considerable changes to  the system is the outcome, or new functions are provided?

The Consultation suggests that the physical release of software-based products from the sphere of the manufacturer is no longer the correct way of establishing that something has been put into circulation. An appropriate way of determining whether a product has been “put into circulation” would have to consider the scope and functionality of the update.

With regard to AI-equipped products and AI-based services:

• There is no so-called “design-freeze” in the development process, and ongoing amendments to the software are typically inherent in the product offering.
• The Consultation suggests that clarification of the provisions could take into account the expectations concerning the security of a product.
• The Commission considers that it may be appropriate to harmonise the existing strict liability schemes of operators/users. Liability questions could turn on the specific risk profile of the relevant system: “Following existing national models, the operator could be defined as a person, other than the producer, who is able to exercise a degree of control over the risks associated with the operation.”

Because whether something is defective is to be determined at the moment it is put into circulation, the Consultation raises the possibility that clarifications to existing law could be made to address differing product periods of development and learning (say, in relation to an AI product that includes machine learning or training). For such periods, the Consultation suggests that it might be preferable to establish strict liability (on the basis that it might be more effective than fault-based liability often currently implemented by national law).

The Consultation also addresses the determination of liability in connection with business models where products are repaired, recycled, refurbished or upgraded after they had been put into circulation. According to the Evaluation, the Directive remains unclear on about who should be liable for defects from aforementioned changes.

Burden of proof – causality

Where should the burden of proof lie in establishing strict liability of the producer? The complexity of certain products (particularly digital products, such as AI) makes it very challenging for injured parties to identify the producer responsible, and to prove that a defect caused the damage they suffered.

The Impact Assessment proposes several options to ease the evidential burden and to reduce obstacles to getting compensation:

• Alleviating the burden of proof: (1) obliging the producer to disclose technical information to the injured party; and (2) allowing courts to infer that a product is defective or caused the damage under certain circumstances, e.g. when other products in the same production series have already been proven to be defective or when a product clearly malfunctions.
• Reversing the burden of proof: in the event of damage, the producer would have to prove the product was not defective.

The specific characteristics of AI (such as autonomous behaviour, continuous adaptation, limited predictability and opacity) make it difficult to determine one’s liability with sufficient certainty and to get compensation for damage.

Injured parties may not have sufficient technical information about AI products and services. For example, understanding output production is very limited with certain opaque AI systems. As a consequence, it is particularly difficult and costly for injured parties to identify and prove the fault of a potentially liable person, or the causal link between that fault/defect and the damage suffered.

Currently, proving that “the state of scientific and technical knowledge at the time when he put the product into circulation was not such as to enable the existence of the defect to be discovered” releases a producer from liability pursuant to the so-called “development risk defence” (commonly referred to as a “state of the art” defence in US jurisprudence) under Article 7 PLD. This defence does not take into account the many issues presented by continuous adaption of software. Under a risk-based approach, the Impact Assessment suggests that risks related to AI-equipped systems and resulting uncertainty could be transferred to the producer:

• Adapting the notion of “defect” and the alleviation/reversal of burden of proof to the specific case of AI; removing the “development risk defence” to ensure producers of products that continuously learn and adapt while in operation remain strictly liable for damage.
• Ending the conditions for making claims (time limits and EUR 500 minimum threshold for damage to property).

National liability rules

Several matters regulated in the Directive are left to the discretion of Member States, including:

• Whether to implement a cap on damages caused by identical items.
• Whether to derogate from the “development risk defence”.
• Rules related to non-material damage.

The PLD does not preclude other causes of action under national law that are outside the scope of the matters it regulates, provided that those national laws are consistent with the operation of the PLD.⁴

In adapting the EU liability framework, the views of the European Court of Justice (ECJ), as expressed in its recent case law, will have to be taken into account. In particular, rather plaintiff-friendly case law implicitly has:

• Reversed the burden of proof on a number of occasions.
• Weakened the required causal link when it comes to product liability.

As a consequence, manufacturers have had to demonstrate that their products were compliant (rather than the plaintiffs having to demonstrate the opposite). In addition, national courts may apply diverging ad hoc solutions (e.g. by alleviating the burden of proof); and Member States may attempt to address the resulting legal uncertainty on national level. 

These outcomes could lead to further fragmentation of liability rules across the EU for damage caused by AI. A lack of harmonised rules could lead to obstacles in the internal market, and a possible lower level of protection of the consumer. Such concerns are reflected in the following options outlined in the Impact Assessment, referred to in the Consultation:

• Recommendation to Member States of targeted adaptations of the burden of proof.
• Legislative measure providing for a harmonised reversal of, or in other ways alleviating, the burden of proof linked to non-compliance with AI-specific obligations in EU safety legislation (e.g. documentation or human oversight obligations under the proposed AI Act), in order to better enforce these obligations through civil liability claims and further promote compliance.
• Legislative measure adapting the burden of proof where the claimant would otherwise be required to demonstrate how an opaque AI system produced a certain output that caused the damage.
• Harmonisation of claims involving fault of the operator of AI systems without a specific risk profile, by introducing a reversed burden of proof regarding fault, as well as harmonisation of additional aspects (such as the types of compensable harm, limitation periods and joint liability, as envisaged by EP resolution 2020/2014(INL)).

Some final observations

Although the current provisions of the Product Liability Directive are intended to be technology-neutral, the need for an adaption is evident. Against the background of the roadmap’s findings, the extent of the proposed increase in liability is remarkable. Proposing alleviation or reversal of burden of proof might be able to fundamentally change the Directive’s liability regime. As European Commission adoption is planned for the third quarter in 2022, it will be interesting to observe which liability regime will finally find a majority.