3 October 2023

Open Source Software – Insight 3 of 4

OSS and liability – in light of the new Product Liability Directive

Philipp Behrendt and Katie Chandler look at the implications for liability in relation to Open Source Software under the proposed new Product Liability Directive, and at the position in the UK.

Authors

Dr. Philipp Behrendt, LL.M. (UNSW), Partner

Katie Chandler, Partner

In September 2022, the European Commission published a proposal for a new EU Directive on liability for defective products (draft PLD). Once adopted by the European Parliament and the Council, this Directive will replace the current Product Liability Directive 1985 (PLD). The proposal not only contains revised provisions on tangible products, but also on digital products such as software and AI systems. It is part of the EU's efforts to update its legal framework for the digital age.

Software under the current Product Liability Directive

The PLD, transposed into national law in each EU Member State, provides for strict liability for damages caused by defective products. It was intended to provide a balance between consumer protection and fostering innovation and product development.

As it dates back to 1985 with only minor amendments over time, it contains no provisions that specifically address digital products. The general reference to “products” and its application to digital products have caused legal uncertainty, in particular as to the application to standalone software. Against the background of imposed strict liability, this resulted in unpredictable risks for software developers and other economic operators in this field.

The proposal for a new Product Liability Directive

The draft PLD provides for injured parties to be compensated where a tangible or intangible product causes damage and gives businesses greater legal certainty on liability risks in their business operation. It clarifies the scope of the products governed by the Directive and amends the strict liability regime.

How does the draft PLD apply to software?

The draft PLD makes a number of clarifications and changes to the way software fits into the product liability regime.

What is in scope?

The proposal explicitly clarifies that software, for example operating systems, firmware, or computer programs, is a “product” within the scope of the Directive. This applies irrespective of whether the software is placed on the market as a standalone product or embedded in another product and whether the software is permanently stored on a device or merely accessed through cloud technologies.

The source code of software is not considered a “product” under any circumstances as it constitutes pure information.

The proposal provides an important exemption to the classification of software as a product for Open Source Software (OSS) as long as it is developed or supplied outside the course of a commercial activity. This applies to software, including its source code and modified versions, that is openly shared and freely accessible, usable, modifiable, and redistributable. However, where such software is supplied in the course of a commercial activity, ie in exchange for payment or where personal data is used other than exclusively for improving the security, compatibility, or interoperability of the software, the Directive applies.

Liability for defective software under the draft PLD

The developer of software is a manufacturer and therefore an economic operator liable for defective software, even if the software is integrated into another product by another manufacturer. A person that substantially modifies a product which has already been placed on the market outside the original manufacturer’s control will be considered a manufacturer.

The relevant point from which a manufacturer can become liable remains the same, ie placing the product on the market. However, since digital products allow manufacturers to exercise control even after placing the product on the market, they remain liable for later defects in relation to software within their control, eg by way of upgrades or updates.

The definition of "defect" has been expanded to include the lack of software updates or upgrades necessary to address cyber security vulnerabilities and maintain the product’s safety.

In light of the increasing importance and value of intangible assets, the loss or corruption of data also constitutes a compensable damage, including the cost of recovering or restoring the data.

Implications for Open Source Software

The proposed updates to the PLD have important implications for OSS. While the recitals of the Directive generally exclude free OSS from its scope in order to foster innovation and research, uncertainty remains due to the limitation of this exclusion to software that is developed or supplied outside a commercial activity. The recital specifies commercial activity by referring to the provision of payment or data in exchange for the software. However, it is open to question whether this conclusively characterises commercial activity or whether a commercial activity may also be assumed in other scenarios. This is all the more true since the EU Blue Guide, which aims to contribute to a better understanding of EU product rules and to their more uniform and coherent application, describes commercial activities in a much broader way as providing goods in a business-related context; this must be assessed on a case-by-case basis taking into account the regularity of the supplies, the characteristics of the product and the intentions of the supplier.

It therefore seems possible that OSS is deemed to be supplied by way of a commercial activity, even if the development or supply of the software is free of charge. Given that OSS is frequently combined with proprietary software or offered alongside a service package including, for example, software maintenance, the scope of the exclusion of OSS is even narrower.

From a more formal legal standpoint, the exclusion of certain OSS in a recital rather than the actual text of the proposed Directive is problematic. Recitals in the preamble to an EU legislative act are not legally binding and cannot be used to derogate from the provisions of the act itself. In this case, Article 4 of the draft PLD explicitly classifies software as a product, whereas the exclusion of OSS is merely included in Recital 13.

As a result, individual developers of OSS may face strict liability under the draft PLD. Where the OSS is developed by multiple or successive developers (common in OSS), each developer is potentially liable, at least for their own modifications.

This potential imposition of a strict liability regime for OSS has been met with criticism by a number of stakeholders. There are concerns that it is not possible to foresee who will use the software or how they will use it, and consequently to assess risk and potential liability. Additionally, the imposition of strict liability, in particular where OSS is developed or supplied free of charge, seems to undermine a key rationale of strict liability for defective products, namely the correlation between profit and liability. In general, the draft PLD potentially disincentivises the development and distribution of OSS and therefore hinders innovation, although how it will play out in practice remains to be seen.

In contrast, advocates of the expansion of the strict liability regime (particularly consumer protection groups) make the point that it makes no difference to users whether they suffer damage (such as loss of data) as a result of defective proprietary or Open Source Software.

If these developments sound concerning, it is worth remembering that OSS which is available only as source code does not constitute a product for which the developer assumes strict liability.

The UK's approach to product liability

It is expected that the UK will take a similar approach to the EU in many respects, eg by widening the current strict liability regime under the Consumer Protection Act 1987 to include intangible products such as software and AI systems. In 2005, the UK introduced the General Product Safety Regulations, which ensured product safety in the market. However, the UK has recently recognised the need to modernise this legislation to regulate ever-changing technological advancements such as intangible products incorporating software and AI. There has not, however, been specific reference to Open Source Software.

On 2 August 2023, the Office for Product Safety and Standards (OPSS) published a Consultation Paper on the UK Product Safety Review. The Paper outlines that current definitions in the civil product liability regime may not be adequate and that liability may not always be clear, especially in relation to complex software and where the product software needs to be updated. The UK published guidance in 2017 (last updated in 2021) called "Be open and use open source", setting out considerations for using OSS to improve transparency, flexibility and accountability, along with various other Policy Papers and guidance surrounding OSS.

The UK's position is that OSS must be licensed and, when a business is looking to use the code, it may need to sign up to some form of governance. Often these agreements will include some form of warranty requiring the contributor of code to assume some level of liability for the code they contribute. However, OSS still poses uncertainty due to its modifiable nature, although according to the Consultation Paper the government is keen to examine examples of how software can change over time to help understand who is responsible for safety when software is updated. The Consultation Paper does not specifically mention OSS, but it does refer to software as a whole and outlines thirteen proposals in relation to three core aspects of the proposed new product safety framework: bringing products to the market; online supply chains; and compliance and enforcement. The Consultation will close on 24 October 2023, so there should be further developments in due course.

Outlook

The key message in the UK in relation to all future reform of the product safety regime is that the UK government wants to give businesses maximum scope to innovate when producing safe products and not place unnecessary burdens on them. It will only intervene when needed to protect consumers. Further, there needs to be flexibility so that frameworks can evolve with advances in technology and respond accordingly. This approach does appear to differ from the stricter framework currently being proposed by the EU.

The draft PLD is, however, still going through the legislative process. Both the Council and the European Parliament look set to further limit, or at least clarify, the application of strict liability to OSS. While the European Parliament has not yet published official statements, the Council's negotiating mandate states that where OSS is supplied outside the course of a commercial activity and subsequently integrated into another product, only the manufacturer of that product will be liable.

This means the question of strict liability for OSS under the new Product Liability Directive is still up for discussion and the position may well change by the time it becomes law.
