In 2022 and the following years, updates and upgrades – which are referred to together under the collective term “updates” – will take on greater significance. More and more people and companies depend on the use of software and programmable end devices for their everyday life. It is therefore essential for them that these devices function reliably and securely. To this end, any existing software errors must be corrected. In particular, security gaps must be closed. Furthermore, the technical environment within which the devices are supposed to function may change, which will also entail adjustments. Devices that receive late, few or no updates therefore become less useful over time or even dangerous due to security vulnerabilities.
This sets the stage for significant changes to take place in forthcoming years for all those businesses that want to sell digital content or digital services in isolation or as part of a product in Germany and the EU. First of all, warranty rights for consumers are changing in the EU, and here we will take a look at the German implementation of such changes. Furthermore, the new federal government plans to promote the discovery of software vulnerabilities and their elimination, as well as to introduce liability for them. In addition, according to a draft directive of the European Commission, updates should in future also play a part in ensuring product safety.
First, the provision of updates to consumers will become mandatory for providers of digital content or digital services from 1 January 2022 through far-reaching changes to the BGB (German Civil Code). The obligation will affect providers of pure software products as well as items that require software to function properly (e.g. smart home devices). The legislator has not specified exactly how long after a sale updates must be offered. It is supposed to depend on the “circumstances”. In the future, there could be regulations for certain products in a new version of the EU’s Ecodesign Directive; for smartphones, about five to seven years are under discussion. Until then, practice will have to make do with approaches that are convincing in the event of a dispute: Publicly advertised update periods, including those of the manufacturers, cannot be undercut; this should also include information within the framework of the IT security label, with which providers will be able to specifically advertise the security of their product from 2022 onward. The statutory warranty period – which is also to be extended according to plans of the new federal government – should not be undercut; indications can also be obtained from the depreciation table or from market surveys. Consideration should also be given to the intended use and a possible secondary use – a high-end gaming notebook may no longer be sufficient for current gaming titles after three years, for example, but could still live out its “life” as an office computer for a long time thereafter. It can be seen from the example that the entitlement to updates can be controlled to a certain extent. However, this requires a precise analysis and legal advice in the individual case; furthermore, it should be noted that restrictions of the update obligations are usually only possible through separate agreements. 
In this context, it should not be overlooked that the use of ineffective boilerplate clauses may in itself give rise to an obligation to pay damages from 28 May 2022 and – in certain cases – may even be punished with a fine.
First of all, it must be checked whether the supply of updates is to be restricted. Such restrictions must be brought to the consumer’s attention in advance. In view of the fact that, due to the new product safety regulation, products may no longer be marketable in the EU in a few years without the offer of important updates during their lifetime, the question also arises as to whether one wants to include such products in the portfolio at all.
Furthermore, it is important to remember that the seller is responsible for providing the updates, but either cannot produce them himself (e.g. for iOS) or can only do so with considerable effort (e.g. for Android). Therefore, the seller must ensure that it can provide the updates for the relevant period of time.
Since updates, particularly upgrades to new software versions, can be accompanied by changes in the scope of performance and – with regard to obsolete hardware – by performance losses, it is particularly necessary to think and act ahead. The user only has to accept such restrictions due to updates if this has been effectively agreed; how such an agreement can be effectively enabled – especially as boilerplate clauses – also requires close examination. If this is not successful, the buyer of an item may even have to be provided with a new version of the hardware.
If updates are available, they must be announced and made available to the users. An effective, data-saving and evidence-proof way should be chosen because necessary updates must be made known and the installation must also be explained to the consumer. In view of the consequences under civil law – not least the liability for faulty software, which is to be expanded in the future – the update offer should also be delivered in a court-proof manner. After all, the burden of proof lies with the seller and the presentation of evidence in mass transactions in general and only digitally available evidence in particular has more chance of success if such issues are considered at an early stage and the proceedings are geared towards them.
Finally, it may not be possible to comply with update obligations despite the best preparation, so precautions are advisable. This could be, for example, because the manufacturer does not provide the promised updates. In this case, products may have to be taken back and consumers compensated. Reserves would have to be set aside for this case and provisions made for the enforcement of compensation claims against the manufacturer. The latter can be a challenge if the manufacturer of the software in question is not based in the EU and if there is no direct contractual relationship with them.
The fact that people have to provide updates for items without being in a contractual relationship with the manufacturer and software supplier could become a more frequent problem in the medium term. Updates will become the subject of product safety law in the future because of their importance for product and especially cyber safety. The initiative aims to adopt a product safety regulation and revise Directive 2001/95/EC on general product safety to maintain its role as a safety net for consumers. The revised Directive will regulate the safety of non-food consumer products in the face of challenges from new technologies and online sales, simplifying procedures and ensuring better enforcement and more efficient market surveillance. This is also to include that, in addition to the manufacturer, importers, sellers and even operators of sales platforms are to become responsible for maintaining product safety. Products are to be considered unsafe if it is not possible to protect them from external influences, including malicious third parties, if such an influence could have an impact on the safety of the product. As soon as such safety problems become apparent during the lifetime of the products, they are to be eliminated by the aforementioned persons. One means of remediation is the provision of updates. If these cannot be obtained, the products are to be taken back and the purchasers compensated. Therefore, there is likely to be an interest on the part of economic operators to maintain the more economical option of eliminating the security problems through updates.