Making IoT devices safer

It is well known that the laws in respect of product safety and product liability in the UK and Europe are becoming increasingly out of date.While they remain adequate for simple hardware products, technological advances and the fast rise of interconnected products (smart products or Internet of Things (IoT) devices etc.) means there is considerable uncertainty when applying existing laws to these new technologies and working out whether a connected product may be safe or defective.

For example, what happens if a software update introduced by a software developer causes damage to a consumer's products by introducing a virus which causes other connected devices to fail or removes cyber protections and leads to a data breach?  Is the manufacturer liable for the update provided by a software developer? Is the software developer liable? Will the consumer have to defend a contributory negligence claim for failing to download another update which would have added the necessary protections? How do you quantify the damage caused and is it foreseeable that other household connected devices would also be damaged such that the manufacturer would be liable?  Current legislation is far from clear.

The European Commission is seeking to address this in its recent proposed updates to both the General Product Safety Directive (GPSD) and Product Liability Directive 85/374/EEC (the PLD). These updates (if implemented) will apply to all manufacturers who sell products in the EU but as a result of Brexit, these changes may not all be implemented into English law.  We understand that the Office for Product Safety and Standards (the OPSS) in the UK is conducting its own review of its product safety and liability regimes and it is expected that the UK's proposals will be similar to the European Commission's proposed changes but we will keep you updated.

How will the proposed updates impact those manufacturing or dealing with smart and IoT products and what steps could businesses take now to prepare for them?

Product Safety: proposed General Product Safety Regulation

The European safety regime has always been designed to ensure that unsafe products are not placed on the consumer market.  However, legislation remains based on the 20-year-old General Product Safety Directive 2001/95/EC, prepared to regulate far more basic appliances.

The proposed General Product Safety Regulation (GPSR) is designed to replace this and a near final version was published on 21 December 2022.It seeks to bring the European safety legislation in line with recent product advances to make it easier for legal practitioners to consider how the product safety regime applies to IoT devices and even AI-powered products.

The focus on connected technologies is clear. Key changes include expanding the definition of "product" to refer to items which are "interconnected or not to other items" (although "software" is not explicitly mentioned), expanding aspects used to assess the safety of a product, including:

• the effect on other products, where it is reasonably foreseeable that it will be used with other products, including the interconnection of products among them
• the effect that other products might have on the product to be assessed (including the effect of non-embedded items) where it is reasonably foreseeable that other products will be used with that product
• when required by the nature of product, the appropriate cybersecurity features necessary to protect the product against external influences, including malicious third parties, when such an influence may have an impact on the safety of the product, including the possible loss of interconnection
• when required by the nature of the product, the evolving, learning and predictive functionalities of a product, and
• the state of the art and technology (including the opinion of recognised scientific bodes and expert communities).

The GPSR also includes expanding the legal responsibility of actors other than the manufacturer to include any natural or legal person (other than the manufacturer) that "substantially modifies" the product (either physically or digitally). If this occurs, that person shall be considered a manufacturer.

In an ever-moving area of technological advancement, these changes seek to add a greater degree of legal certainty to the required levels of product safety.  Many businesses may now find that their products will be caught by the GPSR.  While this may, at first glance, suggest compliance headaches, the greater certainty allows businesses to understand fully what is expected of them and reduces the chance of drawn-out costly litigation should a product's safety be questioned.

Read more about the GPSR here.

Product liability and the Product Liability Directive

Product liability law in the UK is governed by the Consumer Protection Act 1987.  This implemented the PLD and is now over 35 years old.  To put this in context, the World Wide Web was only released to the general public in 1991 and it is believed that even in 2003, only half of the UK population had access to it.

The CPA imposes a strict liability regime on defective products such that if a product has a defect and that defect causes a consumer to suffer a loss (personal injury and/or property damage), the manufacturer will be liable.  A product will be deemed defective if its safety is "not such that persons generally are entitled to expect".

But what does a defect mean in respect of an IoT device? We looked at this in a recent Interface edition but in short, as the English courts have not had to consider this in much detail,  there is no clear guidance on how current product liability legislation applies to IoT devices (where software, generally consider a service, not a product, by the courts, is a key component of that product).

To address this, the European Commission has published a proposed update to the PLD (the Proposal). Relevant innovations include:

Broadening definition of "product"

The Proposal expands the scope of the PLD to cover new intangible products including digital content, software and data. Software is included regardless of whether it is integrated into a tangible product or not.

The Proposal confirms that Artificial Intelligence (AI) systems and AI-enabled goods are products which fall within the scope of the PLD.  As such, should a defective AI product cause damage, the strict liability regime of the PLD will apply (as it would with any non-AI product).  Developers will therefore continue to be responsible for any damage caused by AI systems that learn independently and for the deployment updates or lack thereof.

"Defendant" pool also increased

The Proposal also broadens the pool of potential defendants to include software developers and providers of digital services as manufacturers that affect how the product works (such as a navigation service in an autonomous vehicle) and specific reference is made to "AI system providers" falling within the manufacturer definition.

As such, many businesses which currently consider themselves out of scope of the PLD (such as those producing smart products, IoT, automated vehicles, drones etc.) will now need to reconsider and adapt to their product liability risk profile and insurance coverage in respect of any goods marketed in the EU.

Definition of damage extended

The definition of damage has also been widened to include specific reference to any loss or corruption of data that is not used exclusively for professional purposes. As a result, if a consumer were to suffer a personal data loss following hacking or malfunction of an IoT device, they could bring a claim against the manufacturer or software developer in respect of that loss.   

Update to what is a defect

When considering whether a product is defective, the Proposal includes additional circumstances to consider including:

• whether the product is able to continue to learn after it has been put on the market – a clear nod to AI
• the effect on the product by other products which might be expected to be used with it, and
• whether the product meets relevant product safety requirements (including any cybersecurity requirements).

Burden of proof in complex cases

Where a court judges that the claimant faces excessive difficulties, due to technical or scientific complexity, to prove the defectiveness of the product, or the link between its defectiveness and the damage, defectiveness shall be presumed where the claimant has demonstrated that: the product contributed to the damage; and it is likely that the product was defective or that its defectiveness is a likely cause of the damage, or both.

By explicitly widening the scope of the PLD to include software, injured persons have a better chance of being compensated where products such as smart systems are made unsafe through software updates or cybersecurity incidents. This clearly brings smart products, IoTs, 3D printing, automated vehicles, drones etc into the scope of the strict liability regime.

Read more about the Proposal here.

What happens next?

The changes to both product safety and product liability legislation are yet to be finalised, and once they are, implementation periods will be provided to allow time to prepare.  It is likely the GPSR will be finalised early next year and will be followed by an 18-month implementation period but we will have to wait a bit longer for the proposed PLD updates to go through the European legislative process.

In the meantime, those involved with IoT and smart devices should review the proposed updates in detail and consider how they impact their business and risk profile for product liability exposure.

Steps to take now include:

• Determine how the proposed changes impact your business and also any supply chains. If relevant, consider whether the contracts with suppliers are adequate for the possible increased liability risk.
• Amend warnings and IFUs (instructions for use) where required to address any newly identified risks but avoid overly qualified and generalised wording.
• Consider whether current insurance policies will cover for these increased liabilities or whether liability for any issues can be passed on to third parties.
• Maintain detailed, accurate and up to date records on product safety testing.
• Regularly review product risk assessments and update with any changes to product information and/or newly identified risks.
• Ensure that the safety and security of any software contained within a hardware device is considered in the technical design of a product from the very beginning.
• If software updates may be required as part of a product, include clear warnings of the risks if the user does not maintain their device by installing them.
• Ensure all marketing of the product, IFUs, warnings and safety guidelines are accurate and kept under constant review and regularly updated.
• Maintain good records of customer complaints to track and assess alleged product risks.

Please contact our International Product Liability and Product Safety team for further information.