It is well known that the laws in respect of product safety and product liability in the UK and Europe are becoming increasingly out of date.While they remain adequate for simple hardware products, technological advances and the fast rise of interconnected products (smart products or Internet of Things (IoT) devices etc.) means there is considerable uncertainty when applying existing laws to these new technologies and working out whether a connected product may be safe or defective.
For example, what happens if a software update introduced by a software developer causes damage to a consumer's products by introducing a virus which causes other connected devices to fail or removes cyber protections and leads to a data breach? Is the manufacturer liable for the update provided by a software developer? Is the software developer liable? Will the consumer have to defend a contributory negligence claim for failing to download another update which would have added the necessary protections? How do you quantify the damage caused and is it foreseeable that other household connected devices would also be damaged such that the manufacturer would be liable? Current legislation is far from clear.
The European Commission is seeking to address this in its recent proposed updates to both the General Product Safety Directive (GPSD) and Product Liability Directive 85/374/EEC (the PLD). These updates (if implemented) will apply to all manufacturers who sell products in the EU but as a result of Brexit, these changes may not all be implemented into English law. We understand that the Office for Product Safety and Standards (the OPSS) in the UK is conducting its own review of its product safety and liability regimes and it is expected that the UK's proposals will be similar to the European Commission's proposed changes but we will keep you updated.
How will the proposed updates impact those manufacturing or dealing with smart and IoT products and what steps could businesses take now to prepare for them?
The European safety regime has always been designed to ensure that unsafe products are not placed on the consumer market. However, legislation remains based on the 20-year-old General Product Safety Directive 2001/95/EC, prepared to regulate far more basic appliances.
The proposed General Product Safety Regulation (GPSR) is designed to replace this and a near final version was published on 21 December 2022.It seeks to bring the European safety legislation in line with recent product advances to make it easier for legal practitioners to consider how the product safety regime applies to IoT devices and even AI-powered products.
The focus on connected technologies is clear. Key changes include expanding the definition of "product" to refer to items which are "interconnected or not to other items" (although "software" is not explicitly mentioned), expanding aspects used to assess the safety of a product, including:
The GPSR also includes expanding the legal responsibility of actors other than the manufacturer to include any natural or legal person (other than the manufacturer) that "substantially modifies" the product (either physically or digitally). If this occurs, that person shall be considered a manufacturer.
In an ever-moving area of technological advancement, these changes seek to add a greater degree of legal certainty to the required levels of product safety. Many businesses may now find that their products will be caught by the GPSR. While this may, at first glance, suggest compliance headaches, the greater certainty allows businesses to understand fully what is expected of them and reduces the chance of drawn-out costly litigation should a product's safety be questioned.
Read more about the GPSR here.
Product liability law in the UK is governed by the Consumer Protection Act 1987. This implemented the PLD and is now over 35 years old. To put this in context, the World Wide Web was only released to the general public in 1991 and it is believed that even in 2003, only half of the UK population had access to it.
The CPA imposes a strict liability regime on defective products such that if a product has a defect and that defect causes a consumer to suffer a loss (personal injury and/or property damage), the manufacturer will be liable. A product will be deemed defective if its safety is "not such that persons generally are entitled to expect".
But what does a defect mean in respect of an IoT device? We looked at this in a recent Interface edition but in short, as the English courts have not had to consider this in much detail, there is no clear guidance on how current product liability legislation applies to IoT devices (where software, generally consider a service, not a product, by the courts, is a key component of that product).
To address this, the European Commission has published a proposed update to the PLD (the Proposal). Relevant innovations include:
Broadening definition of "product"
The Proposal expands the scope of the PLD to cover new intangible products including digital content, software and data. Software is included regardless of whether it is integrated into a tangible product or not.
The Proposal confirms that Artificial Intelligence (AI) systems and AI-enabled goods are products which fall within the scope of the PLD. As such, should a defective AI product cause damage, the strict liability regime of the PLD will apply (as it would with any non-AI product). Developers will therefore continue to be responsible for any damage caused by AI systems that learn independently and for the deployment updates or lack thereof.
"Defendant" pool also increased
The Proposal also broadens the pool of potential defendants to include software developers and providers of digital services as manufacturers that affect how the product works (such as a navigation service in an autonomous vehicle) and specific reference is made to "AI system providers" falling within the manufacturer definition.
As such, many businesses which currently consider themselves out of scope of the PLD (such as those producing smart products, IoT, automated vehicles, drones etc.) will now need to reconsider and adapt to their product liability risk profile and insurance coverage in respect of any goods marketed in the EU.
Definition of damage extended
The definition of damage has also been widened to include specific reference to any loss or corruption of data that is not used exclusively for professional purposes. As a result, if a consumer were to suffer a personal data loss following hacking or malfunction of an IoT device, they could bring a claim against the manufacturer or software developer in respect of that loss.
Update to what is a defect
When considering whether a product is defective, the Proposal includes additional circumstances to consider including:
Burden of proof in complex cases
Where a court judges that the claimant faces excessive difficulties, due to technical or scientific complexity, to prove the defectiveness of the product, or the link between its defectiveness and the damage, defectiveness shall be presumed where the claimant has demonstrated that: the product contributed to the damage; and it is likely that the product was defective or that its defectiveness is a likely cause of the damage, or both.
By explicitly widening the scope of the PLD to include software, injured persons have a better chance of being compensated where products such as smart systems are made unsafe through software updates or cybersecurity incidents. This clearly brings smart products, IoTs, 3D printing, automated vehicles, drones etc into the scope of the strict liability regime.
Read more about the Proposal here.
The changes to both product safety and product liability legislation are yet to be finalised, and once they are, implementation periods will be provided to allow time to prepare. It is likely the GPSR will be finalised early next year and will be followed by an 18-month implementation period but we will have to wait a bit longer for the proposed PLD updates to go through the European legislative process.
In the meantime, those involved with IoT and smart devices should review the proposed updates in detail and consider how they impact their business and risk profile for product liability exposure.
Steps to take now include:
Please contact our International Product Liability and Product Safety team for further information.
Miles Harmsworth considers the next generation of IoB devices and the approach to regulating them.
1 de 5 Publications
Thomas Kahl looks at key legal issues for connected mobility manufacturers and related businesses from a German law perspective.
2 de 5 Publications
Matt Quezada looks at what the UK's PSTI Act means for the security of the Internet of Things.
3 de 5 Publications
Paul Voigt looks at the EU's plans to protect the security of digital products.
5 de 5 Publications
Return to