Product Liability and AI (Part 2) – The EU Commission’s plans for adapting liability rules to the digital age
On 30 June 2021, the European Commission published an inception impact assessment (“IIA”) roadmap on adapting civil liability rules to the digital age, artificial intelligence and the circular economy. The initiative was prompted by an evaluation of the Product Liability Directive 85/374/EEC (the “Directive”) and addresses challenges which arise when liability rules are applied to new emerging technologies (see also the White Paper on AI and the accompanying Report on Liability for AI, IoT and Robotics). With respect to AI in particular, the initiative is part of the Commission’s staged approach to developing an ecosystem of trust for AI and it aims to complement the proposed regulation on a European approach for AI (Artificial Intelligence Act) and revised safety legislation such as the Machinery Regulation and the General Product Safety Directive.
Objectives of the proposal
At the outset, the IIA stresses that the European liability framework should (i) provide legal certainty to companies about the risk they take in the course of their business, (ii) encourage the prevention of damage and (iii) ensure injured parties are compensated. According to the Commission, liability rules must strike a delicate balance between these objectives and promoting innovation. To achieve these objectives, the initiative aims to tackle two main areas the Commission has identified.
Liability rules not fit for the digital age and circular economy
Firstly, the Commission emphasises once again, that certain features of digital technologies such as the intangibility of digital products, their dependence on data, their complexity, and connectivity, as well as features specific to AI, such as autonomous behaviour, limited predictability, continuous adaptation and opacity present challenges when applying liability rules. According to the Commission, this creates legal uncertainty for businesses and may make it difficult for consumers and other injured parties to receive compensation.
The Commission points to the 2018 Evaluation of the Directive which identified several shortcomings in relation to digital technologies in general:
- Intangibility of digital products: Digital content, software and data play a crucial role in the safe functioning of many products but it is not clear to what extent such intangible elements can be classified as products under the Directive. It is therefore unclear whether injured parties will always be compensated for damage caused by software, including updates, and who will be liable for such damage.
- Connectivity and cybersecurity: New technologies bring with them new risks, such as openness to data inputs that affect safety, cybersecurity risks, risks of damage to digital assets or privacy infringements. The Directive provides only for compensation for physical or material damage and it is unclear if the definition of a defect covers cyber vulnerabilities.
- Complexity: The complexity of digital technologies (e.g. within IoT systems) makes it challenging for injured parties to identify the responsible producer.
The Commission further points out that importers are treated as producers for product liability purposes under the Directive but that the digital age has brought changes to value chains. The rise of online marketplaces has enabled consumers to buy products from outside the EU without there being an importer, leaving consumers without anyone to hold liable under the Directive.
Moreover, the Commission believes that the specific characteristics of AI make it especially difficult to get compensation for damages under the Directive and national civil liability rules. According to the Commission, it is also uncertain whether and to what extent certain national ‘strict liability’ rules are applied to products using AI.
Lastly, the IAA deals with challenges posed by circular business models in which products are repaired, recycled, refurbished or upgraded. Such business models are increasingly common and central to the EU’s efforts to achieve sustainability and waste-reduction goals. However, under the Directive the defectiveness of a product is determined at the moment it is put into circulation. The Evaluation found the Directive to be unclear about who should be liable for defects resulting from changes to products after they are put into circulation. According to the Commission, further analysis of the extent of this problem is needed. It is also mentioned that environmental damage cannot yet be compensated under the Directive.
Significant obstacles to getting compensation and risk of fragmentation of liability rules
Secondly, the Commission states that the 2018 Evaluation of the Directive found that the complexity of certain products, e.g., pharmaceuticals and products using emerging digital technologies, makes it difficult for injured parties to prove a product defect and a causal nexus. The Commission is concerned that national courts may apply diverging ad hoc solutions to this problem, e.g. by developing extensive interpretations of strict liability regimes or by alleviating the burden of proof under national law. This may lead to further fragmentation of liability rules and – due to the specific features and economic importance of AI – to obstacles in the internal market.
The Commissions also sees need for clarification of liability rules with respect to AI products that continuously learn and adapt while in operation, as it is unclear whether unpredictable outcomes that lead to damage can be treated as ‘defects’ under the Directive. And even if this was the case, the Commission points out that the ‘development risk defence’ exempts producers from liability for defects that were undiscoverable at the time the product was put into circulation.
Lastly, the Commission is of the opinion that the Directive’s restrictions (time limits and the minimum threshold for property damage of EUR 500) may excessively limit claims.
Consequences for businesses and consumers
According to the IIA, these challenges and uncertainties have negative consequences for both businesses and consumers. The Commission states that companies face legal uncertainty due to outdated and unclear EU and national liability rules. Divergent national approaches could leave producers, service providers and operators unable to assess the extent of their liability. This could create extra costs, stifle innovation and discourage investment.
Injured parties could experience difficulties getting compensation for harm caused by digital technologies. If consumers had less protection compared to those who suffered damage caused by traditional technologies, this could undermine societal trust in and uptake of emerging technologies.
Proposed policy options
The Commission is considering the following options to adapt strict liability rules to the digital age and circular economy (taken verbatim from the IAA):
- 1.a – Revise the Directive to extend strict liability rules to cover intangible products (e.g. digital content/software) that cause physical/material damage, and to address (i) defects resulting from changes to products after they have been put into circulation (e.g. software updates or circular economy activities like product refurbishments), (ii) defects resulting from interactions with other products and services (e.g. IoT) and (iii) connectivity and cybersecurity risks. In addition, extend strict liability to online marketplaces where they fail to identify the producer.
- 1.b – As Option 1a, but extend the range of damages for which compensation can be claimed under the Directive to non-material damages (e.g. data loss, privacy infringements or environmental damage).
- 1.c – Harmonise the existing strict liability schemes of operators/users that apply to AI-equipped products and providers of AI-based services (where injured parties only have to prove that the damage emanates from the sphere of the operator of the AI-system). Following existing national models, the operator could be defined as a person, other than the producer, who is able to exercise a degree of control over the risks associated with the operation (such as owners and service providers). Alternatively, the strictly liable person could be identified by reference to the ‘user’ as defined in the proposed AI Act. The extent of harmonisation of strict liability can vary:
- (i) Recommendation to Member States of a targeted and risk-based harmonisation of the strict liability of operators/users of AI-systems that enable products and services with a specific risk profile (such as those endangering the lives, health and property of members of the public), possibly coupled with an insurance obligation.
- (ii) Targeted and risk-based harmonising legislative measure covering the same elements as 1.c (i). This option would create for those AI-systems with a specific risk profile a liability framework at EU level similar to what happens in almost all Member States’ legal systems as regards motor vehicle liability: strict liability of the producer for defects under the Directive as well as strict liability of the owner/operator.
- (iii) Risk-based, but broader harmonisation of the operator’s/user’s strict liability, similar to 1.c (ii) but including additional aspects such as statutory limitation periods for lodging a claim and rules for joint liability, as envisaged by European Parliament (EP) Resolution 2020/2014(INL).
- (iv) Strict liability of the operators/users of AI-systems in general (irrespective of their risk profile).
The following options are put forward to address proof-related and procedural obstacles to getting compensation (taken verbatim from the IAA):
- 2.1. Options to reduce obstacles to getting compensation under the Directive
- 2.1.a – Alleviate the burden of proof by (i) obliging the producer to disclose technical information to the injured party and (ii) allowing courts to infer that a product is defective or caused the damage under certain circumstances, e.g. when other products in the same production series have already been proven to be defective or when a product clearly malfunctions.
- 2.1.b – Reverse the burden of proof. In the event of damage, the producer would have to prove the product was not defective.
- 2.1.c – In addition to option 2.1.a or 2.1.b, adapt the notion of ‘defect’ and the alleviation/reversal of burden of proof to the specific case of AI and remove the ‘development risk defence’ to ensure producers of products that continuously learn and adapt while in operation remain strictly liable for damage.
- 2.1.d – In combination with option 2.1.a, 2.1.b or 2.1.c, ease the conditions for making claims (time limits and EUR 500 minimum threshold for damage to property).
- 2.2. Options to address proof-related challenges posed by AI to national liability rules
- 2.2.a – Recommendation to Member States of targeted adaptations to the burden of proof.
- 2.2.b – Legislative measure providing for a harmonised reversal of or other ways of alleviating burden of proof linked to non-compliance with AI-specific obligations in EU safety legislation (e.g. documentation or human oversight obligations under the proposed AI Act), in order to better enforce these obligations through civil liability claims and further promote compliance.
- 2.2.c – Legislative measure adapting the burden of proof where the claimant would otherwise be required to demonstrate how an opaque AI system produced a certain output that caused the damage.
- 2.2.d - Harmonisation of claims involving fault of the operator of AI systems without a specific risk profile, by introducing a reversed burden of proof regarding fault, as well as harmonisation of additional aspects such as the types of compensable harm, limitation periods and joint liability, as envisaged by EP resolution 2020/2014(INL).
Although these are still very preliminary proposals from the Commission (IIAs examine whether there is a need for EU action and analyse the possible impacts of available solutions), the proposed expansion of liability is groundbreaking. Some proposals, such as the alleviation or even reversal of the burden of proof, have the potential to fundamentally change the Directive's liability regime.