We’ve written a number of posts on whether, in various jurisdictions across the United States, software and other forms of electronic/magnetic code can be considered to be “products” for purposes of product liability – usually strict liability. As befits the decentralized product liability litigation landscape in the United States, there is considerable uncertainty, but most decisions, as well as both the Second and Third Restatements of Torts, have determined that incorporeal items composed of electronic bytes are not “products.”
The European Union now seems headed in the opposite direction. In late September, the European Commission released COM (2022) 495, a “Proposal for a directive of the European Parliament and of the Council on liability for defective products.” The overall purpose of this proposal is to replace the EU’s 35-year old product liability directive (“PLD”), which we’ve discussed in various contexts, here, here, and here, with an “entirely” new directive. Proposal at 7. In addition to software as a product, it addresses artificial intelligence, smart products, and jurisdictional issues arising from the increasing prevalence of transnational product purchase platforms such as Amazon.
Our focus today is on software as a product. We note that decisions by the European Court of Justice had reached arguably conflicting conclusions on computerized information as a “product” under existing law. Compare The Software Incubator Ltd. v. Computer Associates (UK) Ltd., ECLI:EU:C:2021:742 ¶¶39, 43 (E.U.C.J. 4th Chamber Sept. 16, 2021) (download of computer software is a “sale” of “goods” under EU Directive 86/653), with, VI v. Krone – Verlag Gesellschaft mbH & Co. KG, ECLI:EU:C:2021:298 ¶22 (E.U.C.J. April 15, 2021) (product liability directive “applies to the physical properties of products only” and cannot be applied to an error in an online newspaper), id. ¶31 (“it is nonetheless perfectly clear from the language, context and objectives of the Products Liability Directive that the reference to a ‘product’ in that directive is confined to a tangible object”). The new proposal would resolve this issue in favor of expanding strict liability to intangible computerized information.
In pertinent part, “this proposal aims to  ensure liability rules reflect the nature and risks of products in the digital age.” Proposal at 2. Obviously, the “digital age” is, well, digital. Along these lines, the proposal envisions including software, and so-called “smart” products incorporating software, “such as operating systems, firmware, computer programs, applications or AI systems,” id. at 15 (item 12), fully into the pre-existing PLD strict liability framework. Thus, the proposal:
confirms that AI systems and AI-enabled goods are “products” and therefore fall within the PLD’s scope, meaning that compensation is available when defective AI causes damage, without the injured person having to prove the manufacturer’s fault, just like for any other product.
Proposal at 5. “By enlarging the scope of the EU’s product liability regime to explicitly include software providers” the proposal is intended to “ensure that people enjoy the same protection no matter whether the defective product that harms them is tangible or digital.” Id. at 6.
The scope of the proposed new definition of “product” is quite broad, but not infinite. Generally, it “[s]oftware, such as operating systems, firmware, computer programs, applications or AI systems” whether “placed on the market as a standalone product” or “subsequently . . . integrated into other products as a component.” Id. at 15. Software would thus be a “product,” “irrespective of the mode of its supply or usage, and therefore irrespective of whether the software is stored on a device or accessed through cloud technologies.” Id. at 15-16 (item 12). Three-dimensional printing (additive manufacturing) would thus be a “product” under this proposal:
Digital manufacturing files, which contain the functional information necessary to produce a tangible item by enabling the automated control of machinery or tools, such as drills, lathes, mills and 3D printers, should be considered as products, in order to ensure consumer protection in cases where such files are defective.
Proposal at 16 (item 14). So would software components of physical products – such as automotive navigation systems (or, presumably, operating systems for robotic medical devices):
It is becoming increasingly common for digital services to be integrated in or inter-connected with a product in such a way that the absence of the service would prevent the product from performing one of its functions, for example the continuous supply of traffic data in a navigation system. . . . [I]t is necessary to extend no-fault liability to such digital services as they determine the safety of the product just as much as physical or digital components. Such related services should be considered as components of the product to which they are inter-connected.
Id. (item 15).
Two exceptions are mentioned. First “[t]he source code of software, however, is not to be considered as a product . . . as this is pure information.” Id. (item 12). Second, “open-source software developed or supplied outside the course of a commercial activity” would not be subjected to strict liability when it “is openly shared and freely accessible, usable, modifiable and redistributable.” But strict liability would apply:
where software is supplied in exchange for a price or personal data is used other than exclusively for improving the security, compatibility or interoperability of the software, and is therefore supplied in the course of a commercial activity.
Id. at 16 (item 13). “The developer or producer of software” would “be treated as a manufacturer.” Id. (item 12).
The proposal’s inclusion of software as “products” would also expand the universe of potential strictly liable defendants, and also related concepts of defect and the scope of recoverable harm.
Defendants − Under the proposal, “software providers, businesses that make substantial modifications to products, authorised representatives and fulfilment service providers” would all be subject to the same strict liability as product manufacturers. Proposal at 6. “[A]ny manufacturer involved in the production process can be made liable, in so far as their product or a component supplied by them is defective.” Id. at 18 (item 26). The inclusion of representatives and fulfillment providers means that, if the actual manufacturer had no presence in the EU, strict liability could be imposed on other entities, including the internet platforms through which an allegedly defective product was purchased. See Id. (item 27) (“it should be possible to hold them [fulfilment service providers ] liable, but given the subsidiary nature of that role, they should be liable only where no importer or authorised representative is based in the Union”).
Defect − The “factors” by which EU courts determine product defects would be expanded to include “the interconnectedness or self-learning functions of products.” Id. at 12. Product defects would include “cybersecurity vulnerabilities” – including “fail[ure] to provide software security updates necessary to tackle such vulnerabilities Id. at 7, see id. at 18 (item 23).
[S]ince digital technologies allow manufacturers to exercise control beyond the moment of placing the product on the market or putting into service, manufacturers should remain liable for defectiveness that comes into being after [the date of sale] as a result of software or related services within their control, be it in the form of upgrades or updates or machine-learning algorithms.
Proposal at 21 (item 37). “[D]efectiveness” would include “the lack of software updates or upgrades necessary to address cybersecurity vulnerabilities and maintain the product’s safety.” Id. (item 38).
On the other hand, product recalls would “not of themselves create a presumption of defectiveness.” Id. at 18 (item 24). Nor would subsequent product improvements:
[T]he existence, or subsequent placing, on the market of a better product should not in itself lead to the conclusion that a product is defective. Equally, the supply of updates or upgrades to a product should not in itself lead to the conclusion that a previous version of the product is defective.
Id. (Item 25).
Damages − The proposal also would “expand the notion of compensable damage to include the loss or corruption of data.” Id. at 12. Thus it would permit recovery of “material losses due to the loss, destruction or corruption of data.” Id. at 6. Damages would not include losses “where the owner of the product does not install an update or upgrade.” Id. at 22 (item 38).
* * * *
The proposal is not specific to prescription medical products, but does mention them several times. One example of “standalone software” that would be subjected to strict liability under the proposal is “a medical device smartphone app.” Proposal at 9. Later, the proposal states that “[s]ome products, such as life-sustaining medical devices, entail an especially high risk of damage to people and therefore give rise to particularly high safety expectations.” Id. at 17 (item 22). Most concerning, the proposal would provide a “presumption” of “defectiveness, rebuttable by the manufacturer, in cases of “technical or scientific complexity.” Id. at 20 (item 34). Prescription medical products are among the targets of such a presumption. Id. at 21 (mentioning both “an innovative medical device” and “a pharmaceutical” as examples). However, the state of the art defense remains. Id. at 22 (item 39).
Nor is there anything in the proposal indicating that websites themselves, or the algorithms that operate them, are going to be considered products in the EU. Some transfer of ownership, or at least possession, seems to be requires.
* * * *
Finally, we emphasize that this proposal is just that – a proposal. However, the EU is the largest market for prescription medical products in the world, so it behooves both our clients and their legal representatives to engage with this proposal sooner rather than later.