European Union (EU) product liability rules for artificial intelligence (AI)
In our article: Laytons Artificial Intelligence (AI) Series: Artificial Intelligence (AI) and legal liability — Laytons ETL we looked at how the rapid development of Artificial Intelligence (AI) technology leaves us to question whether the English Civil Liability rules of contractual, and extra-contractual liability for loss and damage caused by AI, are fit for purpose. The EU has taken the game of AI liability into its own territory with its proposed laws on both product liability and product safety fit for the AI age.
On 3 February 2023, the European Council published a draft compromise proposal of the revised Product Liability Directive (“Directive”). Its provisions will come into force in EU Member States 12 months after the Directive is finally approved in the EU legislative process. This draft Directive will revise the original Product Liability Directive (PLD).
The European Parliament has just adopted, at first reading, the consolidated text of a Regulation on Product Safety and it is expected that the Council, will formally adopt the Regulation at first reading without further amendments on 25 April 2023. The Regulation will then be published in the Official Journal of the European Union. Its provisions will apply 18 months after it enters into force. This regulation revises the General Product Safety Directive (GPSD).
The implementation of the PLD and the GPSD, both of which were implemented into UK Law as retained matters at the time of Brexit will leave a divergence of rules between the EU and the UK after the dates of their implementation, as the UK has not announced any intention to follow the EU legislative initiatives in respect of liabilities arising in the UK. Nevertheless, any UK based business looking to supply goods and related services in the EU (as it is the largest and closest export market) will need to comply with the new PLD and the GPSD in those markets, in practice, it may need in the UK domestic market to operate in a very similar manner to manage and mitigate its business risks as it would do in the EU. In all practical terms the UK has become a rule taker, rather than a rule maker.
Deficiencies of the PLD
The PLD when implemented 40 years ago, provided a system of strict liability whereas the national regimes provided for fault-based liability rules which require the claimant to establish fault, damage, and causation. The PLD did not address issues of emerging digital technologies(EDTs), online shopping, connected products and AI that did not exist at that time.
The EU Commission evaluation of the PLD specified developments in technology posed challenges for the application of existing liability rules:
The PLD was not designed to address the intangibility of digital products, their dependence on data, their complexity and connectivity.
Developments in technology have meant that definitions that had previously been clear-cut needed reassessment, including the terms "product", "producer", "defect" and "damage".
The development of connected products and related services required clearer attribution of damage between businesses and consumers.
The PLD was unclear on who should be liable for defects resulting from changes in products after they are put into circulation (for example, remote updates).
The burden of proof (that is, the need to prove the product was defective and caused the damage suffered) was challenging for victims in complex cases.
EU: proposal to revise and replace the PLD
While the new PLD retains the core concepts of the existing Directive, including the principle of strict liability for damage caused to a consumer by a defective product, including the core liability test of “Whether the Product provides for the safety which the public at large is entitled to expect”, the proposed new PLD includes the following provisions:
Establishing new rules of non-fault-based liability for damage caused by AI systems.
Adding to the scope of products: Software,3D printing, apps, operating systems and related digital services.
Making software developers and providers of digital services liable for defects in their software and services that cause the product as a combination of goods and services to cause damage . Manufactures will also become liable for post circulation modifications causing product defects, as will remanufacturers, who make substantial modifications to Products.
Making interconnectedness of product/services/software etc. be relevant in assessing product defects.
Products and connected services attribute damage by Businesses to Consumers.
Reversing the burden of proof in complex cases involving AI, where liability would otherwise be hard to prove.
Imposing an obligation on manufacturers to disclose evidence.
Extending the limitation period for claims from 3 years after first distribution.
Extending damages for:
Harm to psychological health including VR products.
Data corruption.
Death, personal injury and property.
The EU Commission has also published a proposal for a directive on adapting non-contractual civil liability rules for AI alongside its proposal for a revised PL D (AI Liability Directive). The objective is to make it easier for claimants to bring claims for damage caused by the fault of an AI system under the national laws of member states.
EU: proposal to revise and replace the GPSD
The new General Product Safety Regulation revises the GPSD which provides the pre-existing EU legal framework for safety of non-food consumer products to the extent that there are no sector-specific provisions in other EU legislation, such as the EU harmonised legislation for medical devices, or where that sector-specific legislation does not apply to the specific safety aspect in question (in which case the GPSD fills the gap).
The GPSD obliges manufacturers, importers, and other producers to:
Place only safe products on the market.
Inform consumers of risks associated with the product.
Ensure that products are traceable and to notify the relevant authorities if a recall is needed.
Member states may impose fines and other criminal or administrative penalties for breach.
The GPSD also established the EU Rapid Alert System, Safety Gate (formerly known as RAPEX), which allows member states to share information on potentially dangerous products and product recall exercises.
The GPSD is now over 20 years old. While it is still the most significant single piece of EU product safety legislation. However, its importance has been somewhat eroded by the increase in the number of sector-specific directives which set harmonised standards and conformity assessment requirements for product types. This has led to a fragmented regulatory landscape for product safety.
Deficiencies of the GPSD
The proposal for regulation was accompanied by a Working Document providing an executive summary of the impact assessment the Commission undertook as part of its evaluation of the GPSD in June 2020 concluded that the role of the GPSD as a safety net remained essential for consumer protection and Safety Gate had proven to be a success. However, the evaluation exposed several factors that called into question the effectiveness of some GPSD provisions, including:
The GPSD did not address how new technology, such as AI or connected consumer products, can impact product safety. For example, a product may become dangerous by having insufficient cybersecurity protection, or a consumer's personal security could be endangered if a third-party accesses information.
The GPSD was ill-equipped to deal with the challenges posed by developments in e-commerce, including sales via online platforms. The product safety obligations of operators of online platforms were unclear, which affected consumer protection and created an uneven playing field between online and offline sellers. While some online marketplaces had signed up to voluntary commitments, others had not. There was a particular problem where consumers bought products from operators located outside the EU particularly if the trader was not represented on the EU market.
The effectiveness of product recalls from consumers was low. This left too many dangerous products in consumers' hands.
The GPSD's market surveillance provisions were not consistent with the updated market surveillance rules for harmonised products (typically identifiable through the CE marking), introduced by the 2019 Market Surveillance Regulation. The adoption of that Regulation, which applies to those sectors subject to harmonised measures, meant there was an uneven framework between products under harmonised EU rules and products that were not subject to such rules (which were covered by the GPSD). This meant that products subject to the GPSD were subject to less rigorous regulation than products subject to harmonised legislation. Market surveillance authorities lacked the appropriate tools under the GPSD to impose effective sanctions and products were difficult to trace throughout the supply chain. There was also considerable divergence in the approach to product safety risk assessment between member states.
The proposed new regulation seeks to address the above problems. The regulation will work in tandem with the Commission's legislative proposals governing AI systems, machinery products and connected consumer products.
Summary of principal changes to the GPSD
The proposed regulation will, if implemented, introduce sweeping changes to the EU general product safety regime, with a significant increase in the obligations on actors throughout the supply chain and backed up by high fines for breach.
The principal changes proposed are:
Online marketplaces. A discrete chapter of the proposed regulation is dedicated to online marketplaces. Online marketplaces will have to assume more responsibility in tackling the sale of dangerous products online.
Online advertising. It will be necessary to publish safety warnings at the time of online advertising. Also, offering products for sale on an online marketplace using an official EU language will be a relevant consideration when considering whether an advertisement is targeted at EU consumers. This means the offer would need to contain information to identify the product and details of the manufacturer or responsible economic operator established in the EU.
Emerging technologies. The proposed regulation expands the definitions of "product" and "safety" to encompass EDTs. The definition of "product" takes account of interconnectivity of products and the definition of "safety" takes account of the product's cybersecurity features and its evolving, learning and predictive functionalities.
Economic operators. The proposed regulation introduces a new definition of "economic operator". This is the manufacturer, authorised representative, importer, distributor, fulfilment service provider or any other person who is subject to obligations in relation to the manufacturer or products, making them available on the market in accordance with the proposed regulation.
Technical documents. Manufacturers will have to draw up technical documents in relation to all consumer products. This is already the case with harmonised products but less so under the GPSD.
Testing. The responsible person will be required to conduct periodic sample testing of products placed on the EU market.
Market surveillance. The proposed regulation will establish a consumer safety network to exchange information and co-operate with tracing and the recall of dangerous products. Online marketplaces will be obliged to register with a Safety Gate Portal and co-operate with market surveillance authorities.
Notifications. Economic operators must issue a notification of an accident within two working days after becoming aware of the accident.
Traceability. The Commission may request an economic operator to establish a system of traceability for certain products presenting a serious risk to health and safety of consumers.
Product recalls. The proposed regulation contains several provisions designed to improve the effectiveness of product recalls within the EU, including:
the recall notice must meet specific requirements (a description of the product including a photograph, the name and brand of the product, a clear description of its hazards, and so on). Terms like "precautionary", "rare" and "voluntary" will be prohibited;
the recall notice must include an instruction to stop use immediately; and
the economic operator responsible for the recall must offer the consumer an effective, cost-free and timely remedy to either repair or replace the product or to provide a refund.
Penalties. Market surveillance authorities will be able to impose fines for non-compliance of up to 4% of the annual turnover of the economic operator or online marketplace in the concerned member state(s).
Also, as a regulation rather than a directive, there should be greater consistency across member states.
Additional EU proposals for regulation of AI products include:
Machinery Products Regulation.
Revision and replacement of General Product Safety Regulation.
Connected consumer products.
Cyber security of internet enabled products.
Cyber resilience Act
EU digital services Act
Regulation of sustainable Products
Key takeaways of legislative developments in the EU regarding defective products and their safety:
More complex products with integrated AI services have developed faster than the law.
The EU has a legislative plan for liability and regulation of AI products and services.
Legislation to be implemented in the course of 2023-2026
Other jurisdictions, including the UK, lag behind the EU legal developments.
Barriers to entry to EU market will be caused by the legislative developments.
Scope of products and services is evolving for which liabilities arise.
Coping methods and strategies for risk management and resilience are evolving. Some AI systems being adopted as risk analysis tools, and management guides.
This article is based on European Product Liabilities (Butterworths) edited by Paddy Kelly and Rebecca Attree.
If you have any questions or require advice, please reach out to Paddy Kelly or Carmen Yong in our Corporate & Commercial Department.