Increasing Systemic Legal Risks in the EU: The Economic Impacts of Changes to the EU’s Product Liability Legislation

The EU’s Product Liability Directive (PLD) determines the rules for strict product liability in the EU. It establishes a framework in which manufacturers’ liability is determined solely based on the presence of defects in the product, regardless of the manufacturer’s fault. The PLD is intended to serve as a “safety net” when fault-based or contractual liability rules do not offer sufficient compensation to consumers. It operates independently from contractual arrangements between businesses and consumers, and it cannot be weakened by contractual agreements between businesses and consumers.

The PLD is a horizontal regulation that applies to a wide range of industries in the EU because it applies to all products available on the EU market. The recently proposed changes by the European Commission would increase systemic legal uncertainty for producers and sellers of technology-intensive goods and services in the EU. The impact assessment of the European Commission does not sufficiently account for changes to the PLD proposed in 2022. Nor does it sufficiently account for the major impacts of increased legal uncertainty for European businesses. Legislators in the Council and the European Parliament should slow negotiations to allow time for policymakers to collect more evidence on the impacts on businesses, insurers, and courts we detail in this paper. This would be an opportunity to improve regulatory quality in light of the high levels of legal uncertainty associated with the changes proposed by the Commission.

Most of the proposed changes would bring new legal risks to manufacturers of technology products, software developers and services providers specialising in the development and commercialisation of digitally provided services. We identified six key determinants of new legal risks. These have largely been overlooked in the European Commission’s impact assessment regarding the reform of the PLD. The impact assessment presented by the Commission is well-researched. However, it suffers from multiple problematic aspects, resulting in a systematic neglect and underestimation of effects of new legal risks on businesses and consumers in the EU.

Technology-intensive sectors are investment-intensive and therefore particularly sensitive to legal risks. Applying econometric techniques, we find that legal uncertainty has a significant impact on the creation of value-added in the EU. The impact of legal risks on value-added production is strongest in EU industries with high digital and technological intensities, such as Europe’s software industry or budding AI ecosystem, but also, for example, the motor vehicles and transport equipment industry. We observe strong significant relationships between legal uncertainty and economic activity of small and large firms. Even if the proxy indices used in our analysis reflect a broad spectrum of legal risks perceived by businesses, the results demonstrate that even a small increase in risk perception would have a significant negative impact on the output of technology-intensive industries in the EU, reducing available supply. Existing companies may be forced to stop providing products or services in the EU, harming consumers.

Most of the proposed changes to the PLD systematically increase the legal risks in the EU. Legal uncertainty always impacts economic activity. The proposed changes to the PLD are meant to provide clarification regarding the scope of strict liability requirements. However, they conversely increase legal uncertainty for companies providing technology-intensive products, components or services in the EU.

Major sources of additional legal risks are as follows:

• Inclusion of stand-alone software: The treatment of software offerings, including AI-based applications, as products, is problematic because of the particularities of software development and the complexity of industrial partnerships in the development of technology-intensive products and components. Software applications have a fundamentally different risk profile than physical and movable goods. Standalone software cannot physically act upon any person or property. Software bugs are generally accepted as inherent to software development and can be readily fixed through remote wireless updates. The biggest challenge stemming from strict liability under the proposed PLD is that software and app developers can be held liable regardless of their intent or knowledge of defectiveness. Software developers often lack control over how their software is integrated along the supply chain. Imposing strict liability for standalone software is not justified nor proportionate as it does not pose the same risks of severe damage to persons or property.

Under a revised PLD, all companies contributing software to a product or component could still be held liable for no-fault-based errors even if they had limited their liability risks in contractual arrangements with the buyers or users of their software solutions. For complex product and software solutions, fault is extremely difficult or even impossible to assign to an individual entity in the value chain. This poses a major problem for insurance companies, which may not be able to assess which part of the value chain contains the greatest product liability risk.

Insurance companies will base their (pricing) decision on whether to insure a software provider on aspects that influence the risks facing that company. The European Commission’s own (rough) estimates indicate that the inclusion of stand-alone software, the extension of compensable damage, and the easing of the burden of proof would increase company’s liability insurance premia by 25% on average. In reality, these numbers will vary significantly between individual companies depending on company size, portfolio diversification, and the risk profiles of products and services offerings. Insurers’ assessment of risks related to no-fault-based claims would have to account for risks related to particular use cases. This will be difficult and, in many cases, impossible to be done in a reliable way, especially in the case of general-purpose software, i.e., code that is mass-produced for a broad range of common business applications such as word-processing, graphics, payroll, and accounting software. Difficulties in assessing the risks of use cases will also arise from software that is deployed in conjunction with open-source code or software deployed to run interfaces used for the provision of web-based digital services, e.g., software underlying intermediation services, search engines, and online platforms.

The difficulties of assessing new no-fault-based risks will negatively impact companies’ ability to obtain affordable and/or full insurance coverage. Currently, liability claims are dealt with such that product manufacturers and software developers have contractual arrangements, which are not covered by the PLD. This reflects the reality that contracting parties in many cases have asymmetrical information or discretion over how a contributor’s technology is going to be operated or placed into a product by another party, causing parties to contractually assign certain responsibilities or apportion potential exposure in a more equitable manner. Higher exposure to no-fault-based liability risks implies that software developers at the beginning of a new development project must be aware that there are persistent risks which may be outside their control. Businesses, small and large, will be deterred by these risks.

• Inclusion of related (digital) services: The inclusion of software-based services also fails to account for fundamental differences between product and software-based services offerings. Contrary to most movable products, digitally provided services typically do not have distinct uses with a foreseeable range of associated risks. Many digital services can be considered general purpose services, e.g., smart voice assistants, (AI-assisted) search engines, and AI-enabled services such as fraud detection, content moderation, chatbots, and the creation of smart content, which can be used in a vast range of scenarios. The inclusion of services whose areas of ​​application are not foreseeable has a deterrent effect on services development placement in the EU. Many companies, small and large, may decide not to or no longer offer a certain service in the EU because of too many possible liability risks and because insurers offer no or only limited insurance coverage.

• Inclusion of damage related to psychological health: New legal risks from the inclusion of software and digital services would be tremendously amplified if policymakers decided to extend liability risks to damage to psychological health, as the Commission proposes. Psychological health and mental illness are very complex types of damage to assess and the opinions of medical professionals frequently differ. As concerns “medically recognised psychological harm”, interpretations of what it exactly constitutes vary greatly, making it close to impossible to interpret the rules in a consistent way across the 27 Member States. The combination of including software and damage related to psychological health would lead to an increase in litigation and, as a result, increased insurance premiums for insurable risks.

The impacts of Social Inflation and collective redress have been, to date, disregarded  by policymakers. Social inflation in liability insurance reflects the trend of an increasing number of claims with high amounts of compensation claimed for damage. Social inflation, activist plaintiffs and class action would disproportionately hit companies developing and commercialising software and AI systems in the EU. Although it is difficult to assess the impact of Social Inflation on the number of immaterial damage claims, cases involving environmental standards and social media suggest that social inflation in EU liability litigation could pick up substantially if mental health becomes a compensable damage under the PLD. Anticipating increases in litigation and associated costs, companies may decide not to develop and commercialise certain software products and digital services in EU Member States.

• Inclusion of damage related to loss or corruption of data: The inclusion of data loss and the corruption of data would tremendously increase risks of being exposed to claims related to no-fault-based liability claims. The value of personal data is usually subjective. Damages from the loss of personal data are extremely difficult to define and, as a result, it is very difficult to objectively quantify it in courts. Similar to assessments of damages related to mental health, a rather unlimited expansion of individuals’ legal interests will likely result in differences in enforcement across EU Member States. Anticipating or responding to increases in litigation and associated costs, software companies and providers of data-driven digital services may decide to leave or discontinue offerings in Member State markets.

• Reversal of burden of proof and evidence disclosure obligations: The Commission proposes to alleviate the burden of proof for complex technologies, including AI-based systems and services. This constitutes a de facto reversal of the burden of proof for many technology-intensive product and service providers – despite the Commission’s impact assessment advising against a reversal in the burden of proof. As argued in the European Commission’s impact assessment, reversing the burden of proof “would expose manufacturers to significantly higher liability risks and could hamper innovation, leading also to potentially higher product prices and reduced access to innovative products.” In addition to higher exposure to no-fault-based liability risks, companies must consider the possibility of being mandated to disclose essential trade secrets. Plaintiffs would have greater incentives to launch frivolous or speculative claims due to greater leverage over defendants, which in turn may opt for out-of-court settlement rather than disclosing information or incurring the costs of court proceedings.

• Vague definitions or concepts that go undefined: Despite the clarification of product scope and damage, significant legal uncertainties remain as to the applicability of the revised Product Liability Directive to companies that develop and commercialise software and technology products. Due to unspecified applications and use cases, the Commission’s proposal would likely lead to more fragmentation as interpretations would be left to the discretion of Member States’ courts, for, e.g., the concept of related service, the application of disclosure orders, and decisions on what constitutes a scientifically and technically complex product, etc.

Impacts on businesses, R&D and consumers in the EU

For any business, the biggest challenge of strict liability is that they can be held liable regardless of their intent or knowledge of defectiveness. Policymakers do not address how companies will in the future manage, allocate or insure risks from no-fault-based liability. Companies commercialising software, AI code, AI data, and software-based services or contributing them to a product or component could still be held liable for no-fault-based errors even if they had limited their liability risks in contractual arrangements with users of their solutions. The exposure to new and unforeseeable liability risks will probably result in many technology companies no longer marketing their products and services in the EU, or only doing so to a limited extent. The effects on research and development (R&D) and innovation in Europe are difficult to predict. However, the revised PLD would have a dampening effect on investments, production and innovation in technology-intensive industries in the EU. It can be expected that innovative technology-based products and services will be (initially) marketed primarily outside the EU and that the development of these products will also increasingly take place in these markets, above all in the US.

The EU’s software and technology innovation ecosystem would be systemically disrupted. The direct impacts on the relevant sectors would be the largest in the Member States which are home to a large number of companies pursuing the development of software and app solutions. As shown in this paper, Europe’s software and app development sector is to a very large extent driven by small business activity. The termination of development projects by small companies could result in a comparatively high drop in value added in the Member States. It should be noted that the European Commission’s impact assessment underlying its PLD reform proposal does not account for impacts in industries other than ICT services (NACE sectors J62-J63). Impacts on manufacturing and services businesses, which also develop and commercialise software products and related services, have been ignored. These include carmakers and manufacturers of electrical equipment or consultancies, which engage in customised software development and solutions that are sold to other businesses and final customers.

Impacts on European consumers

A first impression of the proposed changes to the PLD may be that it provides stronger rights and benefits for consumers. However, there is only weak evidence of why it is a problem that software and mental health are not covered by strict product liability today, and why the inclusion of software should go beyond safety-relevant applications. The Commission’s impact assessment remains largely silent about why consumers have difficulties making specific claims or why their claims are rejected by the courts. The European Commission’s Regulatory Scrutiny Board states that the European Commission’s impact assessment “report is not sufficiently clear about the size and evolution of the problem”.

Even small changes in the perception of legal uncertainty and actual legal risks have a significant impact on companies operating in investment-, knowledge-, and technology-intensive industries in the EU. Some companies will simply stop serving EU markets, resulting in a decrease in the supply of technology-intensive products and services, which in turn results in less consumer choice, less access to cutting-edge innovation, and higher prices for remaining and potentially inferior offerings. Higher provisions for no-fault-based liability risks and higher cost of liability insurance would be passed on to consumers, resulting in higher prices for affected goods and services.

Policy recommendations:

• Software, AI systems and related digital services should per se not fall under the scope of the strict liability regime of the EU’s PLD. Including software and software-based services to the PLD’s no-fault-based liability regime should be strictly limited to critical applications that can cause serious harm to consumers.

The evidence base for including damages created by all defective software or apps is weak. Other liability regimes, fault-based and/or contractual are more appropriate. For example, software developers can already be held accountable on the basis of Directive 2019/770^[1] and Directive 2019/771^[2] covering rules applicable to “digital content”, “digital services”, and the “sales of goods with digital elements”.

The European Commission has also proposed, alongside the PLD, an AI Liability Directive, which provides common rules for a non-contractual, fault-based liability regime for damage caused by AI, particularly high-risk AI systems (HRAIS). At the time of writing, it is still too early to endorse the AI Liability Directive as a solution, as it is yet to move through the legislative process. AILD may be better suited to handle AI than the PLD – and they are intended to co-exist anyway. However, the AILD proposal also includes a rebuttable presumption for establishing causation, which (as is alluded to in this paper) is a potential problem for many upstream providers of software and AI applications when considering the unforeseeable scope of potential harms.

• Damage from psychological health and loss/corruption of data should both be excluded from the scope of the PLD. It is very difficult for courts to objectively assess the nature and origin of damages. It is, for example, very difficult to establish the no-fault-based impacts of a software app or consumed digital services on psychological health. Including damages from psychological health and loss/corruption of data would lead to differences in implementation and enforcement as well as speculative claims and associated forum shopping. Social inflation in no-fault-based liability claims, activist plaintiffs and collective redress would disproportionately hit companies developing and commercialising software in the EU.

• If the burden of proof is to be reversed for reasons of technical or scientific complexity, then this should be within tightly controlled limits set out for national courts to apply. Additional safeguards are needed for the disclosure of evidence to address the likelihood of businesses preferring to settle to avoid litigation costs and keep information and trade secrets confidential. The type of evidence eligible for disclosure orders must be more clearly defined. Assessments of publicly available documentation and evidence should be performed prior to resorting to a disclosure order. Furthermore, defendants should be granted reciprocal rights to request a defined set of evidentiary materials from claimants with regard to their habitual product use, proof of purchase, health records, and other relevant information. Without these safeguards and reciprocal treatment of all parties, companies potentially liable under the PLD may be inclined to settle rather than disclose trade secrets or invest in costly legal proceedings.

• The EUR 500 threshold should be maintained to prevent a disproportionately high number of claims, which could overstrain courts and insurance companies. The upper limit of EUR 70 million should also be maintained to encourage insurability of strict liability risks. The maximum threshold was not mandatory in the original PLD and was not considered a priority by the European Commission. It has been excluded from the Commission’s impact assessment. However, given the potential revisions proposed by the Commission regarding product scope and damages, these thresholds are arguably even more important than before. For example, one small unknown defect could become the basis of a strict liability claim by, potentially, millions of customers.
  

  ---

[1] Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services. Available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32019L0770#:~:text=Directive%20(EU)%202019%2F770,(Text%20with%20EEA%20relevance.).

[2] Directive (EU) 2019/771 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the sale of goods, amending Regulation (EU) 2017/2394 and Directive 2009/22/EC, and repealing Directive 1999/44/EC. Available at https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32019L0771#:~:text=Directive%20(EU)%202019%2F771,(Text%20with%20EEA%20relevance.).