Skip to content
BY 4.0 license Open Access Published by De Gruyter February 13, 2023

Liability Rules for the Digital Age

– Aiming for the Brussels Effect –

  • Gerhard Wagner EMAIL logo


With legislative proposals for two directives published in September 2022, the European Commission aims to adapt the existing liability system to the challenges posed by digitalisation. One of the proposals is related and limited to liability for artificial intelligent (AI) systems, but the other contains nothing less than a full revision of the 1985 Product Liability Directive, which lies at the heart of European tort law. Whereas the current Product Liability Directive largely followed the model of US law, the revised version breaks new ground. It does not limit itself to the expansion of the concept of product to include intangible digital goods, such as software and data as well as related services, important enough in itself, but also targets the new intermediaries of e-commerce as liable parties. As such, the proposal for a new product liability directive is a great leap forward and has the potential to grow into a worldwide benchmark in the field. In comparison, the proposal of a directive on AI liability is much harder to assess. It remains questionable whether a second directive is actually needed at this stage of the technological development.

I Introduction

Climate protection and digitalisation – these are the two major topics on the agenda of Ursula von der Leyen’s European Commission. In late September 2022, the Commission presented proposals for two directives that offer liability rules for the digital age and carry disruptive potential. The first of these proposals, the AI Liability Directive, is aimed at artificially intelligent digital systems (AI systems) and provides specific liability rules for them.[1] It is accompanied by a second initiative with much broader impact, namely the reform of the Product Liability Directive 85/374/EEC.[2] The significance of this second proposal can hardly be overestimated, as it aims for a comprehensive revision of the existing framework of product liability within the EU, the first one since the enactment of the Product Liability Directive almost 40 years ago. Importantly, the reform of product liability law is not limited to artificially intelligent devices or even to digital products, but applies more generally to products of any kind and – as will be shown – even to some categories of services. With the two proposals taken together, the Commission aims for nothing less than a comprehensive overhaul of the EU’s product liability system, together with some new provisions specifically aiming at digital systems.

The Commission’s decision to reform product liability as part of the EU digital strategy comes as a surprise. Last year, the EU Parliament issued its own proposal of a regulation covering AI liability.[3] The Parliament’s proposal targeted the operator, rather than the producer, of AI systems, imposing strict liability on the person in control of its operation.[4] The European Commission has now abandoned the Parliament’s approach entirely and focused on the liability of the producer rather than that of the operator. The focus on the producers of AI systems rather than on their users is the central policy decision underlying both proposals, the one of a revised Product Liability Directive and of a newly created AI Liability Directive. As will become clear, this policy choice deserves strong support.[5] The technological developments that we observe today call for a tightening of liability rules for manufacturers, not for a shift of liability towards the users or operators of AI systems.

II The new phenomenon: autonomous digital systems

What distinguishes artificially intelligent systems from conventional products?[6] The central feature is that digital devices operate under the control of a computer programme (software). Autonomous digital systems make their own ‘decisions’ in real time, in the factual circumstances then present, rather than executing a deterministic script written earlier, before the system was put into circulation.[7] Instead of rigidly programmed algorithms operating within an ‘if... then...’ structure, self-learning systems process a vast array of inputs in order to arrive at an output that fits the current situation and is not ‘pre-programmed’. The exact technical means by which digital autonomy in the sense just described is accomplished is rather unimportant from a legal point of view. Whether the system may be classified as ‘artificially intelligent’ or ‘capable of self-learning’ is of no import whatsoever. All that counts is that the system is not under the control of a pre-programmed, deterministic computer programme but rather ‘on its own’.

With artificially intelligent – or better: autonomous digital systems – a new actor enters the world of liability law. For the first time, artefacts are capable of making their own decisions. The standard of care applied by an autonomous digital system in a particular situation is determined by the system itself, leaving its user with hardly any influence on its ‘behaviour’. Only the manufacturer retains considerable influence as he programmed the system in this particular way before it was set free, and usually continues to exercise some degree of further control over it via software-updates and -upgrades.[8]

III Technological neutrality of liability systems

When considering the reform of liability systems with regard to autonomous digital systems, it is important to choose the right point of origin. It is crucial to realise that the relevant actors, ie manufacturers and users of autonomous digital systems, are already subject to whatever liability systems are in place. Typically, liability rules are technology-neutral.[9] They apply to horse-drawn coaches and steam engines as well as to ships, motor vehicles and machinery of any kind. Within the European legal systems, liability in negligence and fault-based liability more generally provide the backbone of the law of torts or delict. Importantly, liability for fault is applicable across the board to any human activity, regardless of whether the wrongful act is a movement of the human body, the use of a solid tool or weapon, the production and operation of conventional machinery, or the manufacture and operation of an autonomous digital system. Thus, manufacturers and users of autonomous digital technology remain liable in damages for harm negligently caused to third parties.

In modern liability systems, responsibility for fault is supplemented by categories of strict liability.[10] In the area of strict liability, the European legal systems diverge rather enormously. While French law, famously, operates something like a general clause of strict liability that applies to any object, ie thing,[11] German law offers several specific provisions each of which impose strict liability for some well-defined source of danger, mostly, but not exclusively, of a technical nature, such as motor cars, airplanes and major installations that impact the environment.[12] For systems such as the French, it is evident that digital systems of a corporeal nature do qualify as things for purposes of strict liability. Systems such as the German one will apply the categories of strict liability regardless of whether the particular source of danger is operated by a human being or by an ‘intelligent’ software programme. Autonomous cars are an important example. In both France and Germany, the keepers of motor vehicles are subject to special statutory regimes of strict liability.[13] These regimes apply equally to conventional cars operated by human drivers and to autonomous cars under the control of a driving algorithm. In Germany, the legislator introduced special legislation in 2021, removing any doubt that autonomous cars are subject to the same rules of strict liability for road accidents as conventional vehicles.[14]

IV Basic choices for digital liability

A ePerson: the artefact as a liability subject?

Autonomous digital systems are capable of making decisions on their own. In that sense, they qualify as a new actor in the arena. Once, the world was divided between legal subjects (persons) and legal objects (things), but now there is a third category: things that act like persons. One obvious reaction to the emergence of a new actor is to promote it to the status of a legal person or entity, if only for purposes of liability. Precisely this option was put forward by the European Parliament in an earlier resolution dating back to 2017.[15] The idea of an ePerson for the sole purpose of attributing liability is somewhat fascinating, but for the time being it belongs to the realm of science fiction.[16] The creation of a new liability subject can be seriously considered only if it is equipped with the necessary financial resources to ensure the satisfaction of damages claims directed against the system. Without funds, the ePerson would lead to an unlimited externalisation of risk to the benefit of parties protected against liability by the new entity, ie manufacturers and operators. This can hardly be a serious option.

It is certainly possible to ensure that the funds necessary for the payment of damages claims brought against the entity are made available. The means to achieve such end are the familiar ones, such as minimum capital requirements, known from corporate law, or insurance mandates, which are familiar from the law of motor liability. Both options raise problems of financing, as the entities which are liable to raise the minimum capital of the ePerson or pay the premiums for the mandatory liability insurance must be identified. Of course, manufacturers and operators are the usual suspects to shoulder such liabilities. In the end, then, the ePerson would serve as a mere conduit for processing the costs of accidents from the victim to the parties bearing ultimate responsibility, ie manufacturers and operators. At the current stage of technological development, such conduit would do more harm than good, simply because it would enable manufacturers and operators to partially externalise harm: any damage that exceeds the minimum capital fund or the insurance ceiling will remain with the victim.

In order to avoid the externalisation of risk to the detriment of injured parties, the creation of a new liability subject in the form of an ePerson should be avoided. If there is a good reason to limit the responsibility of manufacturers and operators, it is preferable to directly introduce liability caps, rather than trying to achieve the same result indirectly, by means of an ePerson.

B The manufacturer as the key player

If ePersons are excluded as liability subjects, manufacturers and users remain as potential addressees of liability rules for harm caused by digital autonomous systems. Theoretically, it is possible to target both actors, ie to tighten the liability of the producer as well as that of the user. However, a targeted approach that is tailored to the specific challenge posed by autonomous digital systems seems more attractive. The core of the challenge posed by the new technology is that the user loses most of his influence on the ‘behaviour’ of the digital system.[17] In a conventional motor vehicle, speed and direction are determined by the driver, while the ‘driver’ of an autonomous vehicle is relegated to the role of a passenger, as he has no influence on speed and direction of the (truly) ‘automobile’. In the same way that passengers riding on a bus should not be held liable for accidents caused by the bus, users of autonomous cars should not bear the costs of accidents caused by these vehicles. The manufacturer of autonomous motor vehicles, in turn, must ensure that the passenger, who was once the driver, cannot exert any influence on the system’s operation. Anything else would be far too dangerous!

Against this background, it is necessary to target the party that still exercises some control over the digital system. If one disregards the artefact itself, this is the manufacturer.[18] The manufacturer is the entity that can ensure the required safety of the system and, even more importantly, continuously improve its safety level over time. Liability rules must generate the economic incentives that are needed to make the manufacturer meet his responsibilities regarding product safety. This is the premise which should inform the evaluation of proposals for reforming liability rules for digital systems.

V Parliament v Commission – operator v producer liability

As already mentioned, the Proposal of the European Parliament dating back to 2020 focused on operator liability.[19] For operators of so-called high-risk AI systems, defined to include autonomous vehicles, strict liability was considered. The basic idea was to expand a modified version of the liability system established for motor vehicles in German law to all digital high-risk AI systems. To this end, the Proposal introduced the concepts of frontend and backend operators (art 3 lit e), f) of the Parliamentary Draft).[20] The frontend operator was defined as the person who exercised control over the system and internalised the benefits from its operation, whereas the backend operator would have been more or less identical to the manufacturer of the AI system, provided that the manufacturer continued to supply data and additional digital services after the product was placed on the market. Therefore, with regard to liability of the manufacturer, everything came down to the relation between the draft of the European Parliament and the Product Liability Directive 85/374/EEC. Pursuant to art 3 lit d), art 11 Sentence 3 of the parliamentary draft, with a view to the backend operator, the Product Liability Directive was intended to take priority over the new regulation. Whether this meant that the Product Liability Directive excluded claims against manufacturers under the proposed regulation[21] or that the Product Liability Directive was merely the first to be applied[22] remained controversial.

In contrast to the European Parliament, the European Commission, in its own approach, focuses on the manufacturer of the autonomous digital system in question, instead of following the Parliament’s emphasis on operator liability. With a view to manufacturers, a harmonised set of rules already exists in the European Union, namely the Product Liability Directive. In this way, the adaptation of the product liability regime to current challenges becomes the central task – and this is precisely what the proposal for a thorough revision of the Product Liability Directive aims for.

In addition to the revision of the Product Liability Directive, the Commission proposes a second legal instrument on AI liability. This second directive has no predecessor. Unlike the Proposal for a new Product Liability Directive, its exclusive focus is on AI systems, ie it would not be applicable to conventional products. However, the proposed AI Liability Directive settles with a few provisions only, and those are confined to the law of evidence. The central pillars of liability systems, namely the categories of liability and the rules on quantum, must be provided by national law. In this regard, the AI Liability Directive merely defines its points of reference within the national law. It refers to fault-based, non-contractual liability, and to nothing else.

The provisions of the AI Liability Directive themselves remain rudimentary in another sense, as they are deeply interwoven with the provisions and definitions of the proposal for the AI Regulation, the so-called Artificial Intelligence Act.[23] The AI Regulation addresses the safety aspects of digital systems. It establishes duties of care primarily for so-called providers of AI systems, and only in the second instance for the users of such systems. The ‘provider’ in the sense of the AI Regulation is identical to the ‘manufacturer’ of the Product Liability Directive. As the Proposal for an AI Liability Directive refers to the definitions of the AI Regulation, its scope of application is restricted accordingly. In plain language: the Proposal for an AI Liability Directive also primarily targets the manufacturers of such systems. This conclusion raises the question as to the justification and function of this second Proposal: if it essentially targets the same parties as the Proposal of a revised Product Liability Directive, what is its purpose and what is it good for?

Irrespective of the justification of the double-layered approach just described, the European Commission’s rejection of the Parliament’s proposal to zoom in on strict operator liability must be welcomed emphatically and without reservations. In view of the dwindling influence and control that users have on digital systems, the tightening of liability rules for this group of actors is simply counterproductive. Those who cannot avoid the causation of harm by increasing precautions should not be subject to strict liability in damages. As a user of the digital system, the operator is not in a position to determine its behaviour. While he can avoid liability by lowering the level of activity, for example using his autonomous vehicle less, this parameter can also be addressed through means other than liability. The manufacturer has the ability – and, with the help of an adequate liability system, also the incentive – to calibrate the price of the digital system to match the intensity of use.[24] This is already standard practice in the insurance industry, ie with respect to the pricing of liability insurance policies for motor cars. Setting the sails in favour of producer liability does not in any way mean that users are exempt from liability, as they remain, of course, subject to (technology-neutral) liability for fault as well as, depending on which AI system they operate, to categories of strict liability.[25] Tightening the liability of operators through imposition of strict liability for AI systems does not make sense at all. If the liability system is designed with a view to deterrence, ie the prevention of harm, nothing argues in favour of operator liability. Rather, the liability of manufacturers comes into view. In essence, this is the normative basis of the proposals submitted by the European Commission. One can but hope that the approach of the European Parliament will remain buried throughout the legislative process.[26]

VI The Proposal for a new Product Liability Directive

A Overview

The proposal on product liability aims for a complete overhaul of the existing Product Liability Directive 85/374/EEC with the goal to ‘make it ready’ for digital products. However, the reform proposal includes several other changes that are not particularly motivated by digitalisation, such as the abolition of the Member States’ option to cap liability at ECU 70 million (art 16 (1) PLD). Important elements of the proposed directive are the expansion of its scope of application to include software of all kinds as well as data and digital services, the inclusion of data into its scope of protection and the extension of liability to defects caused by the manufacturer after placing the product on the market, in particular through software updates and upgrades. Furthermore, the proposal expands the range of liable parties to include platforms and other intermediaries of electronic commerce, and alleviates the burden of proof for the injured party by granting rights of access to information and by imposing presumptions of defect and causation. Importantly, these provisions would not only apply to digital products, but regardless of the technological nature of the product. The new directive is designed to cover products of any kind. For this reason, the Proposal on a revision of the Product Liability Directive is so important.

B Extended definition of product

1 Point of departure

A central element of the proposal on product liability is the adaptation of the definition of product to the digital world. Currently, art 2 of Directive 85/374/EEC in its German language version defines products by reference to the concept of a movable thing (bewegliche Sache).[27] Accordingly, products are movable things. The German Civil Code understands things as ‘corporeal objects’ (§ 90 BGB). Thus, non-corporeal assets can never be a ‘thing’. In contrast, the English language version, which uses the term ‘movable’, is more welcoming to cover incorporeal objects, too.[28] The fact that the current Directive explicitly mentions electricity, in addition to movables, does not make things easier, as this not only supports reasoning by analogy – incorporeal objects other than electricity may also qualify as products – but also the opposite conclusion that incorporeal objects other than electricity remain outside the scope of art 2.[29] In its judgment in the Krone case, the Court of Justice of the European Union (CJEU) excluded the information contained in a newspaper article from the scope of the Product Liability Directive,[30] increasing once again the burden of persuasion for the inclusion of software. The Krone judgment effectively forecloses the strategy to justify the inclusion of software into the scope of art 2 with a view to the corporeal nature of the storage device for such software. A DVD, that is, must not be classified as a defective product simply because the software stored on it contains bugs. More precisely, the corporeal nature of the storage device does not carry over to the intangible nature of the information stored on it.

2 Inclusion of software

The doubts as to the application of the Product Liability Directive to software can be resolved if software is explicitly included into its scope, in the same way that electricity is today. This is precisely what art 4(1) of the Proposal on Product Liability does, as it mentions software alongside electricity. Even more, art 4 (2) of the proposal also mentions digital manufacturing files, ie digital templates and versions of movable property, which aims to clarify that files for 3D printing are also covered.[31] This would not have been necessary, as such files undoubtedly qualify as ‘software’. The classification of software as a product for purposes of product liability has less practical significance for end manufacturers such as assemblers who place hardware-software combinations on the market, for example vehicles with autonomous driving functions or even with ‘simple’ engine control software or smartphones and laptops with integrated software. There has been widespread agreement that the end manufacturer is liable for defects in such ‘embedded software’.[32] This remains good law even after the CJEU’s Krone decision as, in the case of embedded software, the associated hardware, which undoubtedly qualifies as a product, is defective, too. Anyway, the explicit inclusion of software would dispel any doubts in this regard. In addition to confirming the responsibility of end manufacturers, the proposed directive would pave the way for the liability of software programmers as manufacturers of component parts (art 7(1), second subparagraph).

It is the intention of the Commission to shield open access software from product liability. Only the software that is placed on the market shall qualify as a ‘product’, while the source code on which it is based shall be ignored. According to this distinction, authors of open-source software should be exempt from liability under the proposed directive.[33] This can be justified by the consideration that the incentives to contribute to open software projects should not be weakened as a consequence of new risks of liability. Nevertheless, it is doubtful whether and to what extent the liability privilege, which is only mentioned in the recitals, actually works. After all, open-source software is often distributed ‘like a product’, ie in return for a price and in a package together with services. In such cases, the liability of the provider who puts the package on the market as manufacturer is unquestionable.[34] Furthermore, also the programmer himself would be liable, as a component manufacturer, for defects of the respective open-source module. Therefore, in order to achieve the desired liability shield, an explicit exception should be included into the final text of the proposed directive. However, one should always keep in mind that any exception to the scope of the directive will be taken up by national tort law.

3 Digital services

Another extension of the scope of the directive is achieved by the inclusion of digital services via art 4 (4) and (3) of the proposal. Importantly for digital devices, the concept of digital service includes the provision of data.[35] The crucial element is whether a digital service qualifies as a ‘related service’ for the purposes of art 4 (3). The concept of related service is explained in art 4 (4), to the effect that the service needs to be integrated into, or inter-connected with, a product by, or under the control of, the manufacturer. Where these requirements are met, the service qualifies as a ‘component’ of the end product. As a consequence, both the end manufacturer and the service provider as component manufacturer are liable under the product liability regime for defects of the connected service (art 7(1), second subparagraph).[36] In this way, after many efforts to supplement the existing Product Liability Directive by a directive on the liability of suppliers of services,[37] the Commission would finally accomplish a partial harmonisation of liability for services via the product liability regime. However, the inclusion of services remains limited to such digital services whose absence would prevent the product from performing one or more of its functions and which are under the control of the manufacturer. A further inclusion of related digital services tout court would go too far: it makes sense to hold the manufacturer of a navigation system liable for errors in the cloud-based map material, or the continuing provision of traffic data,[38] but the manufacturer of a smartphone should not be liable for the content of apps installed by the user. Imagine a ‘digitised’ version of the Krone case: if the incorrect treatment advice had been published in an electronic newspaper,[39] the publisher would be liable for this under general tort law, but not the manufacturer of the smartphone under the Product Liability Directive.

4 Appraisal

The Commission’s proposals to extend the concept of product to software, including 3D printing programmes, and product-related digital services, deserve support. Together, these changes ensure the necessary adaptation of product liability law to the digital age. The same results could also be achieved by means of an extensive interpretation of art 2 of the existing Directive,[40] but such a process would require more time and necessarily involve a period of uncertainty. The disadvantage of the legislative solution is that evolution through the judiciary would be a ‘discovery process’, progressing in an iterative manner, while changes by legislative fiat risk going too far. The expansion of the concept of product to software of any kind is a pertinent example. It might be preferable to begin with standard software, which is distributed ‘like a product’, while excluding bespoke software produced under contracts for work according to specifications supplied by the obligee. The latter could for now continue to be addressed and treated as a service.[41]

When thinking about the distinction between products and services, it should be borne in mind that, according to the case law of the CJEU, the Product Liability Directive also applies where a product is being used for the supply of services rendered within the firm of the manufacturer, such as where a medical solution produced by the hospital pharmacy is used for a medical treatment.[42] Under this case law, providers who store data for others and analyse it on behalf of their customers using their own software tools would be subject to the product liability regime. In that sense, the Product Liability Directive could ‘invade’ the service sector. Again, the restriction of product liability to standard software would mitigate this effect and may therefore offer a more balanced solution.

C Extended concept of defect – narrowed exemptions

Liability under the European product liability system is composed of three elements: defect of the product, damage to or infringement of legal interests and causation between defectiveness and infringement. As the defectiveness test is decisive for whether or not the manufacturer must pay for damage caused by his product, it is the bottleneck of liability for products.

1 Concepts and benchmarks of defectiveness

The concept of product defect has caused ongoing dispute in the European as well as the international debate as divergent theories collide.[43] The two main competitors are the so-called consumer expectations test, which focuses on consumers’ safety expectations, and the risk/utility test, according to which, a cost/benefit-analysis must be applied.[44] Until now, the language employed by art 6 of Directive 85/374/EEC suggests an interpretation in the sense of the consumer expectations test because of the reference to ‘the safety a person is entitled to expect’, but remains open to a cost/benefit assessment. The new version of the directive mentions the safety expectations of the ‘public at large’ to determine defectiveness, seemingly leaning even further towards the consumer expectations test. In fact, the new terminology cannot be read as a decision against a cost/benefit-analysis. On the contrary, the recitals emphasise that an objective analysis is to be carried out, whereas individual safety expectations of product users shall not be decisive.[45] Such objective analysis cannot consist in conducting a survey and asking citizens what their safety expectations are with regard to individual products. Most people simply expect ‘safety’ and have never thought about its exact level, the costs of ensuring such safety level, and the effects of added cost on price. Since absolute safety, ie the avoidance of any loss, is neither possible nor affordable, there is no way around a cost/benefit-calculation. Here, the costs of possible safety measures in the form of an alternative product design need to be compared with the benefits in the form of a reduction in the costs of harm. To the extent that risks cannot be avoided by reasonable precautions, the benefits of the product must be weighed against the sum of manufacturing costs and costs of harm.

Against this background, art 6(1) of the proposed directive extends the criteria for the assessment of defectiveness set out in the current art 6 of Directive 85/374/EEC in order to adapt them to the requirements of digital products and to the specific marketing practices that have emerged in the digital era. In this vein, art 6(1)(c) of the proposed directive specifies that the ability of the product to continue to learn after deployment and the effects on the product of other products it can reasonably be expected to be used together with (art 6(1)(d)) must be taken into account when assessing defectiveness. In fact, the interaction between the product and accessories was relevant for a finding of defectiveness even under the existing law, so that a motorcycle manufacturer, for example, was held liable for an accident caused by a fairing that had been added by the user.[46] However, the explicit language in the proposal helps to clarify. The same is true for art 6(1)(f), which extends the requirements of defectiveness to cybersecurity, so that a digital product is defective if it does not provide the necessary security against hacker attacks.[47]

2 Dynamic concept of product defect

Digital products also call for a modification of the point in time that is decisive for the assessment of defectiveness. According to art 6(1)(c) Directive 85/374/EEC, the defect must be established at the time when the product was placed on the market. The crucial moment for the placing on the market is when the product has left the manufacturing sphere and is placed into the chain of distribution.[48] Unlike conventional products, digital products remain accessible for manufacturers even after they have been placed on the market. In particular, it is possible and common practice to subsequently modify software contained in a product by means of updates or upgrades, be it as part of inspections in the workshop or ‘over the air’. If safety-relevant properties of the product are changed ‘in the field’ by the manufacturer, it is inappropriate to base the assessment of the original product’s defectiveness on the product features present when it was first placed on the market.[49] Article 6(1)(c) Directive 85/374/EEC can be interpreted accordingly,[50] but the proposed directive removes any doubts to this effect. Article 6(1)(e) explicitly refers to the ‘moment in time when the product left the control of the manufacturer’ as the relevant time for the finding of defect. However, this shift to a point in time after the product was placed on the market should only apply to the security features of the last update or upgrade itself, but not to the whole product. The unchanged hardware must continue to be measured against the standard that was relevant when it was placed on the market. This is confirmed by art 10(2)(b), which withholds the exoneration of the manufacturer under art 10(1)(c) with regard to the faultlessness of the product at the time it was placed on the market only if the defect is due to software updates or upgrades.

The same applies to related services; here, pursuant to art 10(2)(a) of the proposed directive, no exemption is available if the defect in the product is due to a related service which was rendered after the product was placed on the market, provided that the service was under the control of the manufacturer. This provision does not target the provider of the digital service itself as, under art 6(1) of the proposal, the service provider is liable as a component manufacturer for defects in his service that exist at the time the service is placed on the market anyway. Rather, art 10(2)(a) is concerned with the liability of the end manufacturer who places a digital product on the market into which digital services are subsequently integrated or to which digital services are linked with his consent (art 4(5)).[51] The end manufacturer is therefore unable to exonerate himself if the product was free of defects at the time it was placed on the market, but became defective as a consequence of its subsequent exposure to digital services.

3 An obligation to update

The question whether and under which circumstances manufacturers, or other persons liable under the proposed directive, are obliged to provide updates or upgrades for products that are already in the field is a crucial point for the safety of digital products.

Within the realm of contract law, arts 7(d) and 8(2) Directive 2019/770 on certain aspects concerning contracts for the supply of digital content already established the obligation of the seller or other trader to provide ‘updates’.[52] The existence of this duty in contract law has led some legal scholars to argue for an exclusion of similar duties under tort law.[53] This view overlooks the fact that Directive 2019/770 exclusively targets the seller or trader as a contracting partner and not the manufacturer of the product as a third party to the contract.[54] In addition, in those Member States that do not base their law of obligations on the principle of ‘non cumul’, the reverse principle of cumulation allows parallel claims under both contract and tort law.[55] Moreover, the Digital Content Directive explicitly states that it shall not affect the duty to provide security updates.[56] Finally, product liability in tort applies only to safety features of the respective product for purposes of safeguarding the protected interests of others, whereas defects in quality remain the exclusive domain of contract law. For this reason alone, the obligation to update and upgrade under Directive 2019/770 cannot foreclose the application of product liability as part of tort law.

Under current European product liability law, the manufacturer’s responsibility for defects is limited to the period before the product is placed on the market: Directive 85/374/EEC does not recognise liability for the breach of product monitoring obligations post market.[57] This would change under the new version of the directive. Article 6(1)(e) of the proposal includes updates and upgrades installed after the product was placed on the market into the subject matter relevant to the assessment of defectiveness. Furthermore, art 10(2)(c) of the proposed directive establishes a tort duty to improve the safety of the product post market with the help of software updates or upgrades, provided that they are necessary to maintain safety. This provision removes the exemption from liability granted by art 10(1)(c), according to which, the manufacturer may exonerate himself if he proves that the product defect did not exist at the time when the original product was placed on the market. Article 10(2)(c) of the proposed directive suspends this exoneration if ‘the lack of software updates or upgrades necessary to maintain safety’ led to the defectiveness of the product. In other words: there is a product liability-based duty upon the manufacturer to continuously update and upgrade the software of his products even after they were put into circulation. The duration of such duty remains an open question.

D Scope of protection

Pursuant to art 9 of the current Product Liability Directive, the scope of protection is limited to the classic interests protected by tort law, namely the right to life, bodily integrity, health and property. According to art 9 lit b) Directive 85/374/EEC, certain restrictions apply to property damage. In this area, the scope of protection excludes damage to, or destruction of, the product itself by one of its components under the so-called complex structure theory as well as property used predominantly for commercial purposes. In addition, with a view to property damage, Member States may opt into a deductible of ECU 500 (art 16(1)).

1 Personal injury and property damage

Article 4(6) of the proposed new directive holds on to the basic policy underlying the scope of protection of current law but makes some changes in detail that aim to straighten it out. With a view to personal injury, art 4(6)(a) makes it clear that psychological harm, provided that it is medically recognised, is equal to physical harm, as was already accepted before.[58]

With a view to property damage, the proposal abolishes the Member States’ option for the ECU 500 deductible, which is most welcome. The current regime compels a switch to product liability under national law only to recover the equivalent of an additional ECU 500.[59]

The exclusion of property used for commercial purposes is narrowed somewhat as it shall no longer apply if the asset in question was not used ‘mainly’ for private use and consumption but only where it was used exclusively for professional purposes (art 4(6)(b)(iii) Proposal on Product Liability). With the latter expansion, the Commission aims to include immovable property used for both commercial and private (residential) purposes, provided that it was damaged by defective movables, including ‘smart’ digital temperature controllers or other ‘smart home’ appliances.[60] If such a product is defective and causes damage to, or destruction of, the building, the latter remains within the scope of protection as it is not used exclusively for professional purposes. This amendment is a step in the right direction, but it would have been even better if the proposal had abandoned the distinction between commercially and privately used property altogether. Private property should be one of the interests protected by the Product Liability Directive without exception. The idea of consumer protection, which stands behind the current limitation to property used for private purposes, was an important driving force behind the initial Directive 85/374/EEC, but product liability has long left this origin behind. From today’s perspective, product liability does not aim at the protection of consumers as the ‘weaker party’ in the face of ‘industrial mass production’.[61] Instead, it should provide incentives for manufacturers to take efficient precautions against harm and furthermore ensure the compensation of harm actually caused by products that fall short of reasonable safety standards – regardless of whether the damage is incurred by consumers or businesses, including professionals. Accordingly, the CJEU has oriented the interpretation of Directive 85/374/EEC towards the goal of fair competition on a level playing field and has rejected the proposition that the Directive only called for minimum harmonisation, an idea inspired by a policy of consumer protection.[62] The Commission should now set the keystone to this development and finally abandon the exclusion of goods used for commercial purposes from the scope of protection of product liability.

Harm to the product itself, the so-called Weiter­fresser­schäden in German law,[63] shall remain outside the definition of recoverable damage under the directive (art 4(6)(b)(i) and (ii) Proposal on Product Liability). The exclusion of harm to the product itself from the scope of protection deserves support because otherwise, as the US Supreme Court put it succinctly, contract law could ‘drown in a sea of tort’.[64] This and other arguments notwithstanding, the courts of some Member States accept damage to the product itself as compensable harm under national tort law, on the basis of the so-called complex structure theory, claiming that a composite product may be damaged by a defective component which is part of that same product.[65] Thus, the current, double-layered system of product liability, one based on European law, one developed under the general tort law of the Member States, fails to provide a coherent and uniform framework. This situation is not easy to change. One option would be to dispense with any limitation on the protection of private property in art 4(6)(b) Proposal on Product Liability. Then, the CJEU would have to decide whether harm to the product itself counts as property damage compensable under the European product liability regime. If the court expanded the scope of protection thus far, accepting damage to the product itself as compensable harm, uniformity would be achieved, but at the expense of the law of contract. The alternative would be to abandon the principle of cumulative application and exclude recovery under national law, alongside the Product Liability Directive, as is and shall remain allowed (art 13 Product Liability Directive and art 2(3)(c) Proposal on Product Liability). Making the Product Liability Directive the sole regime for recovery of product-related harm in Europe would be a bold step but, presumably, it would meet much resistance from the Member States. If such sweeping solution is not obtainable, then there is much to say in favour of the Commission’s decision to simply continue the exception for harm to the product itself in its proposal.

2 Data

Article 4(6)(c) of the proposed directive establishes loss and corruption of data as compensable damage, provided that the data are not used exclusively for professional purposes. By putting data on an equal footing with property in terms of liability for damage and destruction, the proposal takes account of the growing importance of data as a commercially valuable good. Corruption as well as destruction of digital data may cause enormous harm, weighing harder on the victim than damage to the more traditional incarnations of personal property in tangible items. Thus, the inclusion of digital data into the scope of protection is a welcome acknowledgment of the changing landscape of property in the digital era. Furthermore, it nicely balances the notion of recoverable damage with the definition of product. Just as much as data are accepted as a source of injury, they are also recognised as a source of loss. Finally, the classification of data as personal property protected under the law of product liability reflects developments that occur in the national systems of tort or delict as well.[66]

However, the inclusion of data serves to reinforce a criticism, voiced earlier, against the exclusion of objects used exclusively for professional purposes.[67] This restriction of the scope of protection of the proposed directive is particularly dysfunctional in the case of data, simply because pecuniary harm primarily occurs where commercially used data were corrupted or destroyed. The destruction of the digital files of photographs depicting spouses, relatives, or other loved ones, originating from birthdays, family celebrations or lovely holidays may be very painful for the party ‘owning’ such files but, typically, no pecuniary loss is incurred. Furthermore, under most legal systems, the destruction of property does not trigger claims for compensation of non-pecuniary loss.[68] To be sure, the inclusion of data into the scope of protection of the directive does not change this, as the proposal leaves issues of quantum and calculation of damages to the law of the Member States, where they had been before. This explicitly includes the question of pecuniary damages for non-pecuniary losses.[69] These considerations once again suggest cutting European product liability loose from its roots in the policy of consumer protection. After this has been done, commercially used data should be included in the scope of protection of the Product Liability Directive.[70]

E A parade of new defendants

1 Traditional defendants in product liability

In principle, product liability means liability of the manufacturer. The product manufacturer, ie the party placing the final product on the market, sometimes called OEM (Original Equipment Manufacturer), is liable for all defects in this final product, regardless of whether the defective component was manufactured in-house or obtained from a supplier, whether the defect is based on defective raw materials and whether the defect was caused by an unreasonable design of the overall product.[71] If the product fails to meet the required safety standard, the product manufacturer is held liable, irrespective of what caused the defect. The same applies to suppliers, but only regarding the components that they manufactured and contributed to,[72] as they do not bear overall responsibility for the final product. The so-called quasi-manufacturer, who affixes his trademark to the product without having manufactured it himself (art 3(1) of Directive 85/374/EEC), as well as the importer, who imports the product into the EU internal market or the European Economic Area (art 3(2) of Directive 85/374/EEC), are on an equal footing with the manufacturer in that they bear full responsibility for product safety. Finally, merchants and retailers are subject to product liability, but only if the manufacturer cannot be identified and is not disclosed by the trader within a reasonable time (art 3(3) of Directive 85/374/EEC).[73]

2 E-commerce intermediaries

The proposal for a new Product Liability Directive adds new defendants to the existing ones. They are recruited from the group of intermediaries that organise and conduct trade on the internet. In adding them to the group of responsible parties, their liability is not at all limited to the distribution of digital products, but rather covers conventional goods as well. In that sense, art 7 of the proposed directive looks at digitalisation from another angle than that of product nature: it takes account of digital methods of distribution.

Article 7(3) Proposal on Product Liability establishes the so-called fulfilment service provider as a liability subject and potential defendant on equal footing with importers of defective products. The role of the fulfilment service provider is new to product liability but already familiar from product safety law. It was introduced into the latter by art 3 No 11 of Regulation 2019/1020 on market surveillance and compliance of products.[74] Liability of the fulfilment service provider requires that the manufacturer of the defective product is established outside the EU and that neither the importer of the defective product nor an authorised representative of the manufacturer are established within the EU. In effect, this provision targets products manufactured outside the EU that are then offered to buyers within the European internal market directly, without the help of an importer based inside the EU. If, for example, the seller is domiciled in Shenzhen, China, and offers products through a digital platform based in Hong Kong, the only responsible party art 3 of the current Directive can offer is the manufacturer. This means that the victim has to seek out the manufacturer and his address in order to sue him. Article 7(3) was designed to change this by holding the fulfilment service provider responsible. Article 4(14) of the proposed directive defines the role of fulfilment service provider as any natural or legal person which offers, in the course of commercial activity, at least two of the following services: warehousing, packaging, addressing or dispatching of products belonging to others. Postal, parcel delivery and freight transport services remain excluded. It is not entirely clear whether fulfilment services must necessarily be carried out within the internal market and whether the fulfilment service provider must have its registered office or an establishment within the EU. The requirement of a seat within the EU is not spelled out explicitly, but implicitly, as it seems. To require a close connection to the internal market would be in line with the logic of putting the fulfilment service provider on an equal footing with an EU importer, who must be established in the Union as a matter of course (art 4(13) of the Proposal).[75]

The Proposal’s policy of placing fulfilment service providers on an equal footing with importers also implies that the liability of fulfilment service providers takes priority over the responsibility of distributors, which remain subject to subsidiary liability only.[76] To put it the other way around: the distributor is held liable only if the manufacturer cannot be identified or is established outside the Union, and neither an authorised representative of the manufacturer nor an importer nor a fulfilment service provider are involved and domiciled within the Union (art 7(5) of the proposed directive).

Finally, art 7(6) of the proposed directive establishes the same liability as that of distributors, ie merchants and retailers, for ‘any provider of an online platform that allows consumers to conclude distance contracts with traders and that is not a manufacturer, importer or distributor’ and in doing so creates the impression that he himself – the operator of the platform – is the contracting party. This provision transposes a solution that was much-debated within contract law[77] to the field of non-contractual liability. The application of art 7(6) of the proposed directive, however, is not dependent on contract law, but on the standard of art 6(3) of Regulation (EU) 2022/2065[78] (Digital Services Act, DSA).[79] Thus, if a trading platform fulfils the requirements set out in art 6(3) DSA, the company behind it is itself liable on the basis of the Proposal on Product Liability for personal injury and property damage caused by a defective product distributed via the platform. This is so even though the platform did not manufacture the product nor import it nor distribute it in its own name. The only thing it did was to mediate contracts between third party sellers and buyers. But still, if the platform has ‘led an average consumer to believe that the information, or the product or service that is the object of the transaction, is provided either by the online platform itself or by a recipient of the service who is acting under its authority or control’ (art 6(3) DSA), it must stand by its behaviour and accept liability as a distributor. While this has been criticised for not going far enough,[80] it corresponds to the fact that the sales platform surely does not convey the impression of being a product manufacturer. Thus, liability of the platform equal to that of a distributor seems adequate. Moreover, the Proposal’s liability concept is in line with art 14a Directive 2006/112/EC on the common system of value added tax that qualifies operators of online platforms facilitating distance sales of goods from third countries as a taxable person under certain circumstances.[81]

3 Tinkerers and manipulators

After a product has been placed on the market and distributed, it is in the hands of the users. They have the factual power to modify the product, even against the will of the manufacturer. This power also applies to the safety features of a product, and it affects traditional products just as well as digital ones. To the extent that the intervention of a third party impairs the safety features of a product, the responsibility of the manufacturer is called into question. In line with current law (art 7 lit b) Directive 85/374/EEC), art 10(1)(c) Proposal on Product Liability excludes the responsibility of the manufacturer if the defect did not exist when the product was placed on the market.

But what about the liability of the intervener? Even today, liability for modifications of safety features of a product after it was placed on the market can be established under Directive 85/374/EEC.[82] Article (4) of the proposed revision now stipulates that a person who modifies a product after it has been placed on the market attracts liability just like a manufacturer if the modification is substantial and is undertaken outside the control of the original manufacturer. Thus, any modification that was not authorised by the manufacturer (art 4(5) of the proposed directive) may give rise to liability of the modifier. This is a harsh consequence indeed for those who ‘tinker’ with a product after it has been placed on the market, particularly as the attribution of liability explicitly includes natural persons. At least, art 10(1)(g) allows for an exoneration where it can be established that the defect that caused the harm relates to a part of the product that was not affected by the modification. One must conclude a fortiori that the tinkerer is also safe from liability if the product feature he added and that caused the harm cannot be classified as defective.

Article 7(4) of the proposed directive is not limited to software and other digital products, but applies equally to conventional goods. However, it may gain particular weight in the digital arena where it is rather common for users to make changes to a computer programme or to supplement it in one way or another. The requirement of art 7(4), ie that the modification be substantial, must be taken seriously in order to avoid exposing large numbers of users to product liability as manufacturers.

F Evidence

1 Overview

Under art 4 of Directive 85/374/EEC, the burden of proof for the three central elements of liability, ie product defect, harm incurred, and causation, lies with the claimant. Article 9(1) of the Proposal on Product Liability confirms this basic principle, but eases the burden of proof that rests with the victim in several ways. The proposed directive requires the defendant to disclose evidence, grants a presumption of defect in case of non-disclosure, and also supplies presumptions of causation.

2 Access to evidence

The right to disclosure of evidence as enshrined in art 8 of the proposed directive follows the model of art 6 of the Enforcement Directive 2004/48/EC.[83] The injured party is entitled to seek a court order to the effect that the defendant must disclose relevant evidence that is at his disposal. The right to such order lies where the injured party presents facts and evidence sufficient to support the plausibility of the claim (art 8(1)). The scope of required disclosure is limited to what is necessary and proportionate (art 8(2)). Proportionality requires the national courts to balance the interest of the plaintiff in disclosure against any interests in confidentiality that the defendant or third parties may have (art 8(3)). Where such interests deserve protection, the courts are authorised to order specific protective measures, other than simply denying or curtailing the right to disclosure (art 8(4)). In particular, so-called in-camera procedures are a valid option. In-camera proceedings aim to preserve the confidentiality of sensitive information by limiting its disclosure to the judges involved as well as experts or lawyers for the other side, working under a legal duty to keep information confidential.[84] The sacrifice is that the opposing party itself does not gain access to the information so disclosed.

These provisions establish an adequate balance between the conflicting interests in disclosure and in confidentiality. Access to evidence is important in all areas of product liability, but particularly so with regard to digital devices, as, typically, there is no way for the injured party to access and analyse the computer programme that was involved in the accident.[85] Concerns about art 8 of the proposed directive bringing US-style pre-trial discovery to Europe are unfounded.[86] Also, a more detailed structure to guide the balancing of interests required by art 8 of the proposed directive does not seem necessary.

3 Presumption of defectiveness

If the defendant fails to comply with his disclosure obligations pursuant to art 8(1), this triggers a presumption of defectiveness (art 9(2)(a) of the proposed directive). The same presumption that the product is defective applies in two situations, namely, (1) if the injured party establishes that the product does not comply with mandatory safety requirements of European or national law intended to protect against the type of harm that has in fact occurred (art 9(2)(b)) or (2) that the harm was caused by an obvious malfunction of the product during normal use or under ordinary circumstances (art 9(1)(c)). Where harm was caused by a digital product, the latter presumption is likely to be particularly important as it targets ‘digital manufacturing defects’ where the product ‘behaves’ differently than the control software ‘actually’ intended.

4 Presumption of causation

The draft directive also provides two presumptions of causation. One is of conventional character, whereas the second bears disruptive potential and will likely cause some controversy. The conventional one, art 9(3) Proposal on Product Liability, establishes that the causal link between product defect and damage – meaning harm to protected interests as defined in art 4(6) – shall be presumed if ‘the damage caused is of a kind typically consistent with the defect in question’. This language must be read as a paraphrase of the established prerequisites of prima facie evidence (res ipsa loquitur).[87]

The provision bearing some disruptive potential is art 9(4) of the proposed directive, which is tailored to situations of technical or scientific complexity, which makes it excessively difficult for the plaintiff to prove the elements of a claim for damages. In this situation, the court must presume the product’s defect or the causal link between defect and harm, or even both elements, provided that the product contributed to the damage and it is likely that the product was defective and/or that its defectiveness is a likely cause of the damage. It is not at all apparent what ‘contributed’ could mean, other than a causal link. But if the plaintiff demonstrates such a contribution, causation is established and there is nothing left to presume. Therefore, in order to make sense of art 9(4) of the proposed directive, it must be understood as a relaxation of the standard of proof. Pursuant to this interpretation, the requirement that product defect or the causal link between defect and harm must be likely shall be read to mean ‘more likely than not’. Whether this interpretation would prevail should art 9(4) become law remains an open question.

In any case, there seems to be no need to explicitly preserve the defendant’s right to ‘contest’ the likelihood and the other requirements of art 9(4) as stated in subparagraph two of this provision, as this goes without saying. Mentioning the right to contest only adds confusion. It would be much better if the proposal did not speak of a presumption that does not exist, but simply and openly establish a relaxation of the standard of proof.

Furthermore, it is questionable whether the presumptions of art 9(4) of the proposed directive are necessary at all. It is submitted that the situations where a presumption of defectiveness seems warranted are adequately covered by art 9(2). Against the background of the far-reaching presumptions of defectiveness in art 9(2) of the proposed directive, no further presumption is necessary, not even for complex cases.

With a view to the presumption of causation, art 9(3) of the proposed directive does most of the work: if the product is defective and the harm incurred is typical for the defect in question, then a causal link can be established. Further easing of the burden of the proof of causation where the conditions of art 9(3) are not met may go too far. The same reasoning applies to the combination of a presumption of defectiveness and another presumption of causation, also covered by art 9(4). If a product has neither shown a malfunction nor violated legal provisions and the manufacturer has disclosed all information, but a defect could still not be established, on what grounds, then, could it still be assumed that a defect is established and that it is the ‘likely’ cause of the damage, as required by art 9(4)(b)? The answer may be that there are no such reasons. If so, art 9(4) should be dispensed with.

G Quantum and caps

With regard to the quantum, ie the categories of compensable harm and assessment of damages, the draft directive continues to refer to national law. Article 5(2) of the draft directive adds the clarification that persons that succeed or are subrogated to the right of the injured party and persons acting on behalf of injured persons in accordance with Union or national law may also rely on the new Product Liability Directive. Qualified entities within the meaning of art 4 Directive 2020/1828 on collective actions may thus sue under the new product liability regime.

The proposal no longer includes an option for the Member States to limit the liability of the producer to ECU 75 million, as the current Directive 85/374/EEC does in its art 16(1).[88] Caps on liability are part of the tradition of strict liability in Germany, even though there are not many good reasons to support this policy.[89] In particular, it is not convincing to argue that unlimited liability is not insurable. While it is certainly true that liability insurance policies usually contain a ceiling, liability in damages may well be unlimited, as the general fault-based liability of the law of tort or delict is as a matter of course. Apart from this, product liability does not really qualify as a form of strict liability, as the requirement of product defect is just another way of saying that the manufacturer or other entity must have breached the duty of care that is known from the law of negligence. Therefore, European product liability is not really a case of strict liability.[90] For these reasons, eliminating the cap on damages seems consistent and worthy of support. In legal practice, the cap never played a role anyway.

H Appraisal

The proposal for the reform of the Product Liability Directive is an impressive achievement, worthy of full support. It adapts the traditional system of product liability to the digital age thoroughly and convincingly. In addition, the proposal takes the opportunity to shake off atavisms such as the cap on damages. The Commission should feel encouraged to do the same with the Product Liability Directive’s roots in the policy of consumer protection. After all these years, the time is ripe to sever these ties and to set product liability free for what it really is: a special branch of the law of torts specifying the duty of care incumbent upon manufacturers of products. Thus, there is no need and no justification to discriminate between property used for private and other property used for professional purposes. Regardless of purpose, any property should be protected under the new directive. Otherwise, product liability under national tort law will be ready to fill the gap and continue to compete against the system of European product liability.

VII The AI Liability Directive

A Purpose and content

The positive assessment of the Commission’s proposal on the reform of the Product Liability Directive increases the pressure on the second legislative proposal, calling for an AI Liability Directive. If the new Product Liability Directive is intended to supply the framework for AI liability, why should there be a need for another piece of legislation? This question cannot be answered easily, especially since the Proposal on AI Liability is complex and its effects are difficult to assess. On the one hand, the complexity stems from the decision to base the AI Liability Directive on the Proposal for an AI Regulation, which is meant to provide rules on product safety of AI systems. The problem is that this regulation has not entered into force as of yet but itself remains in the form of a draft. Thereby, all the uncertainties and difficulties surrounding the draft AI Regulation, including speculations about its final shape, are ‘imported’ into the proposed AI Liability Directive. In addition, the Proposal on AI Liability does not establish new heads of liability and does not define the elements of any liability rule, but has an exclusive focus on the law of evidence. Much like Arts 8 and 9 of the Proposal on Product Liability, the Proposal for an AI Liability Directive grants a right to disclose evidence and creates two presumptions, one of fault and the other of causation. The effects of these rules can only be identified and discussed after they have been incorporated into the respective national tort law.

B Scope of application

The Proposal on AI Liability determines its scope of application in art 2 by referring to the definitions of the draft of the AI Regulation. It adopts the extremely broad term ‘AI system’ set out in art 3 No 1 AI Regulation, which captures almost any software of even mild complexity and sophistication.[91] The distinction between normal AI systems and high-risk AI systems as defined in art 6 AI Regulation is carried over, with high-risk AI systems being subject to stricter regimes than normal ones.

The Proposal on AI Liability itself does not create new causes of action in tort, but instead refers to the law of the Member States in this regard. Pursuant to art 1(2), reference is made to the law of non-contractual liability, and to liability based on fault more specifically. However, according to art 1(4), Member States retain the power to go further than the AI Liability Directive requires and to facilitate the enforcement of damages claims even more than necessary under the proposed directive. Thus, it remains an option for Member States to reverse the burden of proof for certain elements of a damages claim based on delict or to broaden the scope of application for the presumption of causation (art 4) to cases of strict liability under national law. The liability shields for online service providers, which were previously found in art 12 ff of the e-Commerce Directive 2000/31/EC[92] and have now been re-established in art 4 ff DSA[93], remain unaffected (art 1(3)(c) and recital 23 Proposal on AI Liability).[94]

C Addressees

1 Providers and users

The addressees of the proposed directive are providers and users of AI systems as defined in the AI Regulation. According to art 3 (2) AI Regulation, a provider is any natural or legal person who develops an AI system or has it developed with a view to placing it on the market or putting it into service under its own name or trademark. Translated into the terminology of product liability law, provider essentially means manufacturer, as illustrated by comparison to the almost identical definition in art 4(11) Proposal on Product Liability.[95] Under art 3 of the proposed AI Liability Directive in combination with art 28 of the AI Regulation, quasi-manufacturers, importers and distributors of the AI system, as well as persons who have modified the AI system after it has been placed on the market, are on an equal footing with the provider.

Unlike the draft on product liability, the Proposal on AI Liability also targets users of AI systems, who are defined as persons or public authorities using an AI system ‘under its authority’ (art 3(4) AI Regulation). This corresponds more or less to the concepts of keeper under German law[96] or gardien under French law.[97] However, the obligations are limited to commercial keepers because art 3(4) AI Regulation excludes AI systems used in the course of a personal non-professional activity.

2 Public authorities – state liability

The proposed directive refers to the definitions of providers and users in the AI Regulation, which include public authorities. Indeed, a large part of the binding rules of conduct set out in art 5 AI Regulation explicitly address public authorities, in particular law enforcement authorities. Annex III on high-risk AI systems also lists a number of areas of application for such systems, including law enforcement and migration, asylum and border control. This prompts the question whether the Proposal on AI Liability is supposed to regulate state liability as well. And indeed, this is what the explanatory memorandum claims.[98]

The approaches to state liability differ widely within the European Union.[99] While some Member States regard the liability of the state as tort-based, others classify it as a domain of administrative law, and Germany operates with a complex mixture of elements derived from private as well as from public law.[100] Within the European law of civil procedure under the Brussels I-bis Regulation, the CJEU has held that damages claims against public authorities for wrongs committed by civil servants in the course of activities de iure gestionis may be brought in the court of the place where the harmful event occurred pursuant to art 7 No 2 Brussels I-bis Regulation. The Court did not bother with the fact that the Brussels I-bis Regulation only applies to disputes in ‘civil and commercial matters’ (art 1 of Regulation 1215/2012).[101] This suggests setting the same course in substantive law and to classify as private causes of action claims against civil servants for harm committed in the course of ‘private’ activities, ie activities that private subjects could engage in just as well. However, areas such as law enforcement, border control and asylum are for sovereigns only. State liability for actions de iure imperii touches upon the public law. Within the EU, state liability for infringement of Union law is itself governed by Union law, in conjunction with the protective norm theory.[102] In this perspective, the draft of the AI Liability Directive aims to codify a special sector of state liability for infringement of Union law, with the AI Regulation, not the Proposal on AI Liability, providing the relevant rules of conduct. The competence of the EU to legislate in this area of state liability is unclear. Perhaps it can be based on an annex to the competence that is claimed for the substantive regulation, ie in relation to the AI Regulation, the internal market competence of art 114 TFEU.[103]

Alongside the public authority operating an AI system, the manufacturer of such a system remains personally responsible under the AI Regulation, as well as the Proposal on AI Liability. Therefore, he will insist on compliance with the AI Regulation in his own interest and take recourse against the authority, should he be held accountable for wrongs caused in the course of operation. Such rights of recourse will generate incentives for the authority to comply with the rules of conduct set out in the AI Regulation.

D The contents of the draft AI Liability Directive

The AI Liability Directive delivers its substantive provisions regarding access to evidence and presumptions of fault and causation in a complicated form. After due consideration, its provisions closely resemble the parallel rules in the Proposal on Product Liability, which sets out the same contents in language that is much more elegant and easier to understand.

1 Access to evidence

Article 3(1) of the proposed directive grants the potential plaintiff a right against the defendant to disclose evidence at the defendant’s disposal. The associated duty to disclose falls not only on providers, ie manufacturers, quasi-manufacturers and importers, but also on users, provided only that the responsible party manufactured, distributed or used a high-risk AI system as defined in art 6 of the AI Regulation. This transfers the broad, but complex definition of high-risk AI systems, which even covers toys that contain an AI system – ie more or less complex software – as a safety component (AI Regulation, Annex II No 2), into the AI Liability Directive and the private law of torts or delict.

To substantiate his claim for disclosure of evidence, the plaintiff must establish the plausibility of his right to damages and make it credible by submitting the relevant evidence (art 3(1)(cl. 2)). In the same way as under the draft Product Liability Directive, conflicting interests of the defendant in confidentiality must be taken into account and weighed against the disclosure interest of the plaintiff. In this situation of competing interests, the court is authorised to order specific protective measures to preserve confidentiality without sacrificing the disclosure interest of the plaintiff (art 3(4)). Again, art 3 Proposal on AI Liability has been modelled on art 6 Directive 2004/48/EC on the enforcement of intellectual property rights[104], which has developed into a staple element in Union law guideposts for national liability systems.

In the same sense as in the context of the Proposal on Product Liability, there is no need to worry about a full-scale import of US-style discovery, with all the perceived vices attached, into the European theatre.[105] In the same manner as art 8 of the proposed Product Liability Directive, art 3 Proposal on AI Liability requires the injured party to present facts and evidence ‘sufficient to support the plausibility of a claim for damages’. This alone reduces the risk of abusive disclosure orders to an acceptable level. Moreover, the ‘loser-pays’ rule dominant in European civil procedure effectively prevents the abuse of civil proceedings for the purpose of blackmailing defendants.

2 Presumption of fault

If the defendant fails to comply with a court order of disclosure pursuant to art 3(1) of the proposed directive, the rebuttable presumption of breach of duty of care under art 3(5) applies, in parallel to the presumption of defectiveness under art 9(2)(a) of the Proposal on Product Liability.[106] Throughout the provisions of the draft AI Liability Directive, breach of the duty of care and fault mean the same. These terminological ambiguities pay tribute to the many uncertainties and contradictions in legal doctrine regarding the relationship between the concepts of fault, negligence, and breach of the duty of care, for example in the German or the French law of delict.[107] No wonder, therefore, that the framers of the Proposal on AI Liability did not attempt to harmonise this area of European tort law.[108]

3 Presumption of causation

The presumption of causation enshrined in art 4 of the Proposal on AI Liability is highly complex because it differentiates between high-risk and ordinary AI systems, between providers (manufacturers, etc) and users, and, finally, between private and professional users.

a The mechanics of the presumption: breach of duty and output of the AI system

The basic rule for the presumption of causation can be found in art 4(1) Proposal on AI Liability. Article 4(1) requires that fault of the defendant has been proven by the claimant or presumed by the court pursuant to art 3(5) and that this fault involves non-compliance with a duty of care directly intended to protect against the damage that actually occurred. On top of that, it must be reasonably likely that the fault of the defendant influenced the output produced by the AI system or its failure to produce a particular output. Finally, the claimant must demonstrate that the output/failure of the AI system gave rise to the damage.

In order to apply this presumption, one must understand its mechanics. The presumption establishes neither the breach of the duty of care by the defendant, nor the causal link between this breach and the damage, nor the causation of harm by the respective AI system. All of these elements need to be established by the plaintiff in the ordinary course of civil proceedings. The only element the presumption of art 4 AI Liability Directive is concerned with is the causal link between the breach of duty of care by the defendant and the AI system’s output. The presumption is designed to help the injured party to answer the question as to whether the breach of duty caused the ‘misconduct’ of the AI system: everything else must be proven, unless national law provides for further relief alleviating the evidentiary burden. Nevertheless, even though the focus of the presumption is on the causal relationship between the behaviour of the defendant and the output of the AI system, it only applies where the duty of care breached by the defendant was intended to protect the plaintiff against the harm actually incurred. Finally, it must be considered that failure to comply with the obligation to disclose evidence under art 3(1) of the draft directive can trigger a ‘cascade’ of presumptions, with the presumption of fault under art 3(5) activating a second presumption, ie the presumption of causation under art 4(1) of the proposed directive.

b Special rules for providers of high-risk AI systems

Building on the general requirements of the presumption of causation established in art 4(1), art 4(2) adds more requirements for claims against manufacturers, quasi-manufacturers and importers (not: users) of high-risk AI systems. In suits against these parties, the claimant must prove that the defendant failed to comply with certain obligations under the proposed AI Regulation, namely by using defective training data (art 10 AI Regulation), violating the transparency requirements of art 13 AI Regulation, failing to ensure human oversight (art 14 AI Regulation), failing to meet the standards of accuracy, robustness and cybersecurity under art 15 AI Regulation or, finally, failing to comply with the obligations to correct, withdraw or recall defective AI systems already operating in the field (art 21 AI Regulation). Surprisingly, the obligation to establish, implement and document a risk management system (art 9 AI Regulation) is not mentioned.[109]

The catalogue of obligations in the proposed AI Regulation describes central duties of care for manufacturers of AI systems. Nevertheless, it is irritating that a conclusive catalogue of duties, apparently meant to exclude the establishment of further duties of care under national tort law, is put in place particularly for manufacturers of high-risk systems. To place limits on the catalogue of duties to prevent harm particularly for providers of systems carrying ‘high risk’ seems difficult to justify. Are the authors of the proposed AI Regulation and AI Liability Directive really certain that they did not miss anything? Regardless, the language of art 4(2) of the proposed directive (‘only’) leaves no doubt. And the duties to ensure ‘accuracy, robustness, and cybersecurity’ of art 15 AI Regulation – despite their unfamiliar wording – seem broad enough to capture the standard of care established in tort law. Another surprising point is that the comparatively strict mandates of art 5 of the AI Regulation, which simply prohibit certain practices, have no role to play in art 4 of the Proposal on AI Liability. Perhaps, this can be explained by the fact that the obligations of art 9 ff AI Regulation are designed to implement the prohibitions of art 5 AI Regulation, which lie ‘upstream’ of, for example, art 15 AI Regulation. If the infringement of a prohibition under art 5 of the AI Regulation is established, it should be possible to establish causation with the help of art 4 AI Liability Directive.

c Special rules for users of high-risk AI systems

The users of high-risk AI systems are also subject to specific rules governing the presumption of causation. Pursuant to art 4(3) of the proposed directive, causation must be presumed where the plaintiff establishes that a user did not use or monitor an AI system in accordance with the accompanying instructions, did not suspend or interrupt its use pursuant to art 29 AI Regulation or exposed it to input data which are not relevant in view of the system’s intended purpose (art 29(3) AI Regulation). The deviation from the wording of art 4(2) of the draft Directive (no ‘only’) suggests that this list of duties of care is not exhaustive. Therefore, it may be supplemented by additional duties of care developed under national tort law. Against this background, the limitation to specific duties for providers of high-risk AI systems seems all the more questionable.[110] Regarding the liability of users, one can predict that the presumption of causation will not gain much practical significance, simply because the duties imposed on users by the AI Regulation are so limited. If they do not abuse the AI system, observe operating instructions and ‘supply’ it with data accordingly, they will not only be safe from liability, but also from application of the presumption. This reduced scope of duties for users corresponds to their reduced means of control with regard to the risks of harm originating from AI systems.[111] And this cannot be overcome by any presumption of causation.

d Normal AI systems, private users

Article 4(5) of the proposed directive tightens the requirements needed to trigger the presumption of causation again. It concerns providers and users of ordinary (not high-risk) AI systems. The general requirements of art 4(1) apply, but, additionally, the court must find that it is excessively difficult for the plaintiff to prove the causal link between the defendant’s breach of duty and the output of the AI system.

Finally, art 4(6) of the proposed directive supplies a privilege for defendants that had used the AI system in the course of a personal, non-professional activity. The provision only applies to private users of AI systems, and only if they operated the AI system according to specifications and instructions.[112] Vice versa, the presumption applies where the defendant materially interfered with the conditions of the operation of the AI system or if the defendant was required and able to determine the conditions of operation of the AI system and failed to do so. Aside from all of this, the provision is redundant insofar as art 3 No 4 AI Regulation, to which art 2 No 4 Proposal on AI Liability refers, limits the definition of user to persons who use the AI system in the course of a professional activity. A user who operates an AI system in the context of a personal, non-professional activity is therefore not covered by the Proposal on AI Liability. If this is to be taken seriously, art 4(6) of the proposed directive has no scope of application at all.

E The relationship between the AI Directive and the Product Liability Directive

1 The principle of cumulative application

As seen above, the Commission’s legislative proposals for a European framework of liability for digital systems also include a fundamental reform of product liability, in addition to the Proposal on AI Liability. The two draft directives were designed by the Commission to form two parts of a single package.[113] This common origin, and their substantive overlap lead to the expectation of a clear-cut, consistent demarcation between the two proposals. In fact, art 3 lit b) of the Proposal on AI Liability stipulates that claims for damages based on norms transposing Directive 85/374/EEC into national law shall remain unaffected. This rationale would still apply after the proposed revision of the Product Liability Directive came into force.[114] It means that the two regimes of product liability and AI liability shall apply alongside each other, ie cumulatively.

2 Manufacturers as primary addressees of the AI Liability Directive

Article 3 lit b) of the Proposal on AI Liability assumes that claims based on European product liability and those based on national tort law stand side by side. This corresponds to traditional legal doctrine but is nevertheless remarkable in the present context. The large overlap existing between the two draft directives on product liability and AI liability is irritating. At their core, both draft directives address the same actors, namely the manufacturers of AI systems. Whereas the defendant is addressed as the manufacturer in the Proposal on Product Liability, he is called ‘provider’ in the Proposal on AI Liability. However, the reference in art 2 No 3 of the Proposal on AI Liability to art 3 No 2 AI Regulation shows that ‘provider’ in the sense of the AI Regulation is none other than the ‘manufacturer’ in the sense of the Product Liability Directive. It is unclear why the AI Regulation uses the term ‘provider’, although Regulation 2019/1020 on market surveillance and conformity of products as well as the current draft of a General Product Safety Regulation use the term ‘manufacturer’ (art 3 No 8 of Regulation 2019/1020; art 3 No 8 COM(2021) 346 final). Perhaps the explanation is that the legislative acts regulating AI systems were drafted with the goal in mind to cover not only private companies, but also public authorities and other institutions and bodies.[115]

This notwithstanding, the main addressees of the two proposed directives are identical. So what is the purpose – in the sense of added value – of the Proposal on AI Liability? Some European legal systems such as the German ‘drag along’ product liability based on the general law of delict alongside harmonised product liability under the statute transposing Directive 82/374/EEC as a ‘second track’ of manufacturer responsibility.[116] The domestic track of product liability has lost much of its prior significance since the German legislator made available compensation for non-pecuniary harm also for claims based on European product liability back in 2002.[117] Domestic product liability based on delict remains relevant only where European product liability ‘fails’. This occurs where commercial property was damaged, where the damage was caused by a component of a complex product and thus affected the product itself, and within the gap created for compensation of property damage by the deductible of ECU 500 (art 9 lit b) Directive 85/374/EEC).[118] Only the national law of delict may offer a remedy in cases where the product was not defective at the time it was put into circulation (art 6 (1) lit c) Directive 85/374/EEC), but ‘grew’ into defectiveness subsequently. Here, liability of the manufacturer may be based on the breach of the duty to monitor products post-market. Finally, liability under the law of delict is unlimited while, in Germany at least, European product liability is capped at EUR 85 million. Of these gaps existing under Directive 85/374/EEC, the Proposal on Product Liability only leaves the first-mentioned exceptions for damage to property in place, whereas all the others shall be abolished.[119] Therefore, the double-layered structure of European product liability and product liability under the national law of delict will fade away, with the former becoming ever more dominant. This alone is nothing to mourn about, but the point is that the resulting decline of liability in tort or delict under national law will be shared by the AI Liability Directive.

With its focus on the law of evidence, the AI Liability Directive will not be able to escape this consequence. As seen above, a right of access to evidence is also part of the proposed Directive on Product Liability (art 8 Proposal on Product Liability). The presumption of fault in art 3(5) of the Proposal on AI Liability corresponds to the presumption of defect in art 9(2)(a) of the draft Product Liability Directive, and the presumption of the causal link in art 4 of the AI Directive is mirrored by art 9(3) and (4) of the Proposal on Product Liability. It is impossible to escape the conclusion that, for the liability of manufacturers for personal injury and damage to property, the AI Liability Directive will play no role at all. This applies all the more to importers, fulfilment service providers, distributors and online trading platforms, as art 7 Proposal on Product Liability subjects them to more extensive obligations than those imposed by the AI Liability Directive, the latter in combination with art 28 of the AI Regulation.[120]

3 Users as liable parties

The liability of users may be the domain of the AI Liability Directive but, in reality, it does very little in the area of user liability, too. Even users of high-risk systems are only subject to rudimentary duties of care under art 29 AI Regulation, which must have been breached to trigger the access rights and presumptions of art 3, 4 Proposal on AI Liability. Additional duties of care may be developed under the national laws of tort or delict, but they will not carry very far either. It is a characteristic of digital products that the user remains largely excluded from the decisions that are relevant for the safety of the device.[121] As a consequence, the duties of care imposed on users will necessarily be very limited and remain focussed on the proper handling of the system. And this is precisely what art 29 of the AI Regulation already says.

But what if the user does not comply with his duties under the AI Regulation and manipulates the AI system, overriding its safety measures? Isn’t this a case for tort liability based on fault and thus precisely the situation that the framers of the Proposal on AI Liability had in mind when they created access rights and presumptions designed to help the injured party to obtain compensation? Indeed, users who change the intended purpose of, or make substantial modifications to, a high-risk AI system invoke the duty regime of art 8 ff, art 16(1)(a) AI Regulation, originally designed only for providers (manufacturers) pursuant to art 28(1)(b) and (c) AI Regulation. However, even here, the Proposal for a Product Liability Directive gets in the way of the AI Liability Directive. Pursuant to art 7(4) Proposal on Product Liability, any person who modifies a product already placed on the market is liable as a manufacturer.[122] Again, the Proposal on Product Liability imposes the same liability as the AI Liability Directive. This does not exclude the application of the latter – but it does render it rather superfluous.

4 Conclusion: extension of the scope of protection

In light of the above, does the Proposal on AI Liability have any practical significance at all? The answer is: some, but not too much. Its practical significance is only in those areas which the (reformed) Product Liability Directive cannot reach. They may be found where the scope of protection of the law of product liability ends. Even after the reform proposed by the Commission, the scope of protection of liability for products would remain limited to violations of the classical interests in life, bodily integrity, health, and property, the latter with the aforementioned limitations of art 4(6) Proposal on Product Liability.[123] If none of these protected interests are infringed, national tort law may step in, and the AI Liability Directive will follow suit. This raises the question as to the precise range of the interests that remain outside the scope of protection of a reformed Product Liability Directive. The answer is clear: liability under national tort law is broader than product liability in three areas, namely damage to property, infringements of personality rights, and pure financial loss.

F The AI Liability Directive in the context of national tort law

The European systems of extra-contractual liability are diverse. The AI Liability Directive did not attempt to harmonise them – and it could not, only for purposes of liability for the failure of AI systems. It is thus inevitable that the diversity of European tort law affects the impact of the Proposal on AI Liability. For purposes of assessing the impact of the AI Liability Directive, it is neither possible nor necessary to analyse the national systems of tort or delict in any detail. Rather, it is sufficient to note that liability in negligence exists in every European system of extra-contractual liability. Another common feature of European tort law is its focus on the classical human interests in life, bodily integrity, health and property. Invariably, these interests are within the core of the protective scope of causes of action based on tort.

Beyond these fundamental principles, diversity takes over. One area where the European systems of tort or delict diverge concerns the status of statutory norms that regulate behaviour through prescriptions or prohibitions.[124] In systems like the German, the violation of a statutory mandate, provided that it aims to protect the interest of the injured party, is a tort in itself, separate from general negligence liability (Section 823(2) German Civil Code). In other systems, no such tort called breach of statutory duty or breach of a protective norm exists. This does not mean, however, that statutory duties are irrelevant to the law of tort or delict. Rather, statutory duties that originate in administrative or in criminal law help to inform the negligence analysis.[125] It makes a difference whether the faute of the wrongdoer can be assessed with a view to specific duties, defined by the competent lawmakers in binding acts of legislation, or whether the court must assess, or rather: create, duties of care from general principles of tort law, such as the bonus pater familias or the reasonable person. Clearly, the fact that a statutory norm was infringed makes it easier to find fault on the part of the party that caused the harm in question.

The two alternatives, to classify the breach of statutory duty as a separate tort or to merge the statutory norm into the general standard of care, are not fully exclusive. Legal systems that embrace breach of statutory duty as a separate tort may also navigate the other route, and use the statutory norm as a guidepost in the negligence determination. One example is German law, which recognises the violation of a protective norm as a separate category of delict but also incorporates statutory norms of an administrative law nature into the determination of fault or negligence.[126] In the latter case, the fault element within the German version of Aquilian liability may be determined with a view to statutory duties.

How is all this relevant in the context of AI liability? It is important to understand that the Proposal on AI Liability itself does not impact the determination of negligence and is not a protective statute for the purposes of liability in the tort of breach of statutory duty. The reason simply is that the proposed AI Liability Directive does not supply any rules or standards of behaviour. Its purpose is to facilitate the enforcement of claims for damages, and not to create them. The situation is different for the AI Regulation, also still in form of a draft, to which the AI Liability Directive refers. The AI Regulation is certainly full of rules of conduct that may be used in either context, ie as sources for a separate tort of breach of a protective statute and as guideposts for the determination of negligence.[127]

The classification of the AI Regulation, or rather specific rules in it, as protective norms would correspond to the legal situation in other areas of product safety law. Both the English and the German courts have recognised the protective purpose of domestic as well as European product safety law.[128] In substance, the AI Regulation is nothing other than specific product safety law, as evidenced by its interface, in Annex II of the AI Regulation, to the legislative acts of the EU under the socalled ‘New Legislative Framework’ (NLF).[129] European product safety law has developed on the basis of the NLF since the 1980s and combines statutory, but fairly general, product safety requirements with references to technical norms and standards, relies on private certification agencies for certification of conformity with EU law, and uses the police powers of Member States as a back-up mechanism if it turns out ex post that a certified product causes unacceptable risk. The AI Regulation fits well into this regulatory pattern. The requirements of ‘accuracy, robustness and cybersecurity’ (art 15) that must be complied with by high-risk AI systems are as vague as they can be and are in urgent need of specification through technical norms. These cannot be found in the AI Regulation itself, but their development is envisaged by art 40 AI Regulation. The link to the usual conformity assessment procedures of product safety law is provided by art 41 ff AI Regulation. The conditions for affixing the CE marking are defined in art 49 of the AI Regulation, and the powers of the national authorities in the event of safety defects can be based on art 8 of Directive 2001/95/EC on general product safety.[130]

What would be the consequences in terms of liability if the AI Regulation or specific norms of conduct defined therein were qualified as protective norms under national tort law? Obviously, breach of duty could be established with the help of art 3(1), (5). A full cause of action not only requires breach of duty, but also the causation of damage.[131] In this context, the presumption of art 4 AI Liability Directive could come into play and – provided that its requirements are met – help the injured party to prove his case. In this way, the Proposal on AI Liability would facilitate the enforcement of claims for damages against addressees of the AI Regulation and ensure ‘private enforcement’ of this segment of product safety law.

G Filling gaps in the Product Liability Directive

As elaborated above, the AI Liability Directive serves a supplementary function to the Product Liability Directive. It will be relevant in areas that the Product Liability Directive cannot reach. These areas lie beyond the infringement of the fundamental human interests in life, bodily integrity, health and private property that are protected by the Product Liability Directive. The question is whether and to what extent national tort law offers protection against damage to, or destruction of, property used for commercial or professional purposes (below, 1), wrongful infringements of the general right of personality (below, 2) and pure economic loss (below, 3).

1 Property

According to the Proposal on Product Liability, the protection of property falls short of that granted under national tort law, namely in relation to property used for commercial or professional purposes.[132] If, for example, a traffic accident is caused by a motor vehicle with autonomous driving functions and a privately used car and a commercially used delivery van are damaged in the process, the Product Liability Directive only applies to the manufacturer’s liability towards the owner of the private car, but not regarding its liability towards the owner of the delivery van. In the latter case, the liability of the producer is governed by national tort law. Although the rules on product liability in tort largely comply with those in Directive 85/374/EEC, and a fortiori with those in the reform proposal, they do not include a duty to disclose evidence, nor do they contain presumptions of fault and causation. This is where the Proposal on AI Liability would step in and provide precisely these rules. This would result in further harmonisation of product liability, this time under the auspices of national law. It is true that art 9(2) of the Proposal on Product Liability supplies a presumption of product defect, whereas art 3(5) of the Proposal on AI Liability presumes breach of the duty of care. However, the difference is merely terminological, because, in cases of design and instruction defects, which are the most relevant, the manufacturer’s breach of the duty of care manifests itself in the defect.[133]

However, it should be noted that the Proposal on AI Liability in combination with national tort law only applies if the defect concerns the AI system, in particular, and not the conventional, non-digital part of a complex product. Pursuant to art 3(1) of the Directive on AI Liability, for access to evidence, the victim must make out a plausible case that precisely the AI system is ‘suspected of having caused damage’. Only under this condition does non-compliance of the defendant with the duty to disclose trigger the presumption of breach of duty under art 3(5). This restriction also applies to the presumption of causation enshrined in art 4, as its mechanics can only meaningfully be applied to AI systems, but not to conventional products.[134] Only in the case of digital systems can it be presumed that there is a causal link between the defendant’s breach of duty and the output of the digital system.

Another area where the AI Liability Directive would make a difference is damage to the (defective) product itself. While this type of harm shall remain excluded from the Product Liability Directive (art 4(6)(b)(i) and (ii) Proposal on Product Liability), it remains recoverable under the tort systems of some Member States.[135]

2 The general right of personality

The general right of personality in its various dimensions lies entirely outside the scope of protection of European product liability. As long as the concept of product was limited to physical objects by art 2 of Directive 85/374/EEC, this gap in protection was not noticeable, because technical devices, vehicles, machines and medicines, to name just a few examples of product categories, do not normally lead to impairment of personal honour and dignity, to distortions of the image of the individual in the public eye or to invasions of privacy. This is all the more true as the CJEU has excluded information disseminated by a printed product from the scope of protection of product liability.[136] No-one’s personal interests have yet been infringed by printed paper as such, detached from its contents.

In contrast, the general right of personality is recognised as a protected right in the laws of the Member States.[137] If the scope of protection of the general right of personality is wrongfully infringed by an AI system, liability of the wrongdoer is in question. Potential defendants are the manufacturer of the AI system and its user. Again, it is crucial that the Proposal on AI Liability does not establish such liability, but presupposes it. Only if such a claim exists under national tort law do the provisions of arts 3 and 4 Proposal on AI Liability kick in, granting the injured party, under certain conditions, a right of access to evidence and the two presumptions of fault and causation. The question of whether the manufacturer of speech recognition software is liable for language that casts members of a particular group in a false light, insults them or discriminates against them has not been decided by a court as of yet. This is an area where the AI Liability Directive could do some good.

Courts in Member States with a system of fault-based liability that includes a separate tort of breach of a protective statute may rely on the AI Regulation to create liability for infringements of personality rights caused by the workings of AI. Assuming, as one must,[138] that the duties imposed by the AI Regulation qualify as protective norms, their protective perimeter needs to be determined. In German law, one function of the tort of breach of a protective norm is precisely to extend the scope of protection of the law of delict beyond the classic interests of life, bodily integrity, health, freedom of movement and property to include non-physical personality interests. This function has lain fallow since the general right of personality has been recognised as a subjective right alongside the classic interests listed above,[139] but now it may experience a renaissance.[140] As to the protective purpose of the AI Regulation, there is no doubt at all that the protection of the fundamental rights of EU citizens is not only one of many, but its prime purpose, as emphasised many times in the explanatory memorandum.[141] Human dignity, the protection of private life and personal data, the right to equal treatment, as well as freedom of expression and assembly are explicitly mentioned.[142] If providers, ie manufacturers, of high-risk AI systems violate the safeguards imposed upon them by art 9 ff AI Regulation, they will be liable for breach of a protective statute or, in the alternative, under the general clause of liability for fault.

The general right of personality also provides protection against discrimination. This category of harm is of considerable importance because it is widely assumed that computer software is particularly susceptible to discrimination based on prohibited characteristics such as gender, race, ethnic origin, religion, ideology, or disability.[143] This assumption is questionable as it is not very likely that computer programmes do worse than human decision makers, whose biases often go unnoticed. But regardless, not every unequal treatment also constitutes a violation of human dignity or other aspects of the right of personality. Rather, it is required that the unequal treatment also insults the victim, because he is devalued, his claim to social respect is denied or his dignity is otherwise violated. An infringement of the right of personality by discriminating behaviour therefore requires that the intention to discriminate is made known to the outside, either to the person affected or to third parties. ‘Naked’ discrimination that is never revealed to anyone cannot be sanctioned as an infringement of the general right of personality. At this point, the AI Regulation may compel a more liberal approach. The AI Regulation emphasises its orientation against discrimination over and over.[144] In addition, the anti-discrimination directives of the EU[145] and art 21 of the EU Charter of Fundamental Rights, which contain the actual prohibitions of discrimination, may also qualify as protective norms and suggest a broad cause of action against discriminatory behaviour.[146]

3 Pure economic loss

The second important category of harm that lies outside the fundamental human interests protected by the law of delict (or tort) since Roman times is pure economic loss, ie pecuniary harm that is not consequential upon injury to life, bodily integrity, health, or freedom of movement or damage to property. Liability for wrongful infliction of pure economic loss is one of the darkest and most controversial areas of extra-contractual liability.[147]

In many European systems of delict or tort, one important segment of liability for pure economic loss is breach of statutory duty. Where a statutory norm aims to protect individuals against financial losses, a private cause of action lies in case of violation. It has been said already that European product safety law has been a major source of protective norms that generated private causes of action.[148] However, the protective perimeter of product safety law has, up to now, been limited to personal injury, ie to the interests in life, bodily integrity and health. The prevention of financial losses incurred by third parties has not counted among the goals of product safety law as of yet.

The crucial question therefore is whether the AI Regulation changes anything in this configuration of European product safety law, at least as far as the safety properties of AI systems are concerned. The explanatory memorandum and the recitals to the AI Regulation explicitly refer to the use of AI systems by credit institutions several times over.[149] Thus, one cannot escape the conclusion that financial harm caused by credit institutions that deploy AI systems in the course of their business activities is within the scope of protection of the AI Regulation and thus also of national tort law. This may pave the way, for example, to a cause of action where a bank denies an application for credit or where so-called robo advisors offer misadvise to private investors.[150] One obvious argument against such liability would be that tort should not be used to create and enforce duties based on contract. German law, for example, offers a way to deny such liability as liability for violation of a protective norm lies only where this sits well with the overall liability system.[151]

Caution is therefore required when including further categories of cases involving pure economic loss into the scope of protection of tort law, be it via breach of statutory duties of a protective character, be it via the general duty of care, infused by the AI Regulation. To repeat a warning voiced by Benjamin Cardozo, then sitting on the New York Court of Appeals, with a view to the responsibility of accountants: ‘If liability for negligence [for pure economic loss] exists, a thoughtless slip or blunder, the failure to detect a theft or forgery beneath the cover of deceptive entries, may expose accountants to a liability in an indeterminate amount for an indeterminate time to an indeterminate class’.[152] In other words: general negligence liability for pure financial harm is unacceptable, and it must not be introduced via the AI Regulation.

H Appraisal of the proposal on AI liability

The proposed AI Liability Directive contains only a small number of provisions that grant a right to disclosure (of evidence) and two presumptions. National tort law must supply the rules of liability, including those on its scope and the amount of damages (quantum). The relevant duties of care, on the other hand, are primarily established by the proposed AI Regulation. The interplay of these three bodies of law makes for a highly complex regulatory design, which sets ambitious standards for the legal skills of lawyers and courts alike, is difficult to predict in terms of its concrete effects on potential defendants and, all in all, generates very limited benefits for the injured party. Mandated disclosure and presumptions of fault and causation are fair enough, but the heart of liability beats somewhere else. There, where the proposed AI Liability Directive does not venture to at all: at the elements of the claim, the scope of protection and the calculation of damages. Since parallel provisions to the Proposal on AI Liability are established by the simultaneously submitted draft on a reformed Product Liability Directive, it is justified to ask whether the proposed directive on AI liability is needed at all. At the very least, it extends the right to disclosure and the presumptions of fault and causation to causes of action addressing infringements of the general right to personality and to certain cases of pure economic loss, provided that such harm was caused by an AI system.

VIII Conclusion

A Even stricter product liability?

The development of product liability as envisaged in the Commission’s proposal deserves a warm welcome.[153] However, the Commission has refrained from switching to a system of strict liability. Liability remains duty-based in the sense that the manufacturer must compensate harm caused by a product’s defect, not by a product pure and simple. While it is true that strict liability irrespective of defect should be considered for a future world dominated by AI systems,[154] the current state of technical development does not justify such a radical step. Mass harm caused by the use of AI is still no more but one possible scenario of a rather distant future, and it is unlikely that AI – despite its discussed shortcomings – will cause more harm than conventional systems relying on human control and decision.[155] In many sectors, autonomous digital systems might reduce the number of accidents significantly. Furthermore, dispensing with the requirement of product defect for AI systems would draw a wedge into the existing system of liability which is hard to justify. And doing away with defect also for conventional products is not a viable option.

Finally, calls to include pure economic loss as well as infringements of personality rights such as discrimination into the scope of protection offered by product liability must be rejected, at least at this stage.[156] In the case of pure economic loss, a flat rule of negligence liability, without further filters, went too far already, and strict liability for such losses is unacceptable. Liability for infringements of personality rights, in turn, requires a balancing of interests that product liability cannot incorporate.

B Strict liability of the operator of AI systems?

The successful reform of the Product Liability Directive sets the course so that there is hardly any space left for another directive, this time on AI liability. Those who consider this insufficient call for strict liability of AI operators.[157] The European Parliament’s draft in 2020 went precisely in this direction.[158] Article 5 of the Proposal on AI Liability grants the Commission the usual mandate for evaluation and targeted review after five years of the expiration of the transposition deadline. What is unusual is the scope of this reassessment. It shall not be limited to the substantive provisions of the directive (arts 3 and 4) but also evaluate the ‘appropriateness of no-fault liability rules for claims against the operators of certain AI systems’ (art 5(2)(cl 2) Proposal on AI Liability). This is exactly what the Parliament wanted, so that one must fear a resurrection of strict operator liability during the legislative process.

Such a revival of strict operator liability would be the worst of all possible outcomes.[159] Not only is there no good reason to subject AI systems to strict liability ‘across the board’. The essential point is that the operator remains the wrong addressee of liability, as he has little or no influence on the system’s behaviour. The privileges granted to users by art 4(3) and (6) of the proposed AI Liability Directive as well as art 29 AI Regulation confirm this insight. Finally, under the law of the Member States, the operation of technical devices and installations carrying a high risk of injury are already covered by strict liability. The prime example is traffic accidents, as the operation of motor vehicles is subject to strict liability of the keeper in both Germany and France and many other jurisdictions.[160] The German lawmakers have recently added the clarification that strict motor liability applies to autonomous vehicles just the same.[161] To increase liability for AI beyond areas involving high risk of harm is not necessary and therefore not justifiable.

In conclusion, the Proposal on AI Liability is needed only for the protection of personality interests and purely financial interests. In these areas, the right of access to evidence, together with the presumptions regarding fault and causation, improve the position of the victim seeking to enforce his damages claims. This is certainly not nothing, but also not much. Whether it is enough to carry the highly complex proposal through the legislative process in Brussels remains to be seen.

C The Brussels Effect in product liability

The Proposal for a new Product Liability Directive opens new horizons for this field of law. It takes bold steps to include software and data into this system of liability, thereby rather dramatically expanding its reach. In passing, the proposal also includes the intermediaries of e-commerce into the group of liable parties. In doing so, product liability European-style may claim a leadership role in adapting current law to the challenges of digitalisation. The draft proposal also deserves support in improving the situation of the injured party seeking redress through the product liability system. The right of access to evidence, coupled with a number of presumptions for central elements of the cause of action seems to be the right response to the difficulties of establishing the elements of damages claims under the directive.

In doing all this, the Commission adapts product liability to the challenges of digitalisation in an exemplary manner. It is an impressive achievement that has what it takes to trigger the notorious ‘Brussels Effect’, ie to become a global pioneer and lighthouse for the adaption of product liability law to digitalisation.[162] In light of the substantive virtues of the proposed ‘Product Liability Directive 2.0’, one will easily accept the elaborate wording of the draft, which falls behind the relatively poignant style and beauty of the original. But for a Union as diverse as today’s, with 27 Member States, another level of linguistic clarity is required than for the 12-member EEC of 1985.


I should like to thank Dr Sven Asmussen and Till Weskamm for valuable research assistance.

Published Online: 2023-02-13
Published in Print: 2023-02-06

© 2023 by Walter de Gruyter GmbH, Berlin/Boston

Dieses Werk ist lizensiert unter einer Creative Commons Namensnennung 4.0 International Lizenz.

Downloaded on 5.3.2024 from
Scroll to top button