EU introduces comprehensive digital-era Product Liability Directive 

The European Union has adopted Directive (EU) 2024/2853 (Directive), an update to existing product liability provisions that reflects the challenges of modern digital technologies. To this aim, the new Directive significantly expands the scope of product liability, by repealing the previous Council Directive 85/374/EEC and addressing emerging technological landscapes such as movables, software, digital manufacturing files, and AI systems. 

The Directive will come into force on 8 December 2024, but Member States have until 9 December 2026 to transpose it into their national legislation. For this reason, to ensure legal certainty, the new provisions will only apply to products placed on the market or put into service after the same date of 9 December 2026.

With the goal of ensuring maximum harmonization and minimizing disparities, the Directive prevents Member States from maintaining or introducing national provisions diverging from those set out thereunder, whether they are more or less stringent.

Key Innovations

Key innovations include a broader definition of "product" that now encompasses software, digital services, and integrated technologies. The Directive extends liability to integrated or interconnected digital services critical to a product's functionality (and safety) and clarifies responsibilities for open-source software integrated into commercial products.

Interestingly, the Directive will also cover cases where software is provided in exchange for personal data, as long as the software is supplied in the course of a commercial activity (hence, the personal data is not processed exclusively to improve the software's security, compatibility or interoperability).

In addition, the Directive introduces more favourable conditions for consumers seeking damages, by broadening the definition of compensable harm to include psychological damages and data destruction (for instance, the deletion of digital files from a hard drive). 

Another crucial change is the new evidence disclosure mechanism, which reduces the burden of proof for plaintiffs in complex cases. Defendants are required to share relevant parts of the technical documentation they are expected to possess, otherwise the product will be assumed defective.

The Directive also establishes clear limitation periods to claim compensation: a three-year limitation period from damage discovery and a ten-year expiry period from the date on which the defective product which caused the damage was placed on the market or put into service. In cases of substantial modifications, the clock resets, and the period restarts from the date the modified product is placed on the market or put into service. For personal injuries with latent effects, the expiry period extends to 25 years.

On a final note, as a product can be considered defective where it does not fulfil safety-relevant cybersecurity requirements, it should be borne in mind that the Directive is complementary to the Cyber Resilience Act (adopted on October 23, 2024 and published in the Official Journal of the European Union on November 20, 2024), which - among other things - lays down obligations that concern the provision of products security updates.

Online Platforms and the DSA 

Economic operators face expanded liability, now including logistics providers, entities substantially modifying products, and online platforms – although they can be exempted under specific circumstances. 

With respect to online platforms specifically, the Directive introduces nuanced liability provisions, holding them accountable when they assume roles beyond mere intermediation – such as manufacturer, importer, authorized representative, fulfilment service provider, or distributor of a defective product. Conversely, when online platforms function solely as intermediaries in transactions between traders and consumers, their liability is governed by the Digital Services Act (DSA), provided that they do not create the impression of being the seller or an authorized representative of the product (once again, consistently with the DSA). 

The AI Act

The Directive also establishes significant intersections with the AI Act, particularly in addressing AI systems' unique challenges. 

For starters, by referencing the AI Act's definition of AI system providers and including it within the category of "manufacturers", the Directive aims at creating a comprehensive legal framework that acknowledges AI's transformative potential while ensuring robust consumer protection mechanisms.

The Directive also explicitly recognizes AI software as a "product" subject to liability, with provisions that specifically tackle the complexities of AI technologies. Key points include defining AI systems as products liable for damages and addressing the evolving nature of machine learning algorithms.

Furthermore, the Directive recognizes the complexity of proving damage caused by defective products, including AI systems, for claimants and introduces measures to facilitate the disclosure of evidence in legal proceedings.  

Conclusions

The overarching goal of the Directive is clear: enhancing consumer protection in the digital age by creating a more comprehensive, adaptable framework for addressing product-related damages. The added complexity posed by this Directive will be that of navigating potential legal intersections with the AI Act and existing cybersecurity and data protection regulations and that of ensuring compliance with all obligations from a holistic and integrated perspective.

Authored by Massimiliano Masnada, Ambra Pacitti, Cecilia Canova, Anna Albanese