Digital health products and services delivered using technologies such as wearable devices, telemedicine platforms and health apps continue to transform the way people access healthcare and manage their wellbeing. However, use of these technologies to monitor health and deliver care have created new risks that challenge some of the core rules and concepts underpinning the current product liability regime provided for under EU law.
In this article we summarise the key changes to the EU product liability landscape being brought about by three key pieces of legislation:
- A revised Product Liability Directive
- An AI Liability Directive
- The Directive on Representative Actions (“the Collective Redress Directive”)
A Revised Product Liability Directive
The current EU Product Liability Directive (PLD) has been in force for nearly 40 years. In that time, technological advances and increased awareness and concern around environmental sustainability and circularity have led to the creation of a new generation of products that have made it more difficult to:
- Consistently apply the definitions and legal tests contained in the PLD
- Effectively prove that a defect in a product caused the damage suffered
- Allocate responsibility and liability when a business substantially modifies a product that is already on the market, or when a product has been directly imported from outside the European Union by a consumer
The changes contained in the draft text of a proposal for a revised PLD (the PLD Proposal) are designed to address these challenges and provide the EU with an extra-contractual product liability regime updated to deal with the 21st century product landscape. The PLD Proposal is particularly relevant to digital health stakeholders given the references to innovative and life-sustaining medical devices, software products, AI techniques and cybersecurity within the text.
Some noteworthy features of the PLD Proposal include:
- ‘Product’: The concept of medical device software is a well-established concept in EU product safety legislation under the EU Medical Devices Regulation (EU) 2017/745 (MDR) and In-vitro Diagnostic Device Regulation (EU) 2017/746 (IVDR). The definition of a ‘product’ under the PLD Proposal would now also include software and digital manufacturing files within scope for product liability claims.
- Terminology: The Proposal would bring EU product liability and product safety rules into closer alignment by adopting various terms and definitions, such as ‘manufacturer’ and ‘placing on the market’, that are already in use in EU product safety legislation under the NLF, including the MDR and IVDR.
- ‘Damage’: The notion of compensatable damage would be extended to include corruption of data and recognised forms of psychological injury. The €500 minimum threshold for property damage would also be removed.
- ‘Defectiveness’: The PLD Proposal would add the following factors to a list of non-exhaustive criteria that can be considered when determining whether a product “provides the safety which the public at large is entitled to expect”:
– The effect on the product of any ability to continue to learn after deployment
– The effect on the product of other products that can reasonably be expected to be used together with the product
– Product safety requirements, including safety-relevant cybersecurity requirements, and interventions related to product safety, and
– The specific expectations of the end-users for whom the product is intended
The express inclusion of product safety requirements, cybersecurity and product safety interventions in a list of criteria for ‘defectiveness’ for product liability purposes is particularly important for manufacturers of products regulated under the MDR and IVDR. Indeed, the recitals to the PLD Proposal specifically mention the full product lifecycle requirements set out under the MDR in calling for liability for damage caused by “failure to supply software security updates or upgrades that are necessary to address the product’s vulnerabilities in response to evolving cybersecurity risks.”
Another particularly important feature of the PLD Proposal is a rebuttable presumption of defectiveness that could arise in circumstances where:
- The claimant establishes that the product does not comply with mandatory safety requirements laid down in EU law or national law that are intended to protect against the risk of the damage that has occurred
- The claimant establishes that the damage was caused by an “obvious malfunction” of the product during normal use or under ordinary circumstances, or
- A national court were to consider that a claimant faced “excessive difficulties” in proving defectiveness and/or causation owing to the technical or scientific complexity of a product
Again, ‘innovative medical devices’ and complex technologies such as machine learning are called out in the recitals to the PLD Proposal as the types of complex products warranting this type of new approach.
- Causation: claimants would also be able to avail of a rebuttable presumption that a defective product caused damage where:
– He or she faced “excessive difficulties” in proving same owing to the technical or scientific complexity of a product, as above in relation to defectiveness, or
– It could be established that the product is defective and the damage caused is of a kind “typically consistent” with the defect in question.
- Defendants: the PLD Proposal expands the pool of defendants that can potentially be held liable for damage caused by a defective product (which would now include software products). As well as manufacturers, importers and in some cases distributors, the PLD Proposal would also permit no-fault liability claims to be brought against authorised representatives, fulfilment service providers, third parties making substantial modifications to products already placed on the market and certain online platforms.
- Defences: regarding the defence currently available under the PLD that allows a defendant to escape liability if it can be proved that it is probable that the defect that caused the damage did not exist when the product was put into circulation, the PLD Proposal would close off this possible defence in cases where the defect is due to a ‘related service’ or software. This includes updates or upgrades or lack thereof that are required to maintain safety that is within the control of the manufacturer.
- Limitation periods: the 10-year longstop period would be extended to 15 years in certain cases involving latent personal injuries, another significant development for healthcare products, particularly screening and diagnostic systems. Time could also be determined to start running from the date that a product had been substantially modified (i.e. at a point after it had been placed on the market or put into service) which could give rise to new issues in the context of updates and new versions of software products.
As of May 2023, a briefing published by the European Parliamentary Research Service (EPRS) noted that the EP and Council are currently working on establishing their respective positions on the draft legislation under the EU Ordinary Legislative Procedure. Most recently, the EP Committee on Internal Market and Consumer Protection (IMCO) and the Committee on Legal Affairs (JURI) have released a joint draft report on 5 April 2023 that proposes a number of changes to the draft text. It is currently not clear when the legislative text will be adopted and enter into force, however the EP committee report will need to be adopted before the EP can vote on its first reading position in a plenary sitting. Meanwhile in the Council, the Working Party on Civil Law Matters discussed a compromise text of the legislation on dates in March and April 2023. Work to reach agreement on a final text is expected to intensify throughout 2023, with the possibility of the adoption of a text before the end of the year.
Once adopted, the revised Product Liability Directive will also need to be transposed into national law. The PLD Proposal provides that the PLD would be repealed and Member States would be required to transpose the new legislation within 12 months of its entry into force.
An AI Liability Directive
As stated in the text of the relevant proposal, current national liability rules are ill-equipped to handle cases involving AI-enabled products and services. Hallmark characteristics of AI systems like opacity, complexity and autonomy can make it particularly difficult and expensive for claimants to establish who to sue and then prove how that liable person is to blame for the damage they have suffered. In response, national courts in EU Member States need to adapt how they apply existing civil liability rules in order to achieve a just result in certain cases involving AI. Several EU Member States are already pursuing their own AI civil liability strategies. Without EU-level legislation there is a risk of fragmentation, with different rules and procedures for AI cases in different Member States. This has the potential to result in increasing levels of legal uncertainty for businesses which could in turn lead to increased costs, especially for SMEs trading across borders with limited access to in-house legal and technical expertise.
A proposal for an EU Artificial Intelligence Liability Directive (the AILD Proposal) therefore aims to harmonise certain aspects of fault-based EU civil liability frameworks as they apply to AI. The AILD Proposal is intended to complement planned revisions to the EU’s non-fault based (strict liability) regime provided for under the Product Liability Directive and does not seek to alter well established concepts forming part of existing national civil liability systems such as ‘fault’ or ‘damage’. Instead, it seeks to address the burden-of-proof issue in a way that interferes as little as possible with different national liability regimes.
The AILD Proposal contains two key features that are particularly relevant to digital health stakeholders:
- Access to evidence: claimants seeking compensation would have an opportunity to obtain information on ‘high-risk AI systems’ (a category defined under the EU AI Act that is expected to include devices regulated under the MDR) that must be recorded and documented under the AI Act. These requests would need to be “supported by facts and evidence sufficient to establish the plausibility of the contemplated claim for damages”. The requested evidence would also need to be at the addressee’s disposal. This measure would be open to ‘potential claimants’ who could request a court to order the disclosure of relevant evidence in advance of submitting a claim for damages.
- Rebuttable presumption of causation: the AILD Proposal also makes provision for a presumption of a causal link in the case of fault, which can trigger if a number of criteria are satisfied:
– Firstly, the claimant needs to demonstrate a fault on the part of the defendant. This can be an instance of non-compliance with a duty of care laid down in EU or national law. In the case of ‘high-risk AI systems’, non-compliance with the requirements of the AI Act would constitute such a fault.
– Secondly, the claimant would need to show that it was ‘reasonably likely’ that the fault had influenced the AI-system output in question, or lack thereof.
– Thirdly, the claimant would still need to demonstrate that the output, or lack of an output, caused the damage complained of. The presumption also distinguishes between claims brought against providers and users of high-risk AI systems, and defendants may prevent the presumption from triggering in cases involving high-risk AI systems where they could demonstrate that the evidence and expertise needed for the claimant to prove a causal link is already available.
Like the PLD, the Proposal AILD Proposal is currently undergoing review by the EP and the Council as part of the EU Ordinary Legislative Procedure. It is not clear when a settled text will be agreed however once adopted, the AI Liability Directive will also need to be transposed into national law. The AILD Proposal provides that Member States would be required to transpose the new legislation within 2 years of its entry into force.
The Directive on Representative Actions
Prior to the Collective Redress Directive (CRD) coming into effect, member states had different legal systems and procedures regarding collective actions, making it challenging for consumers to exercise their rights across borders. With the growth of e-commerce and the digital economy, consumer harm increasingly transcended national boundaries. Calls for updated legislation recognized the need for a unified approach to collective redress to tackle these types of cross-border consumer issues more effectively.
The CRD harmonized the rules and procedures for representative actions, ensuring consistency and facilitating cross-border consumer claims while providing safeguards to prevent frivolous claims against traders. It seeks to streamline legal processes by allowing representative actions to be brought on behalf of a group of consumers with similar claims, thus reducing the burden on individuals to initiate separate legal proceedings and making the process more efficient and cost-effective. To distinguish the EU regime from the more litigious US class action procedure, the criteria required in the Directive to bring a redress action are relatively strict.
- Qualified entities: The CRD requires each Member State to designate at least one ‘qualified entity’ to bring actions on behalf of consumers. A list of qualified entities will be maintained by the European Commission. Qualified entities, such as consumer organisations, will be empowered to bring collective action cases on behalf of consumers for breaches of a wide range of EU Directives and Regulations including the MDR, the GDPR and the Product Liability Directive. In order to bring a cross-border representative action, the qualified entity will have to meet certain criteria:
– Be a non-profit organisation in the area of consumer protection
– Be independent
– Have a legitimate interest in ensuring that there is compliance with the provisions of the Directive
Qualified entities will also be able to apply for injunctive relief and other redress, with injunctions potentially being granted on a preventative or prohibitive basis. In addition, qualified entities may seek redress on behalf of consumers in the form of compensation, repair, replacement, price reduction, contract termination or reimbursement. The redress awarded could vary among consumers in the group or could be the same for all consumers involved in the action. Member States will be given some flexibility as to how this will operate, and will be able to decide to either opt-in, i.e. consumers actively opt-in to being represented, or to opt-out, i.e. a consumer must express their desire not to be represented by a qualified entity. For cross-border actions, only the opt-in basis will be available.
- Safeguards: One of the important features of the Directive on representative actions are the safeguards which were introduced in order to ensure the system does not encourage frivolous lawsuits. These include:
– Loser pays principle: The costs of the proceedings should be borne by the unsuccessful party.
– Dismissal of manifestly unfounded cases: Courts will also be willing to dismiss manifestly unfounded cases at the earliest possible stage of the proceedings.
– Settlement: There is also the possibility that a claim can be settled. However, such a settlement requires the approval of the court.
– Third party funding: A qualified entity will be required to publicly disclose information about its sources of funding for the representative actions it brings. It is important to note that at present, third party funding in Ireland is prohibited.
– Multiple claims by individual consumers: Member States will be required to lay down rules preventing consumers from bringing an individual action or being involved in another collective action against the same trader for the same infringement. Furthermore, Member States must ensure that consumers do not receive compensation more than once for the same cause of action against the same trader.
The CRD was published in the Official Journal of European Union on 4 December 2020. Member States are required to adopt implementing measures by 25 December 2022 and the measures will apply from 25 June 2023. However, at the time of writing only a small number of Member States had notified the EC of implementation. The EC has therefore issued ‘formal letters’ to 24 Member States in relation to a failure to transpose the CRD.
On one hand, manufacturers of products regulated under the EU Medical Devices Regulation (EU) 2017/745 (MDR) and In-vitro Diagnostic Device Regulation (EU) 2017/746 (IVDR) may be uniquely well placed to adapt to these changes given the existing need to comply with these modern and sophisticated pieces of product safety legislation. On the other hand, however, the move to bring the EU product liability regime up to speed with updated product safety legislation is likely to give rise to increased litigation risks that will require careful management. To prepare for these incoming changes digital health stakeholders with products on the EU market should:
- Assess how the revisions contained in the current text of the Proposal would impact their product portfolios were they to become law
- Consider the impact of these proposed changes alongside other new EU legislation designed to safeguard the interests of consumers, especially the Collective Redress Directive, and
- Where necessary, identify opportunities to become involved in policy debates relating to proposed changes that could have a significant impact on particular product lines or product categories.
- PLD Proposal
- EC Q&As on the revision of the PLD
- EP Draft Committee Report on the PLD Proposal (April 2023)
- EPRS Briefing: New Product Liability Directive (May 2023)
- AILD Proposal
- MHC Insights: Class Actions in Ireland?
For more information, contact a member of our Product Regulation & Consumer team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.