The increasingly rapid pace of product-related regulation at national and European level is unstoppable. Companies should therefore keep abreast of legal changes that have already been adopted and affect them, as well as of ongoing and emerging developments. This is the only way to ensure compliance with current regulations and to be able to influence future regulations.

This article represents the third part of the series of blog posts entitled “What’s changing in 2023”, in which the experts of the Produktkanzlei team summarize the relevant topics from their respective areas of expertise in an overview format. Specifically, the draft AI Regulation (see A.), draft Cyber Resilience Act (see B.), data protection and cybersecurity in Radio Equipment Law (see C.), proposed Product Liability Directive (see D.), and draft AI Liability Directive (see E.) will be examined below.

A. AI Regulation

In April 2021, the EU Commission presented a draft AI Regulation intended to define the legal framework for the development, distribution and use of AI systems. This draft has since been viewed critically and has been the subject of controversial discussions (see, for example, Wiebe, BB 2022, 899 et seq.). After the European Parliament also submitted hundreds of amendments, the original Commission draft underwent changes in various places under the Czech Council Presidency. In particular, the initially broad term “AI system”, which basically covered any software, was narrowed by now requiring a certain degree of autonomy. Meanwhile, the New Legislative Framework (NLF) remained in place as a regulatory concept under product safety law.

Contrary to expectations, the AI Regulation was not adopted in 2022. It is therefore likely that the EU will do so in 2023. However, it is still unclear exactly when the EU will reach an agreement and adopt the AI Regulation.

B. Cyber Resilience Act

Early last fall, the Commission published its proposal for a regulation on horizontal cybersecurity requirements for products with digital elements, the Cyber Resilience Act. This European legal act is intended to introduce mandatory cybersecurity requirements for products with digital elements throughout their lifecycle (for more details on the individual contents of the draft, see our blog post on the draft EU Cybersecurity Resilience Act).

The legislative process is still at quite an early stage. Even though the EU attaches great importance to the legislative project, the regulation can be expected to be enacted at the end of 2023 at the earliest. In view of the far-reaching regulations, however, economic operators would do well to follow developments closely now.

C. Data protection and cybersecurity in Radio Equipment Law

At the beginning of last year, Regulation (EU) 2022/30 was published, making amendments to Directive 2014/53/EU (known as the EU Radio Equipment Directive). This amending regulation introduces data protection and cybersecurity requirements for certain radio equipment for the first time. Radio equipment that can itself communicate over the Internet (whether directly or via other equipment) must not have a harmful effect on the network or its operation, nor cause misuse of network resources that would cause unacceptable degradation of service, Art. 1 para. 1 Regulation (EU) 2022/30. In addition, it incorporates safeguards to ensure that personal data and the privacy of the user and subscriber are protected, Art. 1 para. 2 (a) Regulation (EU) 2022/30.

This regulation will not apply until 01.08.2024. However, since these requirements are likely to be specified by means of harmonized standards in the near future, it makes sense to use 2023 to prepare for these new, far-reaching rules, which will affect a large amount of radio equipment.

D. Product Liability Directive

The Commission’s draft Directive on liability for defective products of 28.09.2022 (PLD-D) provides for a comprehensive reform of strict product liability law. The reason for and aim of the reform is, among other things, to meet the special features of product liability law and the challenges arising from the digitalization of products. For example, the term “product” now explicitly includes software (such as an AI system) and digital construction documents (such as functional information for 3D printers) (cf. Art. 4 para. 1 PLD-D). Accordingly, the ability of a product (e.g., an AI system) to learn and change, networking and interoperability with other products, software updates after being placed on the market, and safety-relevant cybersecurity requirements along with requirements of product safety law are among the criteria for assessing the defectiveness of a product (cf. Art. 6 para. 1 PLD-D). In addition, the draft provides for consideration of official corrective measures in the context of the assessment of defectiveness, Art. 6 para. 1 (g) PLD-D.

In accordance with the reason for the reform, the draft expands the circle of protected goods: data now count as a protected good. The loss or falsification of data that is not used exclusively for professional purposes constitutes compensable damage (cf. Art. 4 para. 6 (c) PLD-D).

The draft also expands the personal scope of application. In addition to the (final or partial) manufacturer, importers and the manufacturer’s authorized representatives are also liable economic operators in accordance with Art. 7 para. 1 PLD-D, provided that the manufacturer is located outside the EU (see Art. 6 para. 2 PLD-D). In these cases, fulfilment service providers are also liable on a subsidiary basis, Art. 6 para. 3 PLD-D. Based on the manufacturer fiction, any natural or legal person who substantially alters a product that has already been placed on the market or put into service within the meaning of product safety law shall also be liable as a manufacturer, Art. 6 para. 4 PLD-D. The subsidiary liability of suppliers, which may also include providers of an online platform, remains in place, Art. 6 para. 5, 6 PLD-D.

The draft breaks new ground in procedural law with the possibility of a court order for the disclosure of relevant evidence, such as internal company design or production documents. The prerequisite for a “disclosure of documents” is the plausible presentation of the claim for damages by the claimant. In terms of procedural law, Art. 9 PLD-D also lightens the burden of proof in favor of the claimant, despite the usual distribution of the burden of proof. Accordingly, a defect is rebuttably presumed in the following cases:

  • violation of the obligation to disclose documents
  • proof of a violation of mandatory national or EU safety requirements
  • proof that the damage was caused by an obvious malfunction of the product during normal use or under normal circumstances

In addition, the maximum liability limit (previously EUR 85 million pursuant to Sec. 10 para. 1 German Product Liability Act) and the deductible of EUR 500 for property damage (previously pursuant to Sec. 11 German Product Liability Act) will be abolished. Furthermore, the extension of the limitation period for late effects on health to 15 years is planned, Art. 14 para. 3 PLD-D.

There is no doubt that the proposal contains a number of tightening measures. However, it cannot necessarily be assumed that the draft will be adopted on a 1-to-1 basis; changes are therefore to be expected, especially as the legislative process is only just beginning. Against this background, entry into force in 2023 is not very likely. In any case, the current draft provides for an implementation period of 12 months from the entry into force of the Directive, Art. 18 para. 1 PLD-D.

E. AI Liability Directive

The Commission has envisaged special liability-related regulations for AI systems in the draft Directive on AI Liability of 28.09.2022 (AI Liability Directive-D). Contrary to the title, the directive does not contain a specific liability regime together with corresponding substantive claims for damages. The directive has only a limited scope of application and only serves to facilitate the assertion of non-contractual fault-based civil law claims for damages in relation to damage caused by an AI system. In this respect, the directive does not affect substantive product liability law. Specifically, the directive is essentially limited to two provisions: a duty to disclose information about high-risk AI systems on the one hand (Art. 3 AI Liability Directive-D) and a rebuttable presumption of a causal link between the breach of the duty of care and the conduct of the AI system on the other (Art. 4 AI Liability Directive-D).

The draft Regulation on operator liability for AI systems submitted by the European Parliament in October 2020 is thus likely to be “off the menu”. The progress of the AI Liability Directive-D will strongly depend on the development of the AI Regulation due to its close interlinkage. The PLD-D will also influence the AI Liability Directive-D. It remains to be seen whether the AI Liability Directive will enter into force as early as 2023. In any case, after the directive enters into force, Member States will have two years to implement it, Art. 7 para. 1 AI Liability Directive-D.

12. January 2023 Dr. Gerhard Wiebe