Liability in the Internet of Things: The Legal Riddle

We are facing the next step towards the digitisation of our society and economy, where many objects and people are interconnected through communication networks and report data about themselves or their surrounding environment. The Internet of Things (hereinafter, “IoT”) era is here to stay and it is changing how companies operate at every level and how they interact with other parties. Ever since the European Commission launched the Alliance of IoT Innovation to support the creation of an innovative and industry driven European Internet of Things ecosystem in March 2015, the European Commission has carried out several support policy actions to accelerate the arrival of the IoT. Automated driving is a prime example of living in the IoT era. Many of the vehicles that we drive today are connected vehicles, in other words, moving computers capable of exchanging information wirelessly with, among others, the producers, other vehicles and other service providers, in order to improve the security, efficiency and comfort of the driver. Other examples of IoT based products can be found on smart homes, personal wellness and wearables and smart cities. The aim of IoT is to combine the physical and virtual worlds in order to achieve a smarter world that will make our lives easier, safer, more efficient and more user-friendly. However, as we submerge into the IoT application and use, it becomes clearer that there are going to be new kinds of legal risks and challenges. While some of these consequences may be easily foreseen, some other consequences will be unexpected, not being noticed until bumped into the problem directly. One area that will be impacted is product liability.
 
Considering the technology advance, it might be time to review the existing legislation of the European Union regarding the liability of defective products. The Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (hereinafter, the “Directive”) ensures consumer protection against damage caused to health or property by a defective product. According to the Directive, the producer shall be liable for the damage caused by a defect in his product. Under the Directive, a “product” is defined as a movable – even if incorporated into another movable or into an immovable – and includes primary agricultural products, game and electricity. A product shall be considered defective when it does not provide the safety which a person is entitled to expect. The Directive defines “producer” as the manufacturer, the service provider, or the importer in the European Union, of specific finished products, any components integrated into a specific finished product or raw materials.
 
In light of the technological advancements, it is uncertain to what extent the present Directive meets its objectives of guaranteeing the liability of the producer for the damage caused by a defective product nowadays and in the near future. In fact, it is questionable whether the concepts such as “product” or “producer” that can be found in the Directive are obsolete when talking about IoT based products.
 
In the IoT product and service producers collaborate, creating a complex ecosystem composed by physical objects, software, internet infrastructure, etc. involving a variety of actors such as product manufacturers, software producers, infrastructure providers or even the final users. Any of the personalities involved in the so called IoT ecosystem could cause damage and should therefore be liable. As a consequence, it could be difficult to assign the liability and, even more, to establish general rules of liability, especially considering that the liability may vary over the life of the product/service.
 
The European Commission has expressed its concern regarding liability in the framework of the Digital Single Market through several communications, staff working documents and workshops with stakeholders, among others. The European Commission points out[1] that such interdependency between product and service providers increase the following questions: “Who is responsible for guaranteeing the safety of a product? Who is responsible for ensuring safety on an on-going basis? How should liabilities be allocated in the event that the technology behaves in an unsafe way, causing damage?” The necessity to even ask these questions in the first place highlights the difficulties in identifying the origin of the defect on the product and in determining where the responsibility lies. Above all this, there is the very complicated problem of how to prove the defectiveness or unsafety of the product, how it was originated and the causal link with the caused damage.
 
Likewise, another issue to consider is whether some of the definitions in the current European Union legislation are valid for IoT based products. In this regard, products and services are differentiated and, as a consequence, the services fall out of the scope of the product liability of the Directive. Considering that software or data supply is considered a service, in an IoT based product the damage could be caused by a service. For instance, going back to the example of the connected vehicle, as a consequence of false data supply to the GPS of the vehicle, it could end up circulating through a street in an opposite direction, which could cause physical damage to property or personal injury.
 
The European Commission is determined to adapt the current legislation in order to achieve a product liability coherent with the developments of technology. In this regard, in September 2016, the Commission published an Evaluation and Fitness Check Roadmap in order to assess the functioning and the performance of the Directive.[2] In fact, article 21 of the Directive obliges the European Commission to present a review of its application to the Council every five years and, due to the new technological developments, it can be foreseen that the next revision will result on a formal review. The European Commission aims to provide an evidence-based assessment for each member state with an evaluation of the effectiveness, efficiency, coherence, relevance and EU added value of the Directive. The evaluation shall be completed by July 2017.
 
Sönke Lund
Partner
slund@mmmm.es
 
Lund has a Degree in Law from the University of Hamburg, including previous studies in Berlin. Member of the Hamburg Bar and the Barcelona Bar. Specialised in Intellectual & Industrial Property Law, Private International Law and Procedure, Consumer Law, Distribution and International Sales, Environmental and Technology Law and Food Law.
 
Consuelo Álvarez
Associate
calvarez@mmmm.es
 
Álvarez has a Degree in Law from the University of Valencia and a Master of Laws (LL.M.) in Intellectual Property from the Heinrich Heine University of Düsseldorf. Member of the Valencia Bar and the Barcelona Bar. Specialised in Intellectual & Industrial Property Law, Litigation, Consumer Law, Data Protection and e-commerce Law.
 
Monereo Meyer Marinel-lo Abogados
Passeig de Gràcia, 98 · E-08008 Barcelona
Tel: (+34) 93 487 58 94 · Fax: (+34) 93 487 38 44