Regulating the future: A look at the EU's plan to reboot product liability rules for AI

A recently presented European Union plan to update long-standing product liability rules for the digital age -- including addressing rising use of artificial intelligence (AI) and automation -- took some instant flak from European consumer organization, BEUC, which framed the update as something of a downgrade by arguing EU consumers will be left less well protected from harms caused by AI services than other types of products.

For a flavor of the sorts of AI-driven harms and risks that may be fuelling demands for robust liability protections, only last month the U.K.'s data protection watchdog issued a blanket warning over pseudoscientific AI systems that claim to perform 'emotional analysis' -- urging such tech should not be used for anything other than pure entertainment. While on the public sector side, back in 2020, a Dutch court found an algorithmic welfare risk assessment for social security claimants breached human rights law. And, in recent years, the UN has also warned over the human rights risks of automating public service delivery. Additionally, US courts' use of blackbox AI systems to make sentencing decisions -- opaquely baking in bias and discrimination -- has been a tech-enabled crime against humanity for years.

BEUC, an umbrella consumer group which represents 46 independent consumer organisations from 32 countries, had been calling for years for an update to EU liability laws to take account of growing applications of AI and ensure consumer protections laws are not being outpaced. But its view of the EU's proposed policy package -- which consist of tweaks to the existing Product Liability Directive (PLD) so that it covers software and AI systems (among other changes); and a new AI Liability Directive (AILD) which aims to address a broader swathe of potential harms stemming from automation -- is that it falls short of the more comprehensive reform package it was advocating for.

"The new rules provide progress in some areas, do not go far enough in others, and are too weak for AI-driven services," it warned in a first response to the Commission proposal back in September. "Contrary to traditional product liability rules, if a consumer gets harmed by an AI service operator, they will need to prove the fault lies with the operator. Considering how opaque and complex AI systems are, these conditions will make it de facto impossible for consumers to use their right to compensation for damages."

“It is essential that liability rules catch up with the fact we are increasingly surrounded by digital and AI-driven products and services like home assistants or insurance policies based on personalised pricing. However, consumers are going to be less well protected when it comes to AI services, because they will have to prove the operator was at fault or negligent in order to claim compensation for damages," added deputy director general, Ursula Pachl, in an accompanying statement responding to the Commission proposal.

"Asking consumers to do this is a real let down. In a world of highly complex and obscure ‘black box’ AI systems, it will be practically impossible for the consumer to use the new rules. As a result, consumers will be better protected if a lawnmower shreds their shoes in the garden than if they are unfairly discriminated against through a credit scoring system.”

Given the continued, fast-paced spread of AI -- via features such as 'personalized pricing' or even the recent explosion of AI generated imagery -- there could come a time when some form of automation is the rule not the exception for products and services -- with the risk, if BEUC's fears are well-founded, of a mass downgrading of product liability protections for the bloc's ~447 million citizens.

Discussing its objections to the proposals, a further wrinkle raised by Frederico Oliveira Da Silva, a senior legal officer at BEUC, relates to how the AILD makes explicit reference to an earlier Commission proposal for a risk-based framework to regulate applications of artificial intelligence -- aka, the AI Act -- implicating a need for consumers to, essentially, prove a breach of that regulation in order to bring a case under the AILD.

Despite this connection, the two pieces of draft legislation were not presented simultaneously by the Commission -- there's around 1.5 years between their introduction -- creating, BEUC worries, disjointed legislative tracks that could bake in inconsistencies and dial up the complexity.

For example, it points out that the AI Act is geared towards regulators, not consumers -- which could therefore limit the utility of proposed new information disclosure powers in the AI Liability Directive given the EU rules determining how AI makers are supposed to document their systems for regulatory compliance are contained in the AI Act -- so, in other words, consumers may struggle to understand the technical documents they can obtain under disclosure powers in the AILD since the information was written for submitting to regulators, not an average user.

When presenting the liability package, the EU's justice commissioner also made direct reference to "high risk" AI systems -- using a specific classification contained in the AI Act which appeared to imply that only a subset of AI systems would be liable. However, when queried whether liability under the AILD would be limited only to the 'high risk' AI systems in the AI Act (which represents a small subset of potential applications for AI), Didier Reynders said that's not the Commission's intention. So, well, confusing much?

BEUC argues a disjointed policy package has the potential to -- at the least -- introduce inconsistencies between rules that are supposed to slot together and function as one. It could also undermine application of and access to redress for liability by creating a more complicated track for consumers to be able to exercise their rights. While the different legislative timings suggest one piece of a linked package for regulating AI will be adopted in advance of the other -- potentially opening up a gap for consumers to obtain redress for AI driven harms in the meanwhile.

As it stands, both the AI Act and the liability package are still working their way through the EU's co-legislation process so much could still be subject to change prior to adoption as EU law.

AI services blind spots?

BEUC sums up its concerns over the Commission's starting point for modernizing long-standing EU liability rules by warning the proposal creates an "AI services blind spot" for consumers and fails to "go far enough" to ensure robust protections in all scenarios -- since certain types of AI harms will entail a higher bar for consumers to achieve redress as they do not fall under the broader PLD. (Notably 'non-physical' harms attached to fundamental rights -- such as discrimination or data loss, which will be brought in under the AILD.)

For its part, the Commission robustly defends against this critique of a "blind spot" in the package for AI systems. Although whether the EU's co-legislators, the Council and parliament, will seek to make changes to the package -- or even further tweak the AI Act with an eye on improving alignment -- remains to be seen.

In its press conference presenting the proposals for amending EU product liability rules, the Commission focused on foregrounding measures it claimed would support consumers to successfully circumvent the 'black box' AI explainability issue -- specifically the introduction of novel disclosure requirements (enabling consumers to obtain data to make a case for liability); and a rebuttable presumption of causality (lowering the bar for making a case). Its pitch is that, taken together, the package addresses "the specific difficulties of proof linked with AI and ensures that justified claims are not hindered".

And while the EU's executive did not dwell on why it did not propose the same strict liability regime as the PLD for the full sweep of AI liability -- instead opting for a system in which consumers will still have to prove a failure of compliance -- it's clear that EU liability law isn't the easiest file to reopen/achieve consensus on across the bloc's 27 member states (the PLD itself dates back to 1985). So it may be that the Commission felt this was the least disruptive way to modernize product liability rules without opening up the knottier pandora's box of national laws which would have been needed to expand the types of harm allowed for in the PLD.

"The AI Liability Directive does not propose a fault-based liability system but harmonises in a targeted way certain provisions of the existing national fault-based liability regimes, in order to ensure that victims of damage caused by AI systems are not less protected than any other victims of damage," a Commission spokesperson told us when we put BEUC's criticisms to it. "At a later stage, the Commission will assess the effect of these measures on victim protection and uptake of AI."

"The new Product Liability Directive establishes a strict liability regime for all products, meaning that there is no need to show that someone is at fault in order to get compensation," it went on. "The Commission did not propose a lower level of protection for people harmed by AI systems: All products will be covered under the new Product Liability Directive, including all types of software, applications and AI systems. Whereas the [proposed updated] Product Liability Directive does not cover the defective provision of services as such, just like the current Product Liability Directive, it will still apply to all products when they cause a material damage to a natural person, irrespective of whether they are used in the course of providing a service or not.

"Therefore, the Commission looks holistically at both liability pillars and aims to ensure the same level of protection of victims of AI as if damage was caused for any other reason."

The Commission also emphasizes that the AI Liability Directive covers a broader swathe of damages -- by both AI-enabled products and services "such as credit scoring, insurance ranking, recruitment services etc., where such activities are conducted on the basis of AI solutions".

"As regards the Product Liability Directive, it has always had a clear purpose: to lay down compensation rules to address risks in the production of products," it added, defending maintaining the PLD's focus on tangible harms.

Asked how European consumers can be expected to understand what's likely to be highly technical data on AI systems they might obtain using disclosure powers in the AILD, the Commission suggested a victim who receives information on an AI system from a potential defendant -- after making a request for a court order for "disclosure or preservation of relevant evidence" -- should seek out a relevant expert to assist them.

"If the disclosed documents are too complex for the consumer to understand, the consumer will be able, like in any other court case, to benefit from the help of an expert in a court case. If the liability claim is justified, the defendant will bear the costs of the expert, according to national rules on cost distribution in civil procedure," it told us.

"Under the Product Liability Directive, victims can request access to information from manufacturers concerning any product that has caused damage covered under the Product Liability Directive. This information, for example data logs preceding a road accident, could prove very useful to the victim’s legal team to establish if a vehicle was defective," the Commission spokesperson added.

On the decision to create separate legislative tracks, one containing the AILD + PLD update package, and the earlier AI Act proposal track, the Commission said it was acting on a European Parliament resolution asking it to prepare the two former pieces together "in order to adapt liability rules for AI in a coherent way", adding: "The same request was also made in discussions with Member States and stakeholders. Therefore, the Commission decided to propose a liability legislative package, putting both proposals together, and not link the adoption of the AI Liability Directive proposal to the launch of the AI Act proposal."

"The fact that the negotiations on the AI Act are more advanced can only be beneficial, because the AI Liability Directive makes reference to provisions of the AI Act," the Commission further argued.

It also emphasized that the AI Act falls under the PLD regime -- again denying any risks of "loopholes or inconsistencies".

"The PLD was adopted in 1985, before most EU safety legislation was even adopted. In any event, the PLD does not refer to a specific provision of the AI Act since the whole legislation falls under its regime, it is not subject and does not rely on the negotiation of the AI Act per se and therefore there are no risks of loopholes or inconsistencies with the PLD. In fact, under the PLD, the consumer does not need to prove the breach of the AI Act to get redress for a damage caused by an AI system, it just needs to establish that the damage resulted from a defect in the system," it said.

Ultimately, the truth of whether the Commission's approach to updating EU product liability rules to respond to fast-scaling automation is fundamentally flawed or perfectly balanced probably lies somewhere between the two positions. But the bloc is ahead of the curve in trying to regulate any of this stuff -- so landing somewhere in the middle may be the soundest strategy for now.

Regulating the future

It's absolutely true that EU lawmakers are taking on the challenge of regulating a fast-unfolding future. So just by proposing rules for AI the bloc is notably far advanced of other jurisdictions -- which of course brings its own pitfalls, but also, arguably, allows lawmakers some wiggle room to figure things out (and iterate) in the application. How the laws get applied will also, after all, be a matter for European courts.

It's also fair to say the Commission looks to be trying to strike a balance between going in too hard and chilling the development of new AI driven services -- while putting up eye-catching enough warning signs to make technologists pay attention to consumer risks and try to prevent an accountability 'black hole' letting harms scale out of control.

The AI Act itself is clearly intended as a core preventative framework here -- shrinking risks and harms attached to certain applications of cutting edge technologies by forcing system developers to consider trust and safety issues up front, with the threat of penalties for non-compliance. But the liability regime proposes a further toughening up of that framework by increasing exposure to damages actions for those that fail to play by the rules. And doing so in a way that could even encourage over-compliance with the AI Act -- given 'low risk' applications typically won't face any specific regulation under that framework (yet could, potentially, face liability under broader AI liability provisions).

So AI systems makers and appliers may feel pushed towards adopting the EU's regulatory 'best practice' on AI to defend against the risk of being sued by consumers armed with new powers to pull data on their systems and a rebuttable presumption of causality that puts the onus on them to prove otherwise.

Also incoming next year: Enforcement of the EU's new Collective Redress Directive, providing for collective consumers lawsuits to be filed across the bloc. The directive has been several years in the making but EU Member States need to have adopted and published the necessary laws and provisions by late December -- with enforcement slated to start in the middle of 2023.

That means an uptick in consumer litigation is on the cards across the EU which will surely also concentrate minds on regulatory compliance.

Discussing the EU's updated liability package, Katie Chandler, head of product liability & product safety for international law firm TaylorWessing, highlights the disclosure obligations contained in the AILD as a "really significant" development for consumers -- while noting the package as a whole will require consumers to do some leg work to "understand which route they're going and who they're going after"; i.e. whether they're suing an AI system under the PLD for being defective or suing an AI system under the AILD for a breach of fundamental rights, say. (And, well, one thing looks certain: There will be more work for lawyers to help consumer get a handle on the expanding redress options for obtaining damages from dodgy tech.)

"This new disclosure obligations is really significant and really new and essentially if the manufacturer or the software developer can't prove they're complying with safety regulations -- and, I think, presumably, that will mean the requirements under the AI Act -- then causation is presumed under those circumstance which I would have thought is a real move forward towards trying to help the consumers make it easier to bring a claim," Chandler told TechCrunch.

"And then in the AILD I think it's broader -- because it attaches to operators of AI systems [e.g. operators of an autonomous delivery car/drone etc] -- the user/operator who may well not have applied reasonable skill and care, followed the instructions carefully, or operated it correctly, you'd then be able to go after then under the AILD."

"My view so far is that the packages taken as a whole do, I think, provide for different recourse for different types of damage. The strict liability harm under the PLD is more straightforward -- because of the no fault regime -- but does cover software and AI systems and does cover [certain types of damage] but if you've got this other type of harm [such as a breach of fundamental rights] their aim is to say that those will be covered by the AILD and then to get round the concerns about proving that the damage is caused by the system those rebuttable presumptions come into play," she added.

"I honestly do think this is a really significant move forward for consumers because -- once this is implemented -- tech companies will now be firmly in the framework of needing to recompense consumers in the event of particular types of damage and loss. And they won't be able to argue that they don't sort of fit in these regimes now -- which I think is a major change.

"Any sensible tech company operating in Europe, on the back of this will look carefully at these and plan for them and have to get to grips with the AI Act for sure."

Whether the EU's two proposed routes for supporting consumer redress for different types of AI harms will be effective in practice will obviously depend on the application. So a full analysis of efficacy is likely to require several years of the regime operating to assess how it's working and whether there are AI blind spots or not.

But Dr Philipp Behrendt, a partner at TaylorWessing's Hamburg office, also gave an upbeat assessment of how the reforms extend liability to cover faulty software and AI.

"Under current product liability laws, software is not regarded as a product. That means, if a consumer suffers damages caused by software he or she can not recover damages under product liability laws. However, if the software is used in, for example, a car and the car causes damages to the consumer this is covered by product liability laws and that would also be the case if AI software is used. That means it may be more difficult for the consumer to make a claim for AI products but that is because of the general exception for software under the product liability directive," he told TechCrunch.

"Under the future rules, the product liability rules shall cover software as well and, in this case, AI is not treated differently at all. What is important is that the AI directive does not establish claims but only helps consumers by introducing an assumption of causality establishing a causal link between the failure of an AI system and the damage caused and disclosure obligations about specific high-risk AI systems. Therefore BEUC's criticism that the regime proposed by the Commission will mean that European consumers have a lower level of protection for products that use AI vs non-AI products seems to be a misunderstanding of the product liability regime."

"Having the two approaches in the way that they've proposed will -- subject to seeing if these rebuttal presumptions and disclosure requirements are enough to hold those responsible to account -- probably give a route to the different types of damage in a reasonable way," Chandler also predicted. "But I think it's all in the application. It's all in seeing how the courts interpret this, how the courts apply things like the disclosure obligations and how these rebuttable presumptions actually do assist."

"That is all legally sound, really, in my view because there are different types of damage... and [the AILD] catches other types of scenarios -- how you're going to deal with breach of my fundamental rights when it comes to loss of data for example," she added. "I struggle to see how that could come within the PLD because that's just not what the PLD is designed to do. But the AILD gives this route and includes similar presumptions -- rebuttal presumptions -- so it does go some way."

She also spoke up in favor of the need for EU lawmakers to strike a balance. "Of course the other side of the coin is innovation and the need to strike that balance between consumer protection and innovation -- and how might bringing [AI] into the strict liability regime in a more formalized way, how would that impact on startups? Or how would that impact on iterations of AI systems -- it's perhaps, I think, the challenge as well [for the Commission]," she said, adding: "I would have though most people would agree there needs to be a careful balance."

While the U.K. is no longer a member of the EU, she suggested local lawmakers will be keen to promote a similar balance between bolstering consumer protections and encouraging technology development for any U.K. liability reforms, suggesting: "I'd be surprised if [the U.K.] did anything that was significantly different and say more difficult for the parties involved -- behind the development of the AI and the potential defendants -- because I would have thought they want to get the same balance."

In the meanwhile, the EU continues leading the charge on regulating tech globally -- now keenly pressing ahead with rebooting product liability rules for the age of AI, with Chandler noting, for example, the relatively short feedback period it's provided for responding to the Commission proposal (which she suggests means critiques like BEUC's may not generate much pause for thought in the short term). She also emphasized the length of time it's taken for the EU to get a draft proposal on updating liability out there -- a factor which is likely providing added impetus for getting the package moving now it's out on the table.

"I'm not sure that the BEUC are going to get what they want here. I think they might have to just wait to see how this is applied," she suggested, adding: "I presume the Commission's strategy will be to put these packages in place -- obviously you've got the Collective Redress Directive in the background which is also connected because you could well see group actions in relation to failing AI systems and product liability -- and generally see how that satisfies the need for consumers to get the compensation that they need. And then at that point -- however many years down the line -- they'll then review it and look at it again."

Further along the horizon -- as AI services become more deeply embedded into, well, everything -- the EU could decide it needs to look at deeper reforms by broadening the strict liability regime to include AI systems. But that's being left to a process of future iteration to allow for more interplay between us humans and the cutting edge. "That would be years down the line," predicted Chandler. "I think that is going to require some experience of how this is all applied in practice -- to identify the gaps, identify where there might be some weaknesses."