This article first appeared in Chambers Global Practice Guides. The aim of this guide is to provide in-house counsel with expert legal commentary on the main practice areas in key jurisdictions around the world. The guides focus on the practical legal issues affecting business and enable the reader to compare legislation and procedure across a range of key jurisdictions. This specific guide provides an overview of product liability laws and regulations applicable in United Kingdom.
Click here to read the section on Product Liability & Safety 2021 - Law and Practice.
Product liability is the area of law governing the liability of producers, suppliers and distributors of defective products. In the UK, claims relating to product liability may be brought in negligence, breach of contract or pursuant to the Consumer Protection Act 1987 (CPA), the implementing legislation which transposed the EU Product Liability Directive 85/374/EEC (PLD) into UK law.
Consumer products have evolved considerably since the CPA came into force over 30 years ago. At that time, the World Wide Web was yet to go live, and CD-ROMs were at the forefront of technology. The products on the market then were more simplistic in nature and tended to be physical items, for example, a car or a washing machine, that were not subject to updates or modifications once they had left the factory gates. The traditional risks of personal injury and property damage associated with these products were tangible and widely understood.
Fast-forward thirty-plus years and many of the products that we use today have features and characteristics that could not have been imagined in the 1980s, for example, remote access and wireless application protocols like Bluetooth, with products capable of manual or automated modification via software updates. Connected devices, commonly referred to as the internet of things (IoT) and technologies powered by AI (hereafter referred to as "emerging technologies" for the purpose of this report), including robotics, continue to develop at lightning speed and have set the stage for ongoing technological advancement. Research by Statistica suggests that, by 2030, around 50 billion of these connected devices will be in use around the world. From wearable health monitoring devices to home security systems to virtual AI assistants like Apple’s Siri, consumers’ increasing reliance on these emerging technologies has changed the way we live today, and this has been brought to the fore by the COVID-19 pandemic.
With technology having developed faster than the law, the way that the CPA applies, or indeed whether it does apply, to these emerging technologies is far from clear. The unique features and characteristics of these technologies present challenges to the existing legal framework and raise questions as to whether it is fit for purpose, or the extent to which it may need to be adapted. We examine how these challenges have been recognised by legislators and what the future may hold for product liability legislation in the UK.
Emerging technologies and CPA claims
Minding the liability gap
With the exception of A v National Blood Authority , which concerned transfused blood, CPA claims in England and Wales have predominantly concerned stand-alone, physical products, usually involving an easily identifiable producer and physical damage. By way of example, the recent landmark authorities of Wilkes v DePuy International Limited  and Gee & others v DePuy International Ltd  (Gee) concerned hip implants, and Wilson & Ors v Beko Plc  involved a fridge freezer. Although the CPA definition of "product" is relatively wide in scope, its application to emerging technologies has yet to be tested.
Product or service
The CPA imposes strict liability on a producer for damage caused by a defective product, sometimes referred to as "no fault liability". A claimant must prove the defect and that the defect caused the damage claimed.
Notably, the CPA only applies to products, not the provision of services. Section 1(2) of the CPA explains that a product “means any goods or electricity and… includes a product which is comprised in another product, whether by virtue of being a component part or raw material or otherwise”.
The distinction between "product" and "service" has not posed any great challenge to the application of the CPA thus far. However, as recognised by the European Commission (the Commission) in its Fifth Report on the application of the PLD (2018), there are open questions as to what separates a product from a service in the context of emerging technologies, where products and services typically have a close interaction. For example, an AI-powered medical device, like a connected pacemaker, comprises the physical hardware of the pacemaker and cloud-based software which produces patient data.
Whether software is to be considered a product as defined by the CPA, or a service, is fundamental to the application of the CPA to emerging technologies. It is conceivable that AI-based software, or data that is integrated into hardware as an intangible “component part”, could be considered a product. This issue was addressed at European level as early as 1988, not long after the PLD had come into force, with Lord Cockfield of the European Commission stating that “the Directive applied to software in the same way, moreover, that it applies to handicraft and artistic products”. Despite this direction, these issues continue to be the subject of extensive debate by European and UK legislative bodies.
More recently, in VI v KRONE-Verlag Gesselschaft mbH & Co KG , the CJEU ruled that it is clear from the interpretation of the the PLD that inaccurate health advice in a printed newspaper, which, when followed, causes injury to the reader, does not constitute a "defective product" within the meaning of its provisions. The CJEU considered that the provision of inaccurate advice, which by its nature constituted a "service", was unrelated to the printed newspaper and further, the service did not concern either the presentation or the use of the newspaper. Accordingly, the service was not part of the inherent characteristics of the printed newspaper which alone permits an assessment as to whether the product is defective. The CJEU ruled that liability of service providers and liability of manufacturers of finished products constitute two distinct liability regimes, as the activity of service providers cannot be equated with those of producers, importers and suppliers. Further, it considered that a liability regime applicable to providers of services should be governed by separate legislation. This case offers an insight as to how a court may approach defective product claims brought in respect of emerging technologies, where the line between what is considered a product and a service is blurred.
Why the ongoing debate?
If software is considered a service, a consumer would be precluded from bringing a defective products claim under the CPA but could pursue an action in negligence or breach of contract. To bring a claim in negligence, the consumer would need to demonstrate that the supplier of the service had not acted with reasonable skill or care, which is potentially more challenging than bringing a claim under the CPA as it involves an examination of the supplier’s actions. Furthermore, it could become problematic for courts to apply, for example, a “reasonable software standard”, instead of the reasonable person standard.
Who is a producer?
The CPA imposes strict liability on a producer, or those who hold themselves out to be a producer. As emerging technologies typically comprise software that is subject to regular updates, questions may be raised as to which person(s) is considered a producer for the purposes of the CPA. For example, is the software developer or the engineer responsible for the updates liable for damage caused by the software? Might the software itself, or the human using the technology, be considered a producer?
Scope of "damage"
Section 5 of the CPA restricts recoverable damages to death, personal injury, or damage to private property exceeding £275 but excludes damage to the defective product itself. However, whilst a vulnerability in software resulting in a cybersecurity attack arguably has the potential to render a product defective if the producer failed to protect the device from such attacks, it is questionable whether the scope of any consequential immaterial damage, such as the unauthorised disclosure of personal data (or any resulting Information Commissioner's Office (ICO) fines), will be covered by the CPA. Guidance may be sought from EU level discussion where it has been proposed that “immaterial loss” should be taken into account in respect of any future civil liability regime for AI.
The approach to "defect"
Section 3 of the CPA provides that a product is defective "if the safety of the product is not such as persons generally are entitled to expect". As the CPA applies to a range of products from toys to medical devices, this is a flexible test. In assessing the safety of a product, the court will take into account all of the circumstances it considers factually and legally relevant to the evaluation of safety on a case by case basis. These factors may include safety marks, regulatory compliance and warnings, and what might reasonably be expected to be done with the product.
What people generally are entitled to expect
In Gee, the court confirmed that the test for defect is objective and asks what people are generally entitled to expect when the product was released to market, not what the claimant actually expected. The application of this test to emerging technologies will be not be straightforward, particularly given the fast pace of development.
Furthermore, whilst entitled expectation is judged at the date of supply of a product, determining the date of supply may be difficult where a product contains software that is subject to automatic modification. For example, if an update to software contained within AI-powered robotic surgical equipment causes it to malfunction, resulting in injury to a patient, is the date of supply the date the equipment was supplied to the hospital, or the date the software was updated?
“All of the circumstances”
In the UK, industry standards in respect of connected consumer products were first published in 2018 via a voluntary Code of Conduct setting out the security principles to be applied by producers and other relevant industry stakeholders. A new European Standard on connected product security was subsequently adopted in 2020, with the UK Government contributing significantly to its development. When considering “all of the circumstances” for the purposes of considering whether an emerging technology is defective under the CPA, a court may therefore take into account the absence of published industry standards prior to 2018, in particular where the emerging technology has caused damage prior to that date.
The courts’ likely approach to defect in emerging technologies
Although the approach to defect in respect of a connected device is yet to come before the UK courts, some direction may be sought from the European case of Boston Scientific Medizintechnik GMbH v AOK Sachesn-Anhanlt-Die Gesundheitskasse  (Boston). Here, the court was willing to find a product defective within the meaning of the PLD where it belonged to a group of products where there was the potential for failure. Whilst the decision in Boston was fact-specific and concerned high-risk implantable medical devices, the application of a "presumption of defect" is perhaps superficially attractive in the context of emerging technologies where a product’s functionality has been unexpectedly compromised. However, it is arguable that this approach is only likely to prove persuasive if the compromised functionality poses similar life threatening risks to that of the pacemaker device that was the subject of Boston.
Establishing a causal link between defect and damage can be an onerous burden on a consumer, particularly if the claimant is unable to establish what it is about a product that makes it defective and the cause of the damage. The burden may feel even heavier in the context of a complex emerging technology. For example, a user of a healthcare application may not be able to determine why an algorithm within the software has made a particular patient diagnosis, that resulted in injury. Determining causation can be further complicated by multiple users and operators of the software in question. Problems may arise if the chain of causation has been broken, particularly if the consumer misused the software or did not follow the manufacturer’s instructions.
Application of the ten-year longstop period
The CPA provides for a ten-year longstop provision which extinguishes any right of action for damages brought under the CPA more than ten years after the product was first supplied. The court will not allow circumvention of the ten-year longstop, as confirmed by Wilson & Ors v Beko Plc .
It is questionable whether the longstop is fit for purpose in respect of emerging technologies. For example, if an autonomous vehicle becomes faulty as a result of a software update performed ten years after the vehicle was supplied, is the longstop period calculated against the date the vehicle itself was supplied, or the date of the software update which potentially changes the characteristics of the vehicle? Unless legislators clarify this issue, producers of emerging technologies could be at risk of open-ended liabilities lasting the product’s lifetime, of which the likely consequence is increased product prices and insurance premiums.
In February 2021, the Berlin Regional Court ruled that for products which comprise individual parts that are put into circulation on different dates, it is those dates which are relevant for the purpose of the longstop period and not the date the products were subsequently assembled for use. This decision offers an insight into how courts could apply the longstop to claims concerning emerging technologies where software changes arguably result in the constitution of a new product, or where hardware and software components are manufactured by different manufacturers at different times.
Current defences under the CPA – will they survive?
Section 4(1)(d) provides one of the defences to a defective products claim where “the defect did not exist in the product at the relevant time”. The application of this defence to emerging technologies has been considered by the EU’s Expert Group on Liability and New Technologies (Expert Group) who recommend that a producer should still be liable for defects, even if the defects appear after the product was put into circulation, as long as the producer was still in control of updates to, or upgrades on, the technology.
Section 4(1)(e) also provides a "development risks defence" where “the state of scientific and technical knowledge at the relevant time was not such that a producer of products of the same description as the product in question might be expected to have discovered the defect if it had existed in his products whilst they were under his control”. A producer of emerging technologies may seek to rely on this defence to assert that a product risk was not reasonably foreseeable at the time of programming and/or that the programming was in line with the relevant industry standards at the time of development. However, there may be difficulties in applying this defence to certain emerging technologies, particularly if the level of safety of those technologies is not yet fully known. This was recognised by the Expert Group who recommended that this defence should not be available for emerging technologies generally, providing that the producer was still in control of updates to, or upgrades on, the technology, and where it is predictable that unforeseen developments might occur.
Future-proofing product liability
EU driving change
The EU has long recognised that emerging technologies, particularly artificial intelligence (AI), have a significant role to play in economic development, acknowledging the importance of evaluating existing legislation to ensure that the EU is ready for the digital age. The regulation of emerging technologies has already materialised within the medical devices sphere with the introduction of the Medical Device Regulations and In Vitro Diagnostic Regulations (2017/745 and 746) that, belatedly, came into force on 26 May 2021.
The EU is now leading the charge for future reform, showing a commitment to developing legislation that balances the promotion of innovation with consumer protection, whilst protecting citizens’ fundamental rights. For example, recent proposals call for a restriction on the use of “real” time identification in publicly accessible places.
In a post-Brexit era, the proposed reform will not be implemented in the UK. Nevertheless, given the global nature of the AI market, UK product manufacturers will be directly affected when seeking to sell their products in the EU. Furthermore, as the UK is independently taking similar initiatives, it is anticipated that it will largely reflect any future legislative changes that may be made at European level.
Focus on products and AI
In 2018, the Commission published its fifth report on the application of the PLD, evaluating its function and performance. It concluded that, despite the increased complexities of modern products, the PLD continues to serve its purpose but signalled that certain concepts may need to be updated, including “product” and “defect”.
The above-mentioned Expert Group was subsequently formed to establish how effectively the existing EU liability framework would operate in relation to emerging technologies with a view to drawing up future guidance on the PLD. Their findings culminated in the Commission’s White Paper on AI in February 2020, which set out proposals for a harmonised regulatory framework for AI. The White Paper was accompanied by a “Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and Robotics” (the Report). The Report does not advocate an overhaul of the entire product liability regime but, instead, acknowledges that provisions explicitly covering new risks presented by emerging digital technologies could be introduced to provide more legal certainty, for example, the mental safety risks to users and the risks of faulty data at the design stage. The Report also acknowledged uncertainty as to how, and to what extent, certain risks, including cyber-threats and loss of connectivity, are sufficiently addressed by the PLD or other existing European legislation.
In October 2020, the European Parliament (the EP) made recommendations to the Commission for a civil liability regime for AI, to take the form of a regulation. Notably, the recommendation acknowledges that the PLD is “an effective means of getting compensation for harm triggered by a defective product but should nevertheless be revised to adapt it to the digital world and to address the challenges posed by emerging digital technologies, ensuring, thereby, a high level of effective consumer protection, as well as legal certainty for consumers and businesses”. The EP urged the Commission to assess whether the PLD should be transformed into a regulation, to clarify the definition of "products" by determining whether digital content and digital services fall within its scope, and to consider adapting concepts including "damage", "defect" and "producer".
The EP also called on the Commission to:
- Consider reversing the rules governing the burden of proof for harm caused by emerging digital technologies in clearly defined cases
- Ensure any update to the PLD remains limited to clearly identified problems for which feasible solutions already exist whilst allowing future technological developments to be covered, and
- Continue using the PLD in respect of civil claims concerning defective AI-systems when the AI-system qualifies as a product under the PLD.
The EP proposes a strict liability regime for high-risk AI systems, with high-risk defined as “a significant potential in an autonomously operating AI-system to cause harm or damage to one or more persons in a manner that is random and goes beyond what can reasonably be expected”. Unlike the PLD, this strict liability regime does not require the affected person to prove if, and how, the AI-system was faulty. For AI systems not classified as high-risk, the recommendations provide that the operator shall be “subject to fault-based liability for any harm or damage that was caused by a physical or virtual activity, device or process driven by the AI system”, making it clear that the operator will not be able to escape liability by arguing that the harm or damage was caused by an activity, device or process driven by the AI system.
On 21 April 2021, the Commission published its long awaited proposals for a regulation laying down harmonised rules on AI. The proposals impose strict controls and extensive risk management for the most risky forms of AI, including the requirement to undergo conformity assessments, the drawing up and maintenance of technical documentation, the implementation of quality management systems and affixation of CE-markings to indicate conformity with the Commission’s proposed regulation, before products are released to market. The proposals have wide-ranging applicability and will affect both AI providers and users inside and outside the EU.
The Commission pledges to propose, in 2022, measures adapting the liability framework to the challenges of emerging technologies to ensure that victims who suffer damage to their life, health or property because of emerging technologies have access to the same compensation as victims of other technologies and other products. It also proposes the possibility of a revision of the PLD. With the CPA being the implementing legislation that transposed the PLD into UK law, UK legislators will undoubtedly be following these developments very closely.
UK product safety and liability review
Although not as advanced as the EU, the UK has taken, and continues to take, similar steps to address whether its existing product safety and liability regimes meet the challenges of emerging technologies.
We have seen the recent introduction of sector-specific legislation governing emerging technologies. In 2018, the Automated and Electrical Vehicles Act came into force imposing liability on an insurer for damage caused by an insured automated vehicle. Developments subsequently followed in the medical devices arena with the introduction of the Medicines and Medical Devices Act 2021, which provides the Secretary of State for Health with wide powers to amend the existing regulatory framework for medical devices and medicines post-Brexit, including the improvement of medical device safety and performance through advances in technology.
On 11 March 2021, the government opened a consultation via its UK Product Safety Review (the Review), exploring changes to existing product safety laws to ensure the framework is fit for the future. This includes a call for evidence from stakeholders to consider how and to what extent the existing framework may need to be adapted in respect of liability and enforcement. Whilst the CPA is not the central focus of the Review, it acknowledges that its provisions do not reflect emerging technologies like internet-enabled devices, AI and 3D printing. The Review expressly excludes food, chemicals, medical or healthcare products, construction products or vehicles, all of which are subject to separate regulation.
The potential review and reform of the CPA is, however, being mooted by the Law Commission as part of its 14th Programme of Law Reform, having recently invited views as to whether the CPA should be extended to cover all software and other tech developments, citing the similar challenges that have been considered and addressed by the EU.
Although the government’s Review and the Law Commission’s 14th Programme are still in their infancy, change is on the horizon and the UK product liability framework will inevitably be subject to amendment. Interested stakeholders will be watching these developments closely and, in particular, the extent to which the UK will mirror Europe’s proposals.