European Product Liability Act
The revised EU Product Liability Directive 2024/2853 was adopted on the 23rd of October 2024, replacing the 40-year-old Product Liability Directive 85/374/EEC. Relevant to all companies selling products in the EU market, the new directive aims to update the product liability rules to include the latest technologies, the circular economy, new business models, and globalisation of supply chains. It is also designed to make the process of seeking compensation for defective products easier. Some of the amendments in the revised version include:
1. The definition of a 'product' now includes embedded and standalone software and AI-powered products, including those related to digital health.
2. Liability for manufacturers extends to damage resulting from missing or inadequate software updates or weak cybersecurity protection of products.
3. Allows claimants to sue for wider damage, including destruction or corruption of data. Also removes the current deductibles and maximum liability limits.
4. New liability risks for authorised representatives of the manufacturer, software developers, fulfilment service providers (i.e. storage, packaging and shipping service providers), distributors and online marketplaces operators.
5. Strict liability for companies that ‘substantially modify’ a product (regardless of fault).
From an automotive industry standpoint, the new directive’s expansion of the term ‘product’ means that software updates and AI-supported systems in vehicles are also covered under product liability. Specifically, it considers cyber security errors to be potential product defects, which makes it even more pertinent in light of the increasing connectivity and autonomisation of vehicles. Additionally, according to the amendments mentioned above, the liability will not only be limited to manufacturers of automobiles but also extend to importers, fulfilment service providers, and retailers. All of these changes, along with the removal of maximum liability limits and retroactive liability for software updates, present big challenges for vehicle and car manufacturers and their suppliers.
While the revised PLA broadens liability, it also includes certain exclusions and limitations:
- State of the Knowledge: Manufacturers may not be held liable if they can demonstrate that the state of scientific and technical knowledge at the time of production did not allow for the detection of the defect.
- Third-Party Modifications: Liability may be limited if the defect was caused by unauthorised modifications or misuse by the user or third parties.
- Statute of Limitations: Claims must be brought within a specified period after the defect becomes known.
EU Data Act
The EU Data Act, adopted in 2023 and expected to be fully applicable by the end of 2025, introduces new rules for data sharing, accessibility, and security in the digital economy. For the automotive industry, the Data Act has significant implications, particularly as vehicles generate and process vast amounts of data.
Key Provisions of the EU Data Act
- Data Accessibility: The Data Act grants users (e.g., vehicle owners, fleet operators) the right to access data generated by their products, including connected vehicles.
- Data Sharing: Manufacturers may be required to share certain data with third parties, such as service providers, repair shops, and insurers, under specified conditions.
- Data Security: The act imposes strict requirements for the protection of personal and non-personal data, including encryption, access controls, and incident response measures.
- Interoperability: The Data Act promotes interoperability and standardised data formats to facilitate data sharing and reuse.
Implications for the automotive industry
The EU Data Act requires OEMs to enhance data transparency, implement robust cyber security measures, and adapt to data-driven business models such as predictive maintenance and usage-based insurance. Compliance poses challenges, requiring major updates to IT systems, processes, and contracts to meet regulatory standards and ensure user control over vehicle-generated data.
Strategies for Managing Data Accessibility, Security, and Compliance
The best strategy for OEMs is to adopt robust data governance frameworks, strengthen cyber security with encryption and monitoring, and create user-friendly data portals. They should also establish secure third-party data-sharing protocols and continuously monitor regulatory changes to maintain compliance with evolving Data Act requirements.
- Implement Data Governance Frameworks: Establish clear policies and procedures for data collection, storage, sharing, and deletion.
- Enhance Cyber Security Controls: Deploy advanced encryption, access controls, and monitoring tools to protect vehicle data.
- Develop User-Centric Data Portals: Provide users with secure, user-friendly interfaces for accessing and managing their data.
- Engage with Third Parties: Establish contractual and technical frameworks for secure data sharing with authorised third parties.
- Monitor Regulatory Developments: Stay informed about updates to the Data Act and related regulations to ensure ongoing compliance.