As our lives and work become increasingly digital, significant issues regarding the applicability of product liability law to software are being addressed. Daniel West takes a look at the pertinent developments

In the 21st Century, our lives are becoming more digital as we increasingly rely on connected devices, like mobile phones, automated vehicles and smart fridges, ie., products that use, and are often reliant on, software that can change over time – whether by a software update, artificial intelligence or machine learning.

Historically, the law has been slow to afford the same protections to software as it does to tangible products. As readers of CIR may be aware, the UK’s Office for Product Safety and Standards recently sought the public’s views on possible changes to UK product safety post-Brexit, including addressing new technologies; and, similarly, the European Commission’s plans to remove obstacles to consumers bringing claims in respect of digital products.

Against this background, the Court of Justice of the European Union ruled that at least for the purpose of the Commercial Agents Directive (86/653/EEC), software can constitute goods (even if not supplied on a physical medium) – indicating the first shift towards a more modern approach to new technologies.

Software is not a tangible good or physical ‘thing’. It might be supplied on a physical thing (such as a disc or pre-installed on a computer) but increasingly frequently it’s downloaded; and product liability law developed before downloading was common. For instance, the law of contract has traditionally only afforded consumers with protection where software is supplied on a physical medium. Or, in the case of bespoke software, the creation itself might be considered a service which must be performed with reasonable care and skill. But this left a lacuna in the law for off-the-peg software that had not been supplied on a physical medium.

The issue was recognised in the Consumer Rights Act, which was introduced in October 2015, affording consumers new protections when purchasing “digital content” (defined as “data produced and supplied in a digital form”) – which would include software.

Such protections mirror those previously afforded only to tangible goods – namely that the digital content must be of satisfactory quality, fit for purposes and as described. Curiously, the CRA does not seek to achieve this by extending or clarifying the definition of “goods” to include digital content, but instead gives “digital content” its own section – thereby tacitly acknowledging that “digital content” is something separate and distinct from goods.

Despite the introduction of the CRA, issues remain around the applicability of product liability law to software, including:

1. It remains unclear whether the definitions of “product” in the Consumer Protection Act 1987 and General Product Safety Regulations 2005 are intended to include software.

2. In a society where most people accept that software will contain bugs, it may be difficult to determine what level of safety is to be expected.

3. Currently, the safety of a product is determined at the point it is released to the market, but if a product can change throughout its lifecycle, then it’s possible it could become unsafe later.

4. If a producer can update a product to make it safer then questions arise as to whether there is any obligation on it to do so, particularly if consumer expectations of safety change throughout a product’s lifecycle.

5. If a product can change throughout its lifecycle then it is not clear when limitation should start to run in the context of a product that becomes unsafe; and the CRA appears to suggest that regardless of when a flaw is introduced, the limitation period will still run from the date the product was originally supplied – creating a possibility a flaw could be introduced into a product close to or after the six-year limitation period in contract, leaving the consumer without a claim.

Ongoing OPSS and EU reviews

The government created the OPSS in 2018 to deliver and improve consumer protection in the UK. In March 2021, the OPSS issued a call for evidence with a view to reforming the product safety framework, to ensure that it is fit for the future.

The call for evidence recognised that the “growth of internet-connected devices blurs the boundary between product and service, and between an individual product and a connected one”, that “a growing number of products can now communicate with each other and us, learn and evolve in a way that was not envisioned when product regulations were drafted” and that “the interface of software and hardware blurs the boundaries of producer responsibility”.

The response to the consultation, published in November 2021, acknowledged that “the current framework was designed for traditional products” and that clarity was needed with regard to “whether the definition of ‘product’ includes software, the requirements for software updates, and where liability lies”. In this respect, the OPSS says it’s working with the government “to understand the impact of AI on product safety and liability”.

Whilst the UK has of course now left the EU and can set its own product liability rules, it is also worth noting what is happening at an EU level (particularly as the current framework is largely inherited from the UK’s time as an EU member).

In 2018 the European Commission published a review of the Product Liability Directive, upon which the domestic Consumer Protection Act is based, and concluded that it remained an “adequate tool” but had criticisms regarding its applicability to interconnected, digital, autonomous and intelligent products – particularly where products can be changed or adapted throughout their lifecycle.

Consequently, the EC will revise the PLD and recently closed its own public consultation. The amendments being considered include extending the PLD to cover software and digital content and defects resulting from changes made to a product after it has been released to the market.

The Software Incubator Ltd v Computer Associates (UK) LtdIn the case of The Software Incubator Ltd v Computer Associates (UK) Ltd, the court was required to consider the Commercial Agents (Council Directive) Regulations 1993, which implemented the Commercial Agents Directive (86/653/EEC) in the UK. The purpose of this Directive and the subsequent 1993 Regulations is to provide protections for commercial agents selling ‘goods’. The court was asked to determine whether software was goods.

The High Court found in 2016 that software was goods for the purposes of the 1993 Regulations. As such, the matter was appealed and in 2018 the Court of Appeal said that software was not goods. Despite acknowledging that the distinction between tangible and intangible goods “seems artificial in the modern age”, the court said it could not ignore the judicial authorities maintaining the distinction. (The court acknowledged that the introduction of the CRA had proved the point by drawing a clear distinction between tangible, moveable items and digital content.)

The matter was appealed again to the Supreme Court which referred the issue to the CJEU. As a result, in September 2021 the CJEU confirmed that for the purposes of the specific Directive, software can constitute goods. The CJEU came to this conclusion because its own body of case law established that goods meant “products which can be valued in money and which are capable, as such, of forming the subject of commercial transactions”.

It followed that software fell within this definition. The final word of the Supreme Court is awaited.

There remain significant issues regarding the applicability of product liability law to software, particularly where it’s downloaded and connected, or intelligent products that can change throughout their lifecycle. As a result, both the UK (via the OPSS) and the EU are carrying out separate reviews into how the current product liability regime can be made fit for purpose in the 21st century.

The CJEU’s recent decision that software can (at least in some circumstances) constitute goods matches the shift at both domestic and EU level towards a more modern and dynamic approach to consumer protection.

This article was published in the May-June 2022 issue of CIR Magazine.

    Share Story:


Cyber risk in the transportation industry
The connected nature of the transport and logistics industries makes them an attractive target for hackers, with potentially disruptive and costly consequences. Between June 2020 and June 2021, the transportation industry saw an 186% increase in weekly ransomware attacks. At the same time, regulations and cyber security standards are lacking – creating weak postures across the board. This podcast explores the key risks. Published April 2022.

Political risk: A fresh perspective
CIR’s editor, Deborah Ritchie speaks with head of PCS at Verisk, Tom Johansmeyer about the confluence of political, nat cat and pandemic risks in a world that is becoming an increasingly risky place in which to do business. Published February 2022.