Mandatory updates? State of the art for software
The pace of technological development continues unabated, due above all to the trend towards digitization. For this reason, laws and contractual agreements which make reference to technical standards should typically be drafted in an open-ended manner so as to enable them to keep pace with recent technological developments (as noted e.g. by the Federal Constitutional Court in its famous Kalkar Order of 8 August 1978, Case No. 2 BvL 8/77) (only in German). Instead of requiring a specific technical condition, laws and contracts will therefore typically include an abstract designation of the necessary or desirable technical condition.
The three technical standards and their legal significance
Three different standards have emerged for the abstract designation of technical requirements:
- The first is "generally accepted technical rules." This refers to technical determinations which are viewed as a reflection of the state of technical design by a majority of people in the field (such as DIN standards or VDI guidelines). If "generally accepted technical rules" are the applicable standard, there is typically an expectation that the product meets certain minimum requirements.
- One step higher is "state of the art," which refers to established findings from science, engineering and experience. If the state of the art is required, it is not necessary to use the best available technology, only one which has undergone a certain amount of testing. But unlike "generally accepted technical rules," it is not necessary for the solution to be accepted by a majority of people in the field or for it to be specified in technical standards. "State of the art" is required e.g. in data protection law (cf. Article 32(1) of the GDPR) (only in German) as well as in medical devices law (cf. MDR, Annex 1, No. 1) and in many other statutes. "State of the art" is also frequently relied upon for the identification of material defects and it will be the applicable standard in connection with implementation of the Digital Content Directive.
- Another step above is the "state of science and engineering," which requires the best possible technical performance, and which is used e.g. in product liability law (cf. Federal Supreme Court, Judgment of 16 June 2009, Case No. VI ZR 107/08) (only in German).
State of the art in software
Whether manufacturers are required to adhere to the "state of the art" or a different technical standard depends on which laws apply as well as the existing contractual agreements. For this reason, manufacturers of software and products which contain software should carefully examine their statutory and contractual obligations in each case. The technical rules described above must be followed depending on the applicable technical standard. This is generally true for software in the same way as for physical products.
When is the assessment made?
Of course, the question as to whether a product or software adheres to the state of the art depends on when the assessment is made. This, in turn, depends on the applicable laws and contractual agreements. In data protection law, for example, state of the art must be ensured throughout the entire processing period, so that the definition of state of the art must be continually adapted based on a risk assessment.
In the law governing contracts of sale, the situation is different. In this case, the question as to whether a defect exists is determined at the time of passage of risk. When software is involved, this raises a fascinating question, and one which has yet to be fully clarified: is software considered to be defective only when a weak point is discovered, or is the software defective if the necessary conditions are present for the emergence of a weak point?
Our view is that a defect can only exist upon passage of risk if the software's weak point was foreseeable at that time. This should be the case if the weak point is not attributable to new attack techniques or previously unknown technical methods. Contractual agreements frequently specify a duty to ensure state of the art on a continuous basis over the entire term of the contract or the entire useful life of the product or software in question.
When are updates necessary?
Manufacturers are required to provide software updates whenever they have a statutory or contractual duty to do so. As with the applicable date for determining the state of the art, whether or not this is the case depends on the applicable laws and contractual agreements. While the decisive period in data protection law is always the period of processing, the decisive period for identifying whether a defect exists in the law governing contracts of sale is generally the contractual warranty period. However, warranty claims in contracts of sale do not establish a claim against the manufacturer to receive updates, due to the fact that warranty for defects can generally be provided by other means. Whether the manufacturer has an ancillary contractual duty to provide updates has been a subject of constant discussion. By Judgment of 16 October 1997 (Case No. 83 O 26–97) (only in German), the District Court of Cologne ruled that the manufacturer is required to provide updates, for a fee, over the entire life cycle of the device. But these principles will be altered by implementation of the Digital Content Directive. For example, the Federal Ministry of Justice is planning to enact a new statute, § 327 f(1) of the Civil Code, under which updates for digital products would have to be supplied for a certain period of time. Under this statute, updates would have to be provided by the manufacturer for as long as the consumer "may expect, given the type and purpose of the digital product and taking into account the circumstances and the nature of the contract." Unlike in contractual law, a duty to provide updates does not exist in product liability law, at least not for now.
The question as to which technical standard applies for software is legally complex, as is the question as to whether and to what extent updates need to be provided. These questions may become even more complex in the coming years with the addition of new legal requirements with respect to IT security. Accordingly, software manufacturers would be well-advised to fully clarify at an early stage which statutory and contractual requirements their software must adhere to. It is also necessary to establish continuous monitoring of the legal requirements and of their software's IT security properties.