New provisions of the Civil Code have been in effect since 1 January 2022 with respect to contracts of sale, including a general obligation for sellers of digital products and goods with digital elements within the framework of B2C contractual relationships to provide (software) updates for a certain period of time. In light of the fact that products are becoming increasingly digitized, these new provisions raise the question as to the extent to which additional update requirements exist for manufacturers, retailers, sellers, etc. This White Paper will provide an overview of existing and potential future update requirements in this regard.
The provisions beginning with § 327e and § 475b of the Civil Code were enacted in order to implement Directive (EU 2019/770) on certain aspects concerning contracts for the supply of digital content and digital services (the Digital Content Directive (“DCD”)) (as we reported) and Directive (EU 2019/771) on certain aspects concerning contracts for the sale of goods (the Sale of Goods Directive (the “SGD”)) (as we reported) into German law, and these new provisions have been in effect since January of this year. The above statutes relate to the conformance of digital products (§ 327e of the Civil Code and subsequent Sections) and goods with digital elements (§ 475b of the Civil Code and subsequent Sections) to B2C contracts. Under these new provisions, the aforementioned product groups conform to the contract if they meet certain subjective and objective requirements. The subjective requirements relate to compliance with any contractually stipulated update requirements, but the unique aspect is the objective requirements: the entrepreneur is required to ensure that the consumer is provided with the updates which are necessary in order to maintain conformity with the contract. The period in which updates are to be provided generally depends on the expectations of a reasonable consumer, except in cases where the contract provides for continuous supply of the product, in which case the agreed-upon period applies (although this period must be at least two years in cases involving goods with digital elements). With the enactment of this provision concerning objective requirements, a general obligation now exists for sellers to provide updates for certain product groups in B2C contracts. At the same time, the seller is also required to notify consumers of all necessary updates in these cases.
General Product Safety Law and Market Surveillance
Provisions of general product safety law can be found in Directive (2001/95/EC) on general product safety (the Product Safety Directive (“PSD”)) (only in German) and, at the national level, in the Product Safety Act (“PSA”). According to the currently prevailing view, the above statutes apply at the very least to software which is located in a data storage medium or which is integrated (“embedded”) into a physical product, but these statutes do not include any express obligations to provide updates. The PSD is currently being revised at the level of European law (as we reported). While the proposal published by the European Commission (“EU Commission”) for a Regulation on general product safety (COM(2021) 346 final) (“draft GPSR”) does not expressly provide for a general obligation to provide updates, it does state that, in the event of a recall, the responsible economic operator is required to offer effective, cost-free and timely remedies, which may include repairs, replacements and refunds.
In case of self-repair by the consumer, the economic operator is required to provide software updates free of charge. In other words, the draft GPSR establishes a future obligation for responsible economic operators to provide updates in cases such as these. It should also be kept in mind that the scope of the draft GPSR is likely to be extended to include all software products.
According to the published amendments to the draft GPSR (PDF) by the European Parliament’s Committee on the Internal Market and Consumer Protection (“IMCO”), the term “product” is to be defined as any item, interconnected or not to other items (of physical, digital or mixed nature), supplied or made available. More recently, a compromise proposal (PDF) from the Council of the European Union defined a “product” as any item of physical, digital or mixed nature, so that the aforementioned obligation to provide updates would apply to manufacturers, retailers, importers, etc. of stand-alone software as well.
Within the sphere of market surveillance, an obligation to provide updates may be established in any individual case by order of the authorities. With the implementation of Regulation (EU 2019/1020) on market surveillance and compliance of products (the Market Surveillance Regulation (“MSR”)) (as we reported), which has been in effect since 16 July 2021, through the enactment of a national Market Surveillance Act (“MSA”) and associated revision of the PSA, the provisions relating to market surveillance were transferred from the Product Safety Act, as formerly amended, to the Market Surveillance Act. The MSA specifies a number of powers which are available to the market surveillance authorities, with reference to the MSR. Among them is the power to require economic operators to take appropriate action to restore product safety. Therefore, if a software product were unsafe in any individual case, the market surveillance authorities would be able to order the economic operator to provide updates, as an appropriate action to restore product safety. An obligation to provide updates may also arise as the indirect result of a recall order: by ordering the recall of an unsafe software product, an authority could indirectly require the economic operator to overhaul the product and to update it if necessary. Accordingly, any update requirements from the sphere of market surveillance do not exist as general obligations, but rather arise depending on the circumstances of each individual case.
The AI Regulation
In April 2021, the EU Commission published a proposal for a Regulation laying down harmonized rules on artificial intelligence (AI) (COM(2021) 206 final) (“draft AIR”) (as we reported). The draft Regulation contains provisions which are designed to ensure a functioning internal market for AI, as well as ones which are designed to address the potential risks posed by AI. While the draft Regulation does not expressly establish a general obligation for providers of AI systems to provide specific updates, the need for continuous updates is evident from the overall context of the Regulation’s provisions. In particular, routine updates would be required within the framework of the risk management system, which is described as a “continuous iterative process.” Updates are also mentioned as potentially necessary maintenance and support measures, if only within the framework of the provisions governing notification requirements. The same applies for the preparation of technical documentation, which must include not only the software version but also information about any requirements with regard to software updates.
A similar approach can also be found in the Regulation (EU 2017/745) on medical devices (the Medical Devices Regulation (“MDR”)), under which risk management represents a continuous iterative process throughout the entire life cycle of the device and the principles of the software life cycle are to be observed in the manufacture of safe medical devices.
Machinery Products Regulation
Directive (2006/42/EC) on machinery (the Machinery Directive), which is currently in effect, and which deals with the requirements for safe machinery, is currently being revised by the EU Commission. To this end, the EU Commission published a proposal for a Regulation on Machinery Products (COM(2021) 202 final) (“draft Machinery Products Regulation”) (as we reported), which appeared simultaneously with the draft AI Regulation in April 2021. According to the EU Commission’s Explanatory Memorandum, this proposal is intended to address “the new risks stemming from digital emerging technologies.”
In particular, the proposal is intended to address new risks associated with the uploading of software onto a product, so that updates of software which is installed in a machinery product are taken into account in risk assessments. Particularly with respect to the risks associated with uploading updates, the proposal includes provisions relating to “substantial modifications,” which refer to (digital) changes to machinery products after they are placed on the market or put in service which could not be foreseen by the manufacturer, whereby the changes must be so substantial that the product can no longer comply with the applicable health and safety requirements. In these cases, the person who carries out the substantial modification takes on the obligations which originally applied to the manufacturer. While this change does not require economic operators to provide updates, it does establish separate obligations in the event that an update takes place.
Directive (2009/125/EC) establishing a framework for the setting of eco-design requirements for energy-related products (the Eco-design Directive) authorizes the EU Commission to adopt implementing measures defining binding requirements for certain product groups. The EU Commission has exercised this authority, issuing regulations defining eco-design requirements for ten product groups so far, including refrigerating appliances, household washing machines and washer-dryers, household dishwashers and electronic displays. These implementing regulations are designed to ensure product durability and contain provisions relating to product repair and maintenance. They include e.g. obligations to ensure that the products are easy to repair, an obligation to provide repair and maintenance information and an obligation to provide spare parts and make them available for a certain period of time (seven to ten years). Given the obligation to provide spare parts, a duty to provide updates therefore exists for the above product groups to the extent that they are software products which need to be repaired and/or updated in any individual case.
The Eco-design Directive is currently being revised by the EU Commission. As part of the European Green Deal, the EU Commission has published a proposal (COM(2022) 142 final) (PDF) for a Regulation establishing a framework for setting eco-design requirements for sustainable products (the Eco-Design Regulation). At the moment, the proposal does not extend the scope of the Eco-Design Directive to such an extent as to establish a general obligation for responsible economic operators to provide updates. However, it includes express requirements for software and firmware updates, which may only be implemented if they do not adversely affect the product’s performance.
Product Liability Law
Within the framework of product liability law, it is necessary to distinguish between product liability law in the narrow sense and product liability law in the broader sense.
Product liability law in the narrow sense is defined by the provisions of Directive (85/374/EEC) on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products (the Product Liability Directive) and at the national level by the Product Liability Act (“PLA”) and obligates manufacturers to place only defect-free products on the market. As part of this obligation, manufacturers are liable regardless of fault for damages which arise due to defective products. Because manufacturers are liable regardless of fault, there is no further obligation for manufacturers to conduct product surveillance for products which have been placed on the market. In the absence of such a duty for manufacturers to conduct product surveillance, neither the Product Liability Directive nor the Product Liability Act requires manufacturers to provide updates after their products have been placed on the market, regardless of the question as to whether the provisions of product liability law apply to (stand-alone) software (as we reported). The Product Liability Directive is currently being revised by the EU Commission with regard to its validity and effectiveness in the present day. To this end, the EU Commission recently conducted a consultation in order to adapt the Directive’s liability rules to the digital age and to account for developments in the field of AI. An actual draft of the revised Product Liability Directive is not yet available, but given the principle mentioned above, the absence of a product surveillance obligation, obligations to provide updates from the standpoint of product liability law are not to be expected.
In product liability law in the broader sense, a different situation applies: under the heading of “producer’s liability,” § 823 of the German Civil Code establishes liability for the breach of “duties to safeguard traffic.” Duties to safeguard traffic conform to the requirements for defect-free products in accordance with the Product Liability Act with one important addition: a product surveillance obligation. Unlike in cases governed by the Product Liability Act, manufacturers subject to producer’s liability are required to continue monitoring their products after they are placed on the market to ensure that they are safe and defect-free, and to implement appropriate remedies if necessary. This addition is founded in the fundamental nature of producer’s liability which, unlike liability in accordance with the Product Liability Act, applies only if the producer is at fault. Accordingly, a duty to provide updates (for physical, embedded and stand-alone software alike) may exist within the framework of producer’s liability, and following from the product surveillance obligation, provided that the updates represent an appropriate remedy in any specific case. This is particularly the case if security vulnerabilities are found, or if there is a threat of cyberattacks, and certain updates offer a simple way of preventing or at least minimizing these risks.
Update Obligations through the Back Door: Current State of the Art
Even though general update obligations are not expressly provided for in general product safety law or in product safety regulations for specific product groups, there is still a possibility of introducing update obligations for economic operators through the back door. In both general product safety law and product safety regulations for specific product groups, the question as to the necessary degree of product safety is determined in each case by the state of the art. Since the provisions of product safety law require economic operators not only to place only safe products on the market but also to continuously ensure that their products on the market are safe and to maintain the supply of safe products, at least for the duration of the product’s ordinary life cycle, they are also required to account for possible changes in safety requirements consistent with the current state of the art. In this way, changes in the technical regulations which form the basis for the state of the art may cause update obligations to be introduced through the back door. The same applies for compliance with the product surveillance obligation within the framework of producer’s liability in civil law. In this case as well, requirements for defect-free products may change over a product’s life cycle as a result of new developments in the state of the art. Accordingly, developments in the state of the art should be carefully scrutinized in each case within the bounds of product surveillance in order to check for future update obligations.
Outlook: Right of Repair
The introduction of a general right of repair is currently being debated at length at both the EU level and the national level. Under current law, a specific right of repair only exists for certain product groups under the aforementioned implementing measures adopted by the EU Commission based on the Eco-design Directive (see above). According to the EU Commission, these regulations are to be extended in order to create a general right of repair by applying the Eco-design Directive to other product groups as part of the European Green Deal. To this end, a consultation procedure for the EU Commission is currently underway as part of the Green Deal’s “Sustainable Product Initiative” (“SPI”) (as we reported), and will run through the start of April 2022. At the national level, the federal government’s coalition agreement contains the goal of implementing a general right of repair, and expressly states that manufacturers would be required to supply updates during the typical useful life of the product. Actual draft legislation has yet to be presented at either the European or the national level. Germany’s Minister for the Environment, Nature Conservation, Nuclear Safety and Consumer Protection, Steffi Lemke, stated in an interview that the German government intends to implement a national right of repair as noted in the coalition agreement right away, regardless of developments at the EU level. But this approach was discarded in subsequent interviews, so that we will need to await developments at the European level for the time being.
The proposal for a general right of repair has encountered heavy criticism from the industrial sector, as well as from a legal standpoint. From a legal standpoint, a general right of repair, with the object of regulating product durability by requiring manufacturers to supply spare parts for a period of seven to ten years, would establish no-fault liability for manufacturers and retailers beyond the statutory warranty periods. This would require not only a single change in the law, but a long list of changes and additions to a variety of laws. Aside from the legal structuring of a general right of repair, criticism has focused on the question as to the persons to whom such a requirement would actually apply. If retailers are required to ensure that a product can be repaired, one may ask how retailers can be expected to ensure such a thing, given that they do not manufacture the product themselves, but merely distribute it. The only conceivable solution would be to involve the manufacturer in the actual contract of sale, with the duty to perform repairs. Likely the heaviest criticism has been levelled against the proposal to require manufacturers to supply updates throughout the typical useful life of the product. Requiring manufacturers to ensure that products are functioning properly for a certain period of time after placement on the market, regardless of actual fault, would result in strict product liability for manufacturers, associated with a duty to conduct product surveillance for products on the market. This would represent a substantial departure from the existing principles of product liability law in the narrow sense (see above) and could not be justified by a mere reference to a general right of repair.
Update obligations with regard to software products are currently being debated with respect to a wide variety of laws at both the EU level and the national level, and have already been implemented in some cases. There is also a danger that additional update requirements will be established as a result of changes in the state of the art. Companies should follow the ongoing updates and discussions as part of their compliance management activities, and should be prepared for future update requirements. Please let us know if we can help you implement these requirements.
Download the full whitepaper with appendix here.