Update requi­re­ment for goods with digi­tal content

Digi­tal con­tent and internet-capable goods with inte­gra­ted digi­tal ele­ments need to be updated fre­quent­ly in order to main­tain func­tion­a­li­ty and security.

Whe­ther and to what ext­ent ven­dors are gene­ral­ly requi­red to pro­vi­de updates for their pro­ducts is a ques­ti­on which had yet to be cle­ar­ly sett­led at the EU level and which is ans­we­red by the Direc­ti­ve adopted on 20 May 2019 on cer­tain aspects con­cer­ning con­tracts for the sup­p­ly of digi­tal con­tent and digi­tal ser­vices (Direc­ti­ve 2019/770; Digi­tal Con­tent Direc­ti­ve) (PDF) and the Direc­ti­ve on cer­tain aspects con­cer­ning con­tracts for the sale of goods (Direc­ti­ve 2019/771; Sale of Goods Direc­ti­ve) (PDF).

The Direc­ti­ves con­tain pro­vi­si­ons sta­ting whe­ther pro­vi­ding updates is neces­sa­ry for a pro­duct to be in con­for­mance with the con­tract and the­r­e­fo­re defect-free. If the con­tract calls for regu­lar soft­ware updates, pro­vi­si­on of the­se updates is a cri­ter­ion for deter­mi­ning con­for­mance with the contract.

Duty to pro­vi­de updates: updata­bi­li­ty by default

For the first time in Euro­pean con­tract law, both Direc­ti­ves estab­lish a duty to pro­vi­de updates. Ven­dors are requi­red to noti­fy con­su­mers of updates which are neces­sa­ry for con­for­mance with the con­tract and to pro­vi­de tho­se updates (Artic­le 7 No. 3 of the Sale of Goods Direc­ti­ve, Artic­le 8 No. 2 of the Digi­tal Con­tent Direc­ti­ve). This requi­re­ment is meant to ensu­re that the goods will be able to per­form their con­trac­tu­al func­tion even if the digi­tal envi­ron­ment chan­ges. Howe­ver, the Direc­ti­ves do not estab­lish a duty for the ven­dor to pro­vi­de impro­ved or digi­tal con­tent. Nevert­hel­ess, this requi­re­ment is exten­si­ve, as most ven­dors will be unable to com­ply with the duty to pro­vi­de infor­ma­ti­on and updates on their own, but will ins­tead be com­pel­led to make arran­ge­ments with third par­ties to pro­vi­de the digi­tal content.

Varia­ble update peri­ods crea­te legal uncertainty

With respect to the peri­od in which updates have to be gua­ran­teed, the Direc­ti­ves distin­gu­ish bet­ween digi­tal con­tent which is pro­vi­ded over an ongo­ing peri­od and con­tent which is pro­vi­ded at once. In the for­mer case, a duty to pro­vi­de updates exists only for the peri­od in ques­ti­on, but in the case of con­tent which is pro­vi­ded at once, the manu­fac­tu­rer is requi­red to pro­vi­de updates for as long as a con­su­mer can reason­ab­ly expect such updates to be pro­vi­ded. This crea­tes con­sidera­ble legal uncer­tain­ty for ven­dors and manu­fac­tu­r­ers, and for con­su­mers as well. The peri­od of time for which the con­su­mer expects to use the pro­duct under the con­tract can be used as a bench­mark. But even after the war­ran­ty peri­od expi­res, con­su­mers may still have the expec­ta­ti­on that goods with digi­tal ele­ments can­not be used for attacks on their digi­tal envi­ron­ment; this is espe­ci­al­ly the case for pro­ducts rela­ting to the inter­net of things. This expec­ta­ti­on may extend the peri­od accor­din­gly and rela­tes pri­ma­ri­ly to secu­ri­ty updates.

No duty for con­su­mers to install updates

On the other hand, con­su­mers are not requi­red to install the updates pro­vi­ded to them. Howe­ver, if they fail to do so even though instal­la­ti­on of the updates is neces­sa­ry for con­for­mance with the con­tract, the manu­fac­tu­rer may be released from its war­ran­ty for defects which can be attri­bu­ted to the fail­ure to install updates. Ques­ti­ons rela­ting to bur­den of pro­of will con­ti­nue to be deter­mi­ned by natio­nal law.

Sum­ma­ry

In order to com­ply with the new duty to pro­vi­de updates, ven­dors need to reach sui­ta­ble con­trac­tu­al arran­ge­ments with update manu­fac­tu­r­ers while kee­ping in mind at all times that the update peri­od may vary. Both aspects requi­re con­sul­ta­ti­on with an att­or­ney so that a legal­ly secu­re con­cept can be developed.