Digital content and internet-capable goods with integrated digital elements need to be updated frequently in order to maintain functionality and security.
Whether and to what extent vendors are generally required to provide updates for their products is a question which had yet to be clearly settled at the EU level and which is answered by the Directive adopted on 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (Directive 2019/770; Digital Content Directive) (PDF) and the Directive on certain aspects concerning contracts for the sale of goods (Directive 2019/771; Sale of Goods Directive) (PDF).
The Directives contain provisions stating whether providing updates is necessary for a product to be in conformance with the contract and therefore defect-free. If the contract calls for regular software updates, provision of these updates is a criterion for determining conformance with the contract.
Duty to provide updates: updatability by default
For the first time in European contract law, both Directives establish a duty to provide updates. Vendors are required to notify consumers of updates which are necessary for conformance with the contract and to provide those updates (Article 7 No. 3 of the Sale of Goods Directive, Article 8 No. 2 of the Digital Content Directive). This requirement is meant to ensure that the goods will be able to perform their contractual function even if the digital environment changes. However, the Directives do not establish a duty for the vendor to provide improved or digital content. Nevertheless, this requirement is extensive, as most vendors will be unable to comply with the duty to provide information and updates on their own, but will instead be compelled to make arrangements with third parties to provide the digital content.
Variable update periods create legal uncertainty
With respect to the period in which updates have to be guaranteed, the Directives distinguish between digital content which is provided over an ongoing period and content which is provided at once. In the former case, a duty to provide updates exists only for the period in question, but in the case of content which is provided at once, the manufacturer is required to provide updates for as long as a consumer can reasonably expect such updates to be provided. This creates considerable legal uncertainty for vendors and manufacturers, and for consumers as well. The period of time for which the consumer expects to use the product under the contract can be used as a benchmark. But even after the warranty period expires, consumers may still have the expectation that goods with digital elements cannot be used for attacks on their digital environment; this is especially the case for products relating to the internet of things. This expectation may extend the period accordingly and relates primarily to security updates.
No duty for consumers to install updates
On the other hand, consumers are not required to install the updates provided to them. However, if they fail to do so even though installation of the updates is necessary for conformance with the contract, the manufacturer may be released from its warranty for defects which can be attributed to the failure to install updates. Questions relating to burden of proof will continue to be determined by national law.
In order to comply with the new duty to provide updates, vendors need to reach suitable contractual arrangements with update manufacturers while keeping in mind at all times that the update period may vary. Both aspects require consultation with an attorney so that a legally secure concept can be developed.back