Automated vehicles (AV) are most probably the future of the car industry and driving. They are expected to dramatically decrease accidents and make roads safer, given that 94% of grave accidents are due to human error, while at the same time significantly reduce traffic congestion, driving down costs and CO2 emissions [ 1 ].

AV are the result of combining and integrating multiple sensors into a single system, which helps the vehicle adjust its road behaviour to the environment in which it is moving [ 2 ]. They combine sensors and software to control, navigate, and drive the vehicle [ 3 ]. There are six levels of automation ranging from L0 (no automation at all) to L5 (full self-driving capacity) [ 4 ]. Currently there are mainly L2 vehicles in operation, which enable only partial automation in strictly defined conditions, while the driver retains control of the vehicle for most of the time. L5 vehicles are not expected to become operational in the near future. AV of L2 and higher employ AI systems, which result in gradual modification of these systems in a way that cannot be predicted in advance. 2

According to recitals (2) and (7) of the PLD, the objective of the PLD is the fair apportionment of the risks inherent in modern technological production. It is a full-harmonization directive, which means that EU member States are not allowed to establish more victim-friendly provisions on strict liability for defective products.

Art. 7(b) PLD entails that liability is imposed only for defects that existed at the time the product was put into circulation. A product is put into circulation when it is taken out of the manufacturing process operated by the producer and enters a marketing process in the form in which it is offered to the public in order to be used or consumed [ 15 ].

Software updates are put into circulation at the time of their release. However, their release most often occurs after the AV and its operating software have been put into circulation. Unless we consider the software update a sperate ‘product’, there will be no liability for software updates.

However, the extension of liability combined with the strict nature of such liability risks creating a serious counter-incentive for producers to release updates, which could render AV quickly obsolete and thus undermine the promise of enhanced safety that these vehicles are supposed to bring. The same goes for security updates. As a result, to consider a software update as a distinct ‘product’ may have an adverse impact on safety and security.

According to Art. 6(1) PLD, a product is ‘defective’, when it does not provide the safety which a person is entitled to expect, taking all circumstances into account, including (a) the presentation of the product, (b) the use to which it could reasonably be expected that the product would be put, (c) the time when the product was put into circulation. As already mentioned, the time that the product was put into circulation is critical, since ‘producers’ are only liable for defects that existed at that time. Hence, the PLD lays down no duty to warn on dangers after the product has been put into circulation or to recall defective products.

Recital (6) PLD clarifies that the defectiveness of the product is determined by reference to the lack of the safety which the public at large is entitled to expect. Therefore, the safety-expectations are determined objectively, which means that reference is not made to the expectations of the specific user [ 16 ]. In addition, the PLD establishes a duty to put into circulation products that are reasonably safe, taking into account all the circumstances – not products that are absolutely safe [ 17 ]. In this regard, some national courts have referred to a risk-benefit analysis of the product’s characteristics, taking into account the kind and the extent of the risks connected to the use of the product, the possibility that such risks materialize, the cost of additional safety measures and the benefits from the use of the product [ 16, 18 ]. Nonetheless, the compatibility of the risk-utility test with the Directive’s liability system is disputed [ 12 ].

At the same time, recital (6) PLD makes clear that safety is assessed by excluding any misuse of the product not reasonable under the circumstances. Consequently, the reasonable safety expectations of the user encompass cases of foreseeable product misuse. Producers must consider foreseeable product misuse both when designing the product and when issuing instructions and warnings [ 9, 19 ].

Moreover, the CJEU has ruled in the Boston Scientific Medizintechnik case that, where it is found that products belonging to the same group or forming part of the same production series have a potential defect, an individual product of such series may be classified as defective without there being any need to establish that this product has such a defect [ 20 ].

Applying these principles to software updates is challenging. Updates form part of a wider system of systems, i.e. they are part of the basic software, which is part of the AV. Identifying the reasonable user expectations as to updates themselves may be hardly possible, given the highly complex nature of software used in AV and its interaction with other pieces of software, including other updates. Besides, users may often be unaware of the updates installed in their system.

Nevertheless, two main indications could be used. First, any documentation accompanying the release of the update, such as release notes, instructions and warnings - although these may be hardly understandable to the average users to shape their expectations. Second, any problems experienced by users or vulnerabilities identified by third parties and made public, which users would reasonably expect to be remedied. In this respect, there is an interesting interaction between safety expectations of users and the risk-utility test. The safety expectations may not be able to be met under a risk-utility analysis. One could argue that, in such cases, the expectations of the users would not be reasonable. Nevertheless, this may not always be valid. For example, there may be a major security vulnerability, which would be reasonable to expect to be fixed as soon as possible; yet fixing such vulnerability may not be possible, without affecting other functionalities of the basic software.

Things get more complicated, if we consider the evolving behaviour of AV in view of their self-learning abilities. Each AV may exhibit different behaviour under similar circumstances, so that different users may have different expectations based on their experience. In addition, such differences may render inappropriate the application of the CJEU’s ruling on the Boston Scientific Medizintechnik case [ 20 ]. 7 ‘Damage’ ‘Damage’ is defined in Art. 9 PLD. It includes physical injury and property damage. Nevertheless, the latter is actionable only under certain requirements: no damage to the defective product itself is covered, while damage to other property items requires that (a) the damage exceeds 500€, (b) the damaged item is of a type ordinarily intended for private use or consumption, and (c) the item was used by the injured person mainly for his/her own private use or consumption. Non-material damages can be awarded according to the applicable national provisions.

A first major challenge is to identify what would be damage to the defective product itself, which is not covered. The distinction between the component and the product is highly disputed in cases of complex products [ 10 ]. It is unclear whether this would cover the basic software and the AV as such. It appears reasonable to deem that the defective update and the basic software are one ‘product’, but things are less clear as to the AV as such. It can be argued that since software is an integral part of the AV, the update, the software and the AV are the same ‘product’. The opposing view would be that software could be uninstalled and re-installed just like e.g. a defective tire, so that there are two distinct products.

Another question is whether data are ‘property items’. One might argue that a ‘property item’ refers only to tangible products and data are intangible. However, it would be more correct to interpret the term widely. A property item is any piece of property that has monetary value as such, irrespective of its tangibility. In modern economy, there can be no doubt that data as such have value, given that they are the object of distinct economic transactions. Besides, traditional property items, such as vinyl discs and CDs, have been digitalized and are sold online as if they were tangible objects.

Third, it is to be examined whether damage related to personal data is covered, e.g. a security flaw in a piece of software leads to loss or theft of personal data of the driver, stored in his/her mobile phone, which is connected to the infotainment system of the AV. One might argue that personal data protection is regulated exclusively in the General Data Protection Regulation (GDPR) [ 21 ]. However, the GDPR applies to the processing of personal data [Art. 2(1) GDPR] and regulates the liability of the controller and the processor of personal data (Art. 82 GDPR). The software developer may not qualify as a controller or processor, as it may not be involved in any processing of personal data. In such cases the GDPR will be inapplicable. But even if the GPDR is applicable, there is nothing indicating that it constitutes an exclusive remedy – on the contrary, there are significant indications that the GDPR does not regulate exclusively issues of personal data, e.g. the wording of Arts 77(1), 78(1) and 79(1) “without prejudice to any available administrative or non-judicial remedy”. At the same time however, it is doubtful whether loss or theft of personal data is damage to ‘a property item’ or ‘physical injury’. It would be more appropriate to consider such cases as an infringement of personality, for which non-material damage under the applicable national law is due, per Art. 9 PLD. 8

In the cases of software updates, the most significant defences under the PLD are that the defect did not exist when the product was put into circulation [Art. 7(b)], that the state of scientific and technical knowledge at the time when he put the product into circulation was not such as to enable the existence of the defect to be discovered [state of the art defence - Art. 7(e)] and that there was contributory negligence of the user [Art. 8(2)].

The ECJ has clarified that Article 7(e) is not specifically directed at the practices and safety standards in use in the industrial sector in which the producer is operating, but, unreservedly, at the state of scientific and technical knowledge, including the most advanced level of such knowledge, at the time when the product in question was put into circulation [ 22 ]. Second, this defence is judged objectively, taking into account the state of knowledge of which the producer is presumed to have been informed. Nevertheless, it is implicit in the wording of Article 7(e) that the relevant scientific and technical knowledge must have been accessible at the time when the product in question was put into circulation. Therefore, in order to have a defence under Article 7(e) PLD, the producer of a defective product must prove either that the objective state of scientific and technical knowledge, including the most advanced level of such knowledge at the time when the product in question was put into circulation did not enable the discovery of the defect; or that such knowledge was not accessible at the time when the product in question was put into circulation. Concerning software updates, the developer/ producer would have to prove that the defect was not discoverable at all, at the time of the update release. Impracticability of being discovered, e.g. due to the complexity of the software code, will not suffice. Thus, the occasions of successful invoking the defence will be rather rare.

As to the user’s contributory negligence, it may relate to inappropriate installation, e.g. installation while the vehicle is in motion, while the producer warns that the vehicle must not be, inappropriate settings or even installation of third-party software that is incompatible with the installed update. 9

The injured person is required to prove the damage, the defect and the causal link between defect and damage (Art. 4).

According to the CJEU [ 23 ], under the principle of procedural autonomy and subject to the principles of equivalency and effectiveness, evidentiary issues are governed by the national law of each MS. The CJEU underlines the principle of effectiveness, which requires that national procedural rules do not render practically impossible or excessively difficult the exercise of rights conferred by EU law. Yet, such rules must not undermine the apportionment of the burden of proof established in the PLD. Thus, circumstantial evidence may be allowed in certain cases, to establish such relationship, and alleviate the plaintiff’s burden of proof. However, this is allowed only on a case-by-case basis and provided that the burden of proof is not practically reversed. It would be a violation of the Directive’s rules, if a presumption of a causal link could be automatically created when specific facts, pre-identified by the legislature or supreme judicial body, are proven.

The provisions of the PLD on the burden of proof have received criticism as being excessive for claimants, especially in cases of complex products. However, such difficulties have been mitigated mainly by the practice of courts in many MS by granting evidentiary facilitations under specific circumstances [ 24 ]. 10

Concerning time bars, the PLD establishes a limitation period of three years from the day on which the plaintiff became aware, or should reasonably have become aware, of the damage, the defect and the identity of the producer [Art. 10(1)]. In any case, the producer’s liability is extinguished upon the expiry of a 10-year period from the date on which the producer put into circulation the actual product which caused the damage, unless the injured person has in the meantime instituted proceedings against the producer (Art. 11).

The 10-year period is mainly justified by the fact that strict liability puts a higher burden on producers than fault-based liability; therefore, the liability period is limited in order not to discourage technological innovation and to allow insurance cover [ 24 ]. Nevertheless, it has been criticized as too short for some categories of products [ 9 ], to which AV could be added. In the long-run, the 10-year limitation period entails that manufacturers will not be liable for defects of older vehicle models.

If software updates are deemed separate products, then there will be a separate ten-year period running for each one of them. Whether this would lead to an extension of the liability of the end manufacturer or at least the developer of the basic software is uncertain. Should software updates have been developed by third parties, the answer appears to be rather negative. Yet, things are less clear if the updates come from the manufacturer itself or entities cooperating with it. Besides, to distinguish cases of thirdparty developers would be fair from one aspect, but could incentivize producers to outsource production and release of updates to escape liability.

To regard software updates as ‘products’ under the PLD entails many legal and practical challenges. They relate to the notion of ‘product’, the time of placement into circulation, the notion of ‘defect’, the burden of proof especially as to causation and the calculation of time bars. Applying the Directive to software updates seems to create more problems than solutions.

Therefore, it is submitted that the PLD is inapplicable both de lege lata and de lege ferenda to software updates. It is simpler and more logical to consider software updates of automated vehicles as a maintenance service.