Can things be defective products? - An analysis of the Product Liability Directive applied to IoT

Abstract: The number of products equipped with sensor and network capabilities has risen in recent years and continues to increase. These products, part of the Internet of Things (IoT), bring about new ways for products intended for private use to malfunction and cause personal injury and property damage. In the EU, the Product Liability Directive (PLD) regulates producers’ strict liability for damage to other products than the one causing the damage and for harm to persons. The damage must be ascribable to a “product” that is “defective” in the meaning of the PLD. For some types of defect, the producer can invoke liability exemptions. However, the PLD was adopted prior the widespread use of the internet and long before digital technologies become incorporated into billions of consumer products. The concepts of product and defect and the available liability exemptions, therefore, do not explicitly regulate the unique characteristics of IoT. The purpose of this thesis is to critically examine if the concepts of product and defect, as they are understood within the PLD, are flexible enough to encompass damages caused by IoT products. This involves addressing the characteristics of IoT products, analysing case law, evaluating the Europe-an Commission’s soft law instruments on emerging digital technologies and comparing the PLD to similar consumer protection regulation. The thesis finds that not all digital elements of IoT fall within the scope of the Directive. The deciding factor for IoT products to be regarded as prod-ucts in the meaning of the PLD is that they are not intangible services. While software that comes pre-installed in IoT products are components covered by the PLD, the same cannot with certainty be said about, e.g., software updates or interconnected cloud systems. Both the distinction be-tween services and products and principles such as functional equivalence are examined to reach this conclusion. Moreover, the thesis addresses that the static concept of defect makes the PLD ill-equipped to regulate liability for IoT products. The possibility to change products through updates – and, when technology advances, self-learning software – after the product reaches the consumer, renders the provisions of the PLD archaic. The issue mainly lies in that the assessment of defect is firmly anchored in the moment when the product was “put into circulation”. The thesis presents that these shortcomings, which leave liability for IoT products regulated partially differently than other products, could be solved through drastic alterations to the PLD. Changes to the current regime would require careful consideration of the variety of products on the market today and in the future, as well as to the interests of all parties, to fulfil the aim set out in the PLD of complete harmonisation of strict liability for all products.