How large is the market for the Internet of Things (IoT)? In 2017, the number of IoT products in use was about 8.4 billion. That’s a massive number, and a 31 percent increase over the previous year. And the market continues to grow exponentially; connected products are now found in virtually every area of our lives. So are regulations keeping pace?
In this hoganlovells.com interview, Christine Gateau, a partner at Hogan Lovells in Paris, explores IoT regulatory developments in the EU and their impact on litigation, explains provisions of the Product Liability Directive (PLD), and suggests areas where IoT product litigation risks could be reduced.
Is the guidance set forth in the PLD and other regulations in the EU still relevant for today’s IoT products?
Christine Gateau: Clearly, the regulations affect not only the way you can handle litigation involving IoT products, but also the way you want to design future IoT products.
If we concentrate on the EU side, the key provision here is the PLD. The principle is that it provides for strict liability. It’s a good directive, and it’s more than 30 years old, so one topic around this directive is, is it fit for purpose? And is it relevant to today’s — as well as tomorrow’s — technology products?
What questions did the EU Commission have about the PLD when it convened its consultation in 2017?
Gateau: Obviously, over the past 30 years, technology has evolved greatly, but the product liability regime has not. The European Commission considered last year that it was time to launch a public consultation to evaluate the PLD and see whether changes would be necessary to this regulation.
Currently, we have a strict liability mechanism — a mechanism that applies to products, defined as “movable” products, which can be industrially produced. And when we talk about IoT products, we have some questions: does this directive apply only to tangible assets? Or is it also applicable to software and apps? We also have questions around who can be considered a producer of such products. Are we talking about only the manufacturer, or about people designing the software?
Another topic that can be questioned nowadays is the level of safety. There is a great emphasis within the PLD on the level of safety that a user expects to see. Here, the question is, are we talking about assessing the level of safety when the product is first released, or when a software patch is released? When do you place that cautionary notice?
How has Hogan Lovells contributed to the Commission’s evaluation?
Gateau: In April 2017, our European offices contributed to this exercise by providing a report to the Commission with insights into how the PLD is currently being implemented, and also mentioning some of the questions raised by the application of the PLD to new technologies.
Further, two of the report’s authors, who were from Hogan Lovells, attended and presented the report at a conference held in October 2017. The process continued into this year, and in April 2018, the Commission released its report on the evaluation of the PLD as well as of different policy documents.
But this process is not over yet. It will continue over the remainder of 2018 and into 2019. We can only encourage you to follow and be involved in this consultation process. For the moment, what the EU Commission has done is reach the interesting conclusion that, even though it’s more than 30 years old, the PLD continues to be a tool that is adequate for the modern world. But there is a need for clarification and maybe adaptation of some concepts.
What are the Commission’s goals over the short term?
Gateau: The Commission intends to continue to consult broadly in order to do two things: first, they will draw up complete guidance as to how the directive applies today. Then they will assess to what extent emerging digital technologies, including the IoT, can be addressed by the existing directive.
We at Hogan Lovells can help you participate in this process and make sure your voice is heard in those debates. Why is this so important? It’s important because, except for the principle of strict liability, all of the provisions of the PLD are going to be under debate. To be under debate does not mean that the PLD will be changed, but it will be discussed, and in the meetings that already took place, the discussions were really extensive. It’s very important that the manufacturers and companies make themselves heard, since the consumer associations have made themselves heard very much.
Which provisions of the PLD are under debate?
Gateau: Almost every provision — from defining what is a defective product and the burden of proof, to the limitation period, to cases of the exclusion of liability. It can clearly be a game-changer from the way you flip the coin.
The end game of the Commission is to publish two documents. The first is a guidance paper, which will be published mid-2019 and will be an interpretation of PLD regulations in light of the evolution of technology. The second will be a report on the consequences and potential loopholes as to the liability and security of IoT products.
What is really important is to understand how the experts’ committees are working and participate in the committees, because the result of those committees will then be sent up to the Commission, and be taken into consideration in both the guidance paper and report.
In those committees, there are a lot of participants, including representatives of countries and associations, such as consumer, manufacturer, and industry sector associations. So there are multiple ways a company can participate in those meetings, even though they do not participate directly, since they can participate either through a national association specific to one European country or an association that covers several countries. There are also law firms and law professors participating, and they are focusing on two topics: one is product liability and the other is new technologies. They want to see clearly how the PLD is applied currently to new technologies and if adaptation is necessary.
The product liability expert committee, for example, last met in November 2018, and the topic of discussion was very broad. It was on the definition of a product, and therefore who should be considered as a producer, who could be held liable, and the definition of a defect. They discussed the definition of who should bear the burden of proof, what kinds of damages can be compensated, and whether there can be exceptions to this product liability regime. Is the state-of-the-art a valid exception? All those questions are under debate.
What is the risk if manufacturers and producers do not participate in these meetings?
Gateau: What we saw during those first meetings is that the consumer associations were very well organized and want to make as many modifications as possible into the definitions of product, producer, defect, and burden of proof. They want to make sure that they completely reverse the burden of proof onto the manufacturer or producer of a product. So the voices of the manufacturer and producer clearly are needed to make a balance with the voices of the consumer associations.
One of the topics we discussed about litigation is the burden of proof and how you can prove your case. Speaking from the EU side, where you have either no discovery or limited disclosure, the access to proof is different from the United States. In those cases, the litigation that involves a product defect or a question about whether a product is defective may often include an expert investigation. And in that complex situation, the expert may have a hard time finding the root cause of a defective product. There may be several causes and it’s not always easy to define the portion of responsibility of each company involved in product manufacturing.
Are there regulatory concerns with the data stored in IoT products?
Gateau: With IoT products, you have different questions that can arise with all those data. It’s easier to find the root cause of an issue, which can be good or bad for the manufacturer. In this context, having a lot of data that can be exploited by an expert can either help the company prove its product was not defective, or it could greatly help the plaintiff prove its case and be awarded damages.
So the topic under discussion here is — how much data do you really want your IoT product to store, and how much data on the way the product is functioning do you want to be accessed after it’s released on the market? That’s a question that clearly needs to be answered from the design stage.
One of topics we explore is that it may be very good to have a lot of data available, but bear in mind that all that data can be accessed by the request of a judge, and therefore that data can be used against you.
What questions might producers and manufacturers want to ask early on, as they start designing an IoT product?
Gateau: During the IoT product’s concept stage, you may want to ask the design team and engineers questions such as, do you want to include privacy by design? How much data security will you include in the product? If you know the countries in which you want your products to be released, you know where the regulations might be the most restrictive, so you should consider whether to apply those stringent regulations or more lenient regulations. Obviously, as litigators, we can only recommend that you consult the litigation team as early as possible to be aware of the risks and see how you can mitigate them from the beginning.
Also, as I was mentioning, you may want to ask at an early stage how much data you want to be available to a potential judge or expert if something goes wrong.
And regarding the privacy notice and user agreement that goes with the product, I — being French — would add that you may want to consider the length of the documents that you provide with the products, because at some point in some remote countries, you may need to translate everything into another language — for example, French. And at that time, you may consider that it’s a very long document to translate. It’s helpful when that kind of consideration is addressed as early as possible.
About Christine Gateau:
“Highly knowledgeable” in IT and e-commerce disputes (Who’s Who Legal: France 2015), litigation partner Christine Gateau is “in a class of her own” when it comes to defending online marketplaces (Who’s Who Legal: France 2015). Described as “really excellent” by Chambers Europe 2018: litigation, Christine regularly appears before French courts and is involved in matters currently pending before the European Court of Justice. From reviewing general terms and conditions to defending them in court, from meetings with the French General Directorate of Consumer Affairs to negotiations with consumer associations, Christine successfully represents Internet companies in their first steps on the French market.