The New Product Liability Directive(s) proposals and medical devices / IVDs
On 28 September the Commission adopted two related proposals for EU regulation of no-fault liability for defective products. One proposal updates the ‘old’ Product Liability Directive (PLD) from 1985 to make it suitable again for the current circumstances. The other proposal provides a complimentary directive for liability specifically for damage caused by AI. You can track progress of the proposals here and here.
In this blog we will look into what the first of the new proposals means at first sight for the medical devices and IVD industry. I’ll discuss the AI PLD in an upcoming blog. This discussion of the new PLD is by necessity premature because this is just a legislative proposal that will likely see (significant) amendments during the legislative procedure so the final text is likely going to diverge. Also, my review is not complete, as I have just focused on what I thought is the interesting stuff at the moment – my first impression as it were.
Both the AI PLD and the new PLD are built around the principle that safety and liability are sides of the same coin: if an economic operator does not manufacture or make available safe devices to consumers, the economic operator is liable for the damages that he causes. In this regard the Commission really tried to link the rules for market access of products to the rules for product liability for products. This was also a welcome and much needed update, given that the old PLD dated back from 1985 and does not incorporate any developments regarding how it relates to product regulation since.
Scope now covers software
The definition of product has had an update. It now covers all movables, even if integrated into another movable or into an immovable, as well as electricity, digital manufacturing files and software. The addition of digital manufacturing files may interest the medical devices manufacturers that 3D print medical devices but outsource design. Software in scope of the new PLD is a major game changer for medical devices companies that sell devices that run software, consist of software or are updated by software.
From producer to economic operator
The old PLD is focused on the liability of the producer and provides for a mechanism to impose liability on certain parties in the supply chain in case the producer is not established in the EU. One of the problems here is that the concept of ‘producer’ is not the same as the concept of ‘manufacturer’ in New Legislative Framework (NLF) legislation (if you don’t know what the NLF framework is, read the Blue Guide, see section 1.2 about the NLF). Also, the other parties in the supply chain were not necessarily the same as the parties regulated in the supply chain under the New Legislative Framework.
The new PLD fixes this, by synching its use of concepts to the New Legislative Framework based on the argument that safety and regulatory compliance on the one hand and liablity for the products concerned on the other hand are sides of the same coin.
Unfortunately (or maybe necessarily) the new PLD also applies to economic operators under the NLF framework, but also defines them and slightly differently from the MDR and IVDR. On the other hand these definitions do seem to be more in line with the Market Surveillance Regulation than those in the MDR and IVDR.
The new PLD defines economic operator as “the manufacturer of a product or component, the provider of a related service, the authorised representative, the importer, the fulfilment service provider or the distributor” (article 4 (16) new PLD).
For one thing, ‘economic operator’ is defined differently than in the MDR, in which it also includes the person in article 22 (1) or (3) MDR.
On the other hand, the definition under the new PDL includes the fulfillment services provider (also defined in the MSR), while the MDR and IVDR do not know the concept of fulfillment services provider and are only concerned with FSPs if they also qualify as economic operator under the MDR or IVDR (usually if they perform additional actions in relation to devices that qualify them as importer or distributor). The MSR also recognises this for the MDR in article 4 (5) MSR.
Economic operators and liability
The new PLD ups the ante considerably for economic operators, both those that qualify as EO under the MDR/IVDR (notably the authorised representative (AR)) and those who don’t (fullfilment services providers):
- Autorised Representative: “where the manufacturer of the defective product is established outside the Union, [… ]the authorised representative of the manufacturer can be held liable for damage caused by that product (article 7 (2) new PLD). The AR was already jointly and severally liable with the manufacturer, but this applied only in case the manufacturer had not complied with his obligations under article 10 MDR / IVDR. The new PLD ups the game by removing the requirement of non-compliance with article 10 MDR / IVDR. As a result, ARs will need to both amend their mandate agreements and revisit their insurance cover, as the liablity risk for ARs of medical devices manufacturer will change under the new PLD.
- Importer (not necessarily the same as under the old PLD): “where the manufacturer of the defective product is established outside the Union, the importer of the defective product […] can be held liable for damage caused by that product (article 7 (2) new PLD). This logic is the same as under the old PLD, but the concept of importer is defined differently – by the NLF definition.
- Fulfillment Service Provider: “where the manufacturer of the defective product is established outside the Union and neither of the economic operators referred to in paragraph 2 is established in the Union, the fulfilment service provider can be held liable for damage caused by the defective product” (article 7 (3) new PLD). This has consequences for the FSP when the manufacturer is dropshipping to consumers via an FSP in the Union: he is now liable for product liability and had better get some good indemnities from the manufacturer.
- End user and service organisations: “Any natural or legal person that modifies a product that has already been placed on the market or put into service shall be considered a manufacturer of the product for the purposes of paragraph 1, where the modification is considered substantial under relevant Union or national rules on product safety and is undertaken outside the original manufacturer’s control.” (Article 7 (4) new PLD)
- Distributor: “where the manufacturer is established outside the Union, an economic operator under paragraph 2 or 3 cannot be identified, each distributor of the product can be held liable where: (a) the claimant requests that distributor to identify the economic operator or the person who supplied the distributor with the product; and (b) the distributor fails to identify the economic operator or the person who supplied the distributor with the product within 1 month of receiving the request.“ (article 7 (5) PLD). This rule is similar to the existing rule under the old PLD, except that the concept of distributor is defined differently.
- Online intermediaries: “any provider of an online platform that allows consumers to conclude distance contracts with traders and that is not a manufacturer, importer or distributor , provided that the conditions of [Article 6(3) Digital Services Act proposal] are fulfilled.” This provision would typically apply to service providers like Amazon. The Digital Services Act “establishes that online platforms that allow consumers to conclude distance contracts with traders are not exempt from liability under consumer protection law where they present the product or otherwise enable the specific transaction in question in a way that would lead an average consumer to believe that the product is provided either by the online platform itself or by a trader acting under its authority or control. In keeping with this principle, when online platforms do so present the product or otherwise enable the specific transaction, it should be possible to hold them liable, in the same way as distributors under this Directive. That means that they would be liable only when they do so present the product or otherwise enable the specific transaction, and only where the online platform fails to promptly identify a relevant economic operator based in the Union.”
Article 13 provides that no economic operator can contractually limit or exclude these liabilities. The liability rules are closely based on those of the current 1985 PLD, but new is that if there are two or more liable persons, they are liable jointly and severally. This means that even if they have excluded product liability amongst themselves, this has no effect vis-a-vis the consumer who may still hold them jointly liable. This means a thing or two for agreements in the supply chain, because these should account for the possibility of joint and several liability.
The new PLD also stipulates that if a defective product causes damage, the contributory actions of third parties do not reduce the liability of the manufacturer, whereas the contributory actions of the injured person may do so.
The new PLD therefore means a lot for service providers in the supply chain. Also, the concept of importer and distributor is defined differently under the new PLD: by reference to NLF definitions. That means that suddenly the Blue Guide becomes mandatory reading for product liability lawyers!
Exemptions from liability
The exemptions from liability generally follow those included in the old PLD, such as that it is probable that the defect which caused the damage did not exist at the time when the product was put into circulation by him or that this defect came into being afterwards (article 7 (b) old PLD). However, the new PLD adds an important exception to this exemption by providing that “an economic operator shall not be exempted from liability, where the defectiveness of the product is due to any of the following, provided that it is within the manufacturer’s control:
(a) a related service;
(b) software, including software updates or upgrades; or
(c) the lack of software updates or upgrades necessary to maintain safety.”This exception to exemption makes it very important for devices manufacturers to monitor how their installed base is doing, and push out software updates or upgrades when needed. This makes post-market surveillance and PMCF / PMPF processes even more critical than they already are under the MDR and IVDR.
Loss of data covered
Under the proposal the damage that can be claimed is extended with “loss or corruption of data that is not used exclusively for professional purposes”. This means that if the proposal is adopted, medical devices manufacturers will be exposed to potential liability in case of data breaches under the GDPR that also lead to loss of data (see for examples the table in the back of MDCG 2019-11 re cybersecurity of medical devices). This would be new in the space of for example medical wearables, but it does not seem excluded that there is liability for loss of patient data from professional use medical devices if the consumer/patient suffers damage as a result. In the latter case the question would be if article 4 (6) (c) applies (“loss or corruption of data that is not used exclusively for professional purposes”).
Disclosure of evidence
The new PLD contains additional rules about disclosure of evidence in article 8 and it is interesting how the new PLD potentially limits options for claimants (which may also be subrogated parties (article 5 (2) new PLD) to obtain evidence under the MDR and IVDR for claimants, including subrogated parties.
The MDR (article 10 (14) MDR) and IVDR (article 10 (13) IVDR) have a provision under which the claimant (which can also be a subrogated party) can facilitate the provision of the information and documentation relating to the conformity of the device by the competent authority. However, article 10 (14) MDR and 10 (13) IVDR also provide that the competent authority need not comply with the obligation laid down in the third subparagraph where disclosure of the information and documentation referred to in the first subparagraph is ordinarily dealt with in the context of legal proceedings. And this is exactly what the new PLD does: ensure that this information is dealt with in the context of legal proceedings. So where there was any doubt under national proceedings and article 10 (14) MDR or 10 (13) IVDR might be available, the chances are limited by the new PLD.
Burden of proof
Still the old rule (claimant must provide proof of defect and causal link) but the new PLD helps the claimant with three important presumptions (which are rebuttable by the defendant (article 9 (5) new PLD):
- Article 9 (2)“The defectiveness of the product shall be presumed, where any of the following conditions are met: (a) the defendant has failed to comply with an obligation to disclose relevant evidence at its disposal pursuant to Article 8(1); (b) the claimant establishes that the product does not comply with mandatory safety requirements laid down in Union law or national law that are intended to protect against the risk of the damage that has occurred; or (c) the claimant establishes that the damage was caused by an obvious malfunction of the product during normal use or under ordinary circumstances.”
- Article 9 (3): “The causal link between the defectiveness of the product and the damage shall be presumed, where it has been established that the product is defective and the damage caused is of a kind typically consistent with the defect in question.”
- Article 9 (4): “Where a national court judges that the claimant faces excessive difficulties, due to technical or scientific complexity, to prove the defectiveness of the product or the causal link between its defectiveness and the damage, or both, the defectiveness of the product or causal link between its defectiveness and the damage, or both, shall be presumed where the claimant has demonstrated, on the basis of sufficiently relevant evidence, that: (a) the product contributed to the damage; and (b) it is likely that the product was defective or that its defectiveness is a likely cause of the damage, or both. The defendant shall have the right to contest the existence of excessive difficulties or the likelihood referred to in the first subparagraph.”
The proposal further aims to ensure that manufacturers can be held liable for changes they make to products they have already placed on the market, including when these changes are triggered by software updates or machine learning. Recital 38:
“In recognition of manufacturers’ responsibilities under Union law for the safety of products throughout their lifecycle, such as under Regulation (EU) 2017/745 of the European Parliament and of the Council, manufacturers should also be liable for damage caused by their failure to supply software security updates or upgrades that are necessary to address the product’s vulnerabilities in response to evolving cybersecurity risks. Such liability should not apply where the supply or installation of such software is beyond the manufacturer’s control, for example where the owner of the product does not install an update or upgrade supplied for the purpose of ensuring or maintaining the level of safety of the product.”Recital 38 new PLD
For the geographically challenged (and that concerns a lot of people I find with respect to the concept of Union under the MDR and IVDR) I am just going to be very explicit this directive is a directive with EEA relevance (it says so at the beginning), which is why the text of the directive does not use ‘European Union’ but Union to denote its geographic scope because the EEA includes countries that are not EU member states (Iceland, Liechtenstein and Norway). As you can read in the Blue Guide (which more people should do) in section 2.9:
“Union harmonisation legislation applies to the Member States of the EU and to certain European territories to the extent necessary to give effect to the arrangements set out in the Accession Treaty of the relevant Member States.”Blue Guide section 2.9
In case the text has EEA relevance, the relevant accession treaty is the EEA Agreement. This means that every time you see or hear someone say that the scope of the new PLD is the European Union, you may ask them what the Norwegians, Liechtensteiners and Icelanders ever did to him or her to be ignored this way.
In some cases, such as with the MDR and IVDR, there may be additional agreements for these specific instruments, such as the Turkish Association Agreeement (see section 2.9.4 of the Blue Guide). In that case the instrument would feature on the product-related list of Union technical legislation to be harmonised by Turkey adopted by the EU-Turkey Association Council.
Limitation periods stay largely the same as under the old PLD: 3 years after damage, defect and identity of liable party awareness of the plaintiff and maximum 10 years after the product was put into circulation.
Transposition and other member state responsibilities
Some interesting Member States’ to-dos in the new PLD: the Member States shall publish, in an easily accessible and electronic format, any final judgment delivered by their national courts in relation to proceedings launched pursuant to the new PLD as well as other relevant final judgments on product liability. The publication shall be made without delay upon notification of the full written judgment to the parties.
The Commission may set up and maintain a publicly available database containing the judgments to be published by the Member States. It is not clear to me what the use is of making this optional for the Commission if it is important, and what this option would depend on. If this is important, why should the Commission have discretion here?
The transposition period is quite short. Article 18 (1) provides that the Member States must implement the directive within one year after its entry into force.
More about AI PLD later
Some short points here already – the proposal is part of the currently pending AI basket of measures: the AI Act, revision of sectorial rules to amend for AI (not in MDR/IVDR) and the AI PLD. The AI PLD has links with many new and old initiatives such as the GDRP, the Green Deal, the EU Data Strategy, the Digital Services Act and the Cyber Resilience Act. It even has ties into the EU Charter on Human Rights:
“In addition, this proposal complements other strands in the Commission’s AI policy based on preventive regulatory and supervisory requirements aimed directly at avoiding fundamental rights breaches (such as discrimination). These are the AI Act, the General Data Protection Regulation, the Digital Services Act and EU law on non-discrimination and equal treatment. At the same time, this proposal does not create or harmonise the duties of care or the liability of various entities whose activity is regulated under those legal acts and, therefore, does not create new liability claims or affect the exemptions from liability under those other legal acts.”
Watch this space for an analysis of the AI PLD.
What’s next for the proposals?
The new PLD (together with the AI PLD) has now entered the ordinary legislative procedure. This means that the Council and the Parliament are looking at the directive(s) concurrently. Although the directives have been subject to a consultation process, I’m pretty sure that there still will be a healthy amount of lobbying happening during the legislative process and that we can expect many amendments, so do not treat these proposals as final.
Although, strangely enough, the Commission has also extended the feedback period for stakeholders because the proposal text had not been available in all official languages, so you can still comment until 4 December. All feedback received will be summarised by the European Commission and presented to the European Parliament and Council with the aim of feeding into the legislative debate.