Source: European Parliament 2
|MOTION FOR A EUROPEAN PARLIAMENT RESOLUTION|
with recommendations to the Commission on a civil liability regime for artificial intelligence
The European Parliament,
– having regard to Article 225 of the Treaty on the Functioning of the European Union,
– having regard to Articles 114 and 169 of the Treaty on the Functioning of the European Union,
– having regard to Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products,
– having regard to Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market (‘Unfair Commercial Practices Directive’) and Directive 2011/83/EC of the European Parliament and of the Council of 25 October 2011 on consumer rights, as well as other consumer protection rules,
– having regard to Regulation (EU) 2017/745 of the European Parliament and the Council of 5 April 2017 on medical devices,
– having regard to Council Regulation (EU) 2018/1488 of 28 September 2018 establishing the European High Performance Computing Joint Undertaking,
– having regard to Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services,
– having regard to the Interinstitutional Agreement of 13 April 2016 on Better Law-Making and the Better Regulations Guidelines,
– having regard to the proposal for a regulation of the European Parliament and of the Council of 6 June 2018 establishing the Digital Europe programme for the period 2021-2027 (COM(2018)0434),
– having regard to the Commission communication of 25 April 2018 on Artificial Intelligence for Europe (COM(2018)0237),
– having regard to the Commission communication of 7 December 2018 on a coordinated plan on artificial intelligence (COM(2018)0795),
– having regard to the Commission communication of 8 April 2019 on building trust in human-centric artificial intelligence (COM(2019)0168),
– having regard to the Commission report of 19 February 2020 to the European Parliament, the Council and the European Economic and Social Committee on safety and liability implications of Artificial Intelligence, the Internet of Things and robotics (COM(2020)0064),
– having regard to the Commission White Paper of 19 February 2020 on Artificial Intelligence – A European approach to excellence and trust (COM(2020)0065),
– having regard to its resolution of 16 February 2017 with recommendations to the Commission on Civil Law Rules on Robotics,
– having regard to its resolution of 1 June 2017 on digitizing European industry,
– having regard to its resolution of 12 September 2018 on autonomous weapon systems,
– having regard to its resolution of 12 February 2019 on a comprehensive European industrial policy on artificial intelligence and robotics,
– having regard to its resolution of 12 February 2020 on automated decision-making processes: ensuring consumer protection and free movement of goods and services,
– having regard to the report of 8 April 2019 of the High-Level Expert Group on Artificial Intelligence entitled “Ethics Guidelines for trustworthy AI”,
– having regard to the report of 8 April 2019 of the High-Level Expert Group on Artificial Intelligence entitled “A definition of AI: Main Capabilities and Disciplines”,
– having regard to the report of 26 June 2019 of the High-Level Expert Group on Artificial Intelligence entitled “Policy and investment recommendations for trustworthy AI”,
– having regard to the report of 21 November 2019 of the Expert Group on Liability and New Technologies – New Technologies Formation entitled “Liability for Artificial Intelligence and other emerging digital technologies“,
– having regard to the European Parliamentary Research Service STOA Policy Briefing of June 2016 on legal and ethical reflections concerning robotics,
– having regard to the Study of the Directorate General for internal policies of the European Parliament of October 2016 for the Legal Affairs Committee entitled “European Civil Law Rules in Robotics”,
– having regard to Rules 47 and 54 of its Rules of Procedure,
– having regard to the opinions of the Committee on the Internal Market and Consumer Protection and the Committee on Transport and Tourism,
– having regard to the report of the Committee on Legal Affairs (A9-0178/2020),
A. whereas the concept of ‘liability’ plays an important double role in our daily life: on the one hand, it ensures that a person who has suffered harm or damage is entitled to claim and receive compensation from the party proven to be liable for that harm or damage, and on the other hand, it provides the economic incentives for natural and legal persons to avoid causing harm or damage in the first place or price into their behaviour the risk of having to pay compensation;
B. whereas any future-orientated civil liability legal framework has to instil confidence in the safety, reliability and consistency of products and services, including in digital technology, in order to strike a balance between efficiently and fairly protecting potential victims of harm or damage and, at the same time, providing enough leeway to make it possible for enterprises, and particularly small and medium-sized enterprises, to develop new technologies, products or services; whereas this will help build confidence and create stability for investment; whereas ultimately, the goal of any liability framework should be to provide legal certainty for all parties, whether it be the producer, the operator, the affected person or any other third party;
C. whereas the legal system of a Member State can adjust its liability rules for certain actors or can make them stricter for certain activities; whereas strict liability means that a party can be held liable despite the absence of fault; whereas in many national tort laws, the defendant is held strictly liable if a risk which that defendant has created for the public, such as in the form of cars or hazardous activities, or a risk which he cannot control, like animals, results in harm or damage being caused;
D. whereas any future Union legislatiion, having as a goal the explicit assignment of liability as regards Artificial Intelligence (AI) -systems, should be preceded by analysis and consultation with the Member States on the compliance of the proposed legislative act with economic, legal and social conditions;
E. whereas the issue of a civil liability regime for AI should be the subject of a broad public debate, taking into consideration all the interests at stake, especially the ethical, legal, economic and social aspects, to avoid misunderstandings and unjustified fears that such technology may cause among citizens; whereas careful examination of the consequences of any new regulatory framework on all actors in an impact assessment should be a prerequisite for further legislative steps;
F. whereas the notion of AI-systems comprises a large group of different technologies, including simple statistics, machine learning and deep learning;
G. whereas using the term “automated decision-making” could avoid the possible ambiguity of the term AI; whereas “automated decision-making” involves a user delegating initially a decision, partly or completely, to an entity by way of using software or a service; whereas that entity then in turn uses automatically executed decision-making models to perform an action on behalf of a user, or to inform the user’s decisions in performing an action;
H. whereas certain AI-systems present significant legal challenges for the existing liability framework and could lead to situations in which their opacity could make it extremely expensive or even impossible to identify who was in control of the risk associated with the AI-system, or which code, input or data have ultimately caused the harmful operation; whereas this factor could make it harder to identify the link between harm or damage and the behaviour causing it, with the result that victims might not receive adequate compensation;
I. whereas the legal challenges also result from the connectivity between an AI-system and other AI-systems and non-AI-systems, their dependency on external data, their vulnerability to cybersecurity breaches as well as from the design of increasingly autonomous AI-systems using, inter alia, machine-learning and deep-learning techniques;
J. whereas sound ethical standards for AI-systems combined with solid and fair compensation procedures can help to address those legal challenges and eliminate the risk of users being less willing to accept emerging technology; whereas fair compensation procedures means that each person who suffers harm caused by AI-systems or whose property damage is caused by AI-systems should have the same level of protection compared to cases without involvement of an AI-system; whereas the user needs to be sure that potential damage caused by systems using AI is covered by adequate insurance and that there is a defined legal route for redress;
K. whereas legal certainty is also an essential condition for the dynamic development and innovation of AI-based technology, in particular for start-ups, micro, small and medium-size enterprises, and its practical application in everyday life; whereas the crucial role of start-ups, micro, small and medium-size enterprises, especially in the European economy, justifies a strictly proportionate approach to enable them to develop and innovate;
L. whereas the diversity of AI-systems and the diverse range of risks the technology poses complicates efforts to find a single solution, suitable for the entire spectrum of risks; whereas, in this respect, an approach should be adopted in which experiments, pilots and regulatory sandboxes are used to come up with proportional and evidence-based solutions that address specific situations and sectors, where needed;
1. Considers that the challenge related to the introduction of AI-systems into society, the workplace and the economy is one of the most important questions on the current political agenda; whereas technologies based on AI could and should endeavour to improve our lives in almost every sector, from the personal sphere, for example the transport sector, personalised education, assistance to vulnerable persons, fitness programs, and credit provisions, to the working environment, for example alleviation from tedious and repetitive tasks, and to global challenges such as climate change, healthcare, nutrition and logistics;
2. Firmly believes that in order to efficiently exploit the advantages and prevent potential misuses of AI-systems and to avoid regulatory fragmentation in the Union, uniform, principle-based and future-proof legislation across the Union for all AI-systems is crucial; is of the opinion that, while sector-specific regulations for the broad range of possible applications are preferable, a horizontal and harmonized legal framework based on common principles seems necessary to ensure legal clarity, to establish equal standards across the Union and to effectively protect our European values and citizens’ rights;
3. States that the Digital Single Market needs to be fully harmonized, since the digital sphere is characterized by rapid cross-border dynamics and international data flows; considers that the Union will only achieve the objectives of maintaining the Union’s digital sovereignty and of boosting digital innovation in Europe with consistent and common rules in line with a culture of innovation;
4. Notes that the global A I race is already underway and that the Union should play a leading role in it, by exploiting its scientific and technological potential; strongly emphasises that technology development must not come at the expense of the protection of users from damage that can be caused by devices and systems using AI; encourages the promotion of the Union standards on civil liability at an international level;
5. Firmly believes that the new common rules for AI-systems should only take the form of a regulation; considers that the question of liability in cases of harm or damage caused by an AI-system is one of the key aspects to address within this framework;
Liability and Artificial Intelligence
6. Believes that there is no need for a complete revision of the well-functioning liability regimes but that the complexity, connectivity, opacity, vulnerability, the capacity of being modified through updates, the capacity for self-learning and the potential autonomy of AI-systems, as well as the multitude of actors involved therein represent nevertheless a significant challenge to the effectiveness of Union and national liability framework provisions; considers that specific and coordinated adjustments to the liability regimes are necessary to avoid a situation in which persons who suffer harm or whose property is damaged end up without compensation;
7. Notes that all physical or virtual activities, devices or processes that are driven by AI-systems may technically be the direct or indirect cause of harm or damage, yet are nearly always the result of someone building, deploying or interfering with the systems; notes in this respect that it is not necessary to give legal personality to AI-systems; is of the opinion that the opacity, connectivity and autonomy of AI-systems could make it in practice very difficult or even impossible to trace back specific harmful actions of AI-systems to specific human input or to decisions in the design; recalls that, in accordance with widely accepted liability concepts, one is nevertheless able to circumvent this obstacle by making the different persons in the whole value chain who create, maintain or control the risk associated with the AI-system, liable;
8. Considers that the Product Liability Directive (PLD) has for over 30 years proven to be an effective means of getting compensation for harm triggered by a defective product, but should nevertheless be revised to adapt it to the digital world and to address the challenges posed by emerging digital technologies, ensuring thereby a high level of effective consumer protection, as well as legal certainty for consumers and businesses, while avoiding high costs and risks for SMEs and start-ups; urges the Commission to assess whether the PLD should be transformed into a regulation, to clarify the definition of ‘products’ by determining whether digital content and digital services fall under its scope and to consider adapting concepts such as ‘damage’, ‘defect’ and ‘producer’; is of the opinion that, for the purpose of legal certainty throughout the Union, following the review of the PLD, the concept of ‘producer’ should incorporate manufacturers, developers, programmers, service providers as well as backend operators; calls on the Commission to consider reversing the rules governing the burden of proof for harm caused by emerging digital technologies in clearly defined cases and after a proper assessment; points out the importance of ensuring that the updated Union act remains limited to clearly identified problems for which feasible solutions already exist and at the same time allows future technological developments to be covered, including developments based on free and open source software; notes that the PLD should continue to be used with regard to civil liability claims against the producer of a defective AI-system, when the AI-system qualifies as a product under that Directive; highlights that any update of the product liability framework should go hand in hand with the update of Directive 2001/95/EC of the European Parliament and of the Council of 3 December 2001 on general product safety in order to ensure that AI systems integrate safety and security by design principles;
9. Considers that the existing fault-based tort law of the Member States offers in most cases a sufficient level of protection for persons that suffer harm caused by an interfering third party like a hacker or for persons whose property is damaged by such a third party, as the interference regularly constitutes a fault-based action; notes that only for specific cases, including those where the third party is untraceable or impecunious, does the addition of liability rules to complement existing national tort law seem necessary;
10. Considers it, therefore, appropriate for this report to focus on civil liability claims against the operator of an AI-system; affirms that the operator’s liability is justified by the fact that he or she is controlling a risk associated with the AI-system, comparable to an owner of a car; considers that due to the AI-system’s complexity and connectivity, the operator will be in many cases the first visible contact point for the affected person;
Liability of the operator
11. Opines that liability rules involving the operator should cover all operations of AI-systems, irrespective of where the operation takes place and whether it happens physically or virtually; remarks that operations in public spaces that expose many persons to a risk constitute, however, cases that require further consideration; considers that the potential victims of harm or damage are often not aware of the operation and regularly would not have contractual liability claims against the operator; notes that when harm or damage materialises, such persons would then only have a fault-liability claim, and they might find it difficult to prove the fault of the operator of the AI-system and thus, corresponding liability claims might fail;
12. Considers it appropriate to understand operator to cover both frontend and backend operator, as long as the latter is not covered by the PLD; notes that the frontend operator should be defined as the natural or legal person who exercises a degree of control over a risk connected with the operation and functioning of the AI-system and benefits from its operation; states that the backend operator should be defined as the natural or legal person who, on a continuous basis, defines the features of the technology, provides data and essential backend support service and therefore also exercises a degree of control over the risk connected with the operation and functioning of the AI-system; considers that exercising control means any action of the operator that influences the operation of the AI-system and thus the extent to which it exposes third parties to its potential risks; considers that such actions could impact the operation of an AI-system from start to finish, by determining the input, output or results, or could change specific functions or processes within the AI-system;
13. Notes that there could be situations in which there is more than one operator, for example a backend and frontend operator; considers that in that event, all operators should be jointly and severally liable while having the right to recourse proportionately against each other; is of the opinion that the proportions of liability should be determined by the respective degrees of control the operators had over the risk connected with the operation and functioning of the AI-system; considers that the product traceability should be improved in order to better identify those involved in the different stages;
Different liability rules for different risks
14. Recognises that the type of AI-system the operator is exercising control over is a determining factor regarding liability; notes that an AI-system that entails an inherent high risk and acts autonomously potentially endangers the general public to a much higher degree; considers that, based on the legal challenges that AI-systems pose to the existing civil liability regimes, it seems reasonable to set up a common strict liability regime for those high-risk autonomous AI-systems; underlines that such a risk-based approach, that might encompass several levels of risk, should be based on clear criteria and an appropriate definition of high risk and provide for legal certainty;
15. Believes that an AI-system presents a high risk when its autonomous operation involves a significant potential to cause harm to one or more persons, in a manner that is random and goes beyond what can reasonably be expected; considers that when determining whether an AI-system is high-risk, the sector in which significant risks can be expected to arise and the nature of the activities undertaken must also be taken into account; considers that the significance of the potential depends on the interplay between the severity of possible harm, the likelihood that the risk causes harm or damage and the manner in which the AI-system is being used;
16. Recommends that all high-risk AI-systems be exhaustively listed in an Annex to the proposed Regulation; recognises that, given the rapid technological developments and the required technical expertise, the Commission should review that Annex without undue delay, but at least every six months, and if necessary, amend it through a delegated act; believes that the Commission should closely cooperate with a newly formed standing committee similar to the existing Standing Committee on Precursors or the Technical Committee on Motor Vehicles, which include national experts of the Member States and stakeholders; considers that the balanced membership of the ‘High-Level Expert Group on Artificial Intelligence’ could serve as an example for the formation of the group of stakeholders, with the addition of ethics experts and anthropologists, sociologists and mental health specialists; is also of the opinion that the European Parliament should appoint consultative experts to advise the newly established standing committee;
17. Notes that the development of technologies based on AI is hugely dynamic and continuously accelerating; stresses that, to ensure adequate protection for users, a fast-track approach is needed to analyse new devices and systems using AI-systems that emerge on the European market, concerning potential risks; recommends that all procedures in this regard should be simplified as much as possible; further suggests that the assessment by the Commission of whether an AI-system poses a high-risk should start at the same time as the product safety assessment, in order to prevent a situation in which a high-risk AI-system is already approved for the market but not yet classified as high-risk and thus operates without mandatory insurance cover;
18. Notes that the Commission should assess how the data collected, recorded or stored on high-risk AI-systems for the purposes of gathering evidence in case of harm or damage caused by that AI-system could be accessed and used by the investigating authority and how the traceability and auditability of such data could be improved, while taking into account fundamental and privacy rights;
19. States that in line with strict liability systems of the Member States, the proposed Regulation should cover violations of the important legally protected rights to life, health, physical integrity and property, and should set out the amounts and extent of compensation, as well as the limitation period; is of the opinion that the proposed Regulation should also incorporate significant immaterial harm that results in a verifiable economic loss above a threshold harmonised in Union liability law, that balances the access to justice of affected persons and the interests of other involved persons; urges the Commission to re-evaluate and to align the thresholds for damages in Union law; is of the opinion that the Commission should analyse in depth the legal traditions in all Member States and their existing national laws that grant compensation for immaterial harm, in order to evaluate if the inclusion of immaterial harm in AI-specific legislative acts is necessary and if it contradicts the existing Union legal framework or undermines the national law of the Member States;
20. Determines that all activities, devices or processes driven by AI-systems that cause harm or damage but are not listed in the Annex to the proposed Regulation should remain subject to fault-based liability; believes that the affected person should nevertheless benefit from a presumption of fault on the part of the operator, who should be able to exculpate itself by proving it has abided by its duty of care;
21. Considers that an AI system that has not yet been assessed by the Commission and the newly-formed standing committee and, thus, is not yet classified as high-risk and not included in the list set out in the Annex to the proposed Regulation, should nevertheless, by way of exception to the system provided for in paragraph 20, be subject to strict liability if it caused repeated incidents resulting in serious harm or damage; notes that if that is the case, the Commission should also assess, without undue delay, the need to revise that Annex to add the AI-system in question to the list; is of the opinion that, if, following that assessment, the Commission decides to include that AI-system on the list, that inclusion should have retroactive effect from the time of the first proven incident caused by that AI-system, which resulted in serious harm or damage;
22. Requests the Commission to evaluate the need for legal provisions at Union level on contracts to prevent contractual non-liability clauses, including in Business-to-Business and Business-to-Administration relationships;
Insurances and AI-systems
23. Considers liability coverage to be one of the key factors that defines the success of new technologies, products and services; observes that proper liability coverage is also essential for assuring the public that it can trust the new technology despite the potential for suffering harm or for facing legal claims by affected persons; notes at the same time that this regulatory system focuses on the need to exploit and enhance the advantages of AI-systems, while putting in place robust safeguards;
24. Is of the opinion that, based on the significant potential to cause harm or damage and by taking Directive 2009/103/EC of the European Parliament and of the Council of 16 September 2009 relating to insurance against civil liability in respect of the use of motor vehicles, and the enforcement of the obligation to insure against such liability into account, all operators of high-risk AI-systems listed in the Annex to the proposed Regulation should hold liability insurance; considers that such a mandatory insurance regime for high-risk AI-systems should cover the amounts and the extent of compensation laid down by the proposed Regulation; is mindful of the fact that such technology is currently still very rare, since it presupposes a high degree of autonomous decision making and that, as a result, the current discussions are mostly future-oriented; believes nevertheless that uncertainty regarding risks should not make insurance premiums prohibitively high and thereby an obstacle to research and innovation;
25. Believes that a compensation mechanism at Union level, funded with public money, is not the right way to fill potential insurance gaps; considers that a lack of data on the risks associated with AI-systems combined with an uncertainty regarding developments in the future make it difficult for the insurance sector to come up with adapted or new insurance products; considers that leaving the development of mandatory insurance entirely to the market is likely to result in a one-size-fits-all approach with disproportionately high premiums and the wrong incentives, stimulating operators to opt for the cheapest insurance rather than for the best coverage and could become an obstacle to research and innovation; considers that the Commission should work closely with the insurance sector to see how data and innovative models can be used to create insurance policies that offer adequate coverage for an affordable price;
26. Requests the Commission to submit, on the basis of Article 225 of the Treaty on the Functioning of the European Union, a proposal for a Regulation on liability for the operation of Artificial Intelligence-systems, following the recommendations set out in the Annex hereto;
27. Considers that the requested proposal will not have financial implications;
28. Instructs its President to forward this resolution and the accompanying recommendations to the Commission and the Council.
|ANNEX TO THE MOTION FOR A RESOLUTION: DETAILED RECOMMENDATIONS FOR DRAWING UP A EUROPEAN PARLIAMENT AND COUNCIL REGULATION ON LIABILITY FOR THE OPERATION OF ARTIFICIAL INTELLIGENCE-SYSTEMS|
A. PRINCIPLES AND AIMS OF THE PROPOSAL
This Report addresses an important aspect of digitisation, which itself is shaped by cross-border activities, global competition and core societal considerations. The following principles should serve as guidance:
A genuine Digital Single Market requires full harmonisation by means of a Regulation. New legal challenges posed by the development of Artificial Intelligence (AI)-systems have to be addressed by establishing maximal legal certainty throughout the liability chain, including for the producer, the operator, the affected person and any other third party. There should be no over-regulation and red tape must be prevented as this would hamper European innovation in AI, especially in the case of technology, product or service developed by SMEs or start-ups. Civil liability rules for AI should seek to strike a balance between the protection of the public on the one hand and business incentives to invest in innovation, especially AI systems, on the other. Instead of replacing the well-functioning existing liability regimes, a few necessary adjustments should be made by introducing new and future-orientated ideas. The future proposal for a Regulation and the Product Liability Directive are two pillars of a common liability framework for AI-systems and require close coordination and alignment between all political actors, at Union and national levels.
Citizens should be entitled to the same level of protection and rights, irrespective of whether the harm is caused by an AI-system or not, or if it takes place physically or virtually, so that their confidence in the new technology is strengthened.
Both material and immaterial harm should be taken into account in the future proposal for a Regulation. Based on, among other documents, its Communication of 19 February 2020 on the safety and liability implications of AI and robotics, the European Commission is called upon to profoundly analyse the legal traditions in all Member States as well as the existing legislative provisions that grant compensation for immaterial harm in order to evaluate if the inclusion of immaterial harm in the future proposal for a Regulation is legally sound and necessary from the perspective of the affected person. Based on the currently available information, Parliament believes that significant immaterial harm should be included if the affected person suffered a noticeable, meaning a verifiable, economic loss.
B. TEXT OF THE PROPOSAL REQUESTED
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on liability for the operation of Artificial Intelligence-systems
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee,
Acting in accordance with the ordinary legislative procedure,
(1) The concept of ‘liability’ plays an important double role in our daily life: on the one hand, it ensures that a person who has suffered harm or damage is entitled to claim compensation from the party held liable for that harm or damage, and on the other hand, it provides the economic incentives for persons to avoid causing harm or damage in the first place. Any liability framework should strive to instil confidence in the safety, reliability and consistency of products and services, including emerging digital technologies, such as artificial intelligence (”AI”), the Internet of Things (IoT) or robotics, in order to strike a balance between efficiently protecting potential victims of harm or damage and at the same time providing enough leeway to make the development of new technologies, products or services possible.
(2) Especially at the beginning of the life cycle of new products and services, after being pre-tested, there is a certain degree of risk for the user as well as for third persons that something will not function properly. This process of trial-and-error is at the same time a key enabler of technical progress without which most of our technologies would not exist. So far, the risks accompanying new products and services have been properly mitigated by strong product safety legislation and liability rules.
(3) The rise of AI however presents a significant challenge for the existing liability frameworks. Using AI-systems in our daily life will lead to situations in which their opacity (“black box” element) and the multitude of actors who intervene in their life-cycle make it extremely expensive or even impossible to identify who was in control of the risk of using the AI-system in question or which code or input caused the harmful operation. That difficulty is compounded by the connectivity between an AI-system and other AI-systems and non-AI-systems, by its dependency on external data, by its vulnerability to cybersecurity breaches, as well as by the increasing autonomy of AI-systems triggered by machine-learning and deep-learning capabilities. In addition to these complex features and potential vulnerabilities, AI-systems could also be used to cause severe harm, such as compromising human dignity and European values and freedoms, by tracking individuals against their will, by introducing social credit systems, by taking biased decisions in matters of health insurance, credit provision, court orders, recruitment or employment or by constructing lethal autonomous weapon systems.
(4) It is important to point out that the advantages of deploying AI-systems will byfar outweigh the disadvantages. They will help to fight climate change more effectively, to improve medical examinations as well as working conditions, to better integrate disabled and ageing persons into society and to provide tailor-made education courses for all types of students. To exploit the various technological opportunities and to boost people’s trust in the use of AI-systems, while at the same time preventing harmful scenarios, sound ethical standards combined with solid and fair compensation procedure is the best way forward.
(5) An adequate liability regime is also necessary to counterweight the breach of safety rules. However, the liability regime laid down in this Regulation needs to take into consideration all interests at stake. A careful examination of the consequences of any new regulatory framework on small and medium-sized enterprises (SMEs) and start-ups is a prerequisite for further legislative action. The crucial role that such enterprises play in the European economy justifies a strictly proportionate approach in order to enable them to develop and innovate. On the other hand, the victims of harm or damage caused by AI-systems need to have a right to redress and to full compensation for the harm or damage that they have suffered.
(6) Any required changes in the existing legal framework should start with the clarification that AI-systems have neither legal personality nor human conscience, and that their sole task is to serve humanity. Many AI-systems are also not so different from other technologies, which are sometimes based on even more complex software. Ultimately, the vast majority of AI-systems are used for handling trivial tasks without or with minimum risks for the society. By using the term “automated decision-making”, the possible ambiguity of the term AI could be avoided. That term describes a situation in which a user initially delegates a decision, partly or completely, to an entity, by means of software or a service. That entity, in turn, uses automatically executed decision-making models to perform an action on behalf of a user, or to inform the user’s decision in performing an action.
(7) There are however also AI-systems that are developed and deployed in a critical manner and are based on technologies such as neuronal networks and deep-learning processes. Their opacity and autonomy could make it very difficult to trace back specific actions to specific human decisions in their design or in their operation. An operator of such an AI-system might for instance argue that the physical or virtual activity, device or process causing the harm or damage was outside of his or her control because it was caused by an autonomous operation of his or her AI-system. Moreover, the mere operation of an autonomous AI-system should not be a sufficient ground for admitting the liability claim. As a result, there might be liability cases in which the allocation of liability could be unfair or inefficient, or in which a person who suffers harm or damage caused by an AI-system cannot prove the fault of the producer, of an interfering third party or of the operator and ends up without compensation.
(8) Nevertheless, it should always be clear that whoever creates, maintains, controls or interferes with the AI-system, should be accountable for the harm or damage that the activity, device or process causes. This follows from general and widely accepted liability concepts of justice, according to which the person that creates or maintains a risk for the public is liable if that risk causes harm or damage, and thus should ex-ante minimise or ex-post compensate that risk. Consequently, the rise of AI-systems does not pose a need for a complete revision of liability rules throughout the Union. Specific adjustments to the existing legislation and the introduction of well-accessed and targeted new provisions would be sufficient to accommodate the AI-related challenges, with a view to preventing regulatory fragmentation and ensuring the harmonisation of civil liability legislation throughout the Union in connection with AI.
(9) Council Directive 85/374/EEC (the Product Liability Directive) has proven for over 30 years to be an effective means of getting compensation for damage triggered by a defective product. Hence, it should also be used with regard to civil liability claims of a party who suffers harm or damage against the producer of a defective AI-system. In line with the better regulation principles of the Union, any necessary legislative adjustments should be discussed during the necessary review of that Directive. The existing fault-based liability law of the Member States also offers in most cases a sufficient level of protection for persons that suffer harm or damage caused by an interfering third person, as that interference regularly constitutes a fault-based action, where the third-party uses the AI system to cause harm. Consequently, this Regulation should focus on claims against the operator of an AI-system.
(10) The liability of the operator under this Regulation is based on the fact that he or she exercises a degree of control over a risk connected with the operation and functioning of an AI-system, which is comparable to that of an owner of a car. The more sophisticated and more autonomous a system is, the greater the impact of defining and influencing the algorithms, for example by continuous updates, becomes. As there is often more than one person who could, in a meaningful way, be considered as ‘operating’ the AI-system, under this Regulation ‘operator’ should be understood to cover both the frontend and the backend operator . Although in general, the frontend operator appears as the person who ‘primarily’ decides on the use of the AI-system, the backend operator could in fact have a higher degree of control over the operational risks. If the backend operator also qualifies as ‘producer’ as defined in Article 3 of the Product Liability Directive, that Directive should apply to him or her. If there is only one operator and that operator is also the producer of the AI-system, this Regulation should prevail over the Product Liability Directive.
(11) If a user, namely the person that utilises the AI-system, is involved in the harmful event, he or she should only be liable under this Regulation if the user also qualifies as an operator. If not, the extent of the user’s grossly negligent or intentional contribution to the risk might lead to the user’s fault-based liability to the claimant. Applicable consumer rights of the user should remain unaffected.
(12) This Regulation should enable the affected person to bring forward liability claims throughout the liability chain and throughout the lifecycle of an AI-system. It should also cover in principle all AI-systems, no matter where they are operating and whether the operations take place physically or virtually. The majority of liability claims under this Regulation should however address cases of third party liability, where an AI-system operates in a public space and exposes many persons to a risk. In that situation, the affected persons will often not be aware of the operating AI-system and will not have any contractual or legal relationship towards the operator. Consequently, the operation of the AI-system puts them into a situation in which, in the event of harm or damage being caused, they only have fault-based liability claims against the operator of the AI-system, while facing severe difficulties to prove fault on the part of the operator.
(13) The type of AI-system the operator is exercising control over is a determining factor. An AI-system that entails a high risk potentially endangers the user or the public to a much higher degree and in a manner that is random and goes beyond what can reasonably be expected. This means that at the start of the autonomous operation of the AI-system, the majority of the potentially affected persons are unknown and not identifiable, for example persons on a public square or in a neighbouring house, compared to the operation of an AI-system that involves specific persons, who have regularly consented to its deployment before, for example surgery in a hospital or a sales demonstration in a small shop. Determining how significant the potential is of a high-risk AI-system to cause harm or damage is dependent on the interplay between the purpose of use for which the AI system is put on the market, the manner in which the AI-system is being used, the severity of the potential harm or damage, the degree of autonomy of decision-making that can result in harm and the likelihood that the risk materialises. The degree of severity should be determined based on relevant factors such as the extent of the potential harm resulting from the operation on affected persons, including in particular effects on fundamental rights, the number of affected persons, the total value for the potential damage, as well as the harm to society as a whole. The likelihood for the harm or damage to occur should be determined based on relevant factors such as the role of the algorithmic calculations in the decision-making process, the complexity of the decision and the reversibility of the effects. Ultimately, the manner of usage should depend on relevant factors such as the context and sector in which the AI-system operates, if it could have legal or factual effects on important legally protected rights of the affected person, and whether the effects can reasonably be avoided.
(14) All AI-systems with a high risk should be exhaustively listed in an Annex to this Regulation. Given the rapid technical and market developments worldwide, as well as the technical expertise which is required for an adequate review of AI-systems, the power to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the European Union should be delegated to the Commission to amend this Regulation in respect of the types of AI-systems that pose a high risk and the critical sectors where they are used. Based on the definitions and provisions laid down in this Regulation, the Commission should review the Annex without undue delay, but at least every six months, and, if necessary, amend it by means of delegated acts. The assessment by the Commission of whether an AI-system poses a high-risk should start at the same time as the product safety assessment, in order to prevent a situation in which a high-risk AI-system is already approved for the market but not yet classified as high-risk and thus operates without mandatory insurance cover. To give businesses and research organisations enough planning and investment security, changes to the critical sectors should only be made every twelve months. Operators should be called upon to notify the Commission if they are working on new technology, products or services that fall under one of the existing critical sectors provided for in the Annex and which later could qualify as a high-risk AI-system.
(15) It is of particular importance that the Commission carry out appropriate consultations with the relevant stakeholders during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. A standing committee called ‘Technical Committee – high-risk AI-systems’ (TCRAI) should support the Commission in its regular review under this Regulation. That standing committee should comprise representatives of the Member States, as well as a balanced selection of stakeholders, including consumer organisation, associations representing affected persons, businesses representatives from different sectors and sizes, as well as researchers and scientists. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups as well as the standing TCRAI-committee, when dealing with the preparation of delegated acts.
(16) This Regulation should cover harm or damage to life, health, physical integrity, property and significant immaterial harm that results in a verifiable economic loss above a threshold, harmonised in Union liability law, that balances the access to justice of affected persons with the interests of other involved persons. The Commission should re-evaluate and align the thresholds for damages in Union law. Significant immaterial harm should be understood as meaning harm as a result of which the affected person suffers considerable detriment, an objective and demonstrable impairment of his or her personal interests and an economic loss calculated having regard, for example, to annual average figures of past revenues and other relevant circumstances. This Regulation should also determine the amount and extent of compensation, as well as the limitation period for bringing forward liability claims. This Regulation should set out a significantly lower ceiling for compensation than that provided for in the Product Liability Directive, as this Regulation only refers to the harm or damage of a single person resulting from a single operation of an AI-system, while the former refers to a number of products or even a product line with the same defect.
(17) All physical or virtual activities, devices or processes driven by AI-systems that are not listed as a high-risk AI-system in the Annex to this Regulation should remain subject to fault-based liability, unless stricter national laws and consumer protection legislation is in force. The national laws of the Member States, including any relevant jurisprudence, with regard to the amount and extent of compensation, as well as the limitation period, should continue to apply. A person who suffers harm or damage caused by an AI-system not listed as a high-risk AI-system should benefit from the presumption of fault of the operator.
(18) The diligence which can be expected from an operator should be commensurate with (i) the nature of the AI system: (ii) the legally-protected right potentially affected: (iii) the potential harm or damage the AI-system could cause: and (iv) the likelihood of such damage. Thereby, it should be taken into account that the operator might have limited knowledge of the algorithms and data used in the AI-system. It should be presumed that the operator has observed the due care that can reasonably be expected from him or her in selecting a suitable AI-system, if the operator has selected an AI-system which has been certified under a scheme similar to the voluntary certification scheme envisaged by the Commission. It should be presumed that the operator has observed the due care that can reasonably be expected from him or her during the operation of the AI-system, if the operator can prove that he or she actually and regularly monitored the AI-system during its operation and that he or she notified the manufacturer about potential irregularities during the operation. It should be presumed that the operator has observed the due care that can reasonably be expected from him or her as regards maintaining the operational reliability, if the operator installed all available updates provided by the producer of the AI-system. Since the level of sophistication of operators can vary depending on whether they are mere consumers or professionals, the duties of care should be adapted accordingly.
(19) In order to enable the operator to prove that he or she was not at fault, or to enable the affected person to prove the existence of fault, producers should have the duty to cooperate with both parties concerned, including by providing well-documented information. Both producers established within and outside the Union should furthermore have the obligation to designate an AI-liability representative within the Union as a contact point for replying to all requests from operators, in a manner similar to the data protection officers as set out in Article 37 of Regulation (EU) 2016/679 of the European Parliament and of the Council , to the manufacturer’s representative as set out in Articles 3(41) and 13(4) of Regulation 2018/858 of the European Parliament and of the Council or to the authorised representative as set out in Articles 4(2) and 5 of Regulation 2019/1020 of the European Parliament and of the Council .
(20) The legislator has to consider the liability risks connected to AI-systems during their whole lifecycle, from development to usage to end of life, including the waste and recycling management. The inclusion of AI-systems in a product or service represents a financial risk for businesses and consequently will have a heavy impact on the ability and options for SMEs, as well as for start-ups, in relation to insuring and financing their research and development projects based on new technologies. The purpose of liability is, therefore, not only to safeguard important legally protected rights of individuals, but also to determine whether businesses, especially SMEs and start-ups, are able to raise capital, innovate, research, and ultimately offer new products and services, as well as whether consumers trust such products and services and are willing to use them despite the potential risks and legal claims being brought in respect of such products or services.
(21) Insurance can help guarantee that victims receive effective compensation and pool the risks of all insured persons. One of the factors on which insurance companies base their offer of insurance products and services is risk assessment, based on access to sufficient historical claim data. A lack of access to, or an insufficient quantity of, high quality data could be a reason why creating insurance products for new and emerging technologies is difficult at the beginning. However, greater access to, and optimising the use of, data generated by new technologies, coupled with an obligation to provide well-documented information, would enhance insurers’ ability to model emerging risk and to foster the development of more innovative cover.
(22) Given that historical claim data is missing, how and under which conditions liability is insurable should be investigated, with a view to linking insurance to the product and not to the responsible person. There are already insurance products that are developed area-by-area and cover-by-cover as technology develops. Many insurers specialise in certain market segments (e.g. SMEs) or in providing cover for certain product types (e.g. electrical goods), which means that there will usually be an insurance product available for the insured. However, a “one size fits all” solution is difficult to envisage and the insurance market will need time to adapt. The Commission should work closely with the insurances market to develop innovative insurance products that could close the insurance gap. In exceptional cases, such as an event incurring collective damages, in which the compensation significantly exceeds the maximum amounts set out in this Regulation, Member States should be encouraged to set up a special compensation fund, for a limited period of time, that addresses the specific needs of those cases. Special compensation funds could also be set up to cover those exceptional cases in which an AI-system, which is not yet classified as high-risk AI-system and thus, is not yet insured, causes harm or damage. In order to ensure legal certainty and to fulfil the obligation to inform all potentially affected persons, the existence of the special compensation fund as well as the conditions to benefit from it should be made public in a clear and comprehensive manner.
(23) It is of utmost importance that any future changes to this Regulation go hand in hand with the necessary review of the Product Liability Directive, in order to revise it in a comprehensive and consistent manner and to guarantee the rights and obligations of all parties concerned throughout the liability chain. The introduction of a new liability regime for the operator of AI-systems requires that the provisions of this Regulation and the review of the Product Liability Directive be closely coordinated in terms of substance as well as approach so that they together constitute a consistent liability framework for AI-systems, balancing the interests of producer, operator, consumer and the affected person, as regards the liability risk and the relevant compensation arrangements. Adapting and streamlining the definitions of AI-system, frontend and backend operator, producer, defect, product and service throughout all pieces of legislation is therefore necessary and should be envisaged in parallel.
(24) Since the objectives of this Regulation, namely to create a future-orientated and unified approach at Union level, setting common European standards for European citizens and businesses to ensure the consistency of rights and legal certainty throughout the Union and to avoid fragmentation of the Digital Single Market, which would hamper the goal of maintaining digital sovereignty, of fostering digital innovation in Europe and of ensuring a high-level protection of citizen and consumer rights, require that the liability regimes for AI-systems are fully harmonized. Since this cannot be sufficiently achieved by the Member States due to the rapid technological change, the cross-border development as well as the usage of AI-systems and eventually, the conflicting legislative approaches across the Union, but can rather, by reason of the scale or effects of the action, be achieved at Union level. The Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve these objectives,
HAVE ADOPTED THIS REGULATION:
This Regulation sets out rules for the civil liability claims of natural and legal persons against operators of AI-systems.
1. This Regulation applies on the territory of the Union where a physical or virtual activity, device or process driven by an AI-system has caused harm or damage to the life, health, physical integrity of a natural person, to the property of a natural or legal person or has caused significant immaterial harm resulting in a verifiable economic loss.
2. Any agreement between an operator of an AI-system and a natural or legal person who suffers harm or damage because of the AI-system, which circumvents or limits the rights and obligations set out in this Regulation, concluded before or after the harm or damage occurred, shall be deemed null and void as regards the rights and obligations laid down in this Regulation.
3. This Regulation is without prejudice to any additional liability claims resulting from contractual relationships, as well as from regulations on product liability, consumer protection, anti-discrimination, labour and environmental protection between the operator and the natural or legal person who suffered harm or damage because of the AI-system and that may be brought against the operator under Union or national law.
For the purposes of this Regulation, the following definitions apply:
(a) ‘AI-system’ means a system that is either software-based or embedded in hardware devices, and that displays behaviour simulating intelligence by, inter alia, collecting and processing data, analysing and interpreting its environment, and by taking action, with some degree of autonomy, to achieve specific goals;
(b) ‘autonomous’ means an AI-system that operates by interpreting certain input and by using a set of pre-determined instructions, without being limited to such instructions, despite the system’s behaviour being constrained by, and targeted at, fulfilling the goal it was given and other relevant design choices made by its developer;
(c) ‘high risk’ means a significant potential in an autonomously operating AI-system to cause harm or damage to one or more persons in a manner that is random and goes beyond what can reasonably be expected; the significance of the potential depends on the interplay between the severity of possible harm or damage, the degree of autonomy of decision-making, the likelihood that the risk materializes and the manner and the context in which the AI-system is being used;
(d) ‘operator’ means both the frontend and the backend operator as long as the latter’s liability is not already covered by Directive 85/374/EEC;
(e) ‘frontend operator’ means any natural or legal person who exercises a degree of control over a risk connected with the operation and functioning of the AI-system and benefits from its operation;
(f) ‘backend operator’ means any natural or legal person who, on a continuous basis, defines the features of the technology and provides data and an essential backend support service and therefore also exercises a degree of control over the risk connected with the operation and functioning of the AI-system;
(g) ‘control’ means any action of an operator that influences the operation of an AI-system and thus the extent to which the operator exposes third parties to the potential risks associated with the operation and functioning of the AI-system; such actions can impact the operation at any stage by determining the input, output or results, or can change specific functions or processes within the AI-system; the degree to which those aspects of the operation of the AI-system are determined by the action depends on the level of influence the operator has over the risk connected with the operation and functioning of the AI-system;
(h) ‘affected person’ means any person who suffers harm or damage caused by a physical or virtual activity, device or process driven by an AI-system, and who is not its operator;
(i) ‘harm or damage’ means an adverse impact affecting the life, health, physical integrity of a natural person, the property of a natural or legal person or causing significant immaterial harm that results in a verifiable economic loss;
(j) ‘producer’ means the producer as defined in Article 3 of Council Directive 85/374/EEC.
Strict liability for high-risk AI-systems
1. The operator of a high-risk AI-system shall be strictly liable for any harm or damage that was caused by a physical or virtual activity, device or process driven by that AI-system.
2. All high-risk AI-systems and all critical sectors where they are used shall be listed in the Annex to this Regulation. The Commission is empowered to adopt delegated acts in accordance with Article 13, to amend that exhaustive list, by:
(a) including new types of high-risk AI-systems and critical sectors in which they are deployed;
(b) deleting types of AI-systems that can no longer be considered to pose a high risk; and/or
(c) changing the critical sectors for existing high-risk AI-systems.
Any delegated act amending the Annex shall come into force six months after its adoption. When determining new high-risk AI-systems and/or critical sectors to be inserted by means of delegated acts in the Annex, the Commission shall take full account of the criteria set out in this Regulation, in particular those referred to in Article 3(c).
3. Operators of high-risk AI-systems shall not be able to exonerate themselves from liability by arguing that they acted with due diligence or that the harm or damage was caused by an autonomous activity, device or process driven by their AI-system. Operators shall not be held liable if the harm or damage was caused by force majeure.
4. The frontend operator of a high-risk AI-system shall ensure that operations of that AI-system are covered by liability insurance that is adequate in relation to the amounts and extent of compensation provided for in Articles 5 and 6 of this Regulation. The backend operator shall ensure that its services are covered by business liability or product liability insurance that is adequate in relation to the amounts and extent of compensation provided for in Article 5 and 6 of this Regulation. If compulsory insurance regimes of the frontend or backend operator already in force pursuant to other Union or national law or existing voluntary corporate insurance funds are considered to cover the operation of the AI-system or the provided service, the obligation to take out insurance for the AI-system or the provided service pursuant to this Regulation shall be deemed fulfilled, as long as the relevant existing compulsory insurance or the voluntary corporate insurance funds cover the amounts and the extent of compensation provided for in Articles 5 and 6 of this Regulation.
5. This Regulation shall prevail over national liability regimes in the event of conflicting strict liability classification of AI-systems.
Amount of compensation
1. An operator of a high-risk AI-system that has been held liable for harm or damage under this Regulation shall compensate:
(a) up to a maximum amount of EUR two million in the event of the death of, or in the event of harm caused to the health or physical integrity of, an affected person, resulting from an operation of a high-risk AI-system;
(b) up to a maximum amount of EUR one million in the event of significant immaterial harm that results in a verifiable economic loss or of damage caused to property, including when several items of property of an affected person were damaged as a result of a single operation of a single high-risk AI-system; where the affected person also holds a contractual liability claim against the operator, no compensation shall be paid under this Regulation, if the total amount of the damage to property or the significant immaterial harm is of a value that falls below [EUR 500].
2. Where the combined compensation to be paid to several persons who suffer harm or damage caused by the same operation of the same high-risk AI-system exceeds the maximum total amounts provided for in paragraph 1, the amounts to be paid to each person shall be reduced pro-rata so that the combined compensation does not exceed the maximum amounts set out in paragraph 1.
Extent of compensation
1. Within the amount set out in Article 5(1)(a), compensation to be paid by the operator held liable in the event of physical harm followed by the death of the affected person, shall be calculated based on the costs of the medical treatment that the affected person underwent prior to his or her death, and of the pecuniary prejudice sustained prior to death caused by the cessation or reduction of the earning capacity or the increase in his or her needs for the duration of the harm prior to death. The operator held liable shall furthermore reimburse the funeral costs for the deceased affected person to the party who is responsible for defraying those expenses.
If, at the time of the incident that caused the harm leading to his or her death, the affected person was in a relationship with a third party and had a legal obligation to support that third party, the operator held liable shall indemnify the third party by paying maintenance to the extent to which the affected person would have been obliged to pay, for the period corresponding to an average life expectancy for a person of his or her age and general description. The operator shall also indemnify the third party if, at the time of the incident that caused the death, the third party had been conceived but had not yet been born.
2. Within the amount set out in Article 5(1)(b), compensation to be paid by the operator held liable in the event of harm to the health or the physical integrity of the affected person shall include the reimbursement of the costs of the related medical treatment as well as the payment for any pecuniary prejudice sustained by the affected person, as a result of the temporary suspension, reduction or permanent cessation of his or her earning capacity or the consequent, medically certified increase in his or her needs.
1. Civil liability claims, brought in accordance with Article 4(1), concerning harm to life, health or physical integrity, shall be subject to a special limitation period of 30 years from the date on which the harm occurred.
2. Civil liability claims, brought in accordance with Article 4(1), concerning damage to property or significant immaterial harm that results in a verifiable economic loss shall be subject to special limitation period of:
(a) 10 years from the date when the property damage occurred or the verifiable economic loss resulting from the significant immaterial harm, respectively, occurred, or
(b) 30 years from the date on which the operation of the high-risk AI-system that subsequently caused the property damage or the immaterial harm took place.
Of the periods referred to in the first subparagraph, the period that ends first shall be applicable.
3. This Article shall be without prejudice to national law regulating the suspension or interruption of limitation periods.
Fault-based liability for other AI-systems
1. The operator of an AI-system that does not constitute a high-risk AI-system as laid down in Articles 3(c) and 4(2) and, as a result is not listed in the Annex to this Regulation, shall be subject to fault-based liability for any harm or damage that was caused by a physical or virtual activity, device or process driven by the AI-system.
2. The operator shall not be liable if he or she can prove that the harm or damage was caused without his or her fault, relying on either of the following grounds’:
(a) the AI-system was activated without his or her knowledge while all reasonable and necessary measures to avoid such activation outside of the operator’s control were taken, or
(b) due diligence was observed by performing all the following actions: selecting a suitable AI-system for the right task and skills, putting the AI-system duly into operation, monitoring the activities and maintaining the operational reliability by regularly installing all available updates.
The operator shall not be able to escape liability by arguing that the harm or damage was caused by an autonomous activity, device or process driven by his or her AI-system. The operator shall not be liable if the harm or damage was caused by force majeure.
3. Where the harm or damage was caused by a third party that interfered with the AI-system by modifying its functioning or its effects, the operator shall nonetheless be liable for the payment of compensation if such third party is untraceable or impecunious.
4. At the request of the operator or the affected person, the producer of an AI-system shall have the duty of cooperating with, and providing information to, them to the extent warranted by the significance of the claim, in order to allow for the identification of the liabilities.
National provisions on compensation and limitation period
Civil liability claims brought in accordance with Article 8(1) shall be subject, in relation to limitation periods as well as the amounts and the extent of compensation, to the laws of the Member State in which the harm or damage occurred.
Apportionment of liability
1. If the harm or damage is caused both by a physical or virtual activity, device or process driven by an AI-system and by the actions of an affected person or of any person for whom the affected person is responsible, the extent of liability of the operator under this Regulation shall be reduced accordingly. The operator shall not be liable if the affected person or the person for whom he or she is responsible is solely to blame for the harm or damage caused.
2. An operator held liable may use the data generated by the AI-system to prove contributory negligence on the part of the affected person, in accordance with Regulation (EU) 2016/679 and other relevant data protection laws. The affected person may also use such data as a means of proof or clarification in the liability claim.
Joint and several liability
If there is more than one operator of an AI-system, they shall be jointly and severally liable. If a frontend operator is also the producer of the AI-system, this Regulation shall prevail over the Product Liability Directive. If the backend operator also qualifies as a producer as defined in Article 3 of the Product Liability Directive, that Directive should apply to him or her. If there is only one operator and that operator is also the producer of the AI-system, this Regulation should prevail over the Product Liability Directive.
Recourse for compensation
1. The operator shall not be entitled to pursue a recourse action unless the affected person has been paid in full any compensation which that person is entitled to receive under this Regulation.
2. In the event that the operator is held jointly and severally liable with other operators in respect of an affected person and has fully compensated that affected person, in accordance with Article 4(1) or 8(1), that operator may recover part of the compensation from the other operators, in proportion to his or her liability.
The proportions of liability shall be based on the respective degrees of control the operators had over the risk connected with the operation and functioning of the AI-system. If the contribution attributable to a jointly and severally liable operator cannot be obtained from him or her, the shortfall shall be borne by the other operators. To the extent that a jointly and severally liable operator compensates the affected person and demands adjustment of advance payments from the other liable operators, the claim of the affected person against the other operators shall be subrogated to the operator. The subrogation of claims shall not be asserted to the disadvantage of the original claim.
3. In the event that the operator of a defective AI-system fully indemnifies the affected person for harm or damages in accordance with Article 4(1) or 8(1), he or she may take action for redress against the producer of the defective AI-system in accordance with Directive 85/374/EEC and with national provisions concerning liability for defective products.
4. In the event that the insurer of the operator indemnifies the affected person for harm or damage in accordance with Article 4(1) or 8(1), any civil liability claim of the affected person against another person for the same damage shall be subrogated to the insurer of the operator to the extent of the amount the insurer of the operator has compensated the affected person.
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 4(2) shall be conferred on the Commission for a period of five years from [date of application of this Regulation].
3. The delegation of power referred to in Article 4(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult the standing Technical Committee for high-risk AI-systems (TCRAI-committee) in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 4(2) shall enter into force only if no objection has been expressed by either the European Parliament or the Council within a period of two months of notification or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.
By 1 January 202X [3 years after the date of application of this Regulation], and every three years thereafter, the Commission shall present to the European Parliament, the Council and the European Economic and Social Committee a detailed report reviewing this Regulation in light of further development of Artificial Intelligence.
When preparing the report referred to in the first subparagraph, the Commission shall request relevant information from Member States relating to case law, court settlements as well as accident statistics, such as the number of accidents, damage suffered, AI applications involved, compensation paid by insurance companies, as well as an assessment of the number of claims brought by affected persons, either individually or collectively, and of the time frames in which those claims are dealt with in court.
The Commission’s report shall be accompanied, where appropriate, by legislative proposals, intended to address any gaps identified in the report.
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
It shall apply from 1 January 202X.
This Regulation shall be binding in its entirety and directly applicable in the Member States.
The concept of ‘liability’ plays an important double role in our daily life: on the one hand, it ensures that a person who has suffered harm is entitled to claim compensation from the person proven to be liable for that harm, and on the other hand, it provides the economic incentives for persons to avoid causing harm in the first place. Any future-orientated liability framework should therefore strive to strike the balance between efficiently protecting potential victims of damage and at the same time, providing enough leeway to make the development of new technologies, products or services possible.
Especially at the beginning of the life cycle of new products and services, there is a certain degree of risk for the user as well as third persons that something is not function properly. This process of trial-and-error is however also a key enabler of technical progress without whom most of our technologies would not exist today. So far, Europe’s strong product safety regulations and liability rules were more than capable to deal with the potentially higher risks of new technologies. In the eyes of many people, this certitude is now being challenged by the rise of Artificial Intelligence (AI). What makes this technology unique is its ‘opacity’ or in other words, its ‘black box’ feature. Combined with its connectivity, dependency on external data, vulnerability to cybersecurity breaches and a distinctive autonomy, the involvement of AI-systems could make it extremely expensive or even impossible to identify who was in control or which code or input has ultimately caused the harmful operation. As a result, the harmed person could face difficulties to get compensation.
Even though AI-systems are indeed posing new legal challenges to our existing liability regime, they are materially in many cases not so different to other technologies, which sometimes are based on even more sophisticated software. Modern AI-systems regularly function rather trivial and are far away from conscious robots we know from Sci-Fi movies. Any discussion about giving AI-systems legal personality is therefore obsolete. Choosing a sensible approach to address the legal challenges posed by new AI-systems means that we refrain from major changes to our liability framework. If a person suffered harm caused by a defective AI-system, the Product Liability Directive (PLD) should remain the legal means to seek compensation from the producer. If the harm was caused by an interfering third person, the existing fault-based liability system in the Member States offer (in most cases) a sufficient level of protection. In line with better regulation principles of the Union, any necessary legislative adjustments with regard to producers and interfering third persons should be discussed in these respective legal frameworks.
This report makes nonetheless one crucial exception from its faith in the existing liability regimes: it sees a legal gap when it comes to the liability of the deployers of AI-systems. Although these persons are deciding on the use of AI-systems, are the ones who are mainly exercising control over the associated risks and are benefiting from their operations, many liability claims against them would fail due to the inability of the affected persons to prove the deployer’s fault. Especially in cases, where the harm was caused by an operation of an AI-system in a public space, the potentially enormous group of affected person would regularly not hold any contractual relationship towards the deployer, leaving them with almost no chance of being compensated for their harm. The Rapporteur propose two different approaches to solve this legal gap, depending on the level of risk the AI-system entails:
(1) High-risk AI-systems: The deployer of such a system is in quite a similar position as the owner of a car or a pet. He or she exercises control over an item that significantly endangers the public, in a manner that is random and impossible to predict in advance. Consequently, the deployer – like the owner of a car or pet – should be subject to a strict liability regime and compensate the victim within a certain extent and certain amount of money for any harm to its important legally protected rights (life, health, physical integrity, property). This Report defines clear criteria on which AI-systems can qualify as high-risk and list them exhaustively in an ANNEX. Given the rapid technical and market developments and given the technical expertise that is required for an adequate review of an AI-system, it should be up to the European Commission to amend the ANNEX through delegated acts. A newly formed standing committee, involving national experts and stakeholders, should support the Commission in its review of potentially high-risk AI-systems.
(2) All other AI-systems: The person who suffered harm caused by an AI-systems that is not listed in the Annex, should nevertheless benefit from a presumption of fault towards the deployer. The national law regulating the amount and extent of compensation as well as the limitation period in case of harm caused by the AI-system remain applicable.
Any proposal for new legislation needs to analyse profoundly the existing laws to avoid duplication or conflicting provisions. Based on this principle, the Report does only cover harm to life, health, physical integrity and property. Although AI-systems can admittedly cause considerable harm to personal rights and other important legally protected interests, those infringements are much better addressed by already existing and tailor-made legal provisions in those areas (e.g. anti-discrimination law or consumer protection law). For the very same reason, the use of biometric data or of face recognition techniques by AI-systems were not incorporated by the Rapporteur; any unauthorized use in this area is already covered by specific data protection laws such as the GDPR. With regard to conflicting national liability regimes when it comes to the question if an AI-system falls under strict liability or with regard to the limiting effect of contractual agreements, this Report holds that its provisions always prevail. It moreover aims to achieve full compensation for the affected person by the deployer, before potential liability claims against the producer can be brought forward by other persons than the affected person. For the purpose of legal certainty throughout the Union, the backend operator – which is not covered by this Regulation – should fall under the same liability rules as the producer, manufacturer and developer.
As the European Union and its Member States do not require radical changes to their liability frameworks, AI-systems also should not push us away from our traditional insurances systems. Publicly funded compensation mechanisms are no adequate answer to the rise of Artificial Intelligence. Such compensation regimes would only impose an unnecessary financial burden on taxpayer. Despite the lack of access to quality historical claims data involving AI-systems, European insurers are already developing new products area-by-area and cover-by-cover as the technology develops further. If there is a need for a new cover, the insurance market will come up with an adequate solution. It would be wrong to fall for hypothetical scenarios that are being used to lobby for additional public systems. If one day a mass harm event like a large terrorist attack materializes, Member States could set up special compensation funds for a limited period of time as it already happened in the past. Consequently, this Report solely requires deployers of high-risk AI-systems to hold an adequate liability insurance (comparable with the obligation set up by the Motor Insurance Directive), which covers the amounts and the extent of compensation determined by this Regulation. The Rapporteur strongly believes in the insurance market to either adapt existing insurance covers or to come up with various new products that each separately cover the different types of AI-systems in different sectors.
With its narrow but clear approach on liability rules for the deployer of AI-systems, the Rapporteur is convinced to strike the balance between effectively protecting the society while allowing this exciting technology to innovate further. Way too often only the risks of Artificial Intelligence are singled out. Yes, AI-systems could be used to do bad things. But do we want to allow negative manifestations – that happen with all technologies from mobile phones to nuclear power – to restrict our general use? Do we want to pass on the help of AI-systems in our fight against climate change, to improve our health care system or to better integrate persons with disabilities? This Report strongly advises to focus on exploiting the positives effects of AI-systems, while building up strong safeguards.
Thereby, all new laws on Artificial Intelligence should be written in form of regulations. As the digital sphere is characterized by rapid cross-border dynamics, our European Digital Single Market needs to be fully harmonized to catch up with the global digital competition.
It is crucial to emphasise that the political discussion on this Regulation should go hand in hand with a necessary Review of the PLD. The introduction of a new liability regime for the deployer of AI-systems requires that the negotiations on this Report and the Review of the PLD should be closely coordinated in terms of substance as well as approach so that they together constitute a consistent liability framework for AI-systems, balancing the interest of producer, deployer and the affected person, as regards the liability risk. Adapting and streamlining the definitions of AI-system, deployer, producer, developer, defect, product and service throughout all legislative initiatives seem therefore necessary.
Last but not least, the political players should realise that the technological progress does not stop during their legislative negotiations. If we are serious with our goal to keep up with digitisation, to maintain our digital sovereignty and to play a major role in the digital age, the European Institutions need to send a clear political message to our successful industry and to our bright researchers working on new AI-systems. Until the legislative response to the rise of Artificial Intelligence becomes law, industry and researchers should be able to innovate according to the current rules and should benefit from a five-year-long transition period. If we are not granting them this planning certainty, Europe will miss out on numerous new fascinating technologies, products or services.
|OPINION OF THE COMMITTEE ON THE INTERNAL MARKET AND CONSUMER PROTECTION (7.7.2020)|
for the Committee on Legal Affairs
on Civil liability regime for artificial intelligence
Rapporteur for opinion: Svenja Hahn
(Initiative – Rule 47 of the Rules of Procedure)
The Committee on the Internal Market and Consumer Protection calls on the Committee on Legal Affairs, as the committee responsible:
– to incorporate the following suggestions into its motion for a resolution:
A. whereas the use of emerging digital technologies, such as Artificial Intelligence (AI), the Internet of Things and of Services (IoT/IoS) or robotics, will continue to play an increasing role in our everyday lives;
B. whereas such emerging digital technologies have the potential to contribute to the development of innovation in many sectors and offer benefits for consumers through innovative products and services , for businesses, in particular start-ups, micro, small and medium enterprises (SMEs), through optimised performance and increased competitiveness, and for public administration, through improved, more inclusive and customised public services;
C. whereas the use, deployment and development of AI and other emerging digital technologies might also present risks to and challenges for the existing liability framework on products which is not necessarily adapted to such new applications, thus potentially undermining consumer trust and protection;
D. whereas product safety and product liability are two complementary mechanisms pursuing the same policy goal of a functioning single market for goods and services, and this opinion contains suggestions as to possible adjustments of the Union liability frameworkin light of the increased importance of emerging digital technologies;
E. whereas robust liability mechanisms triggering remedies for damage and harm contribute to better protection of citizens and consumers from damage and harm, creation of trust in emerging digital technologies while ensuring legal certainty for businesses, in particular start-ups, micro, small and medium enterprises (SMEs), thereby enabling them to innovate;
F. whereas in order to build acceptance, the theoretical benefits of AI should also contribute effectively to prosperity and development;
G. whereas the Report from the Commission to the European Parliament, the Council and the European Economic and Social Committee on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics and the White Paper On Artificial Intelligence – A European approach to excellence and trust should be considered as the basis for the future European legislation;
1. Welcomes the Commission’s aim of making the Union legal framework fit the new technological developments, deployments and uses of AI and other emerging digital technologies, thereby ensuring a high level of protection for consumers from damage and harm caused by new technologies based on artificial intelligence, robotics and related technologies, while maintaining a balance with the objective of digitalisation of industrial and consumer products and supporting technological innovation;
2. Calls on the Commission to update the existing liability framework, and in particular Council Directive 85/374/EEC (the Product Liability Directive – ‘PLD’), to adapt it to the digital world;
3. Calls on the Commission to revise the PLD, by addressing the challenges posed by emerging digital technologies such as artificial intelligence, the Internet of things (IoT) or robotics, thereby ensuring a high level of effective consumer protection as well as legal certainty for consumers and businesses, while avoiding high costs and risks for SMEs and start-ups;
4. Highlights that any update of the product liability framework should go hand in hand with the update of Directive 2001/95/EC of the European Parliament and of the Council (the Product Safety Directive) in order to ensure that AI systems integrate safety and security by design principles;
5. Emphasises that any revision of the existing liability framework should aim to further harmonise liability and consumer protection rules in order to ensure a level playing field and to avoid inequalities in consumer protection and fragmentation of the single market;
6. Asks the Commission to assess whether a regulation on general product liability could contribute to this aim; stresses, however, the importance of ensuring that Union regulation remains limited to clearly identified problems for which feasible solutions exist and leaves room for further technological developments, including the developments based on free and open source software; highlights that this should be done in full compliance with the applicable legislation, including Directive (EU) 2019/790of the European Parliament and of the Council;
7. Calls on the Commission to update the product liability framework by taking into account the specific challenges of digitalisation for liability law; considers that challenges may arise, for example, due to products being inter-connected, data-dependent or vulnerable to cybersecurity risks;
8. Underlines, in particular, the need to take into account processes in AI applications that may not be well documented, or which may occur autonomously after the product has been placed on the market;
9. Urges the Commission to clarify the definition of ‘products’ under the PLD, by determining whether digital content and digital services fall under its scope and to consider adapting such concepts as ‘producer’, ‘damage’ and ‘defect’; underlines the need to take into account the consumer acquis when doing so and in particular the current Directive (EU) 2019/770 of the European Parliament and of the Council (the Digital Content Directive) and Directive (EU) 2019/771 of the European Parliament and of the Council  (the Sale of goods Directive);
10. Recommends that AI should not be granted its own legal personality; asks the Commission to also examine whether the product liability framework needs to be revised in order to protect, and indemnify injured parties efficiently as regards products that are purchased as a bundle with related services and to consider privacy-by-design and security-by-design rules as being a reasonable expectation of consumers regarding their digital products;
11. Highlights the fact that online marketplaces, acting as importers or suppliers of the products sold online in the supply chain, fall under the PLD and therefore are liable for damage caused by a defect in the products they have sold, except where they act as a supplier and the producer is identified, in accordance with the relevant provisions of the PLD;
12. Calls on the Commission to assess, in close coordination with corresponding possible adjustments to the Union safety framework, whether the notion of ‘time when the product was put into circulation’ is fit for purpose for emerging digital technologies, and whether the responsibility and liability of producer could go beyond this notion, taking into account that AI-driven products may be changed or altered under the producer’s control after they have been placed on the market, which could cause a defect and ensuing damage;
13. Stresses the importance of ensuring a fair and efficient allocation of liability in the chain of commercial transactions in order to attribute liability in the most appropriate way; highlights that due to the complexity, connectivity and opacity of the products based on AI and new technologies, it could be difficult for consumers to prove what defect in a product caused damage, as it cannot be assumed that consumers have all of the necessary information or specific technical knowledge;
14. Underlines therefore the relevance of making it possible for consumers who have suffered harm or whose property has been damaged to prove that a defect in a product caused damage, even if third party software is involved or the cause of a defect is difficult to trace, for example when products are part of a complex interconnected Internet of Things environment;
15. Calls on the Commission to consider reversing the rules governing the burden of proof for harm caused by emerging digital technologies in clearly defined cases and after a proper assessment, in order to empower consumers who have suffered harm or whose property has been damaged to defend their rights while preventing abuse and providing legal certainty for businesses, as well as to ensure fairness and to mitigate the informational asymmetries impairing the situation of injured parties;
16. Asks the Commission to assess the possibility of introducing an obligation for producers of emerging digital technologies to equip their products with means of recording information about the operation of the technology, in accordance with applicable data protection provisions and the rules concerning the protection of trade secrets, taking into account, inter alia, the likelihood that a risk of the technology materialises, whether such a duty is appropriate and proportionate and the technical feasibility and costs of it; suggests that failing to comply with this duty or refusing to give the consumer in question reasonable access to this information would trigger a rebuttable liability presumption on the part of the producer;
17. Highlights the need for a risk based approach to AI within the existing liability framework, which takes into account different levels of risk for consumers in specific sectors and uses of AI; underlines that such an approach, that might encompass several levels of risk, should be based on clear criteria and an appropriate definition of high risk and provide for legal certainty;
18. Further considers that those involved in the different stages of the development, deployment and use of AI-based systems should be held into account in proportion to their liability in their internal relationship; stresses, however, that in relation to the party who has suffered harm or whose property has been damaged the joint and several liability of these different actors should be guaranteed; suggests that product traceability be improved, for instance via the use of distributed ledger technologies, such as blockchain, in order to better identify those involved in the different stages;
19. Underlines that explainability, interpretability and traceability of AI systems are key to ensuring that liability mechanisms offer an adequate, efficient and fair allocation of responsibilities;
20. Asks the Commission to carefully assess the introduction of a separate yet complementary strict liability regime for AI systems presenting a high risk of causing harm or damage to one or more persons or their property in a manner that is random and impossible to predict in advance, taking into account, inter alia, its likely impact on the protection of citizens and consumers from harm, the capacity of businesses, particularly SMEs, to innovate, the coherence of the Union’s safety and liability framework and on the principles of subsidiarity and proportionality; considers that this regime should ensure that victims are effectively compensated for damage caused by AI driven systems;
21. Calls on the Commission to propose concrete measures, such as a registry of products liability cases, to enhance transparency and to monitor defective products circulating in the Union; highlights that it is essential to ensure that there is a high level of consumer protection in relation to, and a high degree of information about, the products that could be purchased.
INFORMATION ON ADOPTION IN COMMITTEE ASKED FOR OPINION
Result of final vote
Members present for the final vote
Alex Agius Saliba, Andrus Ansip, Alessandra Basso, Brando Benifei, Adam Bielan, Hynek Blaško, Biljana Borzan, Vlad-Marius Botoş, Markus Buchheit, Dita Charanzová, Deirdre Clune, David Cormand, Petra De Sutter, Carlo Fidanza, Evelyne Gebhardt, Alexandra Geese, Sandro Gozi, Maria Grapini, Svenja Hahn, Virginie Joron, Eugen Jurzyca, Arba Kokalari, Marcel Kolaja, Kateřina Konečná, Andrey Kovatchev, Jean-Lin Lacapelle, Maria-Manuel Leitão-Marques, Adriana Maldonado López, Antonius Manders, Beata Mazurek, Leszek Miller, Kris Peeters, Anne-Sophie Pelletier, Christel Schaldemose, Andreas Schwab, Tomislav Sokol, Ivan Štefanec, Kim Van Sparrentak, Marion Walsmann, Marco Zullo
Substitutes present for the final vote
Pascal Arimont, Maria da Graça Carvalho, Edina Tóth, Stéphanie Yon-Courtin
FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION
Pascal Arimont, Maria da Graça Carvalho, Deirdre Clune, Arba Kokalari, Andrey Kovatchev, Antonius Manders, Kris Peeters, Andreas Schwab, Tomislav Sokol, Ivan Štefanec, Edina Tóth, Marion Walsmann
Alex Agius Saliba, Brando Benifei, Biljana Borzan, Evelyne Gebhardt, Maria Grapini, Maria‑Manuel Leitão‑Marques, Adriana Maldonado López, Leszek Miller, Christel Schaldemose
Andrus Ansip, Vlad‑Marius Botoş, Dita Charanzová, Sandro Gozi, Svenja Hahn, Stéphanie Yon‑Courtin
David Cormand, Petra De Sutter, Alexandra Geese, Marcel Kolaja, Kim Van Sparrentak
Adam Bielan, Carlo Fidanza, Beata Mazurek
Kateřina Konečná, Anne‑Sophie Pelletier
Hynek Blaško, Markus Buchheit, Virginie Joron, Jean‑Lin Lacapelle
Key to symbols:
+ : in favour
– : against
0 : abstention
|OPINION OF THE COMMITTEE ON TRANSPORT AND TOURISM (15.7.2020)||
INFORMATION ON ADOPTION IN COMMITTEE ASKED FOR OPINION
FINAL VOTE BY ROLL CALL IN COMMITTEE ASKED FOR OPINION
Key to symbols:
+ : in favour
– : against
0 : abstention