The Revised Product Liability Directive
Directive 2024/2853, effective December 2026, makes it easier for victims of AI-caused harm to prove liability and get compensated. It expands "products" to software and AI, eases the burden of proof via rebuttable presumptions and inferred causality, retains strict liability, and covers psychological harm and data loss.
Directive 2024/2853 → adopted, with Member States implementing into national law by December 2026. Goal → make it easier for victims of AI-caused harm to prove liability and get compensated.
- Expanded scope → "products" now include standalone software, digital manufacturing files, AI-enabled systems, plus cloud-based AI services and platforms distributing AI; liability also covers updates, patches and modifications that later render a product defective.
- Burden of proof eased → rebuttable presumptions of defectiveness where complexity blocks proving causation; courts may infer causality when a defect is highly probable, shifting the burden to the manufacturer, and claimants can request disclosure of technical documentation, with judges balancing trade secret confidentiality.
- Harmonised strict liability → consistent victim rights EU-wide; no negligence proof needed, only defect plus harm; covers defects from updates, upgrades or continuous learning; broad accountability across manufacturers, importers, authorised representatives, fulfilment service providers, online platforms in certain cases, software developers and AI providers.
- Damage types covered → beyond injury, death and property damage → psychological harm from defective AI · financial losses from security vulnerabilities or incorrect AI decisions · data loss or corruption
The liability chain: manufacturers · software developers and AI providers · importers and distributors · third-party AI integrators. Implications for developers: robust testing, validation and risk assessment across the life cycle, more documentation and explainability, and alignment of liability work with the EU AI Act's safety and ethical standards.
An AI thermostat overheated → the defect traced to a third-party AI model. Before integrating external AI → rigorous vendor screening · certifications current · verify standards compliance · examine safety testing reports, benchmarks, technical specifications · review the vendor's incident response procedure · run a security audit · start with limited pilot deployments in controlled environments.
PLD numbers and hooks → effective December 2026 · strict liability retained · rebuttable presumptions + inferred causality flip the burden onto manufacturers · damages include psychological harm and data loss · defects from continuous learning count.
Module 5's four takeaways → 1) Understand privacy laws (GDPR/CCPA principles, Article 22, DPIAs, controller duties, sensitive-data gateways) · 2) Clarify ownership (define rights for AI content; only humans can be inventors; training-data copyright still being settled) · 3) Conduct audits (NYC mandates them for employment AI, Section 1557 demands proactive healthcare checks) · 4) Monitor legal changes (PLD lands December 2026, fair use still being decided). Mnemonic bank → C·L·EC (Article 22 exceptions), Interest → Necessity → Balance (EDPB legitimate-interest test), Really Private Records Take Guarding, Because Health's Sensitive (the 8 special categories). One last anchor → using AI never exempts an organisation from the laws that already applied; it usually adds new ones on top.