Daniel Schonberger, Chief Legal Officer of the Web3 Foundation, has condemned the European Commission's (EC) proposed expansion of the Product Liability Directive (PLD) to include software, which would make developers strictly liable for exploited bugs in their code. Schonberger has argued that the directive poses an extinction-level threat to Web3 and, as such, must be nipped in the bud.
Europe’s New PLD to Stifle Web3 Growth
In September 2022, the European Commission released a legislative package designed to update the decades-old European Union liability rules to meet evolving challenges in the digital age. The authorities expect the revised PLD rules to “give businesses legal certainty to invest in new and innovative products” and “will ensure that victims can get fair compensation when defective products, including digital and refurbished products, cause harm.”
The modernized PLD also aims to make it possible for people to be compensated for damage “when products like robots, drones or smart-home systems are made unsafe by software updates, AI or digital services that are needed to operate the product, as well as when manufacturers fail to address cybersecurity vulnerabilities.”
While the European Commission has made it clear that the primary objective of the revised PLD proposal, which is open for public comments and feedback until December 11, 2022, is to protect consumers and foster innovation, Daniel has argued that the move will have dire consequences for the burgeoning Web3 industry.
“By expanding the Product Liability Directive to software and making developers strictly liable for exploited bugs, the European Commission might pose an extinction-level threat to the nascent Web3 space. The industry was not at the table and the regulator seems to be sleepwalking over the opportunity to create a better Web.”
PLD Will Do More Harm Than Good
According to Schonberger, the European Commission began working on modernizing its PLD policy more than five years ago as a result of increased coverage of advancements in artificial intelligence (AI) by mainstream media.
While the PLD was initially designed to protect consumers and compensate them when they incur damages or get injured when using defective offline and hardware products such as “failed brakes on a car,” the proposed revision, which Schonberger has described as a shock to many stakeholders in the Web3 space, will put even programmers and blockchain developers on the hot seat.
“The Commission’s proposed revision will dramatically undermine a familiar, well-functioning, and balanced framework and for the first time define standalone software as a covered product under the standard. Additionally, the range of compensable damages would be expanded beyond personal injury and damage to property to include ‘material losses resulting from loss or corruption of data,’” he noted.
Against that backdrop, if the proposed PLD revision is passed into law, software developers will now be liable to compensate or fully reimburse consumers when they lose money while using their products as a result of hacks or vulnerability exploits.
Schonberger says this treatment of software totally contravenes universally accepted standards and practices in the industry.
“First of all, there is broad agreement among tech and governmental stakeholders that software resembles a service rather than a product. Decades of software development have fostered a universal acceptance and acknowledgment that code can’t be released entirely ‘bug-free’ and is viewed as an iterative process. Producers and consumers work cooperatively to identify software performance ‘bugs’ and develop and implement patches to address these issues. A blanket requalification of software as products does not seem justified or consistent with established business and legal precedent.”
While the expansion of the PLD policy to software may seem quite harsh to developers, one major upside of this legislation is that it may significantly curb the incidence of hacks and heists in the DeFi sector, as developers will start paying more attention to the security of their code, knowing full well that their European consumers will be duly compensated when things go wrong.
The Right Approach
Schonberger says instead of the current route the European Commission has decided to follow, a more effective approach would be to classify software into various categories and extend the PLD to those that “already qualify as quasi-products because of their inherent potential to cause comparable harm. Examples include medical device software and others.”
Schonberger argues that the PLD should only focus on compensating consumers for damages resulting from abnormally hazardous instances where their health and safety are at great risk, rather than a “case of harm resulting from the loss or corruption of data that merely constitutes an economic loss.”
Schonberger further stated that legal systems across various jurisdictions do not currently apply any form of strict liability standard for the loss of data caused by a software bug and as such, the revised PLD proposal as regards software is not the way to go.
“Traditional software developers and big tech alike disagree with the Commission’s revision. Rightfully, they argue such a liability framework would impede innovation and yield unacceptable overhead, preventing and delaying the development of useful products and services for the consumer market,” he noted, adding:
“The application of these proposed standards on the loss of data carries even greater significance when the perceived loss relates to crypto assets. Consumers can obtain a clear valuation of their loss based on a spot market valuation. Since all transactions are immutably logged on the blockchain, evidence for a specific loss, for example through the malicious exploitation of cybersecurity vulnerability by a hacker, is easily established.”