EU's product liability directive (Was: Re: The Case for Rust (in the base system))

From: Poul-Henning Kamp <phk_at_phk.freebsd.dk>
Date: Tue, 03 Sep 2024 07:07:45 UTC
fvalasiad writes:

>  If only people bothered using the mature ecosystem of tools around C.

I know I have mentioned it before, but: 

Software quality will go through a paradigm shift when the new EU product
liability directive lands:

	(6)
	In order to ensure that the Union’s product liability regime
	is comprehensive, no-fault liability for defective products
	should apply to all movables, including software, including
	when they are integrated into other movables or installed
	in immovables.

("no-fault liability" means that the consumer does not need to show
that the manufacturer knew or should have known about the defect;
showing that it is defective is enough.)

A lot of the force behind this new directive is Microsoft's "Even
if our software caused a genocide because of the way we designed
it, and we did that on purpose, you can only recover $5.00" license
terms.

The EU Council of Ministers still needs to vote on it, but that is
expected to be a formality, and then the EU member countries have
two short years to put it into effect in their own legislation.

The current text as it applies to FOSS has:

	(13)
	Free and open-source software, where the source code is
	openly shared and users can freely access, use, modify and
	redistribute the software or modified versions thereof, can
	contribute to research and innovation on the market. Such
	software is subject to licences that allow anyone the freedom
	to run, copy, distribute, study, change and improve the
	software. In order not to hamper innovation or research,
	this Directive should not apply to free and open-source
	software developed or supplied outside the course of a
	commercial activity, since products so developed or supplied
	are by definition not placed on the market. Developing or
	contributing to such software should not be understood as
	making it available on the market. Providing such. This is
	in particular the case for software on open repositories
	should not be considered as making it available on the
	market, unless this occurs in the course of a commercial
	activity. In principle, the supply of free and open-source
	software by non-profit organisations should not be considered
	as taking place in a business-related context, unless the
	supply occurs in the course of a commercial activity,
	including its source code and modified versions, that is
	openly shared and freely accessible, usable, modifiable and
	redistributable. However, where software is supplied in
	exchange for a price or personal data is used other than
	exclusively for improving the security, compatibility or
	interoperability of the software, and is therefore supplied
	in the course of a commercial activity, the Directive should
	apply.

	(13a)
	If free and open-source software supplied outside the course
	of a commercial activity is subsequently integrated by a
	manufacturer as a component into a product in the course
	of a commercial activity and that is therefore placed on
	the market, it would be possible to hold that manufacturer
	liable for damage caused by the defectiveness of such
	software, while not the manufacturer of the software itself
	because they would have not fulfilled the conditions of
	placing a product or component on the market.

Full text:

	https://data.consilium.europa.eu/doc/document/ST-5809-2024-INIT/en/pdf

As far as anybody will tell me, we should all be in the clear under
article 13, as far as our activities relate to freebsd.org.

But 13a means that anybody who sells a product built around FOSS
is on the hook for defects in that FOSS software.

FOSS software quality will come under a lot more scrutiny going forward.

Poul-Henning

PS: Here is one insurance company who finally got the memo a week ago:

	https://www.zurich.com/commercial-insurance/sustainability-and-insights/commercial-insurance-risk-insights/risk-managers-must-prepare-now-for-eu-product-liability-shakeup

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.