European Parliament: Civil liability regime for artificial intelligence

Within the Committee on Legal Affairs, MEP Axel Voss (EPP, Germany) was tasked with drafting the report with recommendations to the Commission on a Civil liability regime for artificial intelligence (AI). The draft report includes a proposed Regulation in Annex.

The proposed legislative text establishes a strict liability regime for high-risk AI-systems, while other AI systems are covered by fault-based liability. Strict liability means that a party can be held liable despite the absence of fault. This regime is suitable for situations where it results difficult for the victim to prove a fault. The draft report underlines that AI systems present significant legal challenges for the existing liability framework as their opacity could make it extremely expensive to identify who/what has caused the harmful operation. This difficulty is further enhanced by the vulnerability to cybersecurity breaches and the increasing autonomy of such systems.

Please find below the main points of this proposed legislative text.

Subject and scope: liability claims against deployers

The proposed Regulation covers liability claims of natural and legal person against the deployer of AI systems. The deployer is defined as the person who decides on the use of the AI-system, exercises control over the associated risk and benefits from its operation.

Axel Voss justifies the choice of focusing on deployers by explaining that the deployer is controlling a risk associated with the AI-system, comparable to an owner of a car or pet. In addition, given the complexity of AI-systems, the deployer will often be the first visible contact point for the affected person.

The proposed Regulation applies “on the territory of the Union where a physical or virtual activity, device or process driven by an AI-system has caused harm or damage to the life, health, physical integrity or the property of a natural or legal person.”

Definition of AI

In the proposed Regulation, “AI system means a system that displays intelligent behaviour by analysing certain input and taking action, with some degree of autonomy, to achieve specific goals. AI-systems can be purely software-based, acting in the virtual world, or can be embedded in hardware devices.”

High-risk applications: strict liability and mandatory insurance

In case of high-risk AI-systems, the deployer of a such system is strictly liable for any harm or damage that was caused by a physical or virtual activity, device or process driven by that AI system.

“High risk means a significant potential in an autonomously operating AI-system to cause harm or damage to one or more persons in a manner that is random and impossible to predict in advance […]”.

The proposed Regulation includes in Annex a list of high-risk AI systems and the critical sectors where they are used. This list is revised every 6 months by the Commission by means of a delegated act. Before adopting a delegated act, the Commission consults the standing Technical Committee for high-risk AI-systems (TCRAI-committee).  

The deployer cannot exonerate himself or herself by arguing that he or she acted with due diligence, neither by stating that harm was caused by an autonomous activity.

The deployer of a high-risk system shall take a liability insurance. However, if compulsory insurance regimes already cover the operation of the AI-system, the obligation to take out insurance for the AI-system is deemed fulfilled -as long as it covers the amounts of the compensation established by the proposed Regulation.

List of high-risk AI systems

The proposed Regulation includes an exhaustive list of high-risk AI-systems and the critical sectors where they are being deployed:

Amount of compensation and time limitation

According to the proposed Regulation, a deployer who his held liable for harm or damage shall compensate:

(a) up to a maximum total amount of EUR ten million in the event of death or of harm caused to the health or physical integrity of one or several persons as the result of the same operation of the same high-risk AI-system;

(b) up to a maximum total amount of EUR two million in the event of damage caused to property, including when several items of property of one or several persons were damaged as a result of the same operation of the same high-risk AI-system; where the affected person also holds a contractual liability claim against the deployer, no compensation shall be paid under this Regulation if the total amount of the damage to property is of a value that falls below EUR 500.

Civil liability claims can take place up to 30 years after the harm occurred, with a reduced period for property damage (10 years).

Fault-based liability for other AI-systems

The deployer of an AI-system that is not defined as high-risk (not included in the list) is subject to fault-based liability for any harm or damage caused by a physical or virtual activity, device or process driven by the AI-system. This means that the affected person needs to prove the deployer’s fault to get compensation. Such claims are brought in accordance with the national laws of the Member State where the damage or harm occurred.

In this case, due diligence can exonerate the deployer from liability. The (non-binding) recitals of the proposed Regulation state that it should be presumed that the deployer has observed due care in selecting a suitable AI-system, if the deployer has selected an AI-system which has been certified under  the voluntary certification scheme envisaged in the Commission’s White Paper (called “voluntary labelling” in the White Paper).

In case of cyber-attack interfering with the AI system, the deployer is liable for the payments of compensation if the third party (e.g. hacker) is untraceable or impecunious.

Joint liability

If there is more than one deployer of an AI-system, they are jointly and severally liable. If any of the deployers is also the producer of the AI-system, the Regulation prevails over the Product Liability Directive.

Cooperation with producers

The producer of an AI system must cooperate with the deployer to allow the latter to prove that he or she acted without fault. The producer is defined as the developer or backend operator of an AI-system, or the producer as defined in the Product Liability Directive.

European as well as non-European producers should designate an AI-liability representative within the Union as a contact points for replying to all requests from deployers.

Deployers can take action for redress against the producer of the defective AI-system according to the Product Liability Directive and national provisions.

Link with the Product Liability Directive

Civil liability claims against producers under the Product Liability Directive are still possible when the AI-system qualifies as product. The draft report notes that the concept of “producer” should encompass the backend operator, together with manufacturer and developer.

Any necessary legislative adjustments should be discussed during a review of the Product Liability Directive.

Next steps:

12 May: the draft report will be presented to the Committee on Legal Affairs

End of July: Final version of the report

Late summer: plenary vote on the report

For any question on this issue, do not hesitate to contact Camille Dornier: camille.dornier@eurosmart.com