Further Information
According to the EU Commission Staff Working Document (SWD (2018) 137), a working definition of ‘liability’ is the responsibility of one party for harm or damage caused to another party, which may be a cause for compensation, financially or otherwise, by the former to the latter.
In regards to the development of a collaborative information management system, the allocation of liability can be a complex exercise which very much depends on the chosen exploitation model of the system and as such will be subject to several cross-cutting legal instruments that regulate different liability aspects. Some of there are:
European Product Liability Directive: The first corpus of rules that should be taken into account concerns the European Product Liability Directive since the software and hardware created for and used by a collaborative information management system are considered to be products that fall within its scope. This directive, that has been transposed into national laws, imposes a strict liability regime on producers. They will be held liable for damage caused by the malfunctioning of the product without the proof of a fault.
Electronic Commerce Directive: The Electronic Commerce Directive might be of relevance when assessing the liability of the central actor who would be providing the system’s architecture to interested first responder agencies who would like to interconnect. If some kind of illegal content would be communicated between the different parties, the host of the general infrastructure could benefit from certain liability exemptions laid down in this instrument.
General Data Protection Regulation (GDPR): Data protection legislation and failure to comply with the security requirements of the General Data Protection Regulation (GDPR), could also trigger liability. In the context of data protection compliance all of the participants should ensure the secure processing of personal information at every single stage of the processing chain. First of all, this implies that the servers on which each single national agency (the connected entity) stores this information for their own purposes are safe. Secondly, this requires that the transmission via the collaborative information management system takes place in a secure way. This can be either a shared responsibility or a responsibility borne by a single organisation that hosts the system’s infrastructure (host). Therefore, the system itself should be designed to accommodate different kinds of security policies and allow for the implementation of a number of precautionary measures, such as the encryption of the information during the communication process.
Furthermore, the addition and use of emerging digital technologies such as IoT, AI, autonomous drones, etc. in a collaborative information management system can raise additional questions in regards to liability. Specifically, the increasing connectedness and complexity, in terms of design and system integration, of such products and services raises the issue of whether effective redress mechanisms for victims and legal certainty for producers can still be possible. Characteristics such as increased autonomy and self-learning, for example, can prove challenging where the damage caused by the autonomous machine cannot be linked to a defect or human wrongdoing. Or, the presence and use of faulty or corrupted data (for example, due to hacking or connectivity problems) can be considered a service malfunction rather than a product one. As such, it would fall outside the European product liability and safety regimes and within national law. Still, where damage is caused by the supply of erroneous data or by a failure to supply data, allocating liability may become unclear and claims potentially difficult to enforce (EU SWD 2018).
Examples