Big Data & Issues & Opportunities: Liability

In this eighth article in our series on "Big Data & Issues & Opportunities" (see our previous article here), we look into liability issues in the context of new technologies, including with respect to big data, applied in the transport sector.

Setting the scene

The term "liability" is to be understood rather broadly, as meaning the responsibility of one party (or several parties) for harm or damage caused to another party, which may be a cause for compensation, functionally or otherwise, by the former to the latter.[1]

Liability has already been recognised as a legal issue to be carefully assessed and further examined by EU and national authorities. More particularly, some Member States have already adopted limited initiatives to permit – under strict conditions – highly or fully automated vehicles on their road infrastructures.[2] At EU level, there has been no regulatory intervention to date. However, both the European Parliament and the European Commission have been very active in relation to the identification of the liability issues surrounding new or disruptive technologies, notably through the following recent publications and initiatives:

  • The European Parliament resolution of 16 February 2017 with recommendations to the Commission on Civil Law Rules on Robotics;
  • The Study on emerging issues of data ownership, interoperability, (re-)usability and access to data, and liability; a study (SMART 2016/0030) prepared by Deloitte for the European Commission and published in 2017;
  • The Workshop on liability in the area of autonomous and advanced robots and Internet of Things systems, organised by the European Commission and held in Brussels on 13 July 2017;
  • The establishment by the European Commission of a Working Group on Liability and New Technologies, which includes two formations, i.e. the Product Liability Directive and the New Technologies; and
  • The European Commission Staff Working Document on liability for emerging digital technologies accompanying the Communication from the Commission on Artificial intelligence for Europe, which was published on 24 April 2018.

It clearly follows from the foregoing that the European institutions recognise the need to potentially review the current rules on liability to take into account the rise of disruptive technologies. The above initiatives however specifically aim to assess and rethink the rules in light of Artificial Intelligence, devices that are (fully) automated and able to take autonomous decisions, and robots. Undeniably, the output of such technologies is more far-reaching than big data analytics, even if they are not mature yet. Such technologies may however rely on big data in order to function properly. Accordingly, any initiatives in relation to more far-reaching technologies will also be relevant to big data.

This article therefore aims to provide a general overview of the liability issues that may arise in relation to new technologies, focusing in particular on big data in the transport sector. It will also determine whether regulatory intervention is desirable in the long and the short term.

Extra-contractual and statutory liability and safety regimes

The current extra-contractual, statutory and safety-related liability legal framework in the EU is rather complex. This is mainly due to the high number of legal instruments regulating parts of the issue, but also to the discrepancies that may exist between Member States.

An attempt to schematise the current system in a simplistic manner may look as follows[3]

 Liability  Safety
 Member States-driven  EU-driven
 Extra-contractual liability
(including tort)
 Statutory liability
(including product liability)
 Safety requirements
Relates to the civil law responsibility for damage caused outside the context of a contract (i.e. damage is caused by a violation of a right or a legitimate interest protected by law).

Extra-contractual liability can be imposed by general civil law rules, but also by specific legislation.

Two main categories exist:

  • Fault-based liability (applicable in most Member States): the fault of the author of the wrongful behaviour must be proven by the victim. In some cases, national law introduces variations to facilitate the burden of proof.
Strict liability: it is not dependent on a fault. The victim must only demonstrate the damage and the causal link (e.g. the damage caused by the owner of a vehicle).
 The EU product liability legislation (Directive 85/374) provides for a strict liability regime of producers of defective products that cause damage to natural persons or their property. The regime further includes a 'cascade' system in order to ensure that the injured person can bring his/her claim. The EU safety legislation aims at ensuring that only safe products can be placed on the internal market of the EU.

This includes various instruments such as for instance:

  • Directive 2001/95 on general product safety
  • Directive 2006/42 on machinery
  • Directive 2014/53 on radio equipment
Such system is further reinforced by harmonised standards, where such standards provide a presumption of conformity with the EU safety legislation.

As clearly affirmed by the European Commission, the above regimes are not specifically applicable to damages caused by new or disruptive technologies but they "certainly constitute helpful precedents or points of reference to which one can turn to further a reflection about how to best address, from a normative standpoint, certain distinguishing elements of risks and damages created by the emerging digital technologies."  It goes without saying that it should be clearly assessed whether changes to the above legal systems are needed in order to ensure effective redress mechanisms for victims, but also legal certainty for the various actors involved in such technologies.[4]

For instance, given that various products and services generate data, which is ultimately being processed, the availability and quality of data is considered essential. However, in case of faulty or corrupted data, or situations of supply of erroneous data or analyses, the allocation of liability is unclear under the current regimes, which leads to legal uncertainty. Such issue is of course of utmost importance to all actors in the (big) data value chain.

In the context of its Staff Working Document on liability for emerging digital technologies, the Commission provides two examples relevant to the transport sector. It however does not dig into the intricacies related to the highly complex data value chain and the number of actors involved in purely data-related services (collection, analysis, aggregation, etc.), which could – to a greater or lesser extent – cause damage.

Illustration in the transport sector: It is already possible to rely on fully autonomous unmanned aircrafts, or "drones", for instance for the delivery of packages.[5] A parcel delivery drone flying autonomously from the seller's warehouse to the customer's residence may cause damage in various ways, e.g. it may suddenly fall to the ground, collide in-air with another flying vessel, or drop the package resulting in property damage or personal injury. Without prejudice to any national legislation covering liability for autonomous drones specifically, it could reasonably be argued that autonomous drones are "aircrafts" and therefore covered by national and international rules regarding liability for aircrafts. The following claims from the victim could be imagined[6]:

  • The victim would have a strict liability claim against the operator of the drone (provided that the national law on liability for aircraft accidents is considered to cover drones). Indeed, aircrafts are typically subject to a strict liability regime. In the case of autonomous drones, the operator would be the person or entity controlling the drone's overall use. The victim only needs to prove that the drone caused the damage without having to demonstrate the cause of the drone falling down or dropping the package.
  • The victim could have a claim against the operator under general national tort law rules which would require demonstrating a fault on the operator's part (e.g. operating the drone under dangerous weather conditions or lack of required maintenance). The operator could under certain conditions also be responsible if the accident was caused by malfunctioning of any third-party services (e.g. GPS mapping) he chose to rely on.
  • The victim may also sue the manufacturer under the national law provisions implementing the Product Liability Directive. To this end, the victim would have to prove a defect in the drone and that the damage resulted from such defect.
Illustration in the transport sector: Only few EU Member States have thus far adopted specific rules covering highly or fully automated vehicles.[7] The liability regime for automated vehicles therefore generally consists of the national civil liability rules applicable to motor vehicles. Nevertheless, the Motor Insurance Directive requires all EU Member States to ensure that civil liability for the use of vehicles is covered by insurance and that the victim of an accident can bring a direct claim against the insurer of the party that caused the accident. In the event a fully automated vehicle causes an accident, the following may be held liable for the damage:
  • The driver/holder of the vehicle under civil liability rules; or
  • The manufacturer of the automated vehicle under national laws implementing the Product Liability Directive, provided that the victim can identify and prove a defect in the vehicle as well as the causal link between the defect and the damage.

Contractual liability

While the previous section only looked into the extra-contractual liability aspects, one should not ignore the contractual liability issues, which are particularly relevant with respect to the relationship between the actors of the (big) data value chain, as well as the relationship with the end-user.

On the one hand, the customer wishes to be able to act against the big data analytics host or provider in case it suffers any damage related to the use of the service. On the other hand, the big data analytics host/provider is looking to limit as much as possible its liability in case of failure, such as service failures. Also, it will want to include provisions in order to cover the hypotheses where the customer from its side may be held responsible for types of use of the platform that are not allowed.

In this sub-section, we examine issues related to limitations and exclusions of liability, both in a business-to-consumer ("B2C") and business-to-business ("B2B") context.

As a matter of principle, limitations and exclusions of liability can be regulated contractually. However, although this is possible throughout the EU Member States, there still remain discrepancies between national systems and case law.

The general principle is that parties may freely agree on liability limitations or exclusions. However, in certain instances, mandatory statutory provisions prohibit, and thus invalidate, limitation or exclusion of liability. This is typically the case for fraud, wilful intent, physical damage, or death. The question can however be a bit more complex when a party wishes to limit liability for gross negligence. In some EU Member States, liability limitations for gross negligence are prohibited, whereas in other countries these are not. Moreover, under many laws, the exoneration clause may not have the effect of rendering the agreement devoid of any meaning or purpose.

In addition to the above-mentioned rules in relation to liability and the limitation or exclusion thereof, it is important to take into account additional rules such as those related to data protection or consumer protection.

Specifically in a B2C context, clauses limiting or excluding liability may rapidly be considered as creating an imbalance between the rights and obligations of the parties. Many of the restrictions stem from European legislation, such as the Directive on unfair terms in consumer contracts.[8]

In a B2B context, the contractual freedom between parties is usually perceived to be without any limit. Nonetheless, in certain cases, clauses agreed between professional parties may be declared invalid in case the limitation of liability clauses could be considered unreasonable. The legal grounds for these considerations differ from country to country.

It follows from the foregoing that when looking into the liability aspects, it is also important to carefully (re-)consider the contractual liability rules as these may have an impact on the actors of the data value chain, but also end-users. However, the current status of these rules, which may differ across the EU, is likely to limit the uptake of new technologies, including big data.

Limitation of liability for intermediaries – Safe Harbour

The liability of intermediaries, those entities offering infrastructures on which massive abuses of third parties' rights can occur, has been brought to the attention and has given rise to a specific liability regime at EU level (the so-called secondary liability regime or "safe harbour"). Such regime was deemed necessary in light of the rise of technologies which had enabled the multiplication of massive abuses of third parties' rights due to the ease of sharing large amounts of information via networks and platforms.

More specifically, Directive 2000/31/EC on Electronic Commerce[9] ("the e-Commerce Directive") aims at promoting electronic commerce and tries to ensure net neutrality. This Directive attempts to achieve those objectives by prohibiting the imposition of a general monitoring obligation, and by introducing three liability exemptions, according to specific activities, namely “mere conduit”[10], “caching”[11] and “hosting”.[12]

In short, the core idea is to protect intermediaries who are not the authors of the infringing or damaging activity but who are involved in the transit or hosting of the infringing content. This allows ‘protecting’, to a certain extent, such intermediaries from the tempting idea of acting against those entities that are easily identifiable, known, and creditworthy. It shall be noted however that the EU Commission is currently examining the rules related to intermediaries, as part of its Digital Single Market strategy.

It goes without saying that the emergence of new technologies and the complexity of the data value chain put pressure on the current safe harbour regime, which was not created in view of new services such as AI, IoT and big data.

Illustration in the transport sector: The difficult application of the safe harbour regime to new players on the market can be illustrated by referring to the recent Uber judgment by the CJEU. On 20 December 2017, the CJEU provided important guidance as to the scope of the term ‘information society services’, as used in the E-Commerce Directive (Directive 2000/31/EC). According to the CJEU, Uber’s services must be regarded as forming an integral part of an overall service the main component of which is a transport service and, accordingly, must be classified not as ‘an information society service’ but as ‘a service in the field of transport’. The CJEU specifically ruled as follows: “an intermediation service such as that [provided by Uber], the purpose of which is to connect, by means of a smartphone application and for remuneration, non-professional drivers using their own vehicle with persons who wish to make urban journeys, must be regarded as being inherently linked to a transport service and, accordingly, must be classified as ‘a service in the field of transport’ within the meaning of EU law.” Consequently, such a service must be excluded from the e-Commerce Directive, and thus from the safe harbour regime. That means that Member States are free to regulate the conditions under which such services are to be provided.

Through the Uber ruling, the CJEU made it clear that information society services that form an integral part of an overall service the main component of which consists of a service that is not an information society service, cannot be qualified as an information society service. Other online service providers (such as online platforms) will need to determine whether their services form an integral part of an overall service without an information society service as the main component. If that is the case, their service might not be classified as an information society service.

Liability aspects of the draft Directive on the supply of digital content

The Draft Directive on the Supply of Digital Content (hereinafter the "Draft Directive") aims to deal with the liability of suppliers of digital content towards the consumer (read also our sixth article here on the Supply of Digital Content).[13] This section aims to demonstrate briefly the necessary evolution of liability regimes in the EU in order to tackle new technologies. The below analysis is based on the Commission's proposed text, which has not yet been adopted.

According to the Draft Directive, the supplier's liability is limited to any failure to supply the digital content and for any non-conformity existing at the time of the supply of the digital content or digital service. In a situation where the digital content is provided on a continuous basis, the liability of the supplier is extended over the time of said supply. In other words, the digital content supplier remains liable for defects existing at the time of supply without any time limit.

Because of the complexity characterising digital content, suppliers are in the best position to prove that defects existed at the time of their supply. It is indeed almost or even impossible for consumers to properly evaluate those technical products and identify the cause of their potential defects. In other words, digital content is not subject to the classic "wear and tear" governing more traditional goods. This is why the Draft Directive provides for a reversal of the burden of proof, i.e. the burden of proof will lie with the supplier.

Pursuant to Recital 44 of the Draft Directive the supplier's liability is an essential element "to increase consumers' trust in digital content (…), consumers should be entitled to a compensation for damages caused to the consumer's digital environment by a lack of conformity with the contract or a failure to supply the digital content." The Draft Directive however leaves it up to the EU Member States to define the complete conditions for the exercise of this right to damages.


We welcome the EU institutions' ongoing work regarding extra-contractual and statutory liability. On such basis, it will be possible to determine whether regulatory intervention is required. In all likelihood, intervention should take place in two phases. In the short- and mid-term, non-regulatory intervention, such as the creation of model contract clauses or the identification of appropriate safety standards, should be pursued. In the long term, regulatory intervention should be considered in the form of sector-specific legislation on minimum liabilities to be borne by certain service providers in certain sectors, a general revision of liability law, and/or legislation on insurance-related obligations.

Nonetheless, this article has shown that the current status of contractual liability rules, which may differ across the EU, is likely to limit the uptake of new technologies, including big data in the transport sector.

Our next article will examine the aspects related to copyright, database rights and trade secrets.

 This series of articles has been made possible by the LeMO Project (, of which Bird & Bird LLP is a partner. The LeMO project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement no. 770038.

The information given in this document concerning technical, legal or professional subject matter is for guidance only and does not constitute legal or professional advice.

The content of this article reflects only the authors’ views. The European Commission and Innovation and Networks Executive Agency (INEA) are not responsible for any use that may be made of the information it contains.

[1] See Commission, 'Liability for emerging digital technologies Accompanying the document Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions Artificial intelligence for Europe' (Staff working document) SWD (2018) 137 final, 2 footnote 1.

[2] SWD (2018) 137 final, 9.

[3] See also Deloitte, 'Emerging Issues of Data Ownership, Interoperability, (re)Usability and Access to Data, and Liability: Liability in the Area of Autonomous Systems and Advanced Robots / IoT-systems' (Openforum Europe, 13 July 2017)  accessed 26 October 2018; Martina Barbero and others, 'Study on Emerging Issues of Data Ownership, Interoperability, (re-)Usability and Access to Data, and Liability' (European Commission 2017) accessed 26 October 2018. 

[4] SWD (2018) 137 final, 9.

[5] SWD (2018) 137 final, 11-13.

[6] Ibid.

[7] Ibid.

[8] Commission, 'Proposal for a Directive of the European Parliament and of the Council on certain aspects concerning contracts for the supply of digital content' ("Draft Directive"), COM (2015) 634 final, art 10.

[9] Council Directive 93/13/EEC on unfair terms in consumer contracts [1993] OJ L 95/29.

[10] Directive 2000/31/EC of the European Parliament and of the Council on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on Electronic Commerce’) [2000] OJ L178/1 .

[11] Ibid art 12. Mere conduit consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network. The acts of transmission and of provision of access include the automatic, intermediate and transient storage of the information transmitted in so far as this takes place for the sole purpose of carrying out the transmission in the communication network, and provided that the information is not stored for any period longer than is reasonably necessary for the transmission. 

[12] Ibid art 13. Caching consists of the transmission in a communication network of information provided by a recipient of the service.

[13] Ibid art 14.

Latest insights

More Insights

Related capabilities