Expert Insights

Product liability and the internet of things

UK product liability law is now over thirty years old. It derives from the Consumer Protection Act 1987 (CPA), which in turn incorporated EU Directive 85/374/EEC (the Directive) into UK law. Putting that into context, the CPA was enacted over a decade before the internet began to see mainstream use, at a time when the Sony Walkman was in its pomp and the Nintendo Game Boy was still to be released.

In the light of the rapid pace of technological development, it is no surprise that in January 2017 the European Commission launched a public consultation to evaluate the Directive and its fitness for purpose.

Internet of Things

One of the key areas of focus for the consultation is the ‘Internet of Things’ (IoT).  For the uninitiated, the IoT is the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data.

Our lives are already littered with examples of IoT technology (more than we would care to admit or perhaps would recognise) such as activity trackers, smart lighting, automated household appliances and self-driving cars.  This trend will undoubtedly continue.

A study by the European Commission has predicted that the number of IoT connections within EU member states will rise to almost 6 billion in 2020 from approximately 1.8 billion in 2013.  Whilst there are undoubted benefits from these technological advancements (dependent on your perspective) what is evident is that they raise thorny legal issues in areas such as product liability.

Product Liability Issues

If a self-driving car crashed or an automated household device caused a fire, where would liability rest?  Under the CPA, liability primarily lies with the producer of the product (including the producers of component parts), any person who has held themselves out as being the producer of the product (such as putting their name on the product) and any person who has imported the product into an EU member state from outside the EU to supply it to another in the course of business.

However, the presence of IoT technology will likely complicate matters. A causal link is required between the defect and the damage it caused, and it may become more difficult to determine whether an IoT device was at fault. There is also a more fundamental question of whether, under the CPA in its current form, software falls within the definition of a product.

Another issue relates to CPA s3(2)(c), which states that one of the relevant factors in determining the safety levels that people are generally entitled to expect is the time when the product was supplied by the producer. If a producer supplies updates to IoT devices, does this mean that the time period for determining safety at supply runs from each and every update? Approaching it from the other angle, would the consumer then be liable for failing to download such updates?

This ongoing relationship between the producer and its device will also raise issues under one of the CPA defences, which provides a producer with a defence if it can prove “that the state of scientific and technical knowledge at the relevant time was not such that a producer of products of the same description as the product in question might be expected to have discovered the defect if it had existed in his products while they were under his control”. For producers who monitor IoT devices, and therefore become aware of defects at a later date, it may be said that the device remains under the producer’s control, effectively obligating continuing updates and continuing exposure to product liability claims.

The big issue, which has hit the headlines on a number of occasions, is that since IoT devices are connected to the internet they are vulnerable to the possibility of hacking. Under the CPA there is a defect if the safety of the product is not such as persons generally are entitled to expect. In relation to hacking, the question will be: what level of security are people generally entitled to expect to protect them against hacking? The expectation of safety may vary depending on the market the IoT device operates in.


The UK government is already looking at the issue of self-driving cars through the Vehicle Technology and Aviation Bill (VTAB). In its current form, the VTAB proposes that where an accident is caused by an insured automated vehicle driving itself, the insurer is liable for the accident. If there is no insurance, the owner is liable instead. This is intended to avoid the need for a potentially complex product liability claim for the victim. However, if an accident occurs as a direct result of prohibited alterations to the vehicle’s operating system or failure to install software updates, the insurer can recover from the person responsible, showing recognition that the product may not always be at fault. Additionally, an insurer or owner is not liable to the driver where the accident was caused by the driver allowing the car to drive itself in an inappropriate situation. This brings driver negligence back into focus.

Should the VTAB be enacted, it will provide much-needed clarity in respect of self-driving cars. However, there is still a wealth of other IoT devices which continue to raise product liability issues for both producers and consumers, meaning that this area of law still has plenty of room for development (even before you throw Brexit into the pot), and the response to the public consultation on the Directive will be very interesting.

This article was written by Jamie Cartwright. For more information please contact Jamie on +4401483252618 or at
