The UK’s product safety legal regime seeks to balance the rights of consumers with those of business, aiming for the highest level of public safety that does not stifle innovation.
The product safety regimes apply to consumer products, including:
The system consists of the following fundamental legislative pillars.
General product safety requirements
These are contained within the General Product Safety Regulations 2005 (GPSR). This legislation contains fundamental, overarching concepts of product safety – including the following:
Supplementary product-specific safety requirements
These are contained within sector-specific legislation, to more specifically address unique or specific risks associated with certain types of products. Such requirements, where they exist, take precedence over the above-mentioned general requirements contained in the GPSR. Otherwise, these product-specific requirements apply where the GPSR are silent. Sector-specific laws exist in respect of, for example:
Separate product-specific safety regimes
These are contained within separate product safety regimes, which aim to address unique and quite separate risks of products not considered "industrial products" (which the above-mentioned legislation addresses). These operate separately from the GPSR above and include, for example:
Enforcement and Monitoring of Obligations Imposed by the Above Systems by Regulators
Market surveillance activities are carried out by regulators, who are empowered to monitor and enforce compliance with the above-mentioned product safety laws. Please refer to 1.2 Regulatory Authorities for Product Safety for further detail.
The Role of Technical Standards
In practice, compliance with the above legal requirements is often achieved through adherence to technical standards – specific to each product type/category/feature – which provides a benefit of conformity under the relevant legislation. Technical standards are developed by relevant standardisation organisations, and are designated under appropriate legislation by the Secretary of State who is empowered to do so in the UK.
The Effect of Brexit on the UK Product Safety Law Regime
The above UK product safety laws derive largely from EU legislation (the GPSR give effect to EU Directive 2001/95/EC on general product safety, for example). Given the implementation of local UK laws to enact EU-level obligations prior to Brexit and/or the direct effect of EU laws in the UK at the time of initial pre-Brexit implementation, much of the legislative framework for product safety in the UK remains substantively unchanged post-Brexit. However, various UK legislation, such as, most relevantly, The Product Safety and Metrology etc. (Amendment etc.) (EU Exit) Regulations 2019, was enacted to amend EU-based legislation to make correct references to the UK rather than the EU, and to ensure the continued applicability of the legislation in the UK. Supplementary legislation was also required to be enacted in some sectors to empower relevant UK law-makers to implement future changes to UK legislation. In some specific areas, including medical devices, because of imminent legislative changes in the EU that didn’t take effect prior to Brexit, the EU and UK position already deviate significantly. Future deviation is also likely, particularly in the context of legislative reviews and amendments of UK and EU product safety systems currently underway. Please refer to 3.1 Trends in Product Liability and Product Safety Policy for further detail.
Oversight of the UK product safety regimes is undertaken by several regulators, at various levels, in the UK.
Local authorities have day-to-day responsibility for the enforcement of product safety legislation in the UK. This enforcement is carried out through local Trading Standards (TS) offices. Such authorities, through the GPSR and Consumer Rights Act 2015 (CRA), have a wide range of powers, including the ability to:
Overarching Product Safety-Specific Regulator
The Department for Business, Energy and Industrial Strategy (BEIS) is responsible for high-level oversight of policy and strategy in the area of product safety regulation. In January 2018, the Office for Product Safety and Standards (OPSS) was developed within BEIS to address an apparent need for a technical, centralised resource to assist localised regulatory enforcement around product safety issues. The OPSS carries out the following functions:
OPSS is empowered with many of the aforementioned enforcement powers of TS.
There are product-specific regulators for the following product categories: food, vehicles, medicines and medical devices and workplace equipment (including PPE).
Product producers in the UK are required to conduct corrective actions to address product safety issues that make a product unsafe (GPSR Section 7), in contravention of the GPSR safety requirements or other relevant product safety laws. The actions taken by producers must be “commensurate with the characteristics of the product” and there are a range of corrective actions that can be taken, including: withdrawal from the supply chain, additional warnings to consumers, in-market repairs or alterations, and a consumer-facing recall. Generally, consumer-facing recalls are considered a last resort. The nature of the corrective action undertaken is determined by the results of a risk assessment.
In March 2018, OPSS co-operated with UK’s standards institution, the British Standards Institution (BSI) to launch a Code of Practice for Product Safety Recalls (PAS 7100:2018). The Code has two parts, as follows.
EU-level guidance on topics of risk assessments (RAPEX methodology, 2019) and guidelines (European Commission and PROSAFE guides) may still be useful, given the basis of the laws, notwithstanding the event of Brexit, but will not necessarily be held in the same regard without further changes being implemented to preserve their position as official guidance in the UK.
There are no mandatory requirements for advertisements or other form-specific requirements for the advertising of product safety recalls in the UK. However, the above-mentioned Code provides detailed guidance on the form and content of corrective action announcements.
Under Article 9 of the GPSR, or equivalent sector-specific regimes, there is a mandatory obligation on producers or distributors to report to authorities where they know that a product they supply is “incompatible with the general safety requirement” under the GPSR.
The GPSR requires the report to be in writing, and contain certain mandatory information (namely, the action taken to prevent risk to consumers and location of supplied products, as well as further identifying information if the product is thought to pose a serious risk).
There is no mandatory procedure to follow to make these reports, and the practices of TS offices can differ greatly in practice, including requiring completion of specific forms. There is also sometimes interaction between the OPSS and TS, for example where a report to both entities is requested, or warranted for certain more significant issues.
Post-Brexit, the UK is no longer part of the European Commission’s rapid alert system, Safety Gate (formerly RAPEX), which assists with Europe-wide information sharing regarding non-food product safety risks. Reports to UK market surveillance regulators will be recorded, in certain circumstances, on the OPSS’ Product Safety Database, which covers consumer products under the ambit of OPSS’ work.
Although there are no specific timeframes under statute regarding these reports (the legislation states simply states obliged entities should “forthwith notify an enforcement authority”); generally, the recommended timeframe for reporting, provided in guidance documents only, is dictated by the assessed risk of the safety matter to consumers who use the affected products.
It is a criminal offence to fail to report to authorities under Section 20(3) of the GPSR. An unlimited fine or imprisonment for a term not exceeding three months is the applicable punishment.
In practice, companies and regulators work to resolve issues before there is a need to prosecute formally. Regulators are likely to employ the wide range of powers available to them under relevant legislation prior to commencing formal prosecution. Please refer to 1.2 Regulatory Authorities for Product Safety. There are a few, isolated examples of companies being prosecuted, particularly in respect of toy or children’s product manufacturers where the risk to vulnerable users is considered particularly egregious, or where there has been a significant delay in reporting to authorities. Generally, companies plead guilty in short hearings in UK Magistrates' Courts, and fines have also historically been small.
A recent illustrative example is the fining of a toy manufacturer following a prosecution by Thurrock Council Trading Standards. The company pleaded guilty to the import and supply of unsafe toys at a hearing in Southend Magistrate's Court on April 14, 2021. Initial raiding of the premises by TS uncovered toys without relevant safety documents, and further testing confirmed the toys presented risks of choking asphyxiation. The company was ordered to pay approximately GBP4,100. The prosecution was said by the Council to be brought after "repeated attempts" to encourage the company to comply with its legal obligations.
There are three main causes of action typically employed by claimants pursuing product liability claims in the UK. There are certain strategic advantages offered by each suit which might make them preferable to certain claimants in certain circumstances; however, often claimants elect to pursue more than one of the causes of action in parallel, in respect of the same facts, to increase the likelihood of success and overcome some of the limitations of certain causes of action.
"Strict liability" Statutory Regime under the Consumer Protection Act 1987 (CPA)
The CPA creates a no-fault liability scheme in respect of defective products which have caused personal injury or damage to private property.
Under the regime, the following entities have joint and several liability:
The following three key elements of the cause of action must be established by the claimant.
Section 3 of the CPA establishes there is a defect in the product "if the safety of the product is not such as persons generally are entitled to expect". The court will take into account all of the circumstances when assessing the safety of the product, including:
The landmark case of Colin Gee & Others v DePuy International Limited  EWHC 1208 (QB) (Gee) provides the following guidance on the application of this statutory test:
Generally, death, personal injury or any property loss (property for private use, occupation or consumptions) are damages for which claimants can seek compensation under the CPA.
Damage to the product is excluded from the scope of recoverable heads of damage. There is also a minimum monetary value of GBP275 that the property damage suffered must exceed in order to be entitled to pursue a claim under the CPA.
There must be a causal link between the product defect and the damage/injury sustained. The traditional English law tests for causation apply to product liability cases.
Tortious Liability – Negligence
Manufacturers or other actors in the supply chain (mostly where a manufacturer cannot be identified) can be liable in common law negligence in respect of a defective product.
To bring a successful claim in negligence, a claimant must prove, on the balance of probabilities, that:
The key distinguishing feature of such actions is that the claimant must establish fault on the part of the defendant. For this reason, this claim is generally considered to be more difficult to bring than that under the no fault mechanism of the CPA.
Breach of Contract – Express or Implied Statutory Term
Consumers that are party to a contract with a seller or supplier of products can pursue a breach of contract claim if a product supplied is defective or otherwise fails to conform to the contract of sale.
The seller may be exposed in respect of breach of either express terms, or those implied by the Consumer Rights Act 2015 (CRA) in respect of (i) the fitness for purpose of the product, (ii) it being as described, (iii) it being of satisfactory quality.
To bring a claim in contract, a claimant must prove, on the balance of probabilities, the following.
There are different requirements to bring the three causes of action mentioned in 2.1 Product Liability Causes of Action and Sources of Law in relation to product liability claims in the UK, as follows.
Consumers (“any person who purchases or uses the product in question for private use”) have legal standing to bring product liability claims. Persons who purchase or use goods for the purpose of resale or commercial use are expressly excluded from the definition of consumers. In order to have a right of action under the CPA, the consumer must have suffered damage of a kind covered by Part 1 of the CPA.
Any person to whom a duty of care is owed can bring a negligence claim in circumstances where that duty is breached and they sustain a reasonably foreseeable loss or damage caused by a defective product.
A claimant need not know the defendant in order to bring a successful claim in negligence. A claim may be brought by a consumer/purchaser of the product, a person who uses the product, or a third-party bystander who is injured by the product.
Generally, because of the doctrine of "privity of contract", only the parties to a contract can enforce the terms of that contract. However, a third party may, in certain circumstances, seek enforcement under the Contract (Rights of Third Parties) Act 1999, unless these rights have been expressly excluded.
There are strict time limits for bringing civil claims, including product liability claims, in England and Wales.
Negligence and Contract
Under The Limitation Act 1980, claims involving personal injury must be brought within three years from the date that the damage occurred or from the date that the claimant knew, or reasonably ought to have known, that they had a cause of action (“the date of knowledge”). Knowledge can be acquired from the date that the claimant knew the identity of the defendant or realised the significance of their injury.
For non-personal injury claims, the claim must be brought within six years from the date on which the damage or loss occurred, or three years from the date of knowledge for claims concerning latent damage. The three-year limitation period can be extended at the court’s discretion.
Working in tandem with the above-mentioned time limits, the CPA contains a ten-year long-stop provision, allowing claims under it to be brought within ten years from the date on which the product was put into circulation. Absent issuing of court proceedings within that timeframe, rights under the CPA are extinguished and cannot be extended by the court.
Prior to Brexit the jurisdiction of UK courts, as opposed to other EU member state courts, was determined by the operation of EU-level laws. Post-Brexit the situation is as below.
Generally, UK courts, as with other European-based courts, will assume jurisdiction to try a case where either the injury, loss or damage occurs, or where both parties are domiciled, in that country.
Prior to the UK leaving the EU, where a defendant was domiciled in England, the English court had jurisdiction and could not decline jurisdiction pursuant to Owusu v Jackson (Case C-281/02)  ECR I-1383. Now that the UK has left the EU, this no longer applies and UK-domiciled defendants are able to challenge the English court’s jurisdiction on grounds of it not being the appropriate forum.
In order to invoke jurisdiction of English courts in respect of negligence claims, it is sufficient for a defendant to be physically present in England and Wales to enable the claimant to serve proceedings on that defendant.
Contractual terms agreed by both parties ordinary determine the applicable law, jurisdiction and location of proceedings in respect of contractual breaches.
There are mandatory pre-action protocols applicable in respect of product liability claims, under the Civil Procedure Rules Practice Direction on Pre-Action Conduct and Protocols, that must be complied with prior to commencement of formal claims.
The following Pre-Action Protocols may typically be applicable to product liability claims:
The above-mentioned Pre-Action Protocols ordinarily dictate the following pre-action procedural steps:
Breach of these protocols can have a substantive impact on the ability to commence formal proceedings and/or can have negative costs consequences for the defaulting party, with the court potentially taking the following actions:
There are broad document preservation obligations imposed on parties to proceedings, including product liability matters, in England and Wales. These rules work in tandem with rules regarding document disclosure. Please refer to 2.7 Rules for Disclosure of Documents in Product Liability Cases for further detail.
Under Civil Procedure Rules (CPR) Practice Direction 31B (paragraph 7), once litigation is contemplated, parties must ensure that all potentially disclosable documents (including any relevant products, devices, design files, testing information, etc) are preserved. Please refer to 2.7 Rules for Disclosure of Documents in Product Liability Cases for further detail.
Under this provision, past, present and future documents must be preserved.
Failure to comply with these requirements, including by interfering with evidence by deleting, overwriting, updating or destroying documents, has far-reaching consequences, including the following measures which the courts can and do impose:
There are far-reaching disclosure requirements in respect of product liability cases in the UK.
CPR Part 31 sets out the parties’ responsibilities. Generally, as part of "Standard disclosure", parties to an action are required to disclose those documents which:
The court, in its discretion, may limit or dispose of the above requirements (CPR 31.5). CPR 31 does not apply to claims entering the small claims track (see 2.10 Courts in Which Product Liability Claims Are Brought). However, a court will ordinarily order standard disclosure, requiring each party to file and serve on the court and all parties copies of all documents upon which they intend to rely.
Parties are required to conduct a reasonable and proportionate search for the above-mentioned disclosable documents. Disclosure obligations are ongoing – ie, requiring continual disclosure until cessation of the matter, including in respect of documents created during the proceedings.
Electronic Document Disclosure
Given the prevalence of electronic documents and sources in modern litigation, specific rules apply to electronic documents. An electronic document is defined as any document held in electronic form (eg, emails, text messages, voicemails, word processed documents, social media messages and databases). CPR 31, Practice Direction 31A and 31B set out rules of disclosure of electronic documents in multi-track claims (though a court can apply these rules to small or fast track claims also), and relevantly, provide, amongst other things, for the following.
A party requesting the specific disclosure of electronic documents ,which are not reasonably accessible, must demonstrate the relevance of those documents in order to justify the costs and burden of retrieving them.
The parties must advise the court before the first scheduled case management conference (CMC) if an agreement has been reached concerning electronic disclosure. If an agreement has not been reached before the first scheduled CMC, the parties will be required to identify issues to put before the court for directions. It may be considered reasonable for a party to search for relevant documents using "key word searches" if a full review of every document would be considered unreasonable or disproportionate in terms of costs and review time involved.
There are prescriptive requirements for expert evidence in respect of product liability claims in England and Wales courts, as set out in the following CPR provisions:
Generally, the above provisions provide that parties’ use of experts is limited:
Other requirements include the following.
Recently, courts have increasingly limited the use of experts used in cases in an attempt to control costs. Accordingly, it is important that if an expert is instructed, parties should manage costs carefully, including by the following means.
In lower value claims, use of a single joint expert to address both parties’ positions may be the most cost-effective solution.
In respect of small claims or fast-track matters, experts will generally be directed not to attend the hearing, except in limited circumstances where the court deems that necessary.
In high-value claims where parties instruct their own experts, the court may direct a joint discussion between experts for the purpose of identifying and discussing the issues in the proceedings and, where possible, direct the experts to reach an agreed opinion on those issues. The court may direct that, following the discussion, the experts prepare a joint statement for the court setting out the issues on which they agree and disagree (with reasoning).
In respect of each cause of action in respect of product liability claims, the claimant bears the onus of proof. The standard of proof required, in respect of each discrete action, is to prove the case against the defendant on the balance of probabilities (civil standard).
Courts in Which Product Liability Cases Are Brought
The forum in which a product liability is heard is dictated by the value and/or complexity of the claim. Claims all commence, in the first instance, in either the High or County Court. Thereafter, courts allocate these defended claims to one of three procedural tracks, at an early stage:
Multi-track claims can be heard at either the High Court or County Court. Claims with a value less than GBP50,000 which are commenced in the High Court are generally transferred to a County Court unless there is a specific reason for them to be heard at the High Court (for example, where the case concerns particularly difficult questions of law or cases which might attract significant public interest).
In general, in the first instance, product liability cases are heard by a single judge who will generally be alive to the potential complexity of such claims and will allow evidence from a range of expert disciplines and lay witnesses where required. On appeal in the Court of Appeal or Supreme Court, cases may be heard by three or five judges. Jury trials do not take place in civil product liability cases.
There is no upper threshold for the award of damages in product liability cases generally.
Claimants that succeed with an action in negligence are entitled to an award of damages, the aim of which is generally to place that claimant in the position they would have been had the negligence not occurred.
Appeals in respect of product liability claims follow the general rules applicable to appeals for all civil claims in England and Wales. These rules are as follows.
The nature of defences available depends on the cause of action pursued.
Given the statutory nature of the CPA, defences available are limited to those provided under the legislation, as follows:
In practice, negligence claims are most often defended on the basis that the requisite elements of the cause of action have not been established. For example, there was no duty of care owed, there was no breach of said duty and/or there was insufficient evidence to establish causation.
Other common defences to claims in negligence are as follows.
Again, contractual claims are often defended in practice on the basis that not all elements of the claim are made out. For example, there was no contract in place or the contractual terms did not include the term allegedly breached.
Otherwise, the following defences may be available in contract claims:
Under the CPA, it is a statutory defence to allege that the fact of compliance with mandatory regulatory standards introduced a product defect (see 2.12 Defences to Product Liability Claims).
Furthermore, whilst the area is still considered an area of development for judicial consideration, it is generally accepted that whilst compliance or lack thereof with regulatory obligations is a persuasive factor in determining whether or not a product is defective, it is by no means decisive.
Wilkes v DePuy International Limited  EWHC 3096 (QB) made it clear that compliance with appropriate mandatory regulatory standards and/or the grant of regulatory approval are appropriate circumstances to take into account under the CPA statutory test for whether a product is defective. It was said by the court that whilst these factors are not complete defences to a claim under the CPA, they would be “powerful evidence” to indicate that the level of safety contemplated by the CPA had been reached, and that against that backdrop “it may be challenging” for the claimant to make out a case that a higher level was expected. Compliance with the manufacturer’s own specification and standards could also be persuasive on the same basis.
The link between regulatory decisions and/or approvals is important to other product-related matters and is further illustrated in the case of Volkswagen Emissions Litigation,  EWHC 783 (QB). In that matter the English High Court held it was bound under EU law (pre-Brexit) by the German type-approval authority’s finding that certain vehicles contained a “defeat device”, and the defendants’ attempt to re-litigate that decision was an abuse of process.
Non-adherence to regulatory requirements is a separate cause of action, which can attract criminal liability. Please refer to 1.5 Penalties for Breach of Product Safety Obligations.
The general principle for payment of costs in English law applies to product liability cases: the losing party pays the costs of the successful party (including fees, court fees and disbursements including expert fees).
The court can award costs on two bases.
In product liability claims involving damages for personal injury or death, the regime of qualified one-way costs shifting (QOCS) applies. In practice, this means that in most claims where a claimant is unsuccessful, the claimant will not be responsible for the defendant’s costs. However, the QOCS provisions may not apply if the claim is struck out, or if the court determines that the claimant was fundamentally dishonest. If the claimant’s claim is successful, they may recover their costs from the defendant, subject to a "set-off" of any (interlocutory) costs orders made in the defendant’s favour.
Costs are subject to a formal assessment procedure if they are not or cannot be agreed between the parties.
The court has a wide discretion to vary any of the above general positions regarding costs, however.
As with all civil claims in England and Wales, there are many litigation funding options regularly used by product liability claimants to fund their litigation. The following are common mechanisms used in product liability cases:
Lawyers can charge success fees, and third-party funding is permissible.
Notably, for the above agreements entered into after 1 April 2013, successful claimants can no longer recover success fees, after the event (ATE) premiums or other arrangement costs from the defendant.
Several mechanisms, both informal and formal, exist in respect of group actions in England and Wales, as set out below.
Group litigation orders
A group litigation order (GLO), under CPR 19 Section III, allows the management of multiple claims which give rise to common or similar issues of fact or law. Claimants to these actions must “opt in”. In the process of GLO proceedings, there will be a trial of issues that are common to all underlying claims. Lead cases that are considered the most appropriate can be chosen and they are used to allow the parties to put common issues into context. Decisions made in respect of these lead cases are binding on all parties to the GLO. This is the most commonly used formal mechanism in respect of product liability claims.
Representative actions, under CPR 19 Section II, can be brought by one or more claimants (the Qualified Representative Entity) on behalf of a group considered to have the “same interest”. The appeal decision in Lloyd v Google LLC  EWCA Civ 159 determined that the “same interest” meant, in practice, those who were victims of the same alleged wrong and had sustained the same damage where the defendant was unable to raise a defence specifically responding to a claim by one represented claimant that did not equally apply to all others in the group. Accordingly, a group would not be considered to have the “same interest” if defences were applicable in some individual claimant claims but not to others. The matter has been appealed to the Supreme Court and was heard in April 2021. The Supreme Court’s decision is eagerly anticipated. These actions operate on an "opt-out" basis, such that all group members will be automatically included in the group and represented in the action, and a judgment will be binding on all those represented unless they expressly state they wish to be excluded. Such actions are rare, although there are signs they may become more widely used.
The courts can also manage group litigation informally, including by hearing one or more representative test cases at trial while staying remaining cases. The test case decision is not binding on parties to the other claims; however, the decision is intended to determine common issues relevant to the subsequent cases to assist parties to resolve remaining claims without further litigation.
Product liability cases do not commonly reach trial in England and Wales. Such claims that do reach trial, are often in respect of medical devices or pharmaceutical products rather than general consumer products.
There is a small body of cases that have assisted in interpreting statutory tests under the no-fault mechanism of the CPA. Of these, the Gee judgment remains the seminal decision in product liability. That case related to metal-on-metal hips group litigation in England in Wales. The court found in favour of the defendant manufacturer in concluding that the claimant’s argument that the products had a “tendency” to cause soft tissue reactions (adverse reaction to metal debris (ARMD)) was “untenable” on the basis it would render all similar hip prostheses defective and is “directly contrary to the spirit and objectives” of the CPA. Based on a lack of evidence, even though the court accepted the approach, the court also rejected the claimant’s alternative argument that the products had “an abnormal potential for damage”.
Gee adopted much of the reasoning of an earlier seminal product liability case, Wilkes v DePuy International Limited  EWHC 3096 (QB), but departed from A v National Blood Authority  3 All E.R. 289, a somewhat controversial case which previously provided guidance on how to approach product liability cases. The Wilkes method of “abnormal potential for damage” was considered favourably, but no finding was made on the basis of that test due to a lack of claimant evidence. In doing so, the A v NBA approach, of first identifying “the harmful characteristic which caused the injury” was discredited.
The court in Gee:
The above position taken in Gee was largely approved in another case involving a metal-on metal hip prosthesis, Hastings v Finsbury Orthopaedics Limited and Stryker UK Limited  CSOH 96. In this Scottish matter the court found for the defendant manufacturer. That finding was recently upheld on appeal ( CSIH 6), but is now subject to further appeal likely to be heard in 2022.
Divergence of UK Laws from EU Position
Brexit, alongside parallel legislative developments at EU and UK level, has resulted in the increasing divergence of product safety laws across the region. The timing has meant the immediate divergence of UK laws from EU laws in some instances, for example medical devices. Otherwise, the UK looks poised to make a decision to actively depart from the EU in other instances by the creation of new legislation, for example as foreshadowed by ongoing consultations in respect of UK product safety laws generally and genetically modified organism (GMO) legislation.
Multiplication of Product Compliance Obligations across Europe
The above phenomenon also means that there are now separate and distinct requirements across the region, including, by way of example, the requirement for UK and/or EU-based notified bodies and/or UKCA, UKNI, CE marking on products. Such multiple requirements are a departure from the prior Europe-wide product safety regime, which operated on the basis of maximum harmonisation and single market principles. There are strict timelines and rules attached to these new UK-only requirements which companies need to be aware of. Furthermore, UK-based companies continuing to sell in the EU must be aware of ongoing EU obligations. Generally, EU compliance practices are more accepted in the post-Brexit UK, during some ongoing transition periods allowed in some instances, than UK compliance practices will be in the EU.
New Enforcement Practices
In line with a Europe-wide ramp up of product safety enforcement, there is an increased focus on market surveillance and increased empowerment of regulators, including by way of implementation of new legislation regarding the same.
Focus on Online Selling
In line with the general principles of UK product liability laws, which expose companies to liability notwithstanding the mode of sale (ie, online sales are included), there is now an increased focus on properly ascribing responsibility to online sellers in respect of product safety compliance obligations and breaches of the same, including by way of requirement to have a local entity in place to nominally be responsible for these issues. The EU-led "Product Safety Pledge" practices may yet be implemented in the UK also. Given the further growth of online sales during the COVD-19 pandemic, this topic is one of particular focus for regulators and law makers alike.
Development of Collective Redress Regime
The much-talked-about collective redress regimes to bring about US-style "class actions", including in respect of consumer law issues specifically, are poised to change the product liability landscape across Europe, with the EU Directive on representative actions having now come into force. The UK, not having adopted the EU laws prior to Brexit, will be able to take its own stance in respect of this area of law. In this vein, the recent UK Supreme Court decision of Mastercard Incorporated and others v Walter Hugh Merricks CBE  UKSC 51, as delivered on 11 December 2020, demonstrates that, in the right circumstances, an English court will not stand in the way of a group action.
Convergence of Multi-sector Product Safety Laws
Whilst there is a divergence of product safety laws from a geographical perspective, there is, in parallel, a convergence of laws in terms of product safety issues in the UK. For example, issues formerly considered primarily privacy concerns are now increasingly being considered product safety issues. This is particularly the case in respect of radio equipment and medical devices, and there is an increasing reliance on parallel or potentially relevant separate product safety regimes across other sectors. For example, the food contact materials laws are now being relied upon for cosmetics packaging in certain circumstances.
Corporate Social Responsibility and Environmental Stainability
There has been a broadening of product compliance obligations to incorporate concepts of corporate social responsibility, environment and sustainability and increased focus on these areas. In line with EU-based initiatives that the UK partook in prior to Brexit, including the EU Green Deal and Circular Economy practices, there is an increased focus on product compliance requirements now contemplating this broadened scope.
Modernisation of Product Safety and Liability Regimes
As part of an ongoing review at EU level in respect of the fitness of product liability laws to respond to issues created by modern technologies, there is currently a debate regarding the application of the CPA to new technologies, for example, in software supplied over-the-air (OTA). This type of software is updated wirelessly (and used in products such as smart pacemakers) and several questions are currently being debated, including:
If the CPA is updated to adapt to new technologies, we may see a proliferation of product liability group actions where there has been a data breach in relation to smart consumer products.
There are wide-ranging imminent policy developments in respect of product liability and safety in the UK, including as a result of Brexit but also in response to long-standing issues that were being grappled with for some time at an EU level.
Product Safety Law
In March 2021, the UK government announced its plans to review and strengthen the UK’s current product safety laws to ensure that they are fit to deal with emerging innovations and technologies. The UK Product Safety Review Consultation "Modernising Product Safety Laws to Ensure they are fit for the 21st Century" focusses primarily on product safety and covers consumer products such as toys, electrical equipment and cosmetics but excludes medical and healthcare products, food products, vehicles, chemicals and construction products. The result of the review, and any hard or soft laws created on the basis of the same, would mark a significant development in UK product safety laws, which are over 30 years old.
The review is in parallel to a similar review held at EU level, which has been ongoing for several years, including by two European Commission Expert Groups. The positions taken by the EU and UK after each respective review could result in a departure of the two sets of product safety laws and further onerous requirements for companies operating in both markets.
Connected Products and Cybersecurity
In April 2021, the UK government published a policy paper providing an overview of the government’s updated intentions for proposed legislation to regulate the cybersecurity of connected consumer products. The government’s aim is to implement a new robust scheme of regulation to protect consumers from insecure connected products, mandating base requirements and disclosures for those selling such products.
On 26 May 2021, the new EU Medical Devices Regulation (EU) 2017/745 (MDR) became applicable and brought EU legislation into line with new technical advances in medical devices and changes in medical science. Against the backdrop of perceived historical issues with medical device safety in Europe generally, the new laws aim to create a more robust, transparent, and sustainable regulatory framework, to improve clinical safety and create fair market access for manufacturers and healthcare professionals. It is anticipated that the UK will introduce similar domestic legislation.
On 21 April 2021 the European Commission published its proposal for a regulation laying down harmonised rules on artificial intelligence with the first ever legal framework on AI to address the risks and trustworthiness of AI. We anticipate that the UK government will seek to implement similar measures in the UK.
Sustainability and Environment
Following several related initiatives, the UK government is currently undertaking a consultation on waste prevention proposals for products, the “Waste Prevention Programme for England”. This UK-led initiative mirrors a parallel EU initiative of a similar nature called the Sustainable Products Initiative and addresses topics such as end of life, repair, reuse and remanufacturing and extended producer responsibility. The consultation currently focuses on construction products, textiles, furniture, electronics, vehicles, food and plastic packaging.
Food Technological Practices
The UK government, following an EU-initiative of the same nature, is currently consideration the scope of GMO legislation.
The impact of COVID-19 on all stakeholders (business, third parties, governments, regulators and insurers) has been unprecedented. Given its importance to the fight against COVID-19, the life sciences industry has been disproportionately impacted.
In particular, the pandemic has resulted in a demand for the rapid production of specific products, such as diagnostic tests, vaccines, treatments and personal protective wear. The race to combat COVID-19 has also been a catalyst for a shift towards the following trends in the regulatory framework and processes, as well as industry practices.
Product liability is the area of law governing the liability of producers, suppliers and distributors of defective products. In the UK, claims relating to product liability may be brought in negligence, breach of contract or pursuant to the Consumer Protection Act 1987 (CPA), the implementing legislation which transposed the EU Product Liability Directive 85/374/EEC (PLD) into UK law.
Consumer products have evolved considerably since the CPA came into force over 30 years ago. At that time, the World Wide Web was yet to go live, and CD-ROMs were at the forefront of technology. The products on the market then were more simplistic in nature and tended to be physical items, for example, a car or a washing machine, that were not subject to updates or modifications once they had left the factory gates. The traditional risks of personal injury and property damage associated with these products were tangible and widely understood.
Fast-forward thirty-plus years and many of the products that we use today have features and characteristics that could not have been imagined in the 1980s, for example, remote access and wireless application protocols like Bluetooth, with products capable of manual or automated modification via software updates. Connected devices, commonly referred to as the internet of things (IoT) and technologies powered by AI (hereafter referred to as "emerging technologies" for the purpose of this report), including robotics, continue to develop at lightning speed and have set the stage for ongoing technological advancement. Research by Statistica suggests that, by 2030, around 50 billion of these connected devices will be in use around the world. From wearable health monitoring devices to home security systems to virtual AI assistants like Apple’s Siri, consumers’ increasing reliance on these emerging technologies has changed the way we live today, and this has been brought to the fore by the COVID-19 pandemic.
With technology having developed faster than the law, the way that the CPA applies, or indeed whether it does apply, to these emerging technologies is far from clear. The unique features and characteristics of these technologies present challenges to the existing legal framework and raise questions as to whether it is fit for purpose, or the extent to which it may need to be adapted. We examine how these challenges have been recognised by legislators and what the future may hold for product liability legislation in the UK.
Emerging Technologies and CPA Claims
Minding the liability gap
With the exception of A v National Blood Authority , which concerned transfused blood, CPA claims in England and Wales have predominantly concerned stand-alone, physical products, usually involving an easily identifiable producer and physical damage. By way of example, the recent landmark authorities of Wilkes v DePuy International Limited  and Gee & others v DePuy International Ltd  (Gee) concerned hip implants, and Wilson & Ors v Beko Plc  involved a fridge freezer. Although the CPA definition of "product" is relatively wide in scope, its application to emerging technologies has yet to be tested.
Product or service
The CPA imposes strict liability on a producer for damage caused by a defective product, sometimes referred to as "no fault liability". A claimant must prove the defect and that the defect caused the damage claimed.
Notably, the CPA only applies to products, not the provision of services. Section 1(2) of the CPA explains that a product “means any goods or electricity and… includes a product which is comprised in another product, whether by virtue of being a component part or raw material or otherwise”.
The distinction between "product" and "service" has not posed any great challenge to the application of the CPA thus far. However, as recognised by the European Commission (the Commission) in its Fifth Report on the application of the PLD (2018), there are open questions as to what separates a product from a service in the context of emerging technologies, where products and services typically have a close interaction. For example, an AI-powered medical device, like a connected pacemaker, comprises the physical hardware of the pacemaker and cloud-based software which produces patient data.
Whether software is to be considered a product as defined by the CPA, or a service, is fundamental to the application of the CPA to emerging technologies. It is conceivable that AI-based software, or data that is integrated into hardware as an intangible “component part”, could be considered a product. This issue was addressed at European level as early as 1988, not long after the PLD had come into force, with Lord Cockfield of the European Commission stating that “the Directive applied to software in the same way, moreover, that it applies to handicraft and artistic products”. Despite this direction, these issues continue to be the subject of extensive debate by European and UK legislative bodies.
More recently, in VI v KRONE-Verlag Gesselschaft mbH & Co KG , the CJEU ruled that it is clear from the interpretation of the the PLD that inaccurate health advice in a printed newspaper, which, when followed, causes injury to the reader, does not constitute a "defective product" within the meaning of its provisions. The CJEU considered that the provision of inaccurate advice, which by its nature constituted a "service", was unrelated to the printed newspaper and further, the service did not concern either the presentation or the use of the newspaper. Accordingly, the service was not part of the inherent characteristics of the printed newspaper which alone permits an assessment as to whether the product is defective. The CJEU ruled that liability of service providers and liability of manufacturers of finished products constitute two distinct liability regimes, as the activity of service providers cannot be equated with those of producers, importers and suppliers. Further, it considered that a liability regime applicable to providers of services should be governed by separate legislation. This case offers an insight as to how a court may approach defective product claims brought in respect of emerging technologies, where the line between what is considered a product and a service is blurred.
Why the ongoing debate?
If software is considered a service, a consumer would be precluded from bringing a defective products claim under the CPA but could pursue an action in negligence or breach of contract. To bring a claim in negligence, the consumer would need to demonstrate that the supplier of the service had not acted with reasonable skill or care, which is potentially more challenging than bringing a claim under the CPA as it involves an examination of the supplier’s actions. Furthermore, it could become problematic for courts to apply, for example, a “reasonable software standard”, instead of the reasonable person standard.
Who is a producer?
The CPA imposes strict liability on a producer, or those who hold themselves out to be a producer. As emerging technologies typically comprise software that is subject to regular updates, questions may be raised as to which person(s) is considered a producer for the purposes of the CPA. For example, is the software developer or the engineer responsible for the updates liable for damage caused by the software? Might the software itself, or the human using the technology, be considered a producer?
Scope of "damage"
Section 5 of the CPA restricts recoverable damages to death, personal injury, or damage to private property exceeding GBP275 but excludes damage to the defective product itself. However, whilst a vulnerability in software resulting in a cybersecurity attack arguably has the potential to render a product defective if the producer failed to protect the device from such attacks, it is questionable whether the scope of any consequential immaterial damage, such as the unauthorised disclosure of personal data (or any resulting Information Commissioner's Office (ICO) fines), will be covered by the CPA. Guidance may be sought from EU level discussion where it has been proposed that “immaterial loss” should be taken into account in respect of any future civil liability regime for AI.
The approach to "defect"
Section 3 of the CPA provides that a product is defective "if the safety of the product is not such as persons generally are entitled to expect". As the CPA applies to a range of products from toys to medical devices, this is a flexible test. In assessing the safety of a product, the court will take into account all of the circumstances it considers factually and legally relevant to the evaluation of safety on a case by case basis. These factors may include safety marks, regulatory compliance and warnings, and what might reasonably be expected to be done with the product.
What people generally are entitled to expect
In Gee, the court confirmed that the test for defect is objective and asks what people are generally entitled to expect when the product was released to market, not what the claimant actually expected. The application of this test to emerging technologies will be not be straightforward, particularly given the fast pace of development.
Furthermore, whilst entitled expectation is judged at the date of supply of a product, determining the date of supply may be difficult where a product contains software that is subject to automatic modification. For example, if an update to software contained within AI-powered robotic surgical equipment causes it to malfunction, resulting in injury to a patient, is the date of supply the date the equipment was supplied to the hospital, or the date the software was updated?
“All of the circumstances”
In the UK, industry standards in respect of connected consumer products were first published in 2018 via a voluntary Code of Conduct setting out the security principles to be applied by producers and other relevant industry stakeholders. A new European Standard on connected product security was subsequently adopted in 2020, with the UK government contributing significantly to its development. When considering “all of the circumstances” for the purposes of considering whether an emerging technology is defective under the CPA, a court may therefore take into account the absence of published industry standards prior to 2018, in particular where the emerging technology has caused damage prior to that date.
The courts’ likely approach to defect in emerging technologies
Although the approach to defect in respect of a connected device is yet to come before the UK courts, some direction may be sought from the European case of Boston Scientific Medizintechnik GMbH v AOK Sachesn-Anhanlt-Die Gesundheitskasse  (Boston). Here, the court was willing to find a product defective within the meaning of the PLD where it belonged to a group of products where there was the potential for failure. Whilst the decision in Boston was fact-specific and concerned high-risk implantable medical devices, the application of a "presumption of defect" is perhaps superficially attractive in the context of emerging technologies where a product’s functionality has been unexpectedly compromised. However, it is arguable that this approach is only likely to prove persuasive if the compromised functionality poses similar life threatening risks to that of the pacemaker device that was the subject of Boston.
Establishing a causal link between defect and damage can be an onerous burden on a consumer, particularly if the claimant is unable to establish what it is about a product that makes it defective and the cause of the damage. The burden may feel even heavier in the context of a complex emerging technology. For example, a user of a healthcare application may not be able to determine why an algorithm within the software has made a particular patient diagnosis, that resulted in injury. Determining causation can be further complicated by multiple users and operators of the software in question. Problems may arise if the chain of causation has been broken, particularly if the consumer misused the software or did not follow the manufacturer’s instructions.
Application of the ten-year longstop period
The CPA provides for a ten-year longstop provision which extinguishes any right of action for damages brought under the CPA more than ten years after the product was first supplied. The court will not allow circumvention of the ten-year longstop, as confirmed by Wilson & Ors v Beko Plc .
It is questionable whether the longstop is fit for purpose in respect of emerging technologies. For example, if an autonomous vehicle becomes faulty as a result of a software update performed ten years after the vehicle was supplied, is the longstop period calculated against the date the vehicle itself was supplied, or the date of the software update which potentially changes the characteristics of the vehicle? Unless legislators clarify this issue, producers of emerging technologies could be at risk of open-ended liabilities lasting the product’s lifetime, of which the likely consequence is increased product prices and insurance premiums.
In February 2021, the Berlin Regional Court ruled that for products which comprise individual parts that are put into circulation on different dates, it is those dates which are relevant for the purpose of the longstop period and not the date the products were subsequently assembled for use. This decision offers an insight into how courts could apply the longstop to claims concerning emerging technologies where software changes arguably result in the constitution of a new product, or where hardware and software components are manufactured by different manufacturers at different times.
Current defences under the CPA – will they survive?
Section 4(1)(d) provides one of the defences to a defective products claim where “the defect did not exist in the product at the relevant time”. The application of this defence to emerging technologies has been considered by the EU’s Expert Group on Liability and New Technologies (Expert Group) who recommend that a producer should still be liable for defects, even if the defects appear after the product was put into circulation, as long as the producer was still in control of updates to, or upgrades on, the technology.
Section 4(1)(e) also provides a "development risks defence" where “the state of scientific and technical knowledge at the relevant time was not such that a producer of products of the same description as the product in question might be expected to have discovered the defect if it had existed in his products whilst they were under his control”. A producer of emerging technologies may seek to rely on this defence to assert that a product risk was not reasonably foreseeable at the time of programming and/or that the programming was in line with the relevant industry standards at the time of development. However, there may be difficulties in applying this defence to certain emerging technologies, particularly if the level of safety of those technologies is not yet fully known. This was recognised by the Expert Group who recommended that this defence should not be available for emerging technologies generally, providing that the producer was still in control of updates to, or upgrades on, the technology, and where it is predictable that unforeseen developments might occur.
Future-Proofing Product Liability
EU driving change
The EU has long recognised that emerging technologies, particularly artificial intelligence (AI), have a significant role to play in economic development, acknowledging the importance of evaluating existing legislation to ensure that the EU is ready for the digital age. The regulation of emerging technologies has already materialised within the medical devices sphere with the introduction of the Medical Device Regulations and In Vitro Diagnostic Regulations (2017/745 and 746) that, belatedly, came into force on 26 May 2021.
The EU is now leading the charge for future reform, showing a commitment to developing legislation that balances the promotion of innovation with consumer protection, whilst protecting citizens’ fundamental rights. For example, recent proposals call for a restriction on the use of “real” time identification in publicly accessible places.
In a post-Brexit era, the proposed reform will not be implemented in the UK. Nevertheless, given the global nature of the AI market, UK product manufacturers will be directly affected when seeking to sell their products in the EU. Furthermore, as the UK is independently taking similar initiatives, it is anticipated that it will largely reflect any future legislative changes that may be made at European level.
Focus on products and AI
In 2018, the Commission published its fifth report on the application of the PLD, evaluating its function and performance. It concluded that, despite the increased complexities of modern products, the PLD continues to serve its purpose but signalled that certain concepts may need to be updated, including “product” and “defect”.
The above-mentioned Expert Group was subsequently formed to establish how effectively the existing EU liability framework would operate in relation to emerging technologies with a view to drawing up future guidance on the PLD. Their findings culminated in the Commission’s White Paper on AI in February 2020, which set out proposals for a harmonised regulatory framework for AI. The White Paper was accompanied by a “Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and Robotics” (the Report). The Report does not advocate an overhaul of the entire product liability regime but, instead, acknowledges that provisions explicitly covering new risks presented by emerging digital technologies could be introduced to provide more legal certainty, for example, the mental safety risks to users and the risks of faulty data at the design stage. The Report also acknowledged uncertainty as to how, and to what extent, certain risks, including cyber-threats and loss of connectivity, are sufficiently addressed by the PLD or other existing European legislation.
In October 2020, the European Parliament (the EP) made recommendations to the Commission for a civil liability regime for AI, to take the form of a regulation. Notably, the recommendation acknowledges that the PLD is “an effective means of getting compensation for harm triggered by a defective product but should nevertheless be revised to adapt it to the digital world and to address the challenges posed by emerging digital technologies, ensuring, thereby, a high level of effective consumer protection, as well as legal certainty for consumers and businesses”. The EP urged the Commission to assess whether the PLD should be transformed into a regulation, to clarify the definition of "products" by determining whether digital content and digital services fall within its scope, and to consider adapting concepts including "damage", "defect" and "producer".
The EP also called on the Commission to:
The EP proposes a strict liability regime for high-risk AI systems, with high-risk defined as “a significant potential in an autonomously operating AI-system to cause harm or damage to one or more persons in a manner that is random and goes beyond what can reasonably be expected”. Unlike the PLD, this strict liability regime does not require the affected person to prove if, and how, the AI-system was faulty. For AI systems not classified as high-risk, the recommendations provide that the operator shall be “subject to fault-based liability for any harm or damage that was caused by a physical or virtual activity, device or process driven by the AI system”, making it clear that the operator will not be able to escape liability by arguing that the harm or damage was caused by an activity, device or process driven by the AI system.
On 21 April 2021, the Commission published its long awaited proposals for a regulation laying down harmonised rules on AI. The proposals impose strict controls and extensive risk management for the most risky forms of AI, including the requirement to undergo conformity assessments, the drawing up and maintenance of technical documentation, the implementation of quality management systems and affixation of CE-markings to indicate conformity with the Commission’s proposed regulation, before products are released to market. The proposals have wide-ranging applicability and will affect both AI providers and users inside and outside the EU.
The Commission pledges to propose, in 2022, measures adapting the liability framework to the challenges of emerging technologies to ensure that victims who suffer damage to their life, health or property because of emerging technologies have access to the same compensation as victims of other technologies and other products. It also proposes the possibility of a revision of the PLD. With the CPA being the implementing legislation that transposed the PLD into UK law, UK legislators will undoubtedly be following these developments very closely.
UK product safety and liability review
Although not as advanced as the EU, the UK has taken, and continues to take, similar steps to address whether its existing product safety and liability regimes meet the challenges of emerging technologies.
We have seen the recent introduction of sector-specific legislation governing emerging technologies. In 2018, the Automated and Electrical Vehicles Act came into force imposing liability on an insurer for damage caused by an insured automated vehicle. Developments subsequently followed in the medical devices arena with the introduction of the Medicines and Medical Devices Act 2021, which provides the Secretary of State for Health with wide powers to amend the existing regulatory framework for medical devices and medicines post-Brexit, including the improvement of medical device safety and performance through advances in technology.
On 11 March 2021, the government opened a consultation via its UK Product Safety Review (the Review), exploring changes to existing product safety laws to ensure the framework is fit for the future. This includes a call for evidence from stakeholders to consider how and to what extent the existing framework may need to be adapted in respect of liability and enforcement. Whilst the CPA is not the central focus of the Review, it acknowledges that its provisions do not reflect emerging technologies like internet-enabled devices, AI and 3D printing. The Review expressly excludes food, chemicals, medical or healthcare products, construction products or vehicles, all of which are subject to separate regulation.
The potential review and reform of the CPA is, however, being mooted by the Law Commission as part of its 14th Programme of Law Reform, having recently invited views as to whether the CPA should be extended to cover all software and other tech developments, citing the similar challenges that have been considered and addressed by the EU.
Although the government’s Review and the Law Commission’s 14th Programme are still in their infancy, change is on the horizon and the UK product liability framework will inevitably be subject to amendment. Interested stakeholders will be watching these developments closely and, in particular, the extent to which the UK will mirror Europe’s proposals.