Authors: Robert Nešpůrek, Pavel Amler, Tomáš Chmelka
For the first time since 1985, the European Commission (EC) has decided to change legislation concerning liability for defective products. The primary objective of the related Directive is to respond to the rapid development of new technologies, to significantly extend the range of products offered on the internal market and, in connection with this, to maintain a balance between the obligations of producers and consumers. The Directive is currently in the proposal stage and may therefore be subject to further changes.
Most significant changes
The new Directive changes the definition of a product to include software (whether or not it is integrated into a tangible product), and the developer or producer of the software should be regarded as the producer within the meaning of the Directive. The new Directive does provide exceptions to this rule, but these apply only to free software and open-source software developed or supplied outside the business activities.
While the general 10-year time limit for making a claim for compensation for damage caused by a product defect remains unchanged in the new Directive, the proposal foresees the introduction of an extended time limit of 15 years in cases of latent personal injury, especially in cases where the symptoms of a personal injury emerge later. Similarly, the EC is trying to accommodate consumers by removing the current minimum threshold of EUR 500 for making a claim.
However, the change with potentially the most significant impact is the introduction of an obligation for a potential wrongdoer to disclose relevant evidence in court. In practice, this means that the producer against whom a claim for compensation for damage is made will have to disclose information about the manufacture of the product and its operation to the court on a mandatory basis, after the plaintiff has submitted relevant evidence and facts. This change is considered by the new Directive as one of the presumptions of product defectiveness.
The second presumption of product defectiveness presupposes a causal link between the defect in the product and the damage caused if it is proven that the product is defective and the nature of the defect corresponds to the type of damage caused.
The new Directive also introduces a so-called presumption of defectiveness or causality. In other words, if the court finds that the technical or scientific complexity of the product in question is too high, then it is sufficient for the injured party to demonstrate that the product contributed to the damage and it is likely that the product was defective or that its defectiveness is a likely cause of the damage (or both).
Special regime for artificial intelligence
The EC has also submitted the proposal for a Directive on liability for damage caused by artificial intelligence (currently only in Czech and Estonian) as part of the planned legislative package.
The Directive largely follows the Proposal for a Regulation on artificial intelligence (AI) published in 2021. To a large extent, the Directive takes terminology from and refers to this Proposal.
Two major areas of this Directive concern primarily the facilitation of the position of the injured parties, by reducing their burden of proof and facilitating access to evidence during court proceedings. This Directive creates a presumption of culpable breach of liability where the wrongdoer's AI system fails to comply with the AI Regulation - it is a major simplification of the injured party’s burden of proof.
The last significant change is the introduction of an information obligation for companies developing high-risk AI systems as defined in the Proposal for the AI Regulation (i.e., those that have an impact on security or fundamental rights). These companies will now have an obligation to the courts to disclose relevant technical documentation relating to the system. Failure to do so will give rise to a presumption of failure to exercise due care against them.
Although these are currently only proposals for new European legislation, from our viewpoint, they are much more consumer friendly. For this reason, we recommend monitoring this legislative process, as these new regulations may have a significant impact on technology companies engaged in software and artificial intelligence.
On 6 January 2023, an amendment to the Czech Civil Code came into effect, introducing new rules on contracts for the provision of digital content and digital services. Under the amendment, digital content means software, applications, e-books or audio files in any form (e.g., also in smart watches or smart phones) and digital services mean, e.g., video, audio or other file sharing services, digital games or social networks.
Who is affected by the amendment and what are the obligations arising from it?
For the purposes of the amendment, a provider means a person who makes digital content or digital services available - it is not a publication but making them available to the user for his/her own use. This could be, for example, simply making an e-book available via cloud storage or email.
, The new regulation only applies to contracts for which the provider is paid. However, this formulation also includes "payment" by disclosing personal data that the provider further uses for his own purposes (e.g., statistics or advertising). On the other hand, if the provider provides free open-source software and process the data disclosed by the user only to improve his product (e.g., in the context of its security or interoperability), he will not be subject to the amendment.
The Czech Civil Code now establishes the provider's obligation to provide contractually agreed updates - in the event of defects due to failure to provide updated content, the provider will then fully be liable for defects in the digital content or digital service.
The provider is also obliged to provide updates that are necessary to ensure that the digital content is provided free of defects, both for long-term contracts and for one-off performance. For both types of performance, the provider is also liable for defects, if any.
Customer's claims
The customer’s right to claim for defects in the digital content or digital service depends on whether the content or service is provided for a certain period of time or on a one-off basis. In the first case, the customer may complain about defects that become apparent for the duration of the contractual relationship. In the latter case, the customer may complain about defects that become apparent within two years of making the content or service available. When a claim is made, the provider bears the burden of proof and must prove that the digital content or service is not defective.
B2B v B2C
In the case of contracts between businesses, it is sufficient to follow the new rules when concluding a contract from the effective date of the amendment, i.e. from 6 January 2023. For contracts between businesses and consumers, the new legislation is stricter - the new rules will also apply to contracts concluded before the effective date of the amendment. In a relationship between businesses, it is of course possible to exclude the application of certain provisions by a contract. In contrast, in the relationship between the business and the consumer, such exclusion is not possible if it is intended to weaken the position of the consumer.
Traditionally, the consumer also has extended options to withdraw from the contract. The law expressly provides for a 14-day period from the conclusion of the contract, as well as allowing the consumer to withdraw due to defects in the digital content or digital services, or due to a breach of the contract by the provider.
The amendment to the Czech Civil Code entails significant changes to the supply of digital content and digital services and therefore we cannot but recommend a thorough review of purchasing processes, business terms and conditions, complaints policies and other relevant documentation, especially in relation to consumers, to ensure that they comply with the new regulation.
The Council of the European Union under the Czech Presidency approved in November 2022 the final text of the Directive on measures for a high common level of cybersecurity across the Union, known as the NIS 2 Directive. This Directive builds on the existing NIS Directive 1, significantly broadens the range of obliged entities and removes frequently criticised shortcomings.
Who will be covered by NIS 2?
Until now, the NIS 1 Directive has affected a relatively narrow range of entities in seven sectors and three areas of digital services. Based on the NIS 2 Directive, any entity that meets two conditions simultaneously - it must provide one of the services listed below and at the same time must qualify as a so-called medium-sized or large-sized enterprise within the meaning of Commission Recommendation 2003/361/EC (i.e. an enterprise that employs 50 or more employees or has an annual turnover of at least EUR 10 million or CZK 250 million) - will now be subject to this regulation.
The NIS 2 Directive divides entities into:
What new obligations does NIS 2 introduce?
NIS 2 imposes a number of obligations on the entities concerned, in particular the obligation to adopt appropriate and proportionate technical and organisational measures to manage security risks.
NIS 2 also introduces the responsibility of management bodies for the cybersecurity measures taken and the duty of supervision. In order to acquire sufficient knowledge and skills, members of management bodies are also obliged to attend regular training in cybersecurity.
At the same time, NIS 2 introduces a general reporting obligation for any incident that has a significant impact on the provision of services.
GDPR-style penalties
For companies that fall under the new regulation and fail to implement all technical and security requirements, the NIS 2 Directive entails an incentive in the form of significant penalties. In the event of a security incident and refusal to cooperate with the supervisory authority, these companies may be fined at least EUR 10 million or 2% of their total worldwide annual turnover.
Preparation of Czech legislation
At the same time, a new Czech Cybersecurity Act together with eight implementing decrees is already in the pipeline. The Czech National Cyber and Information Security Agency, which is responsible for the implementation of NIS 2, has launched a public consultation. Suggestions can be sent by 26 February this year. The proposal envisages unification of the existing classification of obliged persons into a single category of “regulated service provider”, for which it introduces two different regimes depending on the size and sector - with higher obligations (these will be regulated in a decree largely copying the current decree on cybersecurity) and lower obligations (for the latter a new decree will be prepared to supplement the existing regulation).
When will NIS 2 come into effect?
The final text of the Directive was published in the Official Journal of the EU on 27 December 2022 and will enter into force on the 20th day after its publication. Subsequently, Member States will have 21 months to implement the Directive in their national legislation, i.e. specifically, implementation must take place by 17 October 2024.
We recommend all companies that could be affected by this new legislation to consider all the risks associated with cybersecurity, read the Directive as soon as possible, and monitor legislative developments in the Czech Republic in the field of cybersecurity.
At the end of last year, the Czech Ministry of Health submitted a long-awaited draft amendment to the Health Services Act (in Czech only), which (among other things) aims to establish a clear legal framework for the provision of telemedicine services. Telemedicine is understood as the provision of health services via information technology remotely, but its legal definition and the conditions under which such services can be provided have so far been lacking in the legislation.
Current status
An amendment to the Czech Health Services Act effective from 1 January 2022 has made it possible to provide consultancy services outside healthcare facilities via remote access. In practice, however, telemedicine can encompass a much broader range of services, such as making detailed records of the patient’s health using digital technologies or making decisions about the patient's treatment remotely, which cannot be subsumed under consultation services. The current legislation is thus not sufficient for telemedicine.
What does the draft amendment say?
The draft amendment sets out only very general parameters for the conditions under which telemedicine services can be provided (in the words of the draft amendment “only under the conditions provided for by law” and “if the technical requirements for the quality and security of communication are met”). The forthcoming implementing decree should provide more detailed specifications. However, the draft amendment at least provides a definition of telemedicine health services, which it considers to be health services that are provided remotely using telecommunications and information technologies.
According to the current wording of the draft amendment, it will be possible to provide the following services outside of a healthcare facility:
Communication safety and quality
Health service providers are still obliged to have an established health care facility with material and technical equipment. Under the current wording of the draft amendment, this obligation will probably also apply to health service providers providing health services exclusively by remote means. However, it is not clear from the current wording of the draft amendment whether it will still be necessary for the patient to visit the physician’s office at least once (or in which cases).
When providing telemedicine services through information technology, the draft amendment also requires that the safety and quality of communication between the health service provider and the patient be ensured. The requirements for the minimum technical characteristics of the information technology used are to be set out in an implementing decree, which is likely to include, for example, a requirement to use an encrypted communication channel, to ensure proof of the identity of the patient and the health service provider, etc.
The draft amendment, which, in addition to telemedicine, also includes the regulation of the electronic medical record keeping, is currently in the comment procedure and its final wording may still change. However, if the current wording of the draft amendment is approved, it could come into effect as early as July 2023.
