The EU’s new software liability framework is coming and FOSS developers should care
Amidst the legislative discussions around AI and cybersecurity, the EU is trying to figure out the right liability framework for software, including free software. Wikimedia shares the view that companies shouldn’t get a free pass for their services just because they open sourced their code. At the same time, we don’t want to see coders, who share their work with the public and peers in order to learn, tinker or to improve a free project, worry about liability too much. They need clear and effective safeguards.
Wikimedia is also looking at this issue as a developer of free software projects, like MediaWiki and Wikibase. We have several entities that develop free software professionally (Wikimedia Foundation, Wikimedia Deutschland and Wikimedia Sverige), but code is also contributed by volunteers.
Fragmented Legislative Procedures
The EU is currently working on a new liability regime for software, including free software. What makes the entire process extremely complex to follow is that there is no single piece of legislation that tries to deal with the issue and all its complexities. Instead the EU legislator tries to handle this almost on the go, as a secondary aspect to other, politically pressing, issues. Practically, the new liability regime for free software will be designed by three legislative files:
- The Artificial Intelligence Act (AI Act)
- The Revised Product Liability Directive (rPLD)
- The Cyber Resilience Act (CRA)
The good news is that some sort of exemption or distinguishing between software in general and free software is part of the conversation around all three proposals. The rPLD and the CRA were proposed by the European Commission with at least a recital to give some protection. The AI Act, which came much earlier and is currently in a hot phase of parliamentary committee compromises, is also likely to see an amendment protecting free software.
The Debate, Proposal and Problem
The main debate happens around the CRA, but as the AI Act came first and amendments need to be finalised soon, it gets plenty of focus by lawmakers and lobbyists as well.
The current proposals for liability protections in the different legislative proposals (AI Act, rPLD and CRA) are vague and included in recitals, instead of proper articles. Recitals are “merely” rules for judges on how to interpret articles, so they are a kind of second row of the law. They can, however, be where the actual core decisions are rooted, and anyway we are right now stuck with them as legislative material to discuss. For instance, here is the first part of Recital 10 from the CRA:
“In order not to hamper innovation or research, free and open-source software developed or supplied outside the course of a commercial activity should not be covered by this Regulation.”
In principle we agree with the rationale of the recital, but we think the language won’t be efficient and effective because:
- “outside the course of a commercial activity” reads well at first, but it is not able to encompass many borderline cases, leaving them without protection in practice. For instance, Wikimedia’s MediaWiki software is used by Wikipedia but also by many commercial entities and for fundraising, so would likely not be exempt.
- The exemption is pivoted towards innovation and research. What does this mean for other types of uses?
- The exemption is part of a recital instead of an article, and recitals are not legally binding; they only give guidance to courts.
- We need the same or compatible language across all three acts.
A Possible Balance
It is a tricky balance to achieve. Cyber security and liability for AI and other products are serious issues. Corporations shouldn’t get a free pass by just opening up a little. As a society, we also need ways to strengthen our defenses and go after malicious actors. But we also have an interest in protecting individual tinkerers, not-for-profits, starting entrepreneurs and academic research.
We have had many and long calls, including with the Free Software Foundation Europe, and were able to agree on the following suggestions:
- Liability should be shifted to those deploying free software instead of those developing free software.
- Those who significantly financially benefit from this deployment should have to make sure the software is compliant (e.g. CE compliant in the case of the CRA).
- Free software should be considered code that comes with the four freedoms to use, study, share, and improve the code.
- The language across the three pieces of legislation needs to be aligned.
More precisely, instead of making the liability decision dependent on “commercial activity” vs. non-commercial activity, it should firstly depend on deployment vs. development; only secondly should it matter whether money-making is involved; and thirdly the size of the entity should count. In other words, the responsibility to fulfill liability requirements should be moved towards those deploying these solutions, if they are in addition also substantial profit-oriented companies.
Legally this third aspect of making size count could be done by drawing the line at “micro enterprises”, a term already defined in EU law (Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises).
This way not-for-profits, academia and the proverbial individual coder who earns a bit of money on the side to pay rent would be excluded. Other enterprises wouldn’t be.
A global rulebook
It is a very complex debate and its implications will be long lasting. At the same time the proposals and positions seem to change weekly and are spread across three groups of negotiators. But it is a debate that’s worth engaging in, as the EU has demonstrated it can create global blueprints for the rules regulating the digital world. Whatever gets agreed here and now might end up being copied in other regions of the world.