Understanding upcoming requirements in the EU and their impact on businesses
In today’s consumer-driven world, ensuring the safety and reliability of products is paramount. Hence, product safety and compliance are critical issues that every company involved in the supply chain should be aware of. This is even more true when it comes to products powered by artificial intelligence (“AI”), which pose new risks due to their interconnectivity, self-learning capabilities and increased exposure to cybersecurity vulnerabilities.
While the AI Act (a product safety law for specific AI systems), is currently attracting a lot of attention, the General Product Safety Regulation (GPSR) should not be overlooked. It is another at least partially AI-specific product safety law in the EU, which was adopted in June 2023 to adequately address AI-related product risks. Whereas the AI Act is entirely AI-specific, the revisions to the general product safety legislation aim to – amongst others – address the integration of AI technology into existing product safety frameworks and introduce AI-specific requirements. Similar to the AI Act, the new legislation is a portion of the so-called AI Package as part of the EU’s approach to regulating AI (details here).
As AI technologies become increasingly prevalent in various industries, particularly consumer products, this article aims to provide an overview of the key regulatory changes resulting from the new GPSR and how they specifically impact consumer products powered by AI (“AI-powered consumer products”). Even with regard to the revised or new requirements of the GPSR that are not exclusively AI-specific, the GPSR may still have significant implications for AI-powered consumer products. Therefore, whereas Part 1 of this article deals with the AI-specific requirements of the GPSR, Part 2 provides an overview of the new requirements that, whilst not exclusively AI-specific, may still have a significant impact on AI-powered consumer products.
Background to the revisions
The need to update current product safety rules is driven by several critical factors, in particular the emergence of new technologies and the evolving nature of AI-powered consumer products. Rapid technological advances have led to the creation of innovative consumer products such as health and fitness trackers, service robots and smart home systems, which often use AI to enhance their functionality. AI, whether predictive or generative AI, may improve product performance, personalisation and automation but it also presents unique safety challenges.
For example, an AI-powered vacuum cleaner could fail to accurately detect obstacles due to overfitting, and AI-powered healthcare devices could make incorrect diagnoses or treatment recommendations due to incomplete training data, potentially putting people’s health at risk. Existing product safety regulations were inadequate to address these unique risks, and an updated regulatory framework was needed to better protect consumers using these new technologies. While the GPSR introduces specific modifications to the existing framework to en-sure the safety and accountability of AI-powered consumer products, it also continues to apply to products without AI functionality. Therefore, even if only some of the changes are AI-specific, they all affect AI-powered consumer products and their risk exposure in one way or another.
The upcoming legal framework
The GPSR (Regulation (EU) 2023/988), which entered into force on 12 June 2023 and will be applicable from 13 December 2024, is a revised version of the General Product Safety Directive (Directive 2001/95/EC, “GPSD”). It aims to improve the safety framework for non-food consumer products by imposing specific product conformity requirements on economic operators, primarily manufacturers, to ensure that only safe products are placed on the EU market. The GPSR inter alia addresses the challenges of new technologies and acts as a safety net for consumers and a regulatory framework to fill gaps in existing or future product-specific legislation, ensuring a high level of consumer protection. The GPSR covers risks not addressed by sector-specific legislation, including, but not limited to, general product safety requirements, standards for online marketplaces, obligations in case of accidents, consumer information and remedies, product safety recalls and the operation of the Rapid Alert System.
Key changes under the GPSR
The GPSR addresses, amongst others, AI-related product risks. The Regulation introduces several important changes and requirements for economic operators placing AI-powered consumer products on the EU market. The new AI-specific requirements are detailed below.
1. Coverage of AI-powered consumer products excluding stand-alone AI-software
The GPSR retains the broad definition of “product” from the previous GPSD. It is defined as any item that is either intended for consumers or likely to be used by consumers, even if it was not originally intended for them. The GPSR therefore covers both consumer products in general and AI-enabled consumer products more specifically. Although, this is not a change in the law, it is now clear that stand-alone AI software is not covered by the GPSR. This was controversial under the GPSD. However, the fact that the EU legislator did not explicitly include (AI) software in the definition, although it is included in related legislation, namely the revised Product Liability Directive (Article 4(1)), for which EU policymakers reached a political agreement in December last year, must be taken as a clear indication that it was deliberately left out of scope. Moreover, the inclusion of (AI) software was explicitly recommended by the EU Commission’s report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics (page 11, see here).
The GPSR therefore only applies to AI embedded in physical consumer products, as opposed to pure AI-based stand-alone software. There are many examples of such consumer products embedding AI technology in the form of predictive and/or generative AI. For example, smart home appliances (such as a washing machine) can incorporate predictive algorithms to analyse usage patterns, environmental factors and user preferences in order to optimise energy consumption, adjust settings for efficient operation or even anticipate maintenance needs. Similarly, a smart refrigerator with generative AI capabilities can analyse the food inside and generate meal suggestions or recipes based on available ingredients. Equally, personalised health devices (e.g., fitness trackers) can analyse data such as heart rate, sleep patterns or activity levels to provide personalised health insights or generate customised exercise plans.
2. Updated meaning of “safe products” under the GPSR
The GPSR updates the aspects to assess whether a product is a “safe product”. It includes risks arising from product interconnectivity, cybersecurity and AI elements in product function-ality. This change recognises the evolving nature of AI-powered consumer products and addresses the unique risks associated with interconnected and technologically advanced products, including post-market risks.
Manufacturers are therefore required to consider the specific risks associated with AI elements in product functionality, and to establish mechanisms for post-market monitoring of AI-powered consumer products. This could include collecting user feedback, monitoring product usage and performance data, promptly addressing any issues identified, and retraining or fine-tuning AI algorithms as new data becomes available or user patterns change. This approach ensures that the product remains effective, adapts to evolving user needs, and addresses potential biases or inaccuracies due to changes in data patterns. For example, if AI algorithms in smart home devices such as smart thermostats are not regularly updated to reflect new conditions, the system may not accurately control heating systems, leading to incorrect recommendations, unnecessary spending or compromised building safety.
3. Allocation of responsibilities in the supply chain in case of substantial modifications to AI-powered consumer products
The GSPR emphasises that when a natural or legal person places a product on the market under their own name or substantially modifies a product, they should be recognised as the manufacturer and assume associated obligations. The update in legislation aims to clarify the responsibilities of economic operators when a person other than the original manufacturer significantly modifies the product. This is particularly relevant for AI-powered consumer products, which often undergo rapid technological advancements and updates provided by parties other than the original manufacturer.
Modifications to AI-based products can involve changes to software, algorithms, or data processing capabilities, which can have a substantial impact on the product’s behaviour and performance. Third-party software developers, data providers, system integrators, or service providers may be involved in these modifications.
Determining responsibility for safety standards and risks associated with modified AI-powered consumer products becomes complicated as the original manufacturer may not have control over the modifications made by third parties and it is unclear when exactly a modification is considered substantial. This complexity in accountability and compliance can create liability risks. Clear agreements between manufacturers and modifiers are therefore crucial to effectively address these issues.
For further information, please contact:
Dr. Nils Lölfing, Bird & Bird