How the Commission Set Out to Torpedo Web3 Without Even Realizing It

Daniel Schönberger, Chief Legal Officer, Web3 Foundation

By expanding the Product Liability Directive to software and making developers strictly liable for exploited bugs, the European Commission might pose an extinction-level threat to the nascent Web3 space. The industry was not at the table, and the regulator seems to be sleepwalking past the opportunity to create a better web. Feedback may be provided to the Commission until 11 December 2022 here.

The European Commission recently released a legislative package designed to update the European Union’s (EU) liability rules to meet evolving challenges in the digital age. Work on these policy proposals began more than five years ago as the result of increased coverage of advancements in Artificial Intelligence (AI) by mainstream news outlets. As a senior executive at a leading US technology firm I joined many stakeholders to engage with this process from its inception.

A while ago, I moved on and joined Web3 Foundation, dedicated to building a better internet, where the user has control over their data (also referred to as the decentralized web, Web3 or Web 3.0). Admittedly, I lost sight of the Commission’s liability work. After all, the Commission initially focused on the challenges related to robots, AI and the Internet of Things (IoT) with no clear focus on crypto and blockchain as a priority for the new rules. Unfortunately, the recent release of a proposal for a revised Product Liability Directive (PLD) came as an unexpected shock to many stakeholders.

The PLD lays out harmonized liability rules for damages incurred by consumers caused by defective products. The framework incorporates a strict liability standard for producers regardless of fault that cannot be excluded or limited by contract. A consumer simply needs to establish a damage claim and a causal link between the damage and a defect in a given product. Historically, the strict liability standard has focused on offline and hardware products such as failed brakes on a car. These offline and hardware products have been generally defined as “movables”.

The Commission’s proposed revision will dramatically undermine a familiar, well-functioning and balanced framework and, for the first time, define standalone software as a covered product under the standard. Additionally, the range of compensable damages would be expanded beyond personal injury and damage to property to include “material losses resulting from loss or corruption of data”. For example, if a hacker exploits a cybersecurity vulnerability in a software product, the software developer would be liable for the resulting damages, such as compensating the loss of an erased music library. This treatment of software, including software as a service like cloud computing, contravenes universally accepted and understood business and legal practices.

First of all, there is broad agreement among technology and governmental stakeholders that software resembles a service rather than a product. Decades of software development have fostered a universal acceptance and acknowledgement that code cannot be released entirely “bug-free” and that development is an iterative process. Producers and consumers work cooperatively to identify software “bugs” and to develop and implement patches that address them. A blanket requalification of software as a product does not seem justified or consistent with established business and legal precedent.

A more effective approach would be to establish classifications for software to distinguish and differentiate classes of software, and only extend the PLD to those that already qualify as quasi products because of their inherent potential to cause comparable harm. For example, software defined as a medical device under the Medical Devices Regulation standard, or software that drives the physical interface of a hardware product, like a drone, better exemplify the types of products the Commission seeks to include in the revised PLD.

Second, strict liability always shifts the procedural advantage to the claimant seeking compensation. This standard of liability is generally reserved for abnormally hazardous activities, like the operation of a motor vehicle, the maintenance of a defective building or other structure, or the operation of a power plant. In each of these situations the health and safety of innocent bystanders are immediately at risk. That is a fundamentally different scenario from a case of harm resulting from the loss or corruption of data, which merely constitutes economic loss. In such instances it seems just and reasonable to require some form of fault or negligence on the part of the defendant. Under current international and sovereign legal systems, no jurisdiction applies a strict liability standard to the loss of data resulting from a “software defect”.

Traditional software developers and big tech alike disagree with the Commission’s revision. Rightfully, they argue such a liability framework would impede innovation and yield unacceptable overhead, preventing and delaying the development of useful products and services for the consumer market. The application of these proposed standards to the loss of data carries even greater significance when the perceived loss relates to crypto assets. Consumers can obtain a clear valuation of their loss based on a spot market valuation. Since all transactions are immutably logged on the blockchain, evidence for a specific loss, for example through the malicious exploitation of a cybersecurity vulnerability by a hacker, is easily established.

The vision of a decentralized web that will readjust the existing power imbalance of the current Web 2.0 world rests on blockchain technology. Most modern protocols that operate at scale are proof-of-stake networks that consume only a tiny fraction of the energy of proof-of-work networks, which are still prevalent, for example, in the Bitcoin protocol. In a proof-of-stake network, security features and governance rely on the staking of utility tokens that are native to a specific protocol, such as the DOT token within the Polkadot protocol as it was initially launched by Web3 Foundation. The PLD uses the definition of data established in the Data Governance Act. Under this act, “data” is defined as “any digital representation of acts, facts or information [...] including in the form of sound, visual or audiovisual recording”. Utility tokens and other crypto assets are fundamentally different from the “data” envisioned by the Commission in the context of the PLD, as they are “a digital representation of value or rights which may be transferred and stored electronically” as set out in the Markets in Crypto Assets Regulation (MiCA). Thus, if at all, they should fall within the exclusive remit of financial market regulation. In MiCA, the EU recently issued comprehensive legislation that applies to crypto assets and related services. If a fundamental need to protect consumers against the loss of crypto assets were warranted, policymakers would already have addressed it through their legislative deliberations.

Notwithstanding the foregoing, due to the lack of clarity in a poorly drafted PLD, utility tokens and other crypto assets could still erroneously be understood by plaintiffs as “data”, leading to years of litigation. Thus, even in the current bear market, the overall liability exposure of the crypto industry could well be north of one trillion dollars, including cryptocurrencies, utility tokens, NFTs and other digital assets.

According to the recitals of the proposal, the PLD “should not apply to free and open-source software developed or supplied outside the course of a commercial activity”. Thus, there are arguments that some base-layer protocols which are open-source and sufficiently decentralized, like Polkadot, do not fall within the proposed definitional scope. However, the perspectives outlined in the recitals are not reflected in the actual law, which lacks clarity. The Commission did not fully consider the unique attributes of crypto and blockchain technologies when drafting its proposal. This is evident in the failure to mention “crypto” or “blockchain” in the proposal at all. The industry was focused on MiCA and not at the table.

However, collateral damage and the upheaval to well-established and supported norms can still be avoided through the creation of a safe harbor. At a bare minimum the law should exempt those layer 0 and 1 protocols that provide for the new architecture of Web3, and are use case and content agnostic, much like TCP/IP or HTTP(S). The developers of these constitutional underpinnings of the decentralized web should not be liable for any bugs which are a universally acknowledged component of software development. Unfortunately, this would still leave developers building on top of this base stack exposed to a swath of liability litigation. Therefore a comprehensive safe harbor under the PLD is necessary to allow for optimal innovation, addressing — at a minimum — liability for economic harm resulting from the loss or corruption of data by deleting the respective language from the draft. Alternatively this could be done by clarifying that crypto and other digital assets will be exempt from the PLD because they fall within the sole remit of MiCA.

A safe harbor will empower stakeholders to build upon this emerging and necessary technology free from the risk of poorly conceived rights of action for perceived harm. Web3 technology is still nascent, and hacks will occur. The market has the potential to mature and to give future internet users greater latitude in developing the technology of tomorrow. Unfortunately, a regulatory environment that fosters legal and economic uncertainty will ultimately deter investment and innovation in this space.

In a longstanding legislative battle, the EU has tried to rein in big tech. It remains to be seen whether the GDPR, DSA, DMA, AI Act, DSM Directive etc. will keep their proclaimed promises. Personally, I don’t believe that the issues of Web 2.0 can be solved by the law. A much more efficient and bottom-up way is to provide for real user choice based on a new and decentralized web architecture, eliminating the need for information intermediation. Polkadot and many other Web3 projects are fundamentally European success stories. But the safest and fastest way to put an end to their growth and adoption is bad regulation like the revised PLD. Ironically, the beneficiaries would once more be those big tech companies that the law tries to get hold of in the first place.

Liora Sobirova

Cybersecurity and Risk Management @Baruch | Zicklin School of Business

2 years

CS

Pascal Belouin

Digital Humanities Scholar at Max Planck Institute for the History of Science

2 years

I might be a bit jaded, but do individuals submitting feedback on this EU commission form actually have weight compared to Brussels lobbyists?
