EU Parliament suggests civil liability regulation for artificial intelligence. Possible collisions ahead with IMO civil liability collisions?

On 22 October the European Parliament sent a draft regulation to the Commission for a new strict liability regime for operators of AI systems. Its salient features are.

Scope

Art 2

This Regulation applies on the territory of the Union where a physical or virtual activity, device or process driven by an AI-system has caused harm or damage to the life, health, physical integrity of a natural person, to the property of a natural or legal person or has caused significant immaterial harm resulting in a verifiable economic loss.

Definitions

Art 3

(c)  ‘high risk’ means a significant potential in an autonomously operating AI-system to cause harm or damage to one or more persons in a manner that is random and goes beyond what can reasonably be expected; the significance of the potential depends on the interplay between the severity of possible harm or damage, the degree of autonomy of decision-making, the likelihood that the risk materializes and the manner and the context in which the AI-system is being used;

(d)  ‘operator’ means both the frontend and the backend operator as long as the latter’s liability is not already covered by Directive 85/374/EEC;

(e)  ‘frontend operator’ means any natural or legal person who exercises a degree of control over a risk connected with the operation and functioning of the AI-system and benefits from its operation;

(f)  ‘backend operator’ means any natural or legal person who, on a continuous basis, defines the features of the technology and provides data and an essential backend support service and therefore also exercises a degree of control over the risk connected with the operation and functioning of the AI-system;

(g)  ‘control’ means any action of an operator that influences the operation of an AI-system and thus the extent to which the operator exposes third parties to the potential risks associated with the operation and functioning of the AI-system; such actions can impact the operation at any stage by determining the input, output or results, or can change specific functions or processes within the AI-system; the degree to which those aspects of the operation of the AI-system are determined by the action depends on the level of influence the operator has over the risk connected with the operation and functioning of the AI-system;

(h)  ‘affected person’ means any person who suffers harm or damage caused by a physical or virtual activity, device or process driven by an AI-system, and who is not its operator;

(i)  ‘harm or damage’ means an adverse impact affecting the life, health, physical integrity of a natural person, the property of a natural or legal person or causing significant immaterial harm that results in a verifiable economic loss;

(j)  ‘producer’ means the producer as defined in Article 3 of Directive 85/374/EEC. (the Product Liability Directive)

Strict liability for high-risk AI-systems

Article 4

1.  The operator of a high-risk AI-system shall be strictly liable for any harm or damage that was caused by a physical or virtual activity, device or process driven by that AI-system.

2.  All high-risk AI-systems and all critical sectors where they are used shall be listed in the Annex to this Regulation…

3.  Operators of high-risk AI-systems shall not be able to exonerate themselves from liability by arguing that they acted with due diligence or that the harm or damage was caused by an autonomous activity, device or process driven by their AI-system. Operators shall not be held liable if the harm or damage was caused by force majeure.

4.  The frontend operator of a high-risk AI-system shall ensure that operations of that AI-system are covered by liability insurance that is adequate in relation to the amounts and extent of compensation provided for in Articles 5 and 6 of this Regulation. The backend operator shall ensure that its services are covered by business liability or product liability insurance that is adequate in relation to the amounts and extent of compensation provided for in Article 5 and 6 of this Regulation. If compulsory insurance regimes of the frontend or backend operator already in force pursuant to other Union or national law or existing voluntary corporate insurance funds are considered to cover the operation of the AI-system or the provided service, the obligation to take out insurance for the AI-system or the provided service pursuant to this Regulation shall be deemed fulfilled, as long as the relevant existing compulsory insurance or the voluntary corporate insurance funds cover the amounts and the extent of compensation provided for in Articles 5 and 6 of this Regulation.

5.  This Regulation shall prevail over national liability regimes in the event of conflicting strict liability classification of AI-systems.

Amount of compensation

Article 5

1.   An operator of a high-risk AI-system that has been held liable for harm or damage under this Regulation shall compensate:

(a)  up to a maximum amount of EUR two million in the event of the death of, or in the event of harm caused to the health or physical integrity of, an affected person, resulting from an operation of a high-risk AI-system;

(b)  up to a maximum amount of EUR one million in the event of significant immaterial harm that results in a verifiable economic loss or of damage caused to property, including when several items of property of an affected person were damaged as a result of a single operation of a single high-risk AI-system; where the affected person also holds a contractual liability claim against the operator, no compensation shall be paid under this Regulation, if the total amount of the damage to property or the significant immaterial harm is of a value that falls below [EUR 500](9).

Limitation period

Article 7

1.  Civil liability claims, brought in accordance with Article 4(1), concerning harm to life, health or physical integrity, shall be subject to a special limitation period of 30 years from the date on which the harm occurred.

2.  Civil liability claims, brought in accordance with Article 4(1), concerning damage to property or significant immaterial harm that results in a verifiable economic loss shall be subject to special limitation period of:

(a)  10 years from the date when the property damage occurred or the verifiable economic loss resulting from the significant immaterial harm, respectively, occurred, or

(b)  30 years from the date on which the operation of the high-risk AI-system that subsequently caused the property damage or the immaterial harm took place.

Of the periods referred to in the first subparagraph, the period that ends first shall be applicable.

Fault-based liability for other AI-systems

Article 8

1.  The operator of an AI-system that does not constitute a high-risk AI-system as laid down in Articles 3(c) and 4(2) and, as a result is not listed in the Annex to this Regulation, shall be subject to fault-based liability for any harm or damage that was caused by a physical or virtual activity, device or process driven by the AI-system.

2.  The operator shall not be liable if he or she can prove that the harm or damage was caused without his or her fault, relying on either of the following grounds:

(a)  the AI-system was activated without his or her knowledge while all reasonable and necessary measures to avoid such activation outside of the operator’s control were taken, or

(b)  due diligence was observed by performing all the following actions: selecting a suitable AI-system for the right task and skills, putting the AI-system duly into operation, monitoring the activities and maintaining the operational reliability by regularly installing all available updates.

The operator shall not be able to escape liability by arguing that the harm or damage was caused by an autonomous activity, device or process driven by his or her AI-system. The operator shall not be liable if the harm or damage was caused by force majeure.

3.  Where the harm or damage was caused by a third party that interfered with the AI-system by modifying its functioning or its effects, the operator shall nonetheless be liable for the payment of compensation if such third party is untraceable or impecunious.

4.  At the request of the operator or the affected person, the producer of an AI-system shall have the duty of cooperating with, and providing information to, them to the extent warranted by the significance of the claim, in order to allow for the identification of the liabilities.

National provisions on compensation and limitation period

Article 9

Civil liability claims brought in accordance with Article 8(1) shall be subject, in relation to limitation periods as well as the amounts and the extent of compensation, to the laws of the Member State in which the harm or damage occurred.

 There are also provisions regarding contributory negligence, Article 10, joint and several liability, Article 11, recourse for compensation, Article 12.

There are no carve-outs as regards existing civil liability conventions for maritime claims such as the CLC, Bunker Oil Pollution Convention, HNS Convention, which are strict liability based, and the 1910 Brussels Collision Convention which is fault liability based. This is in contrast to the exclusions contained in the 2004 Environmental Liability Directive whose territorial scope was widened with the 2013 Offshore Safety Directive. The current proposal applies to the “territory of the Union” which would encompass the territorial sea of Member States and, in the light of the ECJ’s decision in Commun v Mesquer, loss or damage manifesting on land from an oil spill in the exclusive economic zone of a Member State would come within the scope of the Regulation. As such, it has the capacity to conflict with existing strict liability conventions as enacted in national laws (see the priority of the regulation stipulated in art 4(5)) where autonomous vessels come into operation at MASS Levels 3 and 4, if these are regarded as ‘high risk’. If that were the case, collision liabilities involving such vessels would be dealt with by a strict liability regime, as opposed to the current fault based regime under the Brussels Collision Convention 1910.

First Intergovernmental Standard on AI & Cyber Risk Management

In giving evidence to the Public Accounts Committee (PAC) on Cybersecurity in the UK Sir Mark Sedwill (Cabinet Secretary, Head of the UK Civil Service and UK National Security Advisor) asserted, “the law of the sea 200 years ago is not a bad parallel” for the “big international question” of cyberspace governance today (see Public Accounts Committee Oral evidence: Cyber Security in the UK, HC 1745 [1st April 2019] Q93).

In making this assertion Sir Mark may have had in mind articles such as Dr. Florian Egloff’s Cybersecurity and the Age of Privateering: A Historical Analogy in which the author asserted: 1. “Cyber actors are comparable to the actors of maritime warfare in the sixteenth and seventeenth centuries. 2. The militarisation of cyberspace resembles the situation in the sixteenth century, when states transitioned from a reliance on privateers to dependence on professional navies. 3. As with privateering, the use of non-state actors by states in cyberspace has produced unintended harmful consequences; the emergence of a regime against privateering provides potentially fruitful lessons for international cooperation and the management of these consequences.”

In our IP Wales Guide on Cyber Defence we note: “Since 2004, a UN Group of Governmental Experts (UN GEE) has sought to expedite international norms and regulations to create confidence and security-building measures between member states in cyberspace. In a first major breakthrough, the GGE in 2013 agreed that international law and the UN Charter is applicable to state activity in cyberspace. Two years later, a consensus report outlined four voluntary peace time norms for state conduct in cyberspace: states should not interfere with each other’s critical infrastructure, should not target each other’s emergency services, should assist other states in the forensics of cyberattacks, and states are responsible for operations originating from within their territory.

The latest 2016-17 round of deliberations ended in the stalling of the UN GGE process as its members could not agree on draft paragraph 34, which details how exactly certain international law applies to a states’ use of information and communications technology. While the U.S.A. pushed for detailing international humanitarian law, the right of self-defence, and the law of state responsibility (including the countermeasures applying to cyber operations), other participants, like China and Russia, contended it was premature.”

Indeed China has gone further and condemned the U.S.A. for trying to apply double standards to the issue, in light of public disclosures of spying by their own National Security Agency (NSA).

Sir Mark went on to reveal that because cyberspace governance is being only partly addressed through the UN, “we are looking at coalitions of the willing, such as the OECD and some other countries that have similar systems to ours, to try to approach this.”

Evidence of this strategy in operation can be seen at Ministerial Council Meeting of the Organisation for Economic Co-ordination and Development (OECD) on the 22nd May 2019 when 42 countries adopted five value-based principles on artificial intelligence (AI), including AI systems “must function in a robust, secure and safe way throughout their life cycles and potential risks should be continually assessed and managed.”

The recently created UK National Cyber Security Centre (NCSC) has sought to give substance to this principle through offering new guidance on cybersecurity design principles. These principles are divided into five categories, loosely aligned with the stages at which a cyberattack can be mitigated: 1. “Establishing the context. All the elements that compose a system should be determined, so the defensive measures will have no blind spots. 2. Making compromise difficult. An attacker can target only the parts of a system they can reach. Therefore, the system should be made as difficult to penetrate as possible. 3. Making disruption difficult. The system should be designed so that it is resilient to denial of service attacks and usage spikes. 4. Making compromise detection easier. The system should be designed so suspicious activity can be spotted as it happens and the necessary action taken. 5. Reducing the impact of compromise. If an attacker succeeds in gaining a foothold, they will then move to exploit the system. This should be made as difficult as possible.”

Alec Ross (Senior Advisor for Innovation to Hillary Clinton as U.S. Secretary of State) warns that, “small businesses cannot pay for the type of expensive cybersecurity protection that governments and major corporations can (afford)” A Ross, Industries of the Future (2016). It remains to be seen to what extent cybersecurity design principles will become a financial impediment to small business engaging with AI developments in the near future.

14th IISTL Colloquium on New Technologies and Shipping/Trade Law

Sponsored by 

The Institute’s 14th Annual Colloquium will be held on 10-11 September 2018. The subject of this year’s event is new technologies and their present and future effect on shipping and trade law.

14th IISTL Colloquium

To register for this event, please visit our Eventbrite page.

Continue reading “14th IISTL Colloquium on New Technologies and Shipping/Trade Law”