Document Actions


The Digitalisation Of Cars And The New Digital Consumer Contract Law

  1. Peter Rott


Cars are paradigmatic for the digitalisation of goods. Therefore, smart cars are chosen as an example to illustrate the application of the new rules of the Sale of Goods Directive (EU) 2019/771 and the Digital Content and Services Directive (EU) 2019/770 to goods with digital elements and to goods with incorporated and inter-connected digital content or services as supplied by the trader or by third parties. The article flags the demarcation between the two Directives and discusses potential grounds for non-conformity of smart cars with the contract. It then focuses on the consequences that the inclusion of incorporated and inter-connected digital content or services may have on the remedies that the consumer has available. It also briefly touches on the issue of damages that may be of great relevance in practice but that the two Directives do not tackle. The article concludes that although the allocation of liability with the seller would seem to make the consumer’s life easier, different rules for hardware and digital content and services within the Sale of Goods Directive can lead to complications. The parallel application of the Sale of Goods Directive and the Digital Content and Services Directive exacerbates this issue where the consumer acquires digital content and services separately. Vice versa, the seller would seem to have a vital interest to not have many third parties (beyond the manufacturer) being involved with the car, if only for reasons of cybersecurity.


1. Introduction*


One main objective of the new Sales of Goods Directive (EU) 2019/771 [1] (SGD) and even more of the Digital Content and Digital Services Directive (EU) 2019/770 [2] (DCSD) is to make EU consumer contract law fit for the digital market [3] by introducing or clarifying the related consumer rights.


Given the fact that a large part of sales law litigation relates to cars, [4] not only since the Volkswagen diesel scandal, this article focuses on the implications that the two directives have on the car industry, and vice versa, on consumers that purchase cars. Cars are paradigmatic for the digitalisation of goods and for their interconnectivity with third party content and services. The relevant data flows have therefore been intensely discussed by data protection lawyers, [5] whereas access to and evidential value of data that is generated in cars is an issue of relevance when it comes to accidents. [6]


Data protection is, however, not the theme of this article which rather deals with malfunctioning of all kinds; although, a car may also not be in conformity with the contract because it sends more personal data to the seller or third parties than is necessary and consented to by the consumer. After an introduction to the various ways by which cars are nowadays digitalised (2.), this article first deals with the demarcation of the scopes of application of the two Directives, which follow the same concepts but differ in their details (3.). It then discusses various scenarios of non-conformity (4.) and analyses the related remedies under the applicable directives, using German case law under the old Directive, due to its abundance, to illustrate problems and possible solutions (5.). Complementing the analysis, the article looks for solutions outside the two directives where they do not provide for a remedy (6.), before it offers some conclusions (7.).


2. The digitalisation of cars


Cars have been digitalised for a long time. Software is employed for essential internal functions of the car, such as engine control, and for manifold assistant systems, such as parking assistants. Consumers can also interact with their cars with gadgets such as car keys with remote control functions, and more recently, systems have been developed by which the consumer can interact with cars via apps over the internet (provided the consumer and the car both have access) or via human-machine interface (HMI) built into the car. [7] Contact to the outside world has been established for a long time via navigation systems that rely on GPS data. Cars nowadays must also be equipped with an eCall system that automatically calls an emergency number in the event of a serious accident. [8] The high tide is reached with more or less automated or autonomous cars [9] where the internal digital system (so-called telematics box) constantly interacts with external systems and transmits data into and out of the car. According to the United Nations Economic Commission for Europe (UNECE), cars today contain up to 150 electronic control units and about 100 million lines of software code. [10]


Notably, a multitude of players may be involved in the digitalisation of cars. Traditionally, mass-market cars have been distributed through independent car traders, the sellers, whereas the consumer has not had a contractual relationship with the manufacturer. One of the exceptions is Tesla that distributes its cars online to customers and concludes with each customer a contract which includes Tesla’s obligation to provide updates. For online services, the situation has somewhat changed. Such digital services, usually sold in service packages, are often distributed directly by the manufacturers themselves. Examples are the ConnectDrive system of BMW, Me connect of Mercedes Benz and We Connect of Volkswagen. [11] And when it comes to non-essential features such as a navigation system, or elements of ’infotainment’, other third-party suppliers may be directly or indirectly involved.


All digital features are not necessarily available at the time of the sale or the delivery of the car. One can imagine new features, such as seat heating that is controlled via an app where those seats are built into the car at a later stage. The same applies to digital services: the car as delivered may, in principle, only provide for the connectivity for a navigation system or for infotainment, whereas the relevant system can be added by the consumer from a provider of her own choice. [12] These different circumstances are considered in the following analysis of the new Directives and their application to the car sector.


3. Which Directive applies to which aspect of digitalisation?


The European Commission has placed much emphasis on the demarcation of the scopes of application of the mutually exclusive directives. [13] That demarcation is of utmost importance for the consumer as we shall see in the following.


3.1. Goods with digital elements


The Sale of Goods Directive obviously applies to the car as such. The Directive also applies to “goods with digital elements” that come under the notion of “goods”, according to Article 2(5)(b) SGD. Goods with digital elements are defined as “tangible movable items that incorporate or are inter-connected with digital content or a digital service in such a way that the absence of that digital content or digital service would prevent the goods from performing their functions.” A car with elements such a digital engine control or a navigation system is obviously still a good. Nobody would have doubted that even before the adoption of the Sale of Goods Directive.


3.2. Incorporated and inter-connected digital content or services


There is, however, the issue of the classification of the digital elements themselves that is addressed in Article 3(3) sentence 2 of the Directive. According to this sentence, the Sale of Goods Directive also applies to “digital content or digital services which are incorporated in or inter-connected with goods in the meaning of point (5)(b) of Article 2, and are provided with the goods under the sales contract, irrespective of whether such digital content or digital service is supplied by the seller or by a third party.” This is a major difference to the current law of most Member States where in particular, digital services would be regarded as service contracts with usually only fault-based liability in place. [14]


3.2.1. Necessary for performing the functions of the good


The reference to Article 2(5)(b) means that incorporated and inter-connected digital content or services only fall into the scope of application of the Directive, if “the absence of that digital content or digital service would prevent the goods from performing their functions”.


This is obvious when the good in question (here: a car) does not work at all without its operational system or for example, with a keyless car where the digital key does not work.


But how about a navigation system? Cars can indeed still operate without one! The same applies to an infotainment system. We therefore must take a closer look at the definition and its legislative history. In its first proposal of 2015, [15] as well as in the amended proposal of 2017, [16] the European Commission only touched on the issue in recital (13) according to which the proposed directive “should apply to digital content integrated in goods such as household appliances or toys where the digital content is embedded in such a way that its functions are subordinate to the main functionalities of the goods and it operates as an integral part of the goods.”


The criteria of “main functionalities” and “subordination” were criticised in academic writing as being unclear. [17] It is, for example, debateable whether a navigation system belongs to the main functionalities of a car, [18] although it seems that some drivers and passengers are nowadays unable to use traditional maps. Be that as it may, these criteria are not present anymore in the definition of goods with digital elements. This leads to the first conclusion that the notion of “performing their functions” does not require them to be main functions. [19] Moreover, the definition of goods with digital elements suggests that a good may have to perform more than one function (‘performing their functions’). [20]


Which functions then does a car have to perform? The answer can be found in the Directive itself: (1) the functions that the parties have agreed on (see Article 6(a) and (b) SGD) [21] and the functions that are normal for goods of the same type or that the consumer can reasonably expect (Article 7(a) and (d) SGD) and that the parties have not explicitly excluded (Article 7(5) SGD). [22] This conclusion is confirmed by recital (14) SGD that refers to a contractually agreed function and by recital (15) SGD that refers to the normal functions of goods that the consumer can reasonably expect, and to public statements about the good and its digital features.


Thus, where a car is sold or advertised as providing for a navigation system, the relevant digital content and service comes under the scope of the Sale of Goods Directive according to Article 3(3) sentence 2 SGD. Some uncertainty remains with new smart products as their “normal” functions are somewhat dynamic. [23]


However, a navigation system (and more so with an autonomous car) needs more than hardware and digital content to digest data that is sent from the outside as it also needs the external data itself. Thus, Article 3(3) sentence 2 SGD also mentions inter-connected digital content or services (in the absence of which the good would be prevented to perform its functions). This would include, for example, traffic data for a navigation system, as recital (14) SGD confirms. In other words, the seller would have to make sure that data flows and that incoming data is in conformity with the contract.


3.2.2. Provided with the goods under the sales contract


Article 3(3) SGD additionally requires that the digital content or service be “provided with the goods under the sales contract”.


Again, the digital features do not need to be expressly agreed upon in the contract, they can also objectively form part of the contract. Thus, the objective criteria for the conformity of goods with the contract (Article 7 SGD) affect the scope of application of the Directive. As mentioned above, recital (15) SGD refers to the normal functions of goods that the consumer can reasonably expect, and to public statements about the good and its digital features.


Moreover, the SGD may apply where the incorporated or inter-connected digital content or digital service is not supplied by the seller itself but is supplied, due to the sales contract, by a third party. What matters is only that the provision of the digital content or service forms part of the contract which is not defeated by the fact that the consumer may have to accept a licensing agreement (EULA) with the third party (see recital (15) SGD). Thus, it does not matter whether the digital elements of the navigation system are supplied by the seller of the car, or by its manufacturer, or by another third party. [24] The inclusion of third-party digital content and digital services into the contract relationship with the seller of the good is perhaps the most important feature of the Directive, as it means that the seller is responsible for their functioning and the consumer does not need to deal with different suppliers: [25] a one-stop mechanism, as it is known, for example, from product liability law. It is then for the seller, through his right of redress under Article 18 SGD, or under specific contractual arrangements with the third party, to take recourse from the third party that may be ultimately responsible for the non-conformity. [26]


Finally, recital (14) SGD clarifies that it does not matter whether digital content that fulfils a contractually agreed function is pre-installed or added subsequently. This is meant to prevent circumvention of the rules on non-conformity and remedies. Therefore, sellers cannot avoid their liability by including a term into the sales contract, according to which the consumer can, once the contract is concluded, download the relevant functions from the manufacturer’s website.


At the other end of the spectrum, an entirely new additional function and the relevant digital content and services that are added subsequently would not fall into the ambit of the original contract. Recital (16) SGD mentions the example of a game application that the consumer downloads from an app store onto a smart phone. In relation to cars, this could be, for example, a newly developed autonomous parking assistant that can be applied via an app on the consumer’s smartphone or HMI. Of course, the seller of the car cannot be held responsible for malfunctioning digital elements that the consumer adds unilaterally. [27] In that situation, the Digital Content and Services Directive may apply to the digital content and services.


The most complicated situation arises where the sales contract mentions certain functionalities and the good provides for the connectivity of such functionalities but the contract states that they need to be acquired separately from a third-party service provider. In principle, the Directive allows for such a separation, as the second example that the EU legislator gives in recital (16) SGD illustrates: the parties can agree that the consumer buys a smart phone without a specific operating system and the consumer subsequently concludes a contract for the supply of an operating system from a third party. Indeed, the consumer may have a particular interest in choosing from a selection of operating systems. According to recital (16) SGD, this separate contract could even be concluded through the seller as intermediary of the third-party service provider. This would take the digital service out of the scope of the sales contract and therefore out of the Sale of Goods Directive also. It may then fall into the scope of the Digital Content and Services Directive which would be the ideal solution for a seller who wants to avoid liability for the digital content and service.


Clearly, there is a tension between this rule and the mandatory nature of the Sale of Goods Directive under Article 21 SGD. The exceptional character of the exclusion of third party digital content and services from the sales contract suggests that the separation must be “genuine” rather than an artificial separation of contracts that circumvents the general one-stop concept of the Sale of Goods Directive.


For example, one could see an artificial separation of contracts if the consumer needed to register for the built-in service package on the manufacturer’s website to obtain the service free of charge. The mere fact that the consumer could obtain the service for free shows that the provision of the service forms part of the sales contract. This would even apply where the service was only temporarily for free, whereafter the consumer would have to pay for it.


Similarly, the separation of contracts would seem to be artificial where the consumer has no choice concerning the third-party digital content or service provider when it is pre-determined in the sales contract. This interpretation would be in line with other areas of EU consumer law. For example, under the Consumer Credit Directive 2008/48/EC, [28] the concept of “linked credit agreements” is meant to prevent the artificial separation of contracts that form a “commercial unit”. [29] Under the Consumer Rights Directive 2011/83/EU, [30] “ancillary contracts” [31] share the fate of the main contract even if the ancillary goods or services are provided by a third party.


3.3. Separately acquired digital content or services


As Directives (EU) 2019/770 and 2019/771 are mutually exclusive, the Digital Content and Services Directive only covers digital content and digital services that does not come under Article 3(3) sentence 2 SGD, see Article 3(4) DCSD. In particular, this would be third-party digital content and digital services that are not foreseen in the sales agreement but that the consumer acquires separately. [32] Again, examples could be a navigation system or an infotainment system.


If the (genuinely) new additional function and the relevant digital content and services come with a good (e.g. heat-able seats which replace the original seats), the new package would, of course, come under the Sale of Goods Directive; however, with a new sales contract, potentially with a new seller.


3.4. Why does it matter?


The consequence is that different rules may apply to the same problem such as the malfunctioning of the navigation system, although the European Commission has made an effort to streamline the relevant rules of the two directives. [33] It was, however, a deliberate decision of the EU Commission and the Council (against the position of the European Parliament) [34] to place embedded software under the rules on the sale of goods together with the goods it is embedded in. [35]


In principle, the two Directives follow the same structure, and they have introduced almost identical rules on conformity and remedies. [36] There are, however, some differences between them. For example, only the Sale of Goods Directive leaves Member States the option to maintain or introduce a notification period, and only the Digital Content and Services Directive knows the trader’s right to modify the digital content or digital service. [37]


The most crucial point, however, is determining the addressee of potential remedies, as mentioned above. Whereas under the Sale of Goods Directive the consumer must only approach the seller for all problems, in case of the parallel application of the Sale of Goods Directive (to the car) and the Digital Content and Services Directive (to additional digital content and services), the consumer has different contract partners to turn to. The latter may be particularly burdensome if the additional digital content or services are provided by a trader outside the EU which is another reason why circumvention of the Sale of Goods Directive must be prevented. [38]


4. Types of non-conformity


One can think of a great variety of problems caused by the digital elements of a car. Obviously, the most dramatic situation is where the software of an automated or autonomous car fails and causes an accident. The accident may also be caused by a hacker’s attack. [39] A navigation system with an incorrect map may lead the (inattentive) driver into a canal rather than on a road, or make her miss an important appointment. Concerning privacy and economic interests, the car may transmit data to third parties without the consent of the driver or owner which could allow these third parties to personalise insurance tariffs or trace the movements of the driver. Moreover, software can be used by a third party to turn off the car externally (e.g. to take the car hostage for an unpaid bill). Software could even be manipulated to deceive type approval authorities, and cars could fail to meet the relevant legislative standards on, for example, NOx emissions.


In brief, both the Sale of Goods Directive and the Digital Content and Services Directive apply subjective and objective criteria on conformity. Compared to the Consumer Sales Directive 1999/44/EC, the objective criteria have been strengthened in that they are only ruled out by the agreement of the parties if the consumer was specifically informed that a particular characteristic of the goods was deviating from the objective requirements for conformity and the consumer expressly and separately accepted that deviation when concluding the sales contract (Article 7(5) SGD and Article 8(5) DCSD).


All the aforementioned digitalisation issues are relevant for the conformity of the car with the contract. Next, the article considers the situation of a car with digital elements that comes entirely under the Sales of Goods Directive before briefly addressing the cumulative application of the Sale of Goods Directive and the Digital Content and Services Directive.


4.1. Non-conformity of the car under the Sale of Goods Directive


4.1.1. Defects affecting the main functions of the car


It is obvious that a deficient operation system of a car disrupts its conformity with the contract. Importantly, the consumer does not need to show what exactly is wrong with the car. It suffices to show that the car, or a specific feature of it, does not work for whatever reason; this could be a hardware or a software defect. [40] This view was confirmed, in the context of the reversed burden of proof under Article 5(3) of Directive 1999/44/EC, in the case of Faber  [41] where a car caught fire. The Court of Justice concluded that it was not for the consumer to show why the car caught fire but that the simple fact that it did made it defective. [42]


4.1.2. Defeat devices


A defeat device is a car software that interferes with or disables emissions controls under real-world driving conditions, even if the vehicle passes formal emissions testing. Defeat devices, in particular those used by the Volkswagen group, have featured prominently in the case law of the courts of many Member States in the past few years. The decisions in which courts have held cars with defeat devices not to be in conformity with the contract are countless. Importantly, this is not only because the promised environmental advantages of the allegedly cleaner diesel cars are not present but also because of the legal risks related to the potential withdrawal of the admission of the car to the road. [43]


4.1.3. Safety and security


Cars must be safe. In this regard, compliance with legislation and technical standards is of particular importance as Article 7(1)(a) SGD confirms. Notably, the new Type Approval Directive (EU) 2019/2144 [44] requires a number of digital safety features that will become mandatory in 2022, such as warning of driver drowsiness and distraction (e.g. smartphone use while driving), intelligent speed assistance, reversing safety with camera or sensors, and data recorder in case of an accident (‘black box').


Security has always been an element of conformity as well. [45] It is now explicitly mentioned in Article 7(1)(d) SGD as one of the elements of objective conformity with the contract. In particular, this includes cyber security [46] which means that the car, or rather its software, must be shielded against third-party attacks by hackers that try to take control of the car. [47]


In this context, the obligation under Article 7(3) SGD to inform the consumer of and supply her with updates, including security updates, that are necessary to keep the car in conformity plays a major role. Indeed, software may have been secure at the time of the delivery of the car but have become insecure afterwards due to technological development.


Beyond these observations, the details are quite unclear. For example, it has always been discussed whether consumers may reasonably expect absolute security, [48] or whether they expect software to be “hackable”. [49] Moreover, it may be unclear at which point in time a car needs a security update and, consequently, whether an update is provided too late. The correct answer seems to be that consumers may expect a reasonable level of security. The industry standard (ISO/SAE 21434 - Road Vehicles – Cybersecurity Engineering) that the Society of Automotive Engineers (SAE) elaborated in cooperation with the International Standardisation Organisation (ISO) [50] could serve as a minimum standard, at least for cars that are sold after that standard has been adopted. Moreover, in June 2020, UNECE adopted two new UN Regulations on Cybersecurity and Software Updates. [51]


4.1.4. The digital brick


Apart from hackers, the seller could interfere with the car by way of a so-called digital brick. [52] A digital brick allows the seller to switch a digital device off remotely, for example, to enforce an (alleged) claim against the consumer. In a case before the LG Düsseldorf, the Verbraucherzentrale Sachsen successfully challenged a contract term by RCI Banque S.A. that leased car batteries to consumers. [53] The term allowed RCI Banque S.A. to stop the reload of the battery in case of its own termination of the contract with the consumer. Similarly, one could think of such software allowing the car manufacturer to switch off the car if the consumer does not pay for her subscription for connected car services. If such a system were present in a car without consent and even knowledge of the consumer, this would render the car nonconforming with the contract.


4.1.5. Unlawful data export


Finally, the situation where the car sends data to third parties without the consent of the driver or the owner appears to be, first and foremost, an issue of data protection law. The situation has, however, also been discussed in the context of sales law. In a decision of 2015, the OLG Hamm accepted that in principle the integration into the car of a device that sends unauthorised data to an insurance company would make the car defective (although in this case the court concluded that there was no such device). [54]


The Digital Content and Services Directive explicitly addresses that issue. According to Recital (48) DCSD, “[f]acts leading to a lack of compliance with requirements provided for by [the General Data Protection] Regulation (EU) 2016/679, including core principles such as the requirements for data minimisation, data protection by design and data protection by default, may, depending on the circumstances of the case, also be considered to constitute a lack of conformity of the digital content or digital service with subjective or objective requirements for conformity provided for in this Directive.” Tom Nichini TN One of the examples presented in Recital (48) DCSD is the situation where the trader of an online shopping application fails to take the measures provided for in the General Data Protection Regulation for the security of processing of the consumer's personal data and as a result, the consumer's credit card information is exposed to malware or spyware. According to the EU legislator, that failure could also constitute a lack of conformity of the digital content or digital service within the meaning of this Directive, as the consumer would reasonably expect that an application of this type would normally possess features preventing the disclosure of payment details.


Although the Sale of Goods Directive does not present a corresponding recital, there is no reason why the reasonable consumer expectations towards data security of embedded software or towards digital content that comes under the Sale of Goods Directive should be any different. The difference is not the result of a deliberate choice, [55] rather it seems that the corresponding situation under the Sale of Goods Directive was simply overlooked.


4.1.6. Practical problems


One practical problem is that, as a starting point, non-conformity must be present at the time of delivery (Article 10(1) SGD). However, this is different where, as in the case of goods with digital elements, the sales contract provides for a continuous supply of the digital content or digital service over a period of time. In that situation, the seller is also liable for any lack of conformity of the digital content or digital service that occurs or becomes apparent within two years of the time when the goods with digital elements were delivered, Article 10(2) SGD. [56] Consequently, it is essential for the seller’s liability whether the defect is in the digital content or service, or in the hardware.


For example, let us assume that brakes failed so that a car crashed and burned out. How shall the consumer find out whether the problem was with the physical properties of the brakes or with the related software?


Of course in the first year, the extended reversal of the burden of proof, now Article 11 SGD, is of help. [57] This rule is certainly even more consumer-friendly than the old six months period of Article 5(3) of the Consumer Sales Directive. Importantly, as mentioned above, the Court of Justice in its Faber decision turned against a narrow interpretation of that rule. The consumer only had to show that the good was not in conformity with the contract which was fairly easy after the burn out as cars are not supposed to catch fire. Then, it is on the seller to show that the cause of the fire had not been present in the car at the time of delivery.


If the defect becomes apparent after more than a year, the burden of proof is still on the seller if the sales contract provides for the continuous supply of the digital content or digital service over a period of time. However, the reversal of the burden of proof only relates to the conformity of the digital content or service with the contract and not to the good. Thus, the demarcation of the potential causes of non-conformity becomes relevant again, as well as the question of who must prove whether the physical or the digital elements caused the problem.


According to traditional rules of civil procedural law, it would be for the consumer to show which of the two rules apply. This may be easy in the case of a failing infotainment system but very difficult in the case of a digitally operated part of the car. It therefore seems to be justified to extend the logic of the Court of Justice in Faber that the seller has to prove the software was still in conformity with the contract and therefore, the problem was caused by the hardware or the consumer. This should be possible for the seller as software is not susceptible to wear and tear. If the trader succeeds in showing the software conformed with the contract after the expiry of one year, the consumer will have to prove that the hardware was nonconforming with the contract at the time of delivery.


4.2. Non-conformity under the Digital Content and Services Directive


As mentioned above, the conformity requirements of the Sale of Goods Directive and Digital Content and Services Directive are substantially the same. Thus, the above considerations relating to the non-conformity of digital content and services apply.


In practical terms, problems may arise when it is unclear why, for example, the car was hacked. Was it the original embedded digital content of the car or its connectivity, or was it digital content that was added later by a third party under a separate contract? Whereas in the case of the car with embedded digital content, a solution by way of the reversal of the burden of proof appears to be possible, in the case of two separate contracts the consumer would have to pick the right defendant for a claim which is more complicated. The consumer would certainly need to consult an (expensive) expert.


Thus, from a consumer perspective, there are strong arguments not to have different providers of digital content and services related to a car, although this situation could of course be exploited by the seller or the manufacturer of the car through charging higher prices.


5. Remedies


The new directives have, in principle, retained the remedies of the Consumer Sales Directive 1999/44/EC with further concretisation and they have made the hierarchy between the remedies mandatory for the Member States. [58] Moreover, in the context of digitalisation, in the case of goods with digital elements, Article 7(3) SGD and Article 8(2) DCSD have introduced an obligation to ensure that the consumer is informed of and supplied with updates, including security updates, that are necessary to keep those goods in conformity, whereby the details of that obligation differ in accordance with the contractual agreement. [59]


5.1. Remedies under the Sale of Goods Directive


If the car (including its digital elements as well as digital content and service that are incorporated in or inter-connected with goods and are provided with the goods under the sales contract) is not in conformity with the contract, the seller must repair or replace the car, according to Article 13(2) SGD.


5.1.1. Repair


Repairing the car would mean updating the relevant software which the seller probably cannot do but the manufacturer should be able to do. [60] Surely, the seller cannot simply plead impossibility if he cannot repair, i.e. update, the software himself; rather, as Article 7(3) SGD indicates, the seller must ensure the supply of relevant updates to the consumer (by the manufacturer or other third parties). Authors therefore suggest that the seller should try to get the manufacturer to conclude an additional contract with the consumer related to software updates; [61] this does not, however, release the seller from his own obligation.


Ultimately, if the third party, for whatever reason does not supply the required update and the car manufacturer does not either, it will usually be disproportionate for the seller to develop an update himself, and he will have the right to reject repair under Article 13(3) SGD. [62]


5.1.2. Replacement


Whether or not replacement is possible will depend on the nature of the problem. Of course, the seller could replace the whole car, which is of no use if all cars of the same type use the same defective software. The separate replacement of a navigation system that is not deeply integrated with other functions would seem to be possible as there are several systems on the market, whereas the replacement of an integrated parking assistant system may be impossible.


5.1.3. Reduction in price and termination


If the seller fails to repair or replace the car, or rejects to do so, the consumer will be left with the choice between reduction in price and termination of the contract (Article 13(4) SGD), whereby the termination of the contract is only possible where the defect is not considered minor (see Article 13(5) SGD).


What defects are minor has already been discussed under the Consumer Sales Directive, and the Sale of Goods Directive brought no further clarification. In relation to cars, safety-relevant elements, such as defective brakes, or defective software of a brake assistant, for that matter, are not minor. Where non-essential features are at stake, other criteria come into play. In relation to a defective navigation system, the OLG Köln focused on the costs of the navigation system and its repair or replacement in relation to the price of the car. In the case at hand, the costs of the navigation system of 2.390 Euros plus the repair costs exceeded 5% of the purchase price of the car, thus the defect was not considered minor. [63] In contrast, the OLG Düsseldorf considered the defective remote control in the steering wheel of the infotainment system as minor non-conformity as it was still possible to control the infotainment system with a button elsewhere. Therefore, the safety of driving was only slightly affected; as the remote control was of course meant to allow the driver to use the infotainment system without turning his eyes off the road. [64]


The issue was also vividly discussed in relation to defeat devices where the seller, or rather the manufacturer, provided a software update. First instance courts were divided on the matter [65]. Over time, however, courts including those of higher instance leaned towards non-minor classification of the non-conformity, as doubts had arisen about negative consequences of the software update for fuel consumption and other emissions. Moreover, the loss of market value remained with the affected cars. [66]


5.2. Remedies under the Digital Content and Services Directive


The remedies under Article 14 DCSD mirror the ones under Article 13 SGD, whereby digital content can be brought into conformity by way of an update or replacement of the software. Of course, the mere digital content provider cannot be asked to replace the hardware and thus, the car or its components. Otherwise, a reduction in price and termination of the contract come into play, as under the Sale of Goods Directive.


6. Damages

6.1. Damages under sales law


One of the risks related to defective software is the risk of an accident and thus, the risk to suffer damages car beyond the vehicle itself. Like the Consumer Sales Directive 1999/44/EC, the new directives do not cover damages resulting from defective goods, digital content or digital services but leave that issue with Member States. The reason is simply that the laws on damages of Member States differ so greatly that chances to find common ground were considered slim. The most relevant difference relates to fault. For example, English law imposes strict liability on the seller even when it comes to damages in principle; whereas German law is fault-based concerning damages under sales law (even though it is for the seller to prove that he has not acted negligently). [67]


The fault-based system has severe implications. The seller is only liable for the breach of his contractual obligation to deliver goods in conformity with the contract if an ordinary, diligent seller had known of the defect, or discovered it. According to established German case law, however, a retailer that only passes on goods received from the producer or another supplier is under no obligation to examine or test the goods. [68] As long as there is no reason to doubt the conformity of the goods with the usual quality, there is no negligent act. Nor is the seller vicariously liable for actions nor omissions of suppliers, or even the producer, as these are not vicarious agents. [69]


When it comes to embedded or inter-connected digital content or digital services that are related to a car, the seller who is not identical to the manufacturer will rarely ever be liable for damages. [70]


6.2. Damages resulting from digital content or digital services


When damage results from digital content or digital services that are not embedded in the car itself, the question is primarily what type of contract is at stake. In that sense, the old and fierce debates about the contractual classification of digital content and services that enticed the European legislator to introduce a classification neutral system of remedies [71] may well prevail at the national level.


Digital services under the Digital Content and Services Directive would surely be classified as services, where damages are usually fault-based. As to the classification of digital content that is supplied online, the Member States have taken different approaches until now, ranging from sales contracts to service contracts. [72]


But even the classification of the whole package of the good, its embedded software and integrated and interconnected digital content and services as sales law under the Sales of Goods Directive does not necessarily apply to the national regimes relating to damages. In contrast, some of these elements would likely be classified as services for that purpose with the result that liability for the service components could remain fault-based even in Member States that apply strict liability to damages under sales law.


7. The broader perspective


The seller’s liability (with its limitations) is only part of the picture. Where the seller is not liable for damages or when the seller goes bankrupt, as happened to some major car traders in Germany due to the Volkswagen scandal, the potential liability of other actors – the car manufacturers and third parties providing digital content or services – comes back to the fore. The relevant areas of law are product liability law and general tort law, where much is still unclear in relation to digital content and digital services.


In particular, controversy exists surrounding whether or not software is a product in the terms of Article 1 and 2 of the Product Liability Directive 85/374/EEC, [73] and. if it is regarded as a product in principle, whether this also applies where software is transmitted online or only applied remotely in terms of software as a service. [74] This problem has of course been known for many years [75] but the European Commission has still not presented a proposal for an amendment of the Product Liability Directive. [76] At the national level, Member States can apply their product liability laws to software through a concretising implementation of the Product Liability Directive or as an extension of the product liability regime to items that are not covered at all by the Directive. However, many Member States have not taken an express position to the issue yet either.


Beyond product liability law, general tort law provides for a more flexible answer to damages caused by defective software but it is generally fault-based. Moreover, the consumer again faces the problem of identifying the right defendant where multiple players are involved.


8. Conclusions


The Sale of Goods Directive bundles in the person of the seller liability for non-conformity of goods including its embedded digital content as well as digital content and services which are incorporated in or inter-connected with goods and are provided with the goods under the sales contract. This even applies to digital content or a digital service that is supplied by a third party. In the case of cars, this would appear to cover most of the digital content and services. It has the advantage that the consumer has one addressee of their claim who must sort out the problem with the manufacturer or other third parties, although different rules for hardware and digital content and services may still complicate the enforcement of remedies. On the other hand, the consumer does not have a contractual relationship with the third party which may be detrimental when it comes to damages claims. Manufacturers may be included in the contractual relationship via guarantees, which is clearly beneficial for consumers.


Despite the liability risk, it does not seem to be a promising marketing strategy to offer cars with limited digital content and only connectivity for third-party content (thereby decreasing the liability of the seller), as the consumer would seem to prefer to have at least the essential digital content from the same supplier. At the same time, third party digital content seems to increase the risk for the car seller in the case of non-conformity that the seller has not caused In the case of a security gap, for example, the seller must identify the right defendant for a redress claim. Thus, sellers would logically to try to involve the fewest number of third parties, ideally only the manufacturer. Indeed, this is currently the rule as the consumer has limited choice between different service packages provided by the car manufacturer. Other third parties mainly get involved with older cars that were not equipped with relevant digital features when they were produced. [77] This may, in turn, have negative effects on competition between digital content and service providers around cars and therefore on consumers, when it comes to price levels. Thus, the new liability regime may well produce effects on the market structures around smart cars.


* by Peter Rott, Carl von Ossietzky University of Oldenburg

The author would like to thank Christina Kirichenko for valuable comments on an earlier draft.


[1] [2019] OJ L 136/28.

[2] [2019] OJ L 136/1.

[3] See recital (5) SGD and recital (5) DCSD. Another objective is sustainability, which is however less visible in the actual rules; see Klaus Tonner, ‘Die EU-Warenkauf-Richtlinie: auf dem Wege zur Regelung langlebiger Waren mit digitalen Elementen’ (2019) Verbraucher und Recht 363.

[4] See only Peter Rott, ‘German case law two years after the implementation of the Directive 1999/44/EC’ (2004) German Law Journal 237.

[5] See, for example, Alexander Roßnagel and Gerrit Hornung (eds), Grundrechtsschutz im Smart Car (Springer, 2019).

[6] See, for example, Daniela Mielchen, ‘Verrat durch den eigenen PKW – wie kann man sich schützen?’ (2014) Straßenverkehrsrecht (SVR) 81; Thomas Balzer and Michael Nugel, ‘Das Auslesen von Fahrzeugdaten zur Unfallrekonstruktion im Zivilprozess’ (2016) Neue Juristische Wochenschrift 193; Christian Armbrüster, ‘Automatisiertes Fahren – Paradigmenwechsel im Straßenverkehrsrecht?’ (2017) Zeitschrift für Rechtspolitik 83, 85.

[7] See Truiken Heydn, ‘Internet of Things: Probleme und Vertragsgestaltung’ (2020) MultiMedia und Recht 503.

[8] See Regulation (EU) 2015/758 concerning type-approval requirements for the deployment of the eCall in-vehicle system based on the 112 service, [2015] OJ L 123/77.

[9] On the various degrees of autonomy see, for example, Paul T. Schrader, ‘Haftungsrechtlicher Begriff des Fahrzeugführers bei zunehmender Automatisierung von Kraftfahrzeugen’ (2015) Neue Juristische Wochenschrift 3537, 3540; Keri Grieman, ‘Hard Drive Crash’ (2018) JIPITEC 294.

[10] UNECE, UN Regulations on Cybersecurity and Software Updates to pave the way for mass roll out of ‎connected vehicles,

[11] See Elisa May and Justus Gaden, ‘Vernetzte Fahrzeuge’ (2018) Zeitschrift zum Innovations- und Technikrecht 110, 111.

[12] Normally, however, there is no such choice, and the connected services are usually provided by the car manufacturer.

[13] On the legislative history of the demarcation see Jasper Vereecken and Jarich Werbrouck, ’Goods with Embedded Software: Consumer Protection 2.0 in Times of Digital Content?’ (2019) 30 Indiana International and Comparative Law Review 53, 67 f. On alternative proposals by academic authors see Karin Sein and Gerald Spindler, ‘The new Directive on Contracts for the Supply of Digital Content and Digital Services – Scope of Application and Trader’s Obligation to Supply – Part 1’ (2019) European Review of Contract Law 257, 269 ff.

[14] For German law, see for example Heydn, n 7, 508.

[15] COM(2015) 635.

[16] COM(2017) 637.

[17] See, for example, Michael Grünberger, ‘Verträge über digitale Güter’ (2018) 218 Archiv für civilistische Praxis 213, 287; European Law Institute, Statement on the European Commission’s Proposed Directive on the Supply of Digital Content to Consumers (2016), available at, 10. See also the comments of the Dutch Senate of 29 March 2016, Council doc. ST 7757 2016 INIT.

[18] See also Pia Kalamees and Karin Sein, ’Connected Consumer Goods: Who is Liable for Defects in the Ancillary Service?’ (2019) Journal of European Consumer Markets Law 13, 14.

[19] See also Karin Sein, ‘“Goods with Digital Elements” and the Interplay with Directive 2019/771 on the Sale of Goods’ (2020), available at , 3.

[20] Italics added.

[21] See also Tonner, n 3, 367.

[22] See also Sein and Spindler, n 13, 272; Gerald Spindler and Karin Sein, ‘Die endgültige Richtlinie über Verträge über digitale Inhalte oder Dienstleistungen’ (2019) MultiMedia und Recht 415, 416; Sein, n 19, 4; Lea Katharina Kumkar, ‘Herausforderungen eines Gewährleistungsrechts im digitalen Zeitalter’ (2020) Zeitschrift für die gesamte Privatrechtswissenschaft 306, 321.

[23] See also Sein and Spindler, n 13, 272; Spindler and Sein, n 22, 417; Kumkar, n 22, 318.

[24] On the latter situation in the case of Renault cars and navigation systems provided by TomTom see Kalamees and Sein, n 18, 14.

[25] See also Dirk Staudenmayer, ‘Kauf von Waren mit digitalen Elementen – Die Richtlinie zum Warenkauf’ (2019) Neue Juristische Wochenschrift 2889; id., ‘Die Richtlinie zu den digitalen Verträgen’ (2019) Zeitschrift für Europäisches Privatrecht 663, 672 f.

[26] For considerations concerning the right of redress see Vereecken and Werbrouck, n 13, 71 f.

[27] See also Spindler and Sein, n 22, 417; Sein, n 19, 5.

[28] [2008] OJ L 133/66.

[29] A linked credit agreement is defined as a credit agreement where: (i) the credit in question serves exclusively to finance an agreement for the supply of specific goods or the provision of a specific service, and (ii) those two agreements form, from an objective point of view, a commercial unit. A commercial unit shall be deemed to exist where the supplier or service provider finances the credit for the consumer or, if it is financed by a third party, where the creditor uses the services of the supplier or service provider in connection with the conclusion or preparation of the credit agreement, or where the specific goods or the provision of a specific service are explicitly specified in the credit agreement, see Article 3(n) of Directive 2008/48/EC, for the consequences of a linked contract see Article 15 of Directive 2008/48/EC.

[30] [2011] OJ L 304/64.

[31] An ancillary contract is defined as a contract by which the consumer acquires goods or services related to a distance contract or an off-premises contract and where those goods are supplied or those services are provided by the trader or by a third party on the basis of an arrangement between that third party and the trader, see Article 2(15) Consumer Rights Directive.

[32] See Tonner, n 3, 367. The application of free and open-source software, to which the Digital Content and Services Directive does not apply (as Art. 3(1) DCSD requires a price to be paid), is unlikely in relation to cars.

[33] See Staudenmayer, ‘Die Richtlinie zu den digitalen Verträgen’, n 25, 667 f.

[34] See EP doc. A8-0375/2017, 100 f.

[35] See Council Policy Note 9261/18 of 24 May 2018, 4 f.

[36] See also Ivo Bach, ‘Neue Richtlinien zum Verbrauchsgüterkauf und zu Verbraucherverträgen über digitale Inhalte’ (2019) Neue Juristische Wochenschrift 1705. For a thorough analysis of the Digital Content and Services Directive see Sein and Spindler, n 13; id., ‘The new Directive on Contracts for the Supply of Digital Content and Digital Services – Conformity Criteria, Remedies and Modifications – Part 2’ (2019) European Review of Contract Law 365. See also Dirk Staudenmayer, ‘Auf dem Weg zum digitalen Privatrecht – Verträge über digitale Inhalte’ (2019) Neue Juristische Wochenschrift 2497.

[37] For an analysis of the differences see Tonner, n 3, 369; Sein, n 19, 8.

[38] See also Sein, n 19, 6.

[39] On the various ways by which hackers can take control of a car, see Hervais Simo, Michael Weidner and Christian Geminn, ‘Intrusion Detection – Systeme für vernetzte Fahrzeuge – Konzepte und Herausforderungen für Privatheit und Cybersicherheit’ in Roßnagel and Hornung (eds), n 5, 311, 320 ff; Manuela Martin and Kathrin Uhl, ‘Cyberrisiken bei vernetzten Fahrzeugen – (Produkt-)Haftungsrechtliche Fragestellungen im Zusammenhang mit Hackerangriffen’ (2020) Recht – Automobil – Wirtschaft 7, 8.

[40] See, for example, OLG Köln, 12 December 2006 – 3 U 70/06 (2007) Neue Juristische Wochenschrift 1694. See also Jorge Morais Carvalho, ‘Sale of Goods and Supply of Digital Content and Digital Services – Overview of Directives 2019/770 and 2019/771’ (2019) Journal of European Consumer and Markets Law 194, 200.

[41] CJEU, 4 June 2015 – C-497/13 Froukje Faber v Autobedrijf Hazet Ochten BV, ECLI:EU:C:2015:357.

[42] For more details, see Peter Rott, ‘Improving consumers’ enforcement of their rights under EU consumer sales law: Froukje Faber’ (2016) Common Market Law Review 509.

[43] See BGH, 8 January 2019 – VIII ZR 225/17 (2019) Neue Juristische Wochenschrift 1133.

[44] [2019] OJ L 325/1.

[45] See also Benjamin Raue, ‘Haftung für unsichere Software’ (2017) Neue Juristische Wochenschrift 1841, 1843; Sebastian Rockstroh and Christopher Peschel, ‘Sicherheitslücken als Mangel’ (2020) Neue Juristische Wochenschrift 3345, 3348; Thomas Riehm and Stanislaus Meier, ‘Rechtliche Durchsetzung von Anforderungen an die IT-Sicherheit’ (2020) MultiMedia und Recht 571, 573; Thomas Söbbing, ‘Security Vulnerability: Ist eine Sicherheitslücke in einer Software ein Mangel i.S.v. § 434 BGB?’ (2020) IT-Rechtsberater 12.

[46] See also Staudenmayer, ‘Kauf von Waren mit digitalen Elementen’, n 25, 2891.

[47] Another target of hackers may be personal data, see Maria Fetzer and Peter Hense, ‘“Ein Auto, ein Computer, ein Mann“ – Connected Cars zwischen infantiler Vision und Consumer Privacy‘ (2020) Datenschutz-Berater 144.

[48] See Raue, n 45, 1843.

[49] For that latter approach see a recent judgment of OLG Köln, 30 October 2019 – 6 U 100/19 (2020) MultiMedia und Recht 248, although in relation to an inexpensive smartphone. The case was not a sales law case but turned on the question of whether the seller had omitted to give the consumer essential information in terms of Article 7 of the Unfair Commercial Practices Directive 2005/29/EC. See also the critique by Thomas Riehm and Stanislaus Meier, ‘Anmerkung’ (2020) MultiMedia und Recht 250.

[50] See Martin and Uhl, n 39, 9.

[51] For details see UNECE, n 10.

[52] See also Christiane Wendehorst, ‘Die Digitalisierung und das BGB’ (2016) Neue Juristische Wochenschrift 2609, 2612.

[53] LG Düsseldorf, 11 December 2019, 12 O 63/19, available at

[54] OLG Hamm, 2 July 2015 - 28 U 46/15 (2016) Zeitschrift für Datenschutz 230.

[55] See also Sein and Spindler, n 36, 372, who can see „no real policy reason behind that“.

[56] For detailed analysis see Vereecken and Werbrouck, n 13, 73 ff.

[57] Ibid., 77 f.

[58] For details, see Vereecken and Werbrouck, n 13, 78 ff.

[59] For details, see Pia Kalamees, p. 156 in this volume; Robert Schippel, ‘Die Pflicht zur Bereitstellung von Software, Updates and Upgrades nach der Richtlinie über digitale Inhalte und Dienstleistungen (2020) Kommunikation & Recht 117.

[60] See also Schippel, n 59, 119.

[61] See Heydn, n 7, 508.

[62] See also Kalamees and Sein, n 18, 14; Sein and Spindler, n 36, 376.

[63] OLG Köln, n 40.

[64] OLG Düsseldorf, 8 January 2007 – I U 177/06 (2008) Neue Juristische Online-Zeitschrift 601.

[65] See the references in Carl-Heinz Witt, ‘Der Dieselskandal und seine kauf- und deliktsrechtlichen Folgen’ (2017) Neue Juristische Wochenschrift 3681, 3684.

[66] For an overview, see Kolja van Lück, ‘Kaufrechtliche Ansprüche des Käufers im Diesel-Abgasskandal’ (2019) Verbraucher und Recht 8, 10 f.

[67] See § 280 para. 1 BGB.

[68] See BGH, 25 September 1968 – VIII ZR 108/66 (1968) Neue Juristische Wochenschrift 2238.

[69] See BGH, 21 June 1967 - VIII ZR 26/65 (1967) Neue Juristische Wochenschrift 1903; BGH, n. 45, 2239; BGH, 18 February 1981 - VIII ZR 14/80 (1981) Neue Juristische Wochenschrift 1269.

[70] See also Rockstroh and Peschel, n 45, 3350.

[71] See recital (19) DCSD.

[72] See Marco B.M. Loos et al., Analysis of the applicable legal frameworks and suggestions for the contours of a model system of consumer protection in relation to digital content contracts (2011), available at

[73] According to Art. 2 of Directive 85/374/EEC (as amended), product means all movables, even though incorporated into another movable or into an immovable.

[74] For recent overviews of the discussion, see Charlotte de Meeus, ‘The Product Liability Directive at the Age of the Digital Industrial Revolution: Fit for Innovation?’ (2019) Journal of European Consumer and Markets Law 149; Peter Rott, ‘Produkthaftung im Zeitalter der Digitalisierung’ in Anja Hentschel, Gerrit Hornung and Silke Jandt (eds), Mensch – Technik – Umwelt: Verantwortung für eine sozialverträgliche Zukunft, Festschrift für Alexander Roßnagel (Nomos, 2020) 639; both with further references.

[75] See, for example, the 5th Report from the Commission on the application of the Product Liability Directive, COM(2018) 246, 2, and the Staff Working Document Liability for emerging digital technologies, SWD(2018) 137, 9 ff.

[76] For the latest considerations of the European Commission see its Report on the safety and liability implications of Artificial Intelligence, the Internet of Things and robotics, COM(2020) 64; on which see Friedrich Graf von Westphalen, ‘Produkthaftungsrechtliche Erwägungen beim Versagen Künstlicher Intelligenz (KI) unter Beachtung der Mitteilung der Kommission COM(2020) 64 final’ (2020) Verbraucher und Recht 248; Astrid Seehafer and Joel Kohler, ‘Künstliche Intelligenz: Updates für das Produkthaftungsrecht?’ (2020) Europäische Zeitschrift für Wirtschaftsrecht 213.

[77] See, for example, the CarConnect offer by Deutsche Telekom,



Any party may pass on this Work by electronic means and make it available for download under the terms and conditions of the Digital Peer Publishing License. The text of the license may be accessed and retrieved at

JIPITEC – Journal of Intellectual Property, Information Technology and E-Commerce Law
Article search
Extended article search
Subscribe to our newsletter
Follow Us