mrtksn 2 hours ago

This seems to be about liability for injury, not liability in general. It's probably about software that manages critical processes or hardware which might cause physical harm if it malfunctions.

CMIIW, but this appears to be an attempt to clarify who is at fault when a device malfunctions due to a software issue and allow a manufacturer in Czechia to use software from Poland without dealing with differences between Czech and Polish laws and regulations over software.

  • phkamp an hour ago

    That's the entire point of EU directives: The differences should be so small that it will not matter to anybody.

    • mrtksn an hour ago

      Exactly. That's why the red tape and paperwork increased in UK once they left the EU.

      The gist is, there are about ~30 countries that have their own laws and regulations (the exact number differs because it's not just the EU-only thing) and EU swoops in, makes up a regulation and tells all the member states and associated countries to align their laws and regulations with the EU stuff and you end up with 30 or so countries that have about the same laws and regulations instead of 30 very different laws and regulations. As a result, you don't have to deal with the laws of 30 countries - at least that's the idea but AFAIK EU is not unified enough to make this as smooth as desired - yet.

      • rob_c an hour ago

        The only problem is where should this end?

        I'm all for improving trade, improving general cooperation, recycling rules/laws. The EU here did get a little too big with the curvature of a banana being mentioned.

        However, I think a _LOT_ of people start to take issue when you say, "OK we're standardizing the way you vote now", "We're standardizing the way rights are structured in your country", "We now place the EU as a supreme directive with a foreign court on certain issues".

        I can see the appeal, but this has a concerning dark side when it's brought in not through voting, but through treaty and trade in the real-world. Notice how I'm avoiding saying crony-capitalism or alike.

        I wish the EC was more successful in lasting by itself or the EU more flexible and less like a bag of hammers on certain issues which required a soft-touch.

        I'm not a fan of red tape, but less of a fan of 'Brussels' (I'm not being literal) dictating law over a multi-layered legal system with various existing rights and paths to appeal. Hence why I personally voted for Brexit.

        Yes I'm now working with those new laws and red-tape day to day (boy you think industry had it bad look into academia at times), but most of the issues I see come from foreign entities being in denial of Brexit happening and now drafting in draconian laws that look like they're punishing Britain, even if it's just a case of the EU never thought to harmonize EU<->UK relations into 1 concrete set of agreements after the fact.

        (Yes, Boris and alike did NOT help by sitting across the table acting like spoilt children at a birthday party. Not to mention the whole NI thing dominating discussions because the US has some dealings here historically (I'm being polite!) and for some reason dragged them in whenever there was a 'threat to the peace accords'...)

        In summary, I like the idea, I just wish people didn't power-grab under the guise of standardization. (Huh, isn't that Intel with USB3, x86, ... or Apple with lightning, wifi, ...)

        • soco 10 minutes ago

          Let's face it, a lot of people will take issue with _anything_ you'd say, for just about anything you choose as example and for different sets of "a lot of people". So while you are right, I cannot take it as an argument for either way. It's just the human nature and by extension the nature of democracy. It's also human to have sometimes leaders looking like acting irrationally, although they are very rational following their own goals which not always overlap with their voters and even less with their non-voting citizens. The only thing I don't approve in your text is blaming the others for not delivering something according to my taste. Like, if I'm not in the EU, there should be zero expectation that the EU does something I like.

        • mrtksn 32 minutes ago

          Brussels doesn't dictate any laws, member countries send elected and appointed people to Brussels then those people come together and agree on what to do and how to do it together and publish the directives like this one.

          Countries like UK don't have a say on it anymore because they left the organization. EU doesn't impose any red tape over UK, it's just that if a British company wants to trade with EU needs to prove that they are doing it in accordance with the trade agreements with EU and that their products meet the EU standards.

          For example, the UK companies will need to prove that the product that they sell in EU is mainly made in UK and not just an import from China (EU doesn't want UK to be hub for circumvention of trade deal, if China wants to sell stuff to EU they should do it with EU-China trade deals), then they will need to prove that their products meet the EU standards (EU doesn't want to import products that don't meet EU standards. Since UK is no longer a member, they can produce products that don't meet the EU standards and as a result UK companies need to prove that they meet EU standards).

          That's why there's so much red tape and paperwork, this is to allow UK not to produce their stuff in accordance with the EU regulations and sign their own trade deal. For example, UK is now free to import chlorinated chicken from the USA and lead-paint from China if that's what they want or in less cynical words, UK is free to trade with the rest of the world in their own terms. That was one of the core promises of Brexit anyway and it was delivered.

          Ps: banana curvature thing is a Euromyth[0].

          [0]https://en.wikipedia.org/wiki/Euromyth

phkamp 3 hours ago

EU countries have 2 years to legislate the national implementations.

FOSS exemption but only for "outside commercial activity" - whatever that will mean.

I guess that guy in Nebraska is safe, but not so sure about my own one-man company.

ApolloFortyNine 2 hours ago

> In order not to hamper innovation or research, this Directive should not apply to free and open-source software developed or supplied outside the course of a commercial activity, since products so developed or supplied are by definition not placed on the market. Developing or contributing to such software should not be understood as making it available on the market. Providing such software on open repositories should not be considered as making it available on the market, unless that occurs in the course of a commercial activity

Can't this wording easily be interpreted that commercial entities publishing open source software counts as a commercial activity? Wouldn't that kill corporate sponsored open source overnight? You could even argue Redhat (IBM) would be responsible for every user of any of their linux kernel patches/services no?

If not, what does this wording actually apply to?

  • phkamp 2 hours ago

    That guy in Nebraska from the XKCD comic is probably safe.

    I'm not convinced that my one-man company is, since I derive most of my income from FOSS software.

    But that seems quite fair to me.

    • ApolloFortyNine an hour ago

      Only now every user of the software in Europe has recourse to sue you if you make a mistake, instead of just your paying customers.

      Your total liability went to infinity overnight (in 2026 anyways).

      > I'm not convinced that my one-man company is, since I derive most of my income from FOSS software.

      It's a bit of a problem that it's hard to even tell as well.

      • TeMPOraL 23 minutes ago

        > Only now every user of the software in Europe has recourse to sue you if you make a mistake, instead of just your paying customers.

        Only if they somehow directly got it from GP, through some kind of commercial thing. I doubt downloading stuff from Github for personal use qualifies.

        The way I read it, this directive wants to ensure that for any digital product sold on the EU market, there exist some entity that can be sued in EU jurisdiction; within the Union, that would be the vendor; outside - a vendor representative, or an importer. Which is a perfectly reasonable expectation to have, and it's how it mostly works with physical goods and services (aliexpress notwithstanding).

yread 2 hours ago

Who will be liable for "defective" directives and regulations? I would like to sue someone for all the wasted time and effort around cookie popups.

  • AlexandrB 2 hours ago

    While I don't like cookie popups, I prefer them to the alternative - websites silently tracking me however they wish.

    If the industry didn't want cookie popups, perhaps they should have respected the DNT header[1].

    [1] https://en.wikipedia.org/wiki/Do_Not_Track

    • diego_sandoval 2 hours ago

      If you don't like cookies and don't want to be tracked, perhaps you should disable all cookies in your browser.

      It's really simple, you'll get no more cookies ever. That tracking vector is totally disabled and you have full control over it. There's absolutely no need for a cookie banner for a person to be free of cookies.

      https://support.mozilla.org/en-US/kb/block-websites-storing-...

      • KingOfCoders 2 hours ago

        Which isn't helping [0], cookies are just a more convenient shortcut for fingerprinting, and GDPR is not against cookies but tracking and profile building so prevents those too. The removal of cookies by the majority of people would bring up "Fingerprint banners"

        [0] "Yes! You are unique among the 2926891 fingerprints in our entire dataset." https://amiunique.org/fingerprint

        • maples37 an hour ago

          Ironic that this site, attempting to raise awareness about online privacy issues, has a cookie banner...

  • phkamp 2 hours ago

    Cookie pop-ups is a clear case of "malicious compliance" and I guess all spying companies hoped they could make it so annoying that citizens of EU would revolt or something.

    Didn't work, instead many more people (at least here in EU) are now aware how bad the spying has become.

  • master-lincoln 2 hours ago

    It's easy: if you as a website owner transfer personally identifiable information to a third party and it's not strictly necessary to provide your service, then you need consent from the user.

    If you would refrain from sharing that info, you wouldn't need to ask for consent. There is no law that asks for cookie popups.

    • KingOfCoders 2 hours ago

      Yes, e.g. there is no law for cookie popups, you can use cookies without consent if you use cookies say for session handling.

    • benob 2 hours ago

      I would like more sites asking consent when passing info to a 3rd party becomes necessary (in relation to a requested service, like when you use location services in a phone app, for example) instead of asking for bulk consent for the whole site visit.

    • someplaceguy 2 hours ago

      Even the EU's own official web portal [1] has a cookie pop-up that covers half the screen of my mobile phone when I visit it.

      [1] https://europa.eu/

      • KingOfCoders 2 hours ago

        Probably built by a web agency who added tracking, perhaps even GA, so there was need for a cookie pop up banner. Why that website would need tracking and profiling is beyond me.

        • tensor 2 hours ago

          I think every website should understand how and by who their website is used. I don't consider this "spying." If you walk into a brick and mortar store the shopkeeper has every right to count that you came in, and watch where you go in the store to optimize it. The web should be no different.

          Fortunately there are in fact cookieless analytics systems that people can use to get this information while not being required to have the stupid cookie popup.

          • KingOfCoders an hour ago

            "I think every website should understand how and by who their website is used"

            1. You don't need cookies or profiling for that - use Simple Analytics et al.

            2. You can ask for my consent, but you can't profile me against my will

            3. A brick and mortar store does not profile me without my consent.

            • tensor an hour ago

              Yes, a brick and mortar store can absolutely profile you without consent if they wished, and so can a website. The only condition is not collecting PII.

              • KingOfCoders an hour ago

                Difficult, they try from time to time, then they get fake email addresses and fake zip codes in their database.

                (Not using loyalty cards or CCs)

    • t0mas88 2 hours ago

      Your first paragraph describes GDPR, which does not require cookie popups.

      But there is also the e-privacy directive (older than GDPR) that does require a cookie popup for any cookie not strictly required to deliver the service. Regardless of whether it tracks PII. So this also applies if for example you only want to know whether someone is a returning visitor or a new visitor without storing any identifier.

  • speeder 2 hours ago

    The worst cookie pop-ups come from a Florida company, that is hell-bent on punishing the whole internet for not allowing them to invade privacy.

    They not only do some shoddy attempt of malicious compliance, they don't even do it actually right, for example EU law says if you have an accept all button, you must have a reject all button, but they don't do that.

    Also the law doesn't give an exception for "legitimate interest", yet when you open their menu to disable manually everything (that by the law, should be disabled by default, except cookies essential to keep the site working), they have a bunch of random tracking cookies enabled because it is "legitimate interest". I think the only reason they weren't sued out of existence yet, is because it is a US company, thus they don't have to actually follow EU laws or something. (or they act like that, at least, I am not a lawyer).

    EDIT: linkedin link to the offending company: https://www.linkedin.com/company/getadmiral/

    • pkaye 21 minutes ago

      Is there a requirement in the EU laws that the popups need to be in a specific language? I've seen plenty of websites in the EU that use a non-English language in the popup and there is no option to switch to another language to understand what you are agreeing to.

  • Etheryte 2 hours ago

    Websites don't have to show cookie popups, unless they want to track you, gather or sell data on you, etc. The issue here lies with the websites, not with the legislation.

  • rwmj 2 hours ago

    There's no rule requiring cookie popups.

  • ApolloFortyNine an hour ago

    People here love them but it's become the same as just about every ToS. No one reads them, you just bash whatever button lets you get to the page.

    The EU essentially mandated popups.

  • freehorse 2 hours ago

    Sue the companies that design or use these anti-user cookie pop-ups.

  • mrtksn an hour ago

    It's the politicians, that's why vote them in and out every few years.

devnull3 2 hours ago

Who decides the definition of "what was supposed to work" in the context of a given software product?

There are times when a feature is used in a way which was not intended by the developers. Now do the developers have to publish their test scenarios?

What if the bug is in 3rd party library? Add to it the complexity of open-source code.

  • gwbas1c 2 hours ago

    > What if the bug is in 3rd party library?

    It will probably be similar to when a physical product is defective because of a faulty 3rd party component.

    More importantly, as a professional software developer, the testing of my product should find problems in 3rd party components. If I chose poorly and the 3rd party component doesn't do what it's supposed to do, that's my responsibility. I can't just slough it off onto someone else.

  • Etheryte an hour ago

    The EU has two primary types of legislation, regulations and directives. There are other things such as recommendations etc, but those are usually pretty clear from their name, so I'll exclude those from the explanation. A simple way to think about a regulation is essentially an EU-wide law, it applies the way it was written in Brussels across all of EU. Directives, that's the one in the article, are more like interfaces. They're a guideline of goals to achieve, and every country must implement their own version of the directive.

    Why do directives even exist? Because the legal landscape can be widely different between EU countries. Directives give every country flexibility in implementing them in a way that is consistent with the way their laws work, existing precedents, etc. The downside is obviously that the implementations will somewhat differ from country from country.

    This means that unless the implementations between countries are fairly consistent, the definition of what working as intended means will vary from country to country.

  • phkamp 2 hours ago

    In the end, a court of justice (in EU, not in USA!) does.

    It's not a bad first approximation to expect courts in EU to be very sensible and fair.

  • gwbas1c an hour ago

    > There are times when a feature is used in a way which was not intended by the developers. Now do the developers have to publish their test scenarios?

    I think the vendor will need to be a lot more clear about what the supported use case is; and what use cases aren't supported.

smackay 2 hours ago

Interesting to see from the press release that Right to Repair is being cracked down upon:

> When a product is repaired and upgraded outside the original manufacturer’s control, the company or person that modified the product should be held liable.

Will we see companies sue repair shops or compatible component manufacturers in order to prevent potential injury to their customers? Interesting times.

  • phkamp 2 hours ago

    EU has been pretty vocal about "Circular Economy" and also the right to repair for ages, so I do not expect a bona-fide repair job brings anybody in legal trouble.

    But conversely: Should the original manufacturer be responsible if somebody installs hacked-up "performance" software in a car ?

    Of course not!

  • gbanfalvi 2 hours ago

    Why would companies do that? They won't be held liable once it's modified.

    • kroolik 2 hours ago

      So they have the monopoly on repairs

mikece 2 hours ago

So this means it will be easier/possible to sue developers/companies for defective software? How is this anything other than a cash grab by lawyers?

  • phkamp 2 hours ago

    There's something called "The American Rule" which sets USA apart from pretty much the rest of the world.

    In USA, win or lose, each party pays their own lawyer.

    This is why USA has lawyers often work on "contingency" where they nominally work for free, but receive a large fraction of any settlement or award if the case is won.

    In the rest of the world, and specifically in EU where this applies, the loser pays the winner's (reasonable) legal fees.

    Not saying that lawyers are not greedy in EU, but not in the way USAnians are used to think about lawyers.

    So no: This is genuine consumer protection.

graemep 2 hours ago

Is the exemption for open source adequate? There are clear exemptions for non-profits and source distribution, but what about things such as FOSS distributed as binaries in commercial Linux distro repos?

  • phkamp an hour ago

    Doesn't the word "Commercial" in "Commercial Linux distro" answer that?

beretguy 2 hours ago

Will this prevent shut downs of games that rely on central server, like what happened to The Crew?

  • phkamp an hour ago

    If you look at page 51 it says:

    2. […] an economic operator shall not be exempted from liability where the defectiveness of a product is due to any of the following, provided that it is within the manufacturer’s control: (a) a related service; (b) software, including software updates or upgrades; (c) a lack of software updates or upgrades necessary to maintain safety; (d) a substantial modification of the product.

    Not sure if (a) or (d) would be more applicable, but I think it would be covered ?

gwbas1c an hour ago

Honestly, it's about time. I've paid for so many things that fail because of defective software, and had limited or no recourse.

As a result, software companies are incentivized to make software full of hardly-used features with limited testing; because there are no consequences when software doesn't do what the claim is.

cynicalsecurity 2 hours ago

I wonder if CrowdStrike's fiasco played a role in this.

  • phkamp 2 hours ago

    I've talked to various people over the last couple of years, and it seems Colonial Pipeline was the big eye-opener for politicians in USA: Nobody could be sued, even though they were aware of the problems.

    In EU I've heard more about ransomware in general and the behavior of Microsoft and Oracle in license negotiations and "audits" in particular.

    But the overall tenor is that politicians have had it up to here with the IT industry's "What me worry?" attitude to quality, responsibility and liability.

  • Muromec 2 hours ago

    You greatly overestimate the speed at which bureaucracy moves.

  • bubblesnort 2 hours ago

    You have no idea how slow governments are.

hggigg 2 hours ago

I hope the EU are liable for software that they make defective by their own security legislation.

Muromec 2 hours ago

So I can't just blame my bullshit on "the computer" or say that AI ate my homework and have to own it? Terrible times. Next thing, evil bureaucrats will then make me actually care and own broken accessibility.

jmclnx 2 hours ago

I wonder if this will speed up the push to "renting" software as opposed to buying it.

By that I mean, in order to use any software product, you will need to phone home and what you do is logged on a server. This way, the vendor may be able to find a way to blame you for a violation.

  • phkamp 2 hours ago

    I hate to admit it, but the EUrocrats who drafted this are smarter than that:

    All software is covered, sold, licensed, embedded, rented.

    Even the cloud services tied to products are covered.

    • fh973 2 hours ago

      Yes, but only B2C.

  • rwmj 2 hours ago

    Why would renting software be any different? If you rent a defective car, the company that rents it to you is still liable.

    • jmclnx 2 hours ago

      Now (or at one time), you could buy Microsoft Office and use it without an internet connection.

      With this, maybe that option will be gone, companies can blame the EU for requiring an internet connection and the user is stuck being logged/spied on agreeing to this via an EULA.

      • phkamp 2 hours ago

        A company cannot exempt itself from product liability with an EULA.

        Cloud services are also explicitly mentioned as covered.

      • csdreamer7 an hour ago

        This is an absolutely terrible argument. So much shrinkwrapped software phones home these days well before this law. MS Office has required it for years! Look up MS Office XP (2001).

      • rwmj 2 hours ago

        In your imagination maybe.