The Millennium Bug and Product Liability
The millennium bug may well give rise to some claims in strict product liability under the Consumer Protection Act 1987. This article considers the likelihood of success of such claims. It concludes that, as the Act only applies to products supplied within ten years of the harm being caused, claims relating to products supplied within the last ten years are likely to succeed as the risk of the millennium bug was known by 1990. The development risks defence therefore would seem to have no application. Indeed it is suggested that the defectiveness standard is a more appropriate mechanism for determining whether it is just to impose liability and there seems no reason why liability should not be imposed for the millennium bug. Indeed this may be one instance where there is a difference between liability in negligence and strict liability, since exceptionally some producers might be able to argue they acted reasonably in marketing a non Y2K compliant product.
Keywords: product liability, millennium bug, development risks.
This is a Refereed Article published on 30 June 1999.
Citation: Howells G, 'The Millennium Bug and Product Liability', 1999 (2) The Journal of Information, Law and Technology (JILT). <http://elj.warwick.ac.uk/jilt/99-2/howells.html>. New citation as at 1/1/04: <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_2/howells/>
The turn of the millennium promises to be a difficult time for consumers. Not only will hotels and restaurants hike their prices, but many consumers may also be affected by the millennium bug. This may, if not resolved, cause, inter alia, financial records to be lost or become confused and domestic appliances, like videos and burglar alarm systems, to malfunction. These issues raise interesting questions of financial services and sale of goods law. However, this essay will not consider these issues (for discussion of the issues relating to sale of goods see Bradgate (1999)), but rather will concentrate on the possibility of serious personal injury resulting from the millennium bug and the resulting legal consequences.
Millennium bug induced damage could arise in numerous ways. An aeroplane could have a non-Y2K compliant component, or more likely air traffic control equipment could have bugs. Medical equipment could contain millennium bugs. Electricity supplies could go crazy. The possibilities are numerous and scary and the technical issues are better understood by others than myself. However, the chance of wide scale chaos should be limited if adequate compliance strategies are put in place, at least by the strategic industries. Nevertheless, it is likely that some personal injuries will be caused by products containing millennium bugs. Claims may of course be based on contract or negligence. However, my concern will be to consider to what extent the strict liability regime introduced by the European Product Liability Directive will provide redress.
My strategy will be to first sketch out, in section 2, different phases in the knowledge of the Y2K problem in order to use these as yardsticks by which to judge liability. Section 3 notes that for claims under the Directive this issue of knowledge may be of little practical relevance as the Directive will, in any event, only provide redress for products marketed after 1 January 1990 by which time the producers should have been aware of the problem. In section 4, products with millennium bugs will be tested against the defectiveness standard. It will be argued that this standard provides as good a mechanism as possible for allocating risk. Section 5 considers the impact of the development risks defence, which is intended to provide a defence for producers who could not have known of the risk posed by their products when they marketed them. Section 6 addresses the issue of which party in the supply chain should be sued. Finally, some conclusions are drawn in section 7.
In theory one of the characteristics of strict product liability should be that it judges the condition of the product rather than the behaviour of the producer. This should mean that the producer's knowledge of the millennium bug problem is of little relevance. However, we shall see that both in applying the defectiveness standard and the development risks defence the question of knowledge can play a key role. For the purpose of this essay it will be assumed that those in the computer industry who needed to know of the millennium bug problem had (or should have had) the relevant knowledge by 1990 (the significance of this date is explained in section 3). Indeed as a similar problem arose in some earlier computers over the change of decades it is probably correct to surmise that those in the computer industry should have been aware of this problem from a much earlier time.
In trying to determine whether risks should have been taken account of there are at least three perspectives that need to be assessed. There is the factual knowledge of the risk, access to that knowledge and acceptance of the risk. Furthermore there then arises another set of issues as to the use to which that knowledge should be put. To what extent should this new knowledge affect the product design, warnings and instructions, bearing in mind the impact of such changes on the product's utility and any increased costs?
Few risks are completely new discoveries. Most could have been discovered if one had thought to piece together the available knowledge and data. However, for so long as these connections have not been made we can say that the risk was at the pre-discovery stage. However, at some point a risk is discovered. We shall call this the discovery stage. Some discoveries are so obvious that they are accepted as being correct straightaway. However, many new discoveries are not accepted automatically for they may challenge traditional thinking or require verification. Some discoveries may at first be viewed as heretical by mainstream science and only gain minority support. Over time this new knowledge may become accepted by the majority and eventually, for discoveries which become part of the accepted knowledge, there comes a point when the discovery arrives at the recognition stage. At this stage those who argue against the 'new' discovery are themselves treated as being on the fringes of the scientific community.
During the pre-discovery stage industry cannot of course be expected to know of or take such risks into account. This does not mean that liability should not be imposed for unknowable risks. There have been some US decisions which take this line, (Beshada v John-Manville Products Corpn (1982), but this is not likely to be the position under current US law (ALI; 1997) and it is not the case in Europe, certainly where the development risks defence is available.
The earliest point from which the most strict liability regimes begin to bite is at the discovery stage. Once a risk has progressed to the recognition stage then even a negligence regime would expect a producer to take account of the risk. One difference between negligence and strict liability is therefore the extent to which producers must take account of risks before the recognition stage. Where could liability bite between the discovery and the recognition stage? It depends upon what view is taken of (i) the need for knowledge of the discovery to be disseminated, and (ii) for the discovery to be accepted as valid. It is important to note that how legal systems answer these questions reflects the particular form of strict liability they wish to have. (Terry N; 1991)
Regarding dissemination, simply telling colleagues about the discovery may not be enough. Presenting the research at a conference may not even be enough, especially if the proceedings are not made public. It is more likely to be sufficient if the research has been published in some form. Although the issue of accessibility of the publication may arise and this is likely to turn upon the language and breadth of circulation of the publication. If all this sounds more like negligence than strict liability, then please do not shoot the messenger.
We shall see that the level of dissemination required before liability is imposed under the strict liability regime of the EC Directive may be roughly equivalent to that under a negligence regime. The difference between negligence liability and the form of strict liability introduced by the EC Directive may lie in the level of recognition of risk that is required. Under a negligence regime a producer would not be liable if he failed to take into account risks so long as others in the industry took the same approach, (Bolam v Friern Hospital Management Committee (1957)) so long as they were not behaving wholly unreasonably (Bolitho v City and Hackney Health Authority (1997), see also Rowland (1999)). Under a strict liability regime one can imagine a producer being liable for risks once proven knowledge of them was accessible to him, even if when first published this knowledge was viewed as heretical or had been otherwise criticised.
Of course there are lots of nuances, but it might be useful to imagine a continuum showing the various stages at which liability might be imposed. The following staging posts could be imagined:-
1. Pre -discovery stage (unknowable risks),
3. Post-discovery stage - dissemination - minority opinion.
4. Post - discovery stage - dissemination - majority acceptance (but minority disagree for valid reasons).
5. Recognition stage.
Whereas negligence would only impose liability at stage 5, we shall see that the EC Directive will certainly impose liability at stage 3. However there remain many debates about what is adequate dissemination and indeed about whether dissemination is a proper condition of liability.
It should not be overlooked, however, that just because the EC Directive will require producers to take account of risks at an earlier stage than negligence, it does not follow that all products containing that risk will be defective, for the Directive's defectiveness standard itself contains the notion of acceptable risk. Negligence and strict liability regimes might of course be expected to handle risks in different ways. Negligence regimes typically consider it reasonable to market goods which pose risks to safety so long as the benefits outweigh the risks. A strict liability regime could impose liability even for reasonable risks, but again as with unknowable risks, we shall see that most strict liability regimes are in fact quite conservative and do not impose liability for reasonable risks. This is despite the fact that imposing strict liability for unknowable and reasonable risks could be seen to be in line with many of the relevant rationales i.e. risk spreading, loss distribution, cost internalisation. The point will be returned to that the defectiveness standard itself provides a flexible means of ensuring fair results in a way which balances the desire to compensate the individual against the wish not to strangle useful and innovative industries without the need to resort to a development risks defence.
The discussion of knowledge of risk in the last section is important, because one of the key issues in any product liability claim is likely to be when the millennium bug problem was first discovered/made public (to bring strict liability claims) and when it was first generally recognised as something that responsible businesses should address (to bring negligence claims). However, such claims are only viable if there is an action that can be legally brought. In this respect it is important to remember that actions under the Product Liability Directive are only possible in respect of products supplied after the implementing legislation came into force, which for most member states was 1988. Even more significantly, it should be remembered that the Directive bars actions ten years after the product was supplied (Article 11). As damage within the context of the Product Liability Directive can only occur when the bug causes personal injury or property damage when things go wrong on 1 January 2000 - the cost of preventive action would most likely be deemed economic loss and outside the scope of the Directive - this means that no claim under the Directive can be brought for products supplied before 1 January 1990. As most commentators seem to suggest that the millennium bug was widely recognised as a problem by this date, much of what follows may seem to be of little practical impact. However, it may be relevant if parties contest when the issue became public knowledge, and will be useful in the context of other jurisdictions which do not have the ten year bar and where older products may give rise to debates about the state of knowledge when the product was marketed. It is possible that actions in negligence will be brought if a strict liability claim is time-barred. It will be argued that for a strict product liability claim it should be sufficient that experts had appreciated that there was a problem that needed to be addressed. The fact that this knowledge may have remained within the technical world and had not seeped into the consciousness of wider sections of industry until a later date may be an issue in a negligence action, but should not assist in the defence of a strict liability product claim.
Art. 6 of the Product Liability Directive provides that:
'1. A product is defective when it does not provide the safety which a person is entitled to expect, taking all the circumstances into account, including:
(a) the presentation of the product;
(b) the use to which it could reasonably be expected that the product would be put;
(c) the time when the product was put into circulation.
2. A product shall not be considered defective for the sole reason that a better product is subsequently put into circulation.'
The Product Liability Directive therefore judges the product by the standards prevalent when it was marketed. The relevant safety expectations are those of the time of marketing, rather than those which prevailed when damage was suffered. Clearly we would not expect a product sold today to contain millennium bugs, the question is would we have accepted these at the time the product was originally sold? This is different from the development risks defence, to be considered in the next section. That defence assists the producer of a product that did not meet the safety expectations of the time of marketing, because of risks the producer could not reasonably be expected to have knowledge of at that time. In contrast, within the definition of defectiveness there is an inherent acceptance that safety is a relative and developing concept and so products should not be treated as defective simply because safer alternatives are later developed, so long as the product complied with the state of the art at the time of marketing. Naturally, continuing to market the same product would lead to liability, once safer alternatives had been developed. Equally it should be noted that whilst the development of safer products should not lead automatically to the conclusion that the product was defective, it is nevertheless possible to lead evidence of subsequent improvements to suggest that the product could have been designed in that way when originally marketed.
However, the Product Liability Directive's defectiveness standard provides a far more general shield to producers than one based upon the changing state of the art. It does not impose liability simply because a risk associated with a product materialises and causes harm. A product need not be absolutely safe; it must only provide the safety that a person is entitled to expect. The definition is circular and does not greatly assist in determining what safety the consumer is entitled to expect.
There are two general approaches to the interpretation of the Product Liability Directive's defectiveness standards. One focuses on the consumer, the other on the producer. Plaintiffs are likely to favour an interpretation that seeks to ask what expectations can consumers legitimately expect? Taking their lead from the General Product Safety Directive's definition of a safe product, consumers might reasonably expect products 'not [to] present any risk or only the minimum risks compatible with the product's use'. The presence of the millennium bug would seem clearly to infringe this as the bug presents a risk which is not one that is in any way incidental to the product's use. A more generous interpretation to producers is to read into the definition an assumption that consumers can only expect producers to behave reasonably. As one US court has put it:
'In considering the reasonable expectations of the ordinary consumer, a number of factors must be considered including the relative cost of the product, the gravity of the potential harm from the claimed defect and the cost and feasibility of eliminating or minimising the risk'. (Seattle-First National Bank v Tabert (1975; p. 779))
The producers might counter that they used a two figure date code in order to save memory at a time when this was expensive and that consumers would not have expected them to have done otherwise, because this would have dramatically forced up the price of the product. Indeed they might say that they thought these products would be obsolete by the turn of the century and could not have foreseen that the reason why many are still in use was because the pattern became one of adding on to existing computers rather than replacing them. However, against this it could be argued that the cost of eliminating the millennium bug, once recognised, is minimal in comparison to the now apparent risks. Whilst I would still argue a product containing the millennium bug is defective the more substantial point is that the defectiveness standard provides an adequate forum to air the issues.
The next section considers the development risks defence. I am critical of this defence, partly because I believe the general defectiveness standard (despite its problems) provides a better framework within which to assess products and provide relief for innovative products whose development should not be hampered by product liability laws. If one was dealing with an unknown risk i.e. with a product marketed before anybody had even contemplated the problem, then it might be possible to argue that, at that time, consumers could not expect the products sold to have contained protection against the change of date to 1 January 2000. This could be justified on the basis of protecting a fledgling information technology industry. This argument is not very convincing, however, for, if they had been asked, consumers would probably not have been satisfied at being exposed to danger by the change of date at the end of the millennium. The risk was great and there was no difference in utility between a product that was Y2K compliant and one that was not. Moreover, one should be careful about limiting liability for industrial sectors simply because the exposure is likely to be great. If the whole industry was threatened with collapse that might be a different matter, but, as industry has been given sufficient notice of the problem, firms can take steps to remedy any problems and so the burden of product liability will only fall on those that have not reacted diligently to knowledge of this new risk. Whatever one's view of how the matter should be decided, the important point can be made that the defectiveness standard itself provides a balancing mechanism for producing a just solution, which can take due account of producer arguments, without having to invoke the development risks defence.
The EC Directive provides a defence for a producer where 'the state of scientific and technical knowledge at the time when he put the product into circulation was not such as to enable the existence of the defect to be discovered' (article 7(e). The Consumer Protection Act 1987, by contrast, provides a defence where 'the state of scientific and technical knowledge at the relevant time was not such that a producer of products of the same description as the product in question might be expected to have discovered the defect if it had existed in his products while they were under his control.' This seemed to be more generous to producers by introducing as the touchstone of liability the concept of expectation of discovery rather than the fact of discovery and by making this assessment in the light of the producer's peers in the same sector.
In infringement proceedings brought by the European Commission against the United Kingdom because of the wording of its development risks defence the European Court of Justice found the Commission had not proven its case. This is not quite the same thing as finding the United Kingdom to be in compliance, but, nevertheless, in Commission v United Kingdom (1997) both the Advocate-General and the Court gave important indications about the scope of the defence.
On the one hand the Court's interpretation of the defence is rather stringent. For instance, the Court stressed that the defence could not be satisfied simply because the standard precautions in the industrial sector in question had been complied with (paras 26 and 36). It also stressed that it was concerned with the most advanced knowledge, and this presumably includes knowledge which later turns out to be correct even if at the time it was doubted (para 27). However, the Court added the gloss that this knowledge must have been accessible (paras. 29-30). The Advocate General talks of producers not being expected to know of the research of a brilliant Asian researcher published only in Chinese, for whilst 'state of knowledge' must include all data in the information circuit of the scientific community as a whole, this must be read in the light of a reasonableness test based on the actual opportunities for the research to circulate (paras. 23-24). The Court's interpretation would therefore seem to protect the producer until stage 3 as listed in section 2 above. In other words, the producer would not be able to use the defence once the discovery had been disseminated regardless of whether the risk was generally accepted as valid at the time of dissemination.
With respect to the millennium bug, it seems that there would be no room for the development risks defence to provide a defence to producers. By 1990 - the earliest date from which liability can ensue - the millennium bug was known of and fairly widely discussed, at least in the technical literature. The fact that some people did not know of it (or even some sectors) would not seem to help, for the Court clearly favoured an objective approach to liability and would not be willing to see the subjective elements in the United Kingdom law given prominence.
The EC Product Liability Directive offers a number of options as to potential defendants. Producers, own-branders and importers into the EC are all potential targets as well as suppliers if they fail to inform the injured party within a reasonable period of time of their own supplier or the producer/importer. However, to keep matters simple we will assume that it is the producer who is being sued. It is important to remember that the Directive defines the producer as both the manufacturer of a finished product or the manufacturer of a finished product (article 3). As many millennium bug problems will result from a component containing a chip malfunctioning there will therefore be two potential producers to sue - the producer of the component and the producer of the finished product. Component manufacturers do have a specific defence where the defect was attributable to the design of the product in which the component has been fitted or to instructions given by the manufacturer of the product. It would not seem likely that this defence would be applicable since the final product manufacturer is most unlikely to have asked for a non-millennium compliant component. Even if there had been a conscious decision to only use two date digits to save money this would most likely be a decision taken by the software firm rather than the company they were supplying.
Both the producer of the final product and the component are therefore likely to be liable. They will both certainly be liable for consequential personal injury and product damage caused by the product malfunctioning due to the millennium bug. However, neither will seemingly be liable for the damage to the product itself. This results from art. 9 which defines 'damage' to include 'damage to, or destruction of, any item of property other than the defective product itself'. In the case of the liability of the final supplier this is a straightforward application of the distinction between products liability and liability for the quality of products under sales of goods law. In the case of the component manufacturer this throws up an anomaly, for the component does cause damage to a product other than itself i.e. the final product, but this does not seem to be covered. For the purposes of damages the product is treated as being one final product, even though 'product' is defined in art. 1 of the Directive as 'all moveables...even though incorporated into another movable...or into an immovable.' Therefore whilst producers of component parts are classed as producers in their own right, the only product is the final one.
If a product, put into circulation after 1 January 1990, causes personal injury, death or property damage, there will almost certainly be a claim in strict product liability (as introduced by the EC Directive); the millennium bug problem was known of by that time and, since it is a fairly easy design fault to remedy, consumers would expect to be protected against it. This may be one instance where the move to strict liability (even with a development risks defence) from negligence may make a difference. Some sectors might be able to avoid a negligence claim by arguing that they behaved reasonably in marketing products that were not Y2K compliant until such time as the danger became widely recognised and the need to act was appreciated by their sector. It might even be possible to argue that for some sectors this date was after 1990. However, one suspects that the courts would in any event be quite demanding in their application of standard of reasonable care, so the difference between strict liability and negligence may in fact be more theoretical than real.
On a more general level it is instructive to note that the general issues of imposing liability for an unknown risk or one which it might be argued was reasonable to expose the public to can be adequately handled within the framework of the defectiveness standard itself. When applying the defectiveness standard a wider set of policy issues can be addressed and balanced than is possible under the development risks defence. This is a good reason to simplify product liability law by removing the development risks defence. The European Commission has promised a Green Paper on products liability in the autumn and removal of the development risks defence should be at the centre of those discussions.
Bradgate R (1999) 'Beyond the Millennium: The Legal Issues, Sale of Goods Issues and the Millennium Bug' Journal of Information, Law and Technology (JILT) 1992 (2). < http://elj.warwick.ac.uk/jilt/99-2/bradgate.html>
Rowland D (1999) 'Negligence, Professional Competence and Computer Systems' Journal of Information, Law and Technology (JILT) 1992 (2). <http://elj.warwick.ac.uk/jilt/99-2/rowland.html>
1. This paper was presented at the Seventh International Conference of the International Association for Consumer Law, The Consumer in the Globalised Information Society, Helsinki, 20-22 May 1999 and will also be published in a book based on the proceedings of that conference. The author would like to acknowledge the helpful comments he received on that occasion as well as the views of the guest editor (Diane Rowland) and an anonymous referee of this Journal.
2. Council Directive 85/374/EEC on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products: OJ 1985 L210/29. This law has been implemented in the United Kingdom by the Consumer Protection Act 1987. There are some minor differences between UK and EC law, but the focus will be on EC law as that allows us to consider the main principles and also makes the article more accessible to an international audience.
5. I have suggested elsewhere that the different attitude to consumer expectation standards in the US and Europe might be explained by US juries being more likely to take the consumer perspective and ask whether they would have expected to be harmed in that way by the product, whilst European judges are more likely to look at the test from the producer's perspective and ask how safe can consumers reasonable expect producers to make the product? See Howells and Mildred (1998 ).
6. Council Directive 92/59/EEC on general product safety: O.J. 1992 L 228/24. In Howells and Wilhelmsson (1997; pp 38-39), the point is made that the defectiveness standard can be influenced by the regulatory regime.
7. For fuller consideration of this decision see Howells and Mildred (1998), where we make the point that the Court in fact left too many unanswered questions, for example, concerning when material would be treated as being accessible.
8. Although there remain questions as to when the dissemination is sufficient to deem the information accessible.
11. But, I have insufficient technical knowledge to determine that matter.