Here is an English translation of an interview with Andreas Eustacchio from EUSTACCHIO Rechtsanwälte in the Austrian magazine “Die Presse” for a recent special edition on “digitisation”, covering software updates, IoT, cybersecurity and connected cars.

“Over the air” software updates for networked cars are not comparable to routine updates for smartphones, says technology and industry attorney Andreas Eustacchio.

Software updates are the norm for smartphones. They are also on the rise for IoT-enabled devices and connected cars. What does that mean for users?
First of all, you have to make a clear distinction between updates and upgrades. From the user’s point of view, the advantage of pure updates is not perceptible at first glance. This is because updates are always intended to reflect the current security standard so that the device can continue to be used as before without any functional restrictions and free of cyber attacks. These must be clearly distinguished from software upgrades, i.e., improvements that go beyond maintaining the function and give the user greater convenience when using products with digital content. These can be driving assistance systems in cars, a “smart” refrigerator, but also additional tools for the “smart” fitness watch. From a seller’s point of view, upgrades always represent an attempt to bind existing customers to their products. Updates, on the other hand, serve to maintain functionality and are intended to close newly identified security gaps.

To what extent is this distinction legally significant for product and software developers?
Until now, users of products with digital content could not be sure that they would also be provided with the necessary updates during the term of the contract. Especially if the use of a product depends on an update, the lack of the corresponding software update can limit the product in its original function or make it worthless. Even before now, it was possible to insist that this warranty defect be remedied by an update. Since January 1, 2022, the Consumer Warranty Act (VGG) has been in force, and with it an express obligation to update the software free of charge. This applies to sellers or dealers even if the products they sell contain software that is provided to the user directly by the software company at the time of purchase. This obligation to update applies not only to transactions with consumers (B2C), but also to those between entrepreneurs (B2B). However, entrepreneurs may also contractually modify and exclude the update obligation.

For how long does this obligation to update apply?
At least for two years after the physical product is handed over. However, this can also be a longer period. The law speaks rather vaguely of the period that the consumer can reasonably expect, taking into account the circumstances and the nature of the contract.

What if a user does not want updates?
Since the function update always also represents a contractual deviation from the original subject matter of the contract, the user must be specifically informed of this under the VGG and he must expressly and separately consent to the function update. If the user refuses to consent, the obligation to update does not apply.

Why should anyone do that?
No software developer can promise completely error-free programming. It cannot be ruled out that a malfunction could be infiltrated via a software update and that this is the very reason why a security update is necessary, keyword: hacking and cybersecurity.

What about vehicles with software-driven assistance systems, or “connected cars” for short, whose updates can make the difference between safety and life and death?
In the case of safety-relevant software, an update is always mandatory, regardless of warranty periods or reasonably expected periods of use. However, there is no explicit legal provision on this. Rather, this results from the various legal provisions on product safety, product compliance, and product monitoring obligations, not only vis-à-vis one’s own contractual partner in the B2B supply chain, but vis-à-vis every product user.

What does this mean for manufacturers?
Specifically, it is not sufficient to simply provide users with software for the purpose of security updates, in the sense of an obligation to provide it, in order to avert a serious risk to life and limb. Rather, manufacturers may even have a duty to perform updates if they want to prevent damage and avoid later liability consequences with high compensation payments. And this obligation exists regardless of whether they themselves are contractual partners of the users of their vehicles or not. Particularly in the case of vehicle manufacturers, there is usually no direct contractual relationship with the vehicle user due to the supply chain.

When would a user have a claim for damages due to a software update?
For example, if a software update results in the restriction of other functions of the same product. A case from the Munich Regional Court on September 13, 2021 illustrates this: According to the purchase contract, a height-adjustable Tesla (15 cm up and down) was equipped with “Enhanced Autopilot” at a cost of 6,000 euros, for a total purchase price of 154,430 euros. This feature had to be downloaded separately. When the user pressed the download button, he assumed that it was the update of this very autopilot, but instead it restricted the height adjustability function, which came as a surprise to the user. According to the court, the user should have been informed in advance about the exact content and consequences of the update. This is not comparable to a routine software update for a smartphone, according to the court, because the update overrode another existing function. Because it was outside the warranty period, the buyer had a claim for damages to rescind the purchase contract because the height adjustment could no longer be reversed. This was not affected by the fact that the software for the download was not provided by the seller, but directly by Tesla Inc., which was considered to be the vicarious agent of the dealer.

Data can also be illegally siphoned off through system interventions. Who actually has the right to use this data?
If the data generated by a vehicle in conjunction with the license plate, the vehicle identification number or device-specific identification numbers allow conclusions to be drawn about a person, this is personal data and therefore protected under the General Data Protection Regulation (GDPR). It may only be processed with the consent of the person concerned. Nevertheless, most people do not even know whether and which data car manufacturers use from them and their car. This also applies to a number of data that are not personal, but are generated by the vehicle. In practice, the user or the off-brand repair shop is denied access to it. Under the EU Commission’s draft “Data Act,” manufacturers are to share this data and also make it available to third parties free of charge.