
EUPL's Disclaimer of Liability

Published on: 17/11/2023 Last update: 03/12/2023 Discussion

I was considering EUPL for a small open source project I'm currently working on, but the license's paragraph 8 looks like EUPL puts the licensor in a worse position than other FOSS licenses.

The parts I'm writing about are:

In the cases of wilful misconduct

and

or damages directly caused to natural persons

I understand wilful distribution of malware to be considered "wilful misconduct" and be punishable by law. But what about more nuanced situations? Something like accidental malware distribution because it happens to be in the software's dependency chain. Would a lack of virus scanners run during the distribution process (something most FOSS developers don't do as far as I know) be considered wilful misconduct? Or not doing something, because to the licensor's best knowledge it's not necessary but in the end turns out to be, but the damage is already done - for instance not implementing some still emerging security practice from the get go?

The second part seems more worrisome. I'm not a lawyer, but it looks like if something happened to someone for whatever reason, be it a bug in the licensor's software causing e.g. data loss, a licensor would be fully liable if the damage was done to a natural person. I have read a few documents discussing EUPL and licensing in general, and it looks like a FOSS licensor would be better protected by, for instance, Apache License 2.0, which does not differentiate natural persons from juridical persons. As far as I know, some countries, e.g. Poland, do not allow to completely waive liability for damages done to natural persons, but in specific cases, and the aforementioned fragment from EUPL seems to put more liability on licensors than countries' laws would. Given the

the Licensor will be liable under statutory product liability laws as far such laws apply to the Work

fragment also found in paragraph 8 of EUPL, wouldn't that be enough to cover liability requirements in countries with stricter laws?

How to use the EUPL on Joinup has a short comment on this:

Liability for such damages are generally excluded by the EUPL licence, to the extent permissible by applicable law. Exceptions, as spelled out in Article 8 of the licence, could be your wilful misconduct (for example by distributing a computer virus) or direct damages to natural persons, which are not likely to occur regarding public sector software (risks look theoretical, and it seems that such case has never been met).

So the risks are recognized, but maybe EUPL was simply not intended to be used by single FOSS developers or independent FOSS teams?

Comments

Patrice-Emmanuel SCHMITZ Fri, 17/11/2023 - 16:50

This is an interesting discussion.

The main reason why there is no “total” exclusion of liability (like in most other licences) is that a preliminary legal study demonstrated that such exclusions are invalid according to European and Member States’ law, for example in Germany.

Therefore, be sure that if you license under – let’s say the MIT or Apache license – a seemingly harmless program that actually and wilfully hides malware, you will be liable if someone asks you for compensation and you will not be exempt from liability because of license disclaimers.

The EUPL states “wilful” just to exclude liabilities resulting from accidental or involuntary inherited corruptions, and it will be up to the victim to prove the wilful misconduct.

Another question refers to statutory product liability laws.

In Europe, product liability is a matter of public order. This is an extra-contractual liability regime which benefits any victim (consumer or professional) of a product safety defect, whether or not bound by a contract with the producer. So here also, the EUPL provides a useful warning that the license cannot help to circumvent the law. No other license could do that anyway in case the law would be applicable.

There is also a third warranty mention worth noting, which is almost never mentioned in other licenses: in article 6, the EUPL includes a CDO (contributor declaration of origin), stating that both the original licensor and all subsequent contributors “grant that copyright in their contribution is owned by them or licensed to them and that they have the power and authority to grant the Licence”. 

Through all these provisions, the EUPL attempts to be honest facing legal reality, and to establish balanced rights, not for the licensor only, but also for the recipient.

Piotr Orzechowski Fri, 17/11/2023 - 21:29

Thank you very much for your reply!

Just in case I was unclear: I am totally against waiving liability for wilful misconduct. I was rather afraid that accidental or involuntary events might be interpreted as results of wilful actions in some circumstances, because the word "wilful" might be interpreted in multiple ways, but I guess this would be up to a court to decide case-by-case. I had also mixed up Apache License's Disclaimer of Warranty paragraph with Limitation of Liability - apologies for that.

So, if I understand you right, when a natural person acquires something from other person from EU, even for free and without any warranty, the one who gives is unconditionally responsible for the quality of the given good in terms of both wilful and accidental or involuntary usage results.

On the one hand, I completely understand the reasoning to protect recipients. But on the other hand, FOSS developers often give away very complex systems for free. Systems that are inherently impossible to be proven 100% bug-free. And many FOSS systems start as endeavours of single developers or small developer groups - people who are as vulnerable as recipients.

If the European law works as I got from your comment, this is actually a pretty huge burden, especially for single developers or small developer groups and given a potentially large group of software recipients.

As for the licence's honesty about the EU law, doesn't the "Licensor will be liable under statutory product liability laws as far such laws apply to the Work" cover this? If it does, then the "or damages directly caused to natural persons" would unnecessarily lock future software versions from stronger developer protections (should the law change in the future) until the software is re-licensed, which is very hard for FOSS with multiple contributors.

Patrice-Emmanuel SCHMITZ Sat, 18/11/2023 - 23:11

I believe that your understanding that “when a natural person acquires something from other person from EU, even for free and without any warranty, the one who gives is unconditionally responsible for the quality of the given good in terms of both wilful and accidental or involuntary usage results.” is probably going too far.

There is a valid EUPL liability exclusion in case there is no wilful misconduct. So the EUPL excludes liability if the software default results from a bug or from any involuntary insertion. But in all licensing cases (and not only through the EUPL), it is true that a license liability exclusion clause does not constitute an absolute protection in case the product liability law is applicable. However, if the software is distributed for free (which is not automatic, since no open license forbids selling the covered software) this should have an impact on the judge's decision in case someone has a claim. So the judge's decision will not only depend on the license itself (and its liability exclusion clauses) but on other aspects as well: is there a wilful misconduct, is the price requesting a warranty, on the contrary is software given for free, etc.

A recent (2020) French study on software producer liability (La responsabilité des fournisseurs de systèmes numériques - https://www.economie.gouv.fr/files/files/directions_services/cge/responsabilite-fournisseurs-numeriques.pdf ) highlights that there are few legal actions in this field and that when software is distributed for free “as a service”, natural persons are not at the origin of such actions. Most of them are initiated by consumer associations or by authorities due to unfair competition or discrimination resulting from these on-line services (against Google, Amazon, Facebook, Twitter/X etc.).

Piotr Orzechowski Thu, 23/11/2023 - 01:10

Once again thank you for your support!

The "Except in the cases of wilful misconduct or damages directly caused to natural persons" makes me understand that I could be liable either in case of wilful misconduct or in case of direct damage to natural persons for whatever the cause of the latter. Like, "either wilful misconduct towards anyone, or anything else but just only towards natural persons". The part after "or" seems to be general, without any exclusions.

But maybe I'm misunderstanding this sentence? Or perhaps I'm misunderstanding what "direct damage to natural persons" actually means - is it possibly anything, like e.g. data corruption or data loss, or is it "death of a consumer or personal injury" like in 1.(a) in ANNEX to COUNCIL DIRECTIVE 93/13/EEC? Could you help me with understanding that?

In general, I think it would be much safer to have something akin to "except in the cases of wilful misconduct, licensor shall not be liable for anything to the maximum extent of applicable law". This way the license would be honest too, but also wouldn't introduce unnecessary liability whenever applicable law tends to be more lax, or after the applicable law changes or after licensor's place of residence changes.

PS. I didn't mention that, but I really like the idea of EUPL, most of its contents and availability in all European languages. Thank you for that!

Patrice-Emmanuel SCHMITZ Fri, 24/11/2023 - 16:38

IMHO, "direct damage to natural persons" actually means "death of a consumer or personal injury". It could happen when software regulates an autonomous vehicle (or the automatic pilot of an aircraft). Maybe this should be clarified in a next EUPL version, or in the FAQ.

Finally, the fundamental idea that was once more highlighted during the 22 November "OSOR turns 15" event, is "People and rights first". The issue with most liability exclusion clauses is that they only protect the developer (and more widely the "licensor", which according to the EUPL could be one of the GAFAM companies delivering AI, social networks and other remote services through the cloud). No one cares about people. There are cases where AI and massive processing of “big data” can be used to accurately profile people, influence them with targeted and biased news, and even manipulate them to distort democratic votes. Depending on the case, this could also be considered as "wilful misconduct".