THE COMPUTER LAW A N D SECURITY REPORT 6 CLSR

and the Hadley Byrne principle if the action for breach of contract failed. Future computer users who propose to sue their suppliers - no doubt as a last resort after more conciliatory courses have been explored to no avail - need to consider all the available legal avenues. The best results are likely to be achieved by computer users who take self-help measures e.g. keeping a

record of discussions with the suppliers' staff and compiling a 'computer break-down diary" and seeking professional advice promptly if problems persist, Consumer law may not provide a satisfactory solution to every problem, but it is far more flexible than many businessmen realise.

Mart in Edwards, Solicitor, Mace Et Jones E~ Co., Liverpool. Author of 'Understanding Computer Contracts'

PRODUCT LIABILITY- THE E.E.C. DIRECTIVE

For the software industry, plagued in recent times by unchecked counterfeiting, a more litigous market and falling margins, the new EEC Directive on Product Liability may be about to bring more headaches. And an industry which in many ways seeks to draw a distinction between itself and other goods based industries, is becoming concerned about the possible implications.

THE DIRECTIVE

The Directive (85/374/EEC) was eventually adopted in July of last year after more than nine years of discussions. Its objective is to give similar protection to consumers of defective goods throughout the Community by harmonising those laws of Member States which are concerned with product liability. The U K must adapt its laws to give effect to the Directive by July 1988. As the law stands at present in this country, the purchaser of defective goods has a contractual remedy against the person who supplied him with those goods. However, if that purchaser wishes to take action against the original manufacturer, he has to prove negligence, and the onus of proof rests with the purchaser. But ever since the Pearson Commission report of 1978, there has been growing pressure for the imposition of strict (no fault) liability for personal injury resulting from defective products. The Directive places strict liability on producers of defective products that cause damage. Damage is defined as death, personal injury or damage to goods for private use. No proof of negligence is required.

SOFTWARE

So, is it likely that software could fall within this definition ? It is becoming increasingly common these days for producers of packaged software to describe it as 'products'. But see Report on RRX Industries v Lab. Con Inc 9th Court US Court of Appeals on page21 of this isue). Even the legislation of recent years has failed to categorise software. It is not 'goods' under the Sale of Goods Act 1979, and packaged software is not likely to constitute 'services' under the Supply of Goods and es Act 1982. Even the freshly enacted Copyright (Computer Software) Amendment Act 1985 dodged the issue somewhat by equating software with other "literary works'. It therefore seems possible that many of the liabilities for defective software are regulated by common law principles. One then has to consider what is the nature of damage or injury contemplated by the Directive. In particular, does it extend to commercial damage ? At present, product liability insurance provides cover only for

damage caused by tangible objects. Moreover, in most cases involving software, the risk is more one of economic loss than of damage to the person or property. In the field of negligence, there again seems to be a trend towards an extension of liability to cover precisely this area of risk. The Directive, however, does not extend protection to economic loss. Each jurisdiction must determine its own position on this. In the United States the growing relevance of this area of law to the software industry is clear.

THE MOLINA BILL

This Bill, introduced in California last year, gave protection to purchasers of software when the software proved defective or failed to meet advertised capabilities and specifications. The purchaser was given the right to return the software within six months if these warranties were breached. In any ensuing legal action, triple damages could be claimed. The progress of the Bill has been delayed due to opposition from the U.S. Software industry who have pointed out the impossibil i ty of producing error free software. Nevertheless, the Bill is likely to be re-introduced this year.

THE U.K.

In this country, the common law is probably more effective in setting expected standards and in providing remedies when those standards are not met. Whilst many contracts contain an 'entire agreement' clause, seeking to disclaim responsibility for claims made in promotional literature or by eager salespeople, it seems probable that warranties of merchantability and fitness for purpose wil l be implied into contracts relating to the sale, lease or licence of software, and these will be enforceable.

THE RESPONSE

Legislation along the lines of the Molina Bill cannot be ruled out however, and this would be bound to impose severe restraints on the industry. It would seem sensible therefore to pre-empt such government measures by adopting standards or codes of conduct within the industry. Trade associations in the U.S, are already advocating this form of response, and the Computing Services Association could perform a similar role in this country. It is not unreasonable to offer a warranty that for a Limited period, software will perform to a published description or specification. The outcome should force suppliers to pay more attention to the accuracy of their advertising. This warranty should be qualified bytwo further provisions. Firstly, if

MARCH - APRIL THE COMPUTER LAW A N D SECURITY REPORT

software fails to perform as specified, the supplier should have the opportunity of modifying it so that it does. Secondly, if this cannot be done at an economic cost, there should be some ceiling on the liability of the supplier related to the value of the software. The adaption of such standards or criteria would, I believe, remove the need for any type of restrictive or punitive legislation.

This would also have implications for the insurance industry. Suppliers of software presently take out professional indemnity insurance against the risk of this form of liability.

Recent years have seen a rapid escalation in the costs of this type of insurance, largely due to the fact that underwriters have little experience of claims in this area of the market. It is reasonable to assume that the general adoption of a performance to specification warranty, backed up by a reasonable limitation of liability, would at least provide some form of yardstick

with which to measure risk exposure.

CONCLUSION

As I have suggested, the precise impact of the EEC Directive on the software industry has yet to be properly determined. There wi l l doubtless be a period of consultation, and the Department of Trade and Industry has already invited representations. This period gives the industry an opportunity to adopt its own code, acceptable to its members, rather than face yet another set of rules inflicted by government. The very existence of such a code would provide a degree of certainty to user and supplier alike, and would help to pinpoint real cases of dishonest conduct. It is to be hoped that such an approach can be effectively lobbied, and that the wider concept of strict liability for "defective' software will be resisted.

David Greaves

DATA PROTECTION: A CHALLENGE FOR LOCAL GOVERNMENT

By its very nature a local authority needs to deal with a vast range of information about indiv iduals- as employees, suppliers, rate-payers, tenants, pupils, students, users of municipal cultural and sports facilities, as disabled persons, old people, voters, borrowers, lenders, property owners and developers. Some of this information is highly sensitive; some of it is relatively trivial but a lot is computerised and therefore much is covered by the Data Protection Act, 1984.

THE PRIORITY: REGISTRATION

With the triggering of the Act on November 11 th last, registration is the immediate priority because on May 11 th it wil l become an offence to hold or process personal data unless it is registered (or exempt). Registration for a local authority is likely to be a complex business, not only because the registration form itself is fairly daunting, but also because of the wide range of systems held by local authorities. Often computer stored information will not at first sight appear to be registerable, but further examination will reveal a requirement. The now abolished G.L.C. for example have uncovered a system run by the Fire Brigade which is designed to pinpoint the chemical hazards at sites within the GLC area, but which includes the name and address of a contact for each of the sites. The system must be registered because it is also used to find any local expert on a particular chemical and its hazards, processing the data by reference to the listed contacts.

Most local authorities will need to register as data users who also carry on business as computer bureaux. This is because in some cases specific arrangements will exist for processing data from another local authority. With increased emphasis on security against the loss of data, which the Act has engendered, many councils will be making reciprocal stand-by arrangements for processing each other's data in the event of disaster or breakdown.

Problematic is the situation where the authority, in the person, perhaps, of a college or school, permits an employee to use its equipment (the school micro?) for extra-curricular work. In this case the individual employee is the data user and the authority the computer bureau. In fact there seems little point in a local authority, or indeed any data user with an installation of any size, not registering as a computer bureau as well since it involves neither extra cost nor extra burdens. Registration will be in the name of the Council, which is the legal entity, not the separate Departments. However, that leaves the question of those bodies which do have separate legal status - the Electoral Registration Officer and voluntary aided schools, for example.

REGISTRATION DECISIONS

To complete their registration each council will have to decide whether to opt for single or multiple registration, and what, and how many, addresses to register for the purposes of subject access. These decisions have some potential for political disagreement in that a single registration, combined with several addresses for access, would facilitate the data subject's access to his data. With subject access two years away, however, it would seem more sensible to treat these as technical decisions and postpone the political questions to the drawing up of a subject access policy in 1986. A single registration would not only make for complicated form filling, but may turn each request for subject access into a major search against the clock, throughout the authority's systems in every department for all the data on the data subject. Multiple registration would not prevent an authority having a policy of offering a data subject a copy of data held under other registrations in a timescale and form suited to its abilities to extract the data, rather than in accordance with the statutory requirements. Similarly a single registered address for access would not