The article makes it clear that (as the author understands it, at least) someone who uses open source software in their commercial product is liable; the people who wrote the open source code [1] are not.
> If a user is harmed by software, the person they paid (targeted ads would count) must compensate them for the harm – unless the software provider can prove their software played no role in the ... harm. If open source resources are [used by] your code, you’re responsible for their performance too. *The open source resource licensed away their liability to you*.
(Emphasis mine)
[1] Assuming they used a license that limits liability, such as Apache.
This is about the organization that releases a product being liable for it - all parts of it - regardless of whether some of those parts were developed by 3rd parties (e.g. Apache). But again, the headline and most of the article are not clear about this.
The article is attempting to create a scare about things that have always been true. If a telco's services crash the telco has to compensate customers even if it was a postgres failure that caused it by failing to authorise handsets for a connection in a cell. For example.
> What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated.
It's expressly not clear what the implications here are, according to the article.
The telco has a service agreement with customers and it's clear exactly what service it was supposed to do and failed. Where is such an agreement for a random github repository? To put it a bit ad absurdum, say a user supplies a parameter to your math function so that it divides by zero and it results in some injury or loss. Who is liable for that? Should a judge try to parse some piece of code for whether it was reasonable for the user to expect passing zero will work?
The article directly contradicts this:
> What if an open source project is used directly by consumers, and causes them harm? The public policy is clear: they must be compensated. Does it matter if they signed a license or didn’t pay someone? Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them. Someone should be strictly liable.
If you sell a product, e.g. a car, and the brakes don't work, you are liable.
If you sell a product, e.g. medical software which calculates and runs your insulin pump, and it responds to a division by zero error with an injection of 1000x the amount of insulin, you are liable.
You don't have to focus on the how, only on if it was your product and was sold to a customer.
Who was at fault (product or customer) will be decided in a lawsuit.
If you don't sell anything then these laws don't apply to you, even if the article seems to be unclear about that.[1]
https://www.europarl.europa.eu/news/de/press-room/20231205IP...
Edit: Somebody linked the full EU briefing: https://www.europarl.europa.eu/RegData/etudes/BRIE/2023/7393...
On Page 5 there is a passage about how free-of-charge open source software is excluded and also who is liable in a commercial activity:
With the aim of not hampering innovation: (i) free and open-source software developed or supplied outside the course of commercial activity, as well as (ii) the source code of software, should be excluded from the definition of products covered under the proposal.
As far as the broader scope of the proposal compared to the existing PLD on liable parties is concerned, Article 7 of the revised PLD lists the types of 'economic operators' which can be held liable for defective products, by introducing a layered approach to liability depending on the different qualification of the economic operator.
Among the list of economic operators are: (i) the manufacturer of a product or component, (ii) the provider of a related service, (iii) the authorised representative, (iv) the importer, and (v) the fulfilment service provider or the distributor. The manufacturer should be liable for damage caused by a defect in their product or components. An innovation introduced in the revised PLD is considering any economic operator who has substantially modified the product outside the control of the manufacturer liable for any defect. Such a party is then considered as a manufacturer.
When a manufacturer is established outside the EU, the revised PLD would further attribute liability for a defective product to the importer and the authorised representative in the EU. As a last resort, the fulfilment service provider (offering at least two of: warehousing, packaging, addressing and dispatching of a product, without having ownership of the product), will be held liable when the importer and authorised representative in the EU are based outside the EU.
Distributors of a defective product (offline and online sellers) can also be held liable upon request by a claimant and when the distributor fails to identify any of the above operators.
Online platforms should be liable in respect of a defective product on the same terms as such economic operators when performing the role of manufacturer, importer or distributor.
There's a reference to "Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008", which does not distinguish for-profit activity at all. Just "all products on market and all who manufacture and distribute shall conform".
(if you receive donations, it isn't commercial activity. If you display ads like Firefox or Brave, it is)
I don't understand why you want to know what the provider is?
For the purpose of liability and open source the definition is that any open source free of charge software is excluded from the proposed changes, so the provider doesn't matter.
This can be seen in the first link, on the third headline bullet point "Not applicable to free-of-charge open-source software" as well as the second paragraph.
The provisional agreement on the liability of economic operators for damage caused by defective products aims to respond to the increase in online shopping (including from outside the EU) and the emergence of new technologies (such as AI) as well as to ensure the transition to a circular economic model. In order not to stifle innovation, the rules will not apply to open-source software developed or supplied outside of a commercial activity.
I also added the briefing of the proposed EU law with the details.
Then somebody linked it in a comment below and then it was fairly easy as I knew what to search for from the short description in the first link.
The part you quoted continues with:
> Their business is bankrupt, their files are in a hacker’s hands, or their own customers are suing them.
Those are not consumers. That's B2B and comes with significantly lesser protections (if any) in EU law due to the EU’s view of B2B relationships being less asymmetrical w/r/t power and businesses being better at assessing the risks.
The implications are clear because this is not some new thing the EU conjured out of thin air but rather an expansion of which products will fall under the PLD, so we know how this has shaken out historically.
The long and short of it is that with physical merchandise, manufacturers have long been liable if their products caused damage (e.g., batteries of electric scooters catching fire). Still, when it came to software, companies often just shrugged and said, “We provided it as is, so tough luck.” The EU now says that's simply not good enough, and software companies should be held to the same liability standards as merchandise manufacturers.
Software lobbyists, of course, don't like this, so to stop that, they've decided to spread FUD about FOSS.
That's it, that's the story.
0: https://www.bigtechwiki.com/index.php/Developers_Alliance
It's not exactly that way.
This is only the case if you are 21 or 25 years old (depending on country/state) and if you have insurance which covers this case, or if you have some juridical document for exactly this case.
For example, if you are a toddler/teenager NOT accompanied by an adult, the responsible people will be those who have the responsibility to restrict your appearance (entrance) in this park.
So in the EU, usage of OSS or products with OSS dependencies will be effectively prohibited for teenagers. This is not a very large share of customers, but approximately 7% of EU residents.