Over-the-air updates (OTA) are a central element of modern vehicle architectures. They enable software functions to be updated retrospectively, errors to be rectified, and new features to be activated – all without a visit to the workshop. However, this technical innovation comes with considerable legal challenges, particularly in contract law, product liability law, data protection, and IT law.
1. OTA updates as a subject matter of contracts: New requirements for service specifications
Supply contracts in the automotive industry have traditionally focused on hardware components. With OTA updates, software becomes a central component of the contract. This requires a precise service description that should regulate the following points, among others:
- Update frequency and obligation
- Functionality and compatibility
- Fallback options in the event of faulty updates
2. Liability and warranty: Who bears the risk of faulty updates?
A faulty OTA update can impair safety-related functions or render vehicles inoperable. The following must therefore be clarified in the contract:
- Who is liable for software errors?
- How is a distinction made between warranty and maintenance?
- What response times apply in the event of critical errors?
The question also arises as to whether an OTA update is considered a “new product” within the meaning of product liability law – with corresponding consequences for recall obligations and the scope of liability.
3. Data protection and consent: OTA updates in the context of the GDPR
Many OTA updates require access to personal data, such as driving profiles, location data, or usage behavior. The GDPR imposes strict requirements in this regard:
- Transparency and user information
- Consent requirements
- Purpose limitation and data minimization
Particularly critical: Updates that are carried out without active consent or that subsequently change functions can be problematic under data protection law.
4. Technical and organizational requirements: Securing IT security by contract
OTA updates open up new attack surfaces for cyberattacks. Contracts should therefore contain clear IT security requirements, such as:
- Encryption and authentication
- Penetration tests and security certifications
- Incident response processes
Regulatory requirements such as UNECE R155/R156 or the IT Security Act 2.0 must also be taken into account.
Conclusion: OTA updates require new contractual standards
OTA updates are fundamentally changing the legal landscape in the automotive industry. Companies must adapt their contracts to minimize liability risks, meet data protection requirements, and ensure technical standards. Close cooperation between technical, legal, and compliance teams is essential.
Would you like to make your OTA processes legally compliant? Our interdisciplinary team supports you in contract drafting, risk analysis, and regulatory implementation – feel free to contact us.