Should Tort Law Impose New Duties of Care for Harm Caused by AI Systems and Automated Decision-Making?

Introduction

The proliferation of artificial intelligence systems and automated decision-making processes across healthcare, transport, finance, criminal justice and consumer services has exposed a structural tension within the law of negligence. The existing duty of care framework, developed primarily to address harm caused by human agents exercising identifiable judgment, struggles to accommodate harm arising from opaque algorithmic processes where multiple parties contribute to the design, deployment and operation of an AI system, yet none exercises the kind of proximate, foreseeable control that traditionally grounds tortious liability. The question of whether tort law should impose new duties of care for such harm is not merely a policy preference; it is a doctrinal necessity driven by the inadequacy of the current incremental approach to novel duty situations.

This essay argues that the existing Caparo Industries plc v Dickman [1990] 2 AC 605 framework, while flexible in principle, is insufficient in practice to impose coherent duties of care upon the producers, deployers and operators of AI systems, principally because the opacity and autonomy of such systems undermine the foreseeability, proximity and fairness requirements upon which novel duties depend. Accordingly, tort law should recognise new, specifically articulated duties of care — or, more precisely, should develop the existing framework through targeted statutory or judicial innovation — to address the distinctive features of AI-caused harm: emergent behaviour, distributed agency, informational asymmetry and the difficulty of proving fault. However, the form this development should take is contested, and this essay critically evaluates the competing options — including strict liability, a rebuttable presumption of fault, and enhanced statutory duties — before concluding that a calibrated approach combining a rebuttable presumption of negligence for high-risk AI systems with a residual duty of explicability offers the most doctrinally coherent and practically effective response.

The Current Duty of Care Framework and Its Application to AI

The modern English law of negligence determines the existence of a duty of care through the three-stage test established in Caparo Industries plc v Dickman [1990] 2 AC 605: foreseeability of harm, a relationship of proximity between claimant and defendant, and the requirement that imposing a duty be fair, just and reasonable. This framework operates incrementally, by analogy with established categories, following the approach endorsed by Lord Bridge. Where a novel situation arises, the court asks whether it is sufficiently analogous to an existing duty category to justify recognition of a new duty (Nolan, 2013).

Applied to AI systems, each limb of the Caparo test presents distinctive difficulties. Foreseeability, in its orthodox sense, requires that a reasonable person in the defendant’s position would have foreseen the type of harm that occurred. Yet many AI systems, particularly those employing machine learning, generate outputs through processes that their designers cannot fully predict or explain — the so-called “black box” problem (Burrell, 2016). A manufacturer of an autonomous vehicle, for example, may foresee the general risk of collision, but may be unable to foresee the specific decision pathway by which the system’s neural network responds to a novel road scenario. The question is whether general foreseeability of the category of harm suffices, or whether the opacity of the causal mechanism defeats foreseeability in any meaningful sense. On orthodox principles, it should suffice: Hughes v Lord Advocate [1963] AC 837 established that the precise chain of causation need not be foreseeable provided that the type of harm is foreseeable. Nevertheless, there is a qualitative difference between unforeseeable physical chain reactions and unforeseeable algorithmic decision paths, because the latter involve a form of autonomous “reasoning” that the defendant may have deliberately rendered opaque in pursuit of optimisation (Selbst and Barocas, 2018).

Proximity raises further difficulties. In a typical product liability or professional negligence case, the relationship between the defendant and the claimant is relatively identifiable: manufacturer and consumer, doctor and patient, solicitor and client. In the AI context, harm may result from the combined contributions of multiple actors — the developer of the training data, the designer of the algorithm, the deployer who integrates the system into a specific context, and the operator or user who activates it. The supply chain of an AI system is typically longer and more fragmented than that of a conventional product. As Chagal-Feferkorn (2019) has argued, this distributed agency makes it difficult to identify which party stands in a relationship of sufficient proximity to the claimant to ground a duty of care. The incremental approach, which requires analogy with established categories, may therefore fail to capture the distinctive relational structure of AI-caused harm.

The third limb — fairness, justice and reasonableness — is arguably the most contested. Courts have used this limb to refuse duties in circumstances where imposing liability would create indeterminate liability, interfere with regulatory schemes, or impose disproportionate burdens on defendants. In Michael v Chief Constable of South Wales Police [2015] UKSC 2, the Supreme Court declined to impose a duty of care on the police for failure to protect a member of the public, partly on the ground that it would not be fair, just and reasonable given the public policy implications. A similar argument might be raised against imposing broad duties on AI developers: the chilling effect on innovation, the difficulty of defining the standard of care, and the risk of indeterminate liability could all militate against recognition of a novel duty. However, as discussed below, these objections are not insuperable and may be outweighed by competing considerations of justice and corrective fairness.

Why the Existing Framework Is Insufficient

The difficulty is not merely that the Caparo test is hard to apply to AI — it is that its incremental methodology presupposes a degree of factual and causal transparency that AI systems systematically deny. Three features of AI-caused harm make the existing framework structurally inadequate rather than merely difficult to apply.

First, the opacity problem undermines the fault inquiry itself. Negligence requires proof that the defendant fell below the standard of a reasonable person. In Bolam v Friern Hospital Management Committee [1957] 1 WLR 582, the standard was defined by reference to responsible professional practice. But what constitutes “reasonable” design or deployment of an AI system is frequently unclear, particularly where the system’s behaviour emerges from training on data sets whose biases may be latent and undetectable at the design stage (Wachter, Mittelstadt and Floridi, 2017). The claimant, who lacks access to the system’s training data, architecture and decision logs, faces an acute informational asymmetry that makes it extremely difficult to prove that the defendant’s conduct was unreasonable. This is not a conventional evidential difficulty; it is a structural feature of the technology that existing rules on disclosure and burden of proof were not designed to address.

Second, the problem of emergent behaviour challenges orthodox causation. Where an AI system generates a harmful output through a process that was not explicitly programmed but emerged through machine learning, the causal link between the defendant’s act (designing or deploying the system) and the harm may be attenuated. The “but for” test from Barnett v Chelsea and Kensington Hospital Management Committee [1969] 1 QB 428 may be formally satisfied — but for the defendant’s deployment of the system, the harm would not have occurred — but the qualitative question of whether the defendant’s conduct was the legally operative cause of the harm is less straightforward. This is particularly acute where the harm results from an interaction between the AI system and its operating environment that neither the developer nor the deployer could have specifically anticipated.

Third, the distributed agency problem means that no single defendant may bear the kind of direct, proximate responsibility that negligence typically requires. The developer may argue that the deployer used the system in an unintended context; the deployer may argue that the developer’s algorithm was flawed; the operator may argue that neither provided adequate training or warnings. The result, as the European Commission’s Expert Group on Liability and New Technologies (2019) observed, is a “liability gap” in which injured parties may be unable to recover despite suffering clearly wrongful harm. The existing law of joint and several liability and contribution under the Civil Liability (Contribution) Act 1978 may mitigate this problem in some cases, but it does not address the prior question of whether any of these parties owes a duty of care in the first place.

Product Liability: A Partial but Incomplete Solution

It might be objected that the Consumer Protection Act 1987 (CPA 1987), which implements the Product Liability Directive (85/374/EEC), already provides a route to strict liability for defective AI products, thereby reducing the need for new negligence duties. Under Part I of the CPA 1987, a “producer” is strictly liable for damage caused by a “defect” in a “product,” where defect is defined by reference to the safety that persons generally are entitled to expect (s. 3). This standard is, in principle, capable of application to AI systems embedded in physical products such as autonomous vehicles or medical devices.

However, the CPA 1987 regime has significant limitations in the AI context. First, the definition of “product” in s. 1(2) refers to “goods” and “electricity,” and it remains uncertain whether standalone software — such as an AI decision-making algorithm not embedded in a physical product — constitutes a “product” for the purposes of the Act. The question was considered but not definitively resolved in English law, and academic opinion is divided (Howells, 2020). The European Commission’s proposal for a revised Product Liability Directive, published in September 2022, explicitly extends the definition of product to include software and AI systems, but this has not yet been implemented in domestic UK law post-Brexit. Second, the “development risks” defence in s. 4(1)(e) of the CPA 1987 permits a producer to escape liability if the state of scientific and technical knowledge at the time was not such that a producer of products of the same description might be expected to have discovered the defect. For AI systems whose harmful behaviour emerges through learning processes after deployment, it is arguable that the defect did not exist at the time of putting the product into circulation, potentially engaging this defence. Third, the CPA 1987 does not cover pure economic loss or many forms of algorithmic discrimination, both of which are increasingly significant harms caused by automated decision-making.

Accordingly, while the CPA 1987 provides a partial framework, it does not remove the need for new tortious duties. The regime was designed for tangible manufactured products and does not adequately address the distinctive risks of autonomous, adaptive and opaque AI systems (Machnikowski, 2019).

The Case for New Duties of Care: Corrective Justice and Risk Allocation

The normative case for imposing new duties of care rests on two complementary foundations: corrective justice and efficient risk allocation.

From a corrective justice perspective, as articulated by Weinrib (1995) and applied to tort law by Stevens (2007), a person who wrongfully causes harm to another is under a duty to repair that harm. The difficulty with AI-caused harm is that the concept of “wrongfulness” presupposes a degree of human agency and fault that may be absent in the algorithmic context. However, corrective justice does not necessarily require individual moral blameworthiness; it requires a normatively significant connection between the defendant’s conduct and the claimant’s loss. Deploying an AI system that causes harm is, on this view, analogous to creating a dangerous instrumentality: the defendant has introduced a risk into the world from which the claimant has suffered, and that fact alone may be sufficient to ground a duty. This reasoning finds support in the strict liability imposed on keepers of dangerous animals under the Animals Act 1971, and in the rule in Rylands v Fletcher (1868) LR 3 HL 330 for non-natural use of land. The analogy is not exact — AI systems are ubiquitous in ways that dangerous animals and escaping reservoirs are not — but the underlying principle that those who create and control distinctive risks should bear the costs of their materialisation is applicable.

From a risk allocation perspective, the economic analysis associated with Calabresi (1970) and applied to English tort law by Cane (2013) supports imposing liability on the party best placed to prevent, insure against and distribute the costs of AI-caused harm. In most cases, this will be the developer or deployer of the AI system, who possesses superior knowledge of the system’s capabilities and limitations, can invest in testing and monitoring, and can spread the cost of liability through pricing and insurance. The claimant, by contrast, typically has no ability to assess or mitigate the algorithmic risk. Imposing the duty on the developer or deployer therefore promotes allocative efficiency and incentivises precautionary investment in AI safety.

These arguments are not without objection. It may be argued that imposing broad duties on AI developers would stifle innovation and impose indeterminate liability, particularly where the AI system interacts with third-party data or is deployed in contexts unforeseen by the developer. This concern has some force but is overstated. Tort law already manages comparable risks through doctrines of remoteness, contributory negligence and the scope of duty principle clarified in South Australia Asset Management Corporation v York Montague Ltd [1997] AC 191 (the SAAMCO principle, subsequently refined in Manchester Building Society v Grant Thornton UK LLP [2021] UKSC 20). A carefully calibrated duty, rather than an indiscriminate one, can address the risk of over-deterrence without leaving claimants unprotected.

Competing Models for New Duties: Strict Liability, Rebuttable Presumption and the Duty of Explicability

If the case for new duties is accepted in principle, the critical question becomes the form they should take. Three principal models merit evaluation.

Strict liability for AI-caused harm

A strict liability model would impose liability on the operator or producer of an AI system for harm caused by that system, regardless of fault. This approach has been advocated by some scholars (Vladeck, 2014) and finds a partial analogue in the European Parliament’s 2020 resolution calling for strict liability for operators of high-risk AI systems. The advantage of strict liability is that it eliminates the claimant’s difficulty of proving fault in the face of algorithmic opacity. It also aligns liability with the party who profits from the AI system’s operation and is best placed to insure against the risk.

However, strict liability has significant drawbacks. It removes the incentive for claimants and third parties to exercise reasonable care in their interactions with AI systems, potentially exacerbating moral hazard. It treats all AI-caused harm as equivalent, without distinguishing between systems that are poorly designed and those that cause harm despite reasonable precautions. And it departs from the general fault-based structure of English tort law, which has historically resisted broad strict liability outside specific statutory regimes. As Lord Hoffmann observed in Transco plc v Stockport Metropolitan Borough Council [2004] 2 AC 1, the rule in Rylands v Fletcher should not be extended to create a general regime of strict liability for all ultra-hazardous activities. Imposing strict liability for all AI systems risks creating precisely the kind of expansive, unprincipled liability regime that English law has traditionally sought to avoid.

A rebuttable presumption of fault

A more calibrated approach, recommended by the European Commission’s Expert Group on Liability and New Technologies (2019) and subsequently reflected in the proposed EU AI Liability Directive (2022), is to impose a rebuttable presumption of fault where an AI system causes harm. Under this model, the claimant must prove that the AI system caused the harm, but need not prove that the defendant was at fault; instead, the burden shifts to the defendant to demonstrate that it took reasonable care in the design, testing, deployment and monitoring of the system. If the defendant discharges this burden, liability does not attach.

This model has considerable advantages. It addresses the informational asymmetry between claimant and defendant without abandoning the fault principle. It preserves the incentive for defendants to invest in AI safety while recognising that the claimant is structurally unable to identify the specific failure within an opaque system. It is also more consistent with the existing structure of English negligence law, which already employs evidential presumptions in analogous contexts: the doctrine of res ipsa loquitur, as applied in Scott v London and St Katherine Docks Co (1865) 3 H & C 596, shifts the evidential burden to the defendant where the facts speak for themselves. Extending a similar presumption to AI-caused harm would represent an incremental development rather than a radical departure.

The principal objection to this model is that it may be difficult for the defendant to rebut the presumption where the AI system’s decision-making process is genuinely opaque — even to the developer. If the developer cannot explain why the system produced a particular output, it may be unable to demonstrate that it took reasonable care. This creates a de facto strict liability regime for opaque systems, which may be a feature rather than a bug: it incentivises developers to use more transparent and explicable AI architectures. However, it also risks penalising developers who use opaque systems for legitimate reasons, such as superior accuracy in medical diagnosis, where the opacity is an inherent feature of the most effective technology rather than a failure of design (Zerilli et al., 2019).

A duty of explicability

A third approach, which can complement either of the foregoing models, is to impose a specific duty of explicability on the developers and deployers of AI systems. This duty would require that any party deploying an AI system that may foreseeably affect the rights or interests of others must be able to provide a meaningful explanation of the system’s decision-making process, at least to a level sufficient to enable the affected party to challenge the outcome and to permit a court to assess whether the system operated as intended. This approach draws on the emerging right to explanation in data protection law — Article 22 of the UK General Data Protection Regulation (UK GDPR), read with Articles 13-15 and Recital 71 — and would extend it into the tort context as a standard of care rather than a data subject right.

The duty of explicability has the advantage of directly addressing the opacity problem. If the defendant cannot explain the system’s decision, this failure would itself constitute a breach of duty, irrespective of whether the system’s output was “correct” in a technical sense. This approach has been supported by scholars including Wachter, Mittelstadt and Russell (2018), who argue that counterfactual explanations — explaining what would have needed to be different for the system to have produced a different outcome — provide a practically feasible standard of explicability.

Nevertheless, a duty of explicability faces conceptual and practical limits. Not all AI systems are equally explicable, and imposing a uniform standard risks excluding beneficial but inherently opaque systems from lawful use. Moreover, the duty of explicability addresses the epistemic dimension of the problem but does not, by itself, determine liability for the harm caused. It therefore works best as a component of a broader duty framework rather than as a standalone solution.

The Preferred Approach: Calibrated Duties for a Risk-Based Framework

The strongest approach, on both doctrinal and normative grounds, is a risk-based framework that imposes differentiated duties depending on the nature and severity of the AI system’s potential impact. This approach draws on the regulatory model adopted by the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which classifies AI systems by risk level, and adapts it to the tort context.

For high-risk AI systems — those deployed in contexts where they may cause physical injury, significant economic loss or interference with fundamental rights, such as autonomous vehicles, medical diagnostic systems and automated credit or employment decisions — a rebuttable presumption of fault should apply, coupled with a duty of explicability. The developer and deployer of such systems should be presumed to be at fault where the system causes harm, unless they can demonstrate that they exercised reasonable care in design, testing, deployment and monitoring, and that they can provide a meaningful explanation of the system’s decision. This combination addresses both the informational asymmetry and the opacity problem, while preserving the fault principle as a residual safeguard.

For lower-risk AI systems — such as recommendation algorithms, content moderation tools and automated customer service systems — the existing Caparo framework, supplemented by a duty of explicability, should suffice. The incremental approach can accommodate these cases by analogy with existing duty categories, particularly where the harm is primarily economic or reputational rather than physical. In such cases, the principal doctrinal innovation required is not a new duty of care but a clearer articulation of the standard of care applicable to AI design and deployment, informed by industry standards, regulatory guidance and expert evidence.

This calibrated approach has several advantages. It avoids the over-inclusiveness of a blanket strict liability regime while addressing the under-inclusiveness of the unaided Caparo framework. It allocates burdens in proportion to risk and informational advantage. It incentivises transparency and safety investment without prohibiting the use of beneficial but inherently complex AI systems. And it is consistent with the general structure of English tort law, which already differentiates the standard and scope of duty according to context, as seen in the distinction between the duty owed by professionals (Bolam) and the general standard of reasonable care.

Critically, the question of institutional competence arises: should such duties be developed by the courts or by Parliament? The incremental common law method is well-suited to developing the standard of care and refining the application of existing doctrines to AI-related facts. However, the more structural innovations — the rebuttable presumption of fault and the duty of explicability — are better suited to legislative intervention, because they involve a deliberate reallocation of the burden of proof and the creation of affirmative obligations that go beyond the common law’s traditional reactive posture. The Law Commission’s ongoing work on AI and the law, together with the UK Government’s 2023 AI White Paper (Department for Science, Innovation and Technology, 2023), provides a foundation for such legislative development, although the Government’s current preference for a “pro-innovation” regulatory approach may delay the imposition of new tortious duties.

Counterarguments and Limitations

Several objections to the imposition of new duties of care merit acknowledgment. First, it may be argued that existing regulatory frameworks — including the UK GDPR, sector-specific regulation by the Financial Conduct Authority and Medicines and Healthcare products Regulatory Agency, and forthcoming AI-specific regulation — provide sufficient protection without the need for new tort duties. This argument has some force for harms that fall within established regulatory regimes, but it overlooks the fact that regulation and tort serve different functions: regulation is prospective and systemic, while tort provides retrospective, individual corrective justice. The existence of regulation does not preclude tortious liability, as established in X (Minors) v Bedfordshire County Council [1995] 2 AC 633, although the relationship between the two may affect the fairness inquiry under Caparo‘s third limb.

Second, it may be objected that the pace of technological change renders any fixed duty framework quickly obsolete. This is a legitimate concern, but it applies equally to all technology-related regulation and does not justify inaction. The common law’s incremental method and Parliament’s capacity to amend legislation provide mechanisms for adaptation. Moreover, the proposed duties are framed at a sufficient level of generality — reasonable care, explicability, a presumption of fault — to accommodate technological development without requiring constant revision.

Third, the concern about chilling innovation deserves careful treatment. There is a genuine risk that over-broad liability will deter investment in beneficial AI applications, particularly in sectors such as healthcare where the potential gains are substantial but the risks of liability are high. However, this risk must be weighed against the equally genuine injustice of leaving individuals without a remedy for harm caused by systems they cannot understand, control or hold accountable. The calibrated, risk-based approach proposed here is designed to minimise the chilling effect by concentrating the most demanding duties on the highest-risk systems, where the case for liability is strongest and the need for precaution most acute. As Cane (2013) has argued, the fear of over-deterrence is often overstated in tort scholarship, because empirical evidence on the relationship between tort liability and innovation is limited and equivocal.

Conclusion

The existing duty of care framework under Caparo is not incapable of application to AI systems, but it is structurally insufficient to address the distinctive features of AI-caused harm: algorithmic opacity, distributed agency, emergent behaviour and acute informational asymmetry. These features are not merely evidential difficulties; they undermine the foundational assumptions of the fault-based negligence inquiry and create a liability gap that leaves injured parties without effective redress. The partial protection offered by the CPA 1987 and existing regulatory regimes does not close this gap.

Tort law should therefore impose new duties of care for harm caused by AI systems, but the form of those duties must be carefully calibrated to the level of risk. For high-risk AI systems, a rebuttable presumption of fault, combined with a duty of explicability, provides the most doctrinally coherent and practically effective response. It addresses the claimant’s epistemic disadvantage, preserves the fault principle as a meaningful constraint, incentivises transparency and safety investment, and is broadly consistent with the existing structure of English tort law. For lower-risk systems, the incremental development of the Caparo framework, informed by a clearer standard of care for AI design and deployment, is likely sufficient. Legislative intervention is preferable for the structural elements of this framework — the presumption and the explicability duty — while the courts remain well-placed to develop the standard of care incrementally. The strongest reason for imposing new duties is not hostility to innovation but fidelity to the foundational principle that where one party creates and controls a risk from which another suffers, the law should provide an effective mechanism for accountability and repair.

References

• Burrell, J. (2016) ‘How the machine “thinks”: understanding opacity in machine learning algorithms.’ Big Data & Society, 3(1), pp. 1–12.
• Calabresi, G. (1970) The Costs of Accidents: A Legal and Economic Analysis. New Haven: Yale University Press.
• Cane, P. (2013) Atiyah’s Accidents, Compensation and the Law. 8th edn. Cambridge: Cambridge University Press.
• Chagal-Feferkorn, K. (2019) ‘The reasonable algorithm.’ University of Illinois Journal of Law, Technology & Policy, 2019(1), pp. 111–147.
• Department for Science, Innovation and Technology (2023) A Pro-Innovation Approach to AI Regulation. Cm 815. London: HMSO.
• European Commission Expert Group on Liability and New Technologies (2019) Liability for Artificial Intelligence and Other Emerging Digital Technologies. Luxembourg: Publications Office of the European Union.
• Howells, G. (2020) ‘Product liability for AI and software.’ In: Aplin, T. (ed.) Research Handbook on Intellectual Property and Digital Technologies. Cheltenham: Edward Elgar, pp. 397–414.
• Machnikowski, P. (2019) ‘Liability for damage caused by artificial intelligence systems.’ In: Liability for Artificial Intelligence and Other Emerging Digital Technologies, European Commission Expert Group Report.
• Nolan, D. (2013) ‘Deconstructing the duty of care.’ Law Quarterly Review, 129, pp. 559–588.
• Selbst, A.D. and Barocas, S. (2018) ‘The intuitive appeal of explainable machines.’ Fordham Law Review, 87(3), pp. 1085–1139.
• Stevens, R. (2007) Torts and Rights. Oxford: Oxford University Press.
• Vladeck, D.C. (2014) ‘Machines without principals: liability rules and artificial intelligence.’ Washington Law Review, 89(1), pp. 117–150.
• Wachter, S., Mittelstadt, B. and Floridi, L. (2017) ‘Why a right to explanation of automated decision-making does not exist in the General Data Protection Regulation.’ International Data Privacy Law, 7(2), pp. 76–99.
• Wachter, S., Mittelstadt, B. and Russell, C. (2018) ‘Counterfactual explanations without opening the black box: automated decisions and the GDPR.’ Harvard Journal of Law & Technology, 31(2), pp. 841–887.
• Weinrib, E.J. (1995) The Idea of Private Law. Cambridge, MA: Harvard University Press.
• Zerilli, J. et al. (2019) ‘Transparency in algorithmic and human decision-making: is there a double standard?’ Philosophy & Technology, 32(4), pp. 661–683.

Table of Cases

• Barnett v Chelsea and Kensington Hospital Management Committee [1969] 1 QB 428
• Bolam v Friern Hospital Management Committee [1957] 1 WLR 582
• Caparo Industries plc v Dickman [1990] 2 AC 605
• Hughes v Lord Advocate [1963] AC 837
• Manchester Building Society v Grant Thornton UK LLP [2021] UKSC 20
• Michael v Chief Constable of South Wales Police [2015] UKSC 2
• Rylands v Fletcher (1868) LR 3 HL 330
• Scott v London and St Katherine Docks Co (1865) 3 H & C 596
• South Australia Asset Management Corporation v York Montague Ltd [1997] AC 191
• Transco plc v Stockport Metropolitan Borough Council [2004] 2 AC 1
• X (Minors) v Bedfordshire County Council [1995] 2 AC 633

Table of Legislation

• Animals Act 1971
• Civil Liability (Contribution) Act 1978
• Consumer Protection Act 1987
• Product Liability Directive 85/374/EEC
• UK General Data Protection Regulation (UK GDPR)
• Regulation (EU) 2024/1689 (EU Artificial Intelligence Act)