Our experience shows that clients are increasingly interested in applying solutions based on artificial intelligence (AI) to streamline their work and gain a competitive advantage. However, plans to implement AI are accompanied by concerns regarding legal compliance, especially given that EU regulations that explicitly address the issue of artificial intelligence are not finalized yet.
AI regulations
Currently, there is no universally applicable legislation imposing specific obligations in connection to AI. However, this lack of regulation is not expected to last long. The finalization of the basic act – the Regulation of the European Parliament and of the Council laying down harmonized rules on artificial intelligence (artificial intelligence act) and amending certain union legislative acts (“AI Act”) – is scheduled still for this year. The Commission, the Parliament and the Council are currently negotiating the final wording of the AI Act in the course of a so-called “trilogue”. The regulation will primarily impose obligations on providers of AI systems, as well as on entities using AI systems which are under their control.
The most common doubts about AI
Notwithstanding the regulations which specifically concern AI, using AI should also be analyzed in light of the regulations which are already in place. The most frequently raised questions concern the following issues:
- determining who is entitled to the rights to AI-generated materials (completions) and determining the rules for using such materials, including identifying consequences of combining such completions with the client’s own solutions;
- determining the entity liable for intellectual property rights violations which are a result of using AI solutions and using completions/materials created by generative AI (e.g. determining which entity is responsible for claims of copyright infringement of entities whose materials were used to train models);
- potential access of the AI system provider to data which is entered into the model, particularly in the course of analyzing and filtering content to verify if the system is used properly (e.g. if it is used for a dangerous purpose);
- using client data to further train the models of the provider;
- GDPR compliance, in particular with regard to respecting the rights of data subjects and implementing the requirements related to automated data processing (including profiling), as well as the problem of providing false personal data in the output generated by AI solutions.
The answers to the concerns above may be found primarily in the contract with the AI system provider and also in technical documentation describing the data flow or in the service configuration options.
In addition to the above, necessary changes in the client’s own organization should be assessed to ensure using AI solutions in accordance with the law and in a way which mitigates the risks specific to such solutions (e.g. the risks of over-reliance on AI systems or the so-called hallucinations of AI solutions). These activities usually include preparing appropriate rules for the use of AI, updating data protection documentation or implementing rules for human control of the AI-generated material.
When identifying legal risks and their solutions, it is worth remembering that there are considerable differences not only between different versions of AI solutions, but – most importantly – between AI service providers, especially regarding the ways in which they regulate the above issues in their contracts or in the architecture of their services. The situation in this area is often very dynamic – for example, recently Microsoft published the Microsoft Copilot Copyright Commitment which states that, starting October 1st, Microsoft will extend existing contractual liability rules for intellectual property infringement with regard to commercial Copilot services (including Copilot for Microsoft 365 Copilot, GitHub Copilot) and Bing Chat Enterprise. As a result of the above, Microsoft will defend the customer and pay any amounts awarded in adverse judgments/settlements in the event that the client is sued by a third party for infringement of intellectual property rights through the use of Copilot services or the generated responses (excluding trademarks). To benefit from the above, it is necessary to use the protections and content filters built into the services by Microsoft and not to use the services intentionally to create infringing materials. The obligation to defend against claims related to the use of AI-generated content by AI systems is undoubtedly an important change in the approach to the client, and may facilitate any decision regarding using AI.
Implementing AI is already possible
Despite many valid points regarding the risks of using AI, what is common for new technologies, it should not be assumed, without further analysis, that implementing such systems in an organization is currently not possible, particularly given the still-ongoing work on the AI Act. The regulations which are in force in Poland do not generally prohibit the use of such solutions. However, it is important to approach this topic thoroughly, including by properly defining the rights and obligations of the user and the AI solution provider, defining the ways in which AI solutions can be used in the organization as well as adjusting internal procedures. Many entities are already using this technology in their daily work, showing many interesting applications of AI (e.g. efficient document review, performing summaries and analysis of large amounts of text) and how many further benefits it can bring.
