Publications

1. A company utilizing third-party AI tools, or

2. An investor or acquirer evaluating a target company that uses third party AI tools.

1. Specific Use: Before a company makes a decision as to whether to use a third-party AI tool, it is crucial to gain a comprehensive understanding of the intended use and exact use case. For example, a tool that is used internally is likely to raise fewer issues. Conversely, a tool to write code or that will be integrated with a company’s product gives rise to more significant legal concerns.

2. Dependency: Companies should then assess potential “dependency” risks and be aware that third-party AI tools, like any software, are subject to change, suspension, and potential pricing updates. Assessing the tool’s stability and lawfulness is crucial to mitigate any potential disruptions or operational challenges. For example, some regulators started investigations in various countries which could impact the availability of such tools in their territories. In addition, a number of class actions have been filed in various countries on various grounds, including copyright grounds.

3. Terms and Conditions Review: Determining the exact version of the AI tools being used is crucial since different versions may have varying terms, licensing structures, and functionalities that can impact ownership, intellectual property rights, and integration with existing systems. It is also important to be aware that the AI tools terms may be updated from time to time without notice or user approval. These terms are likely to include limitation of liability clauses, indemnification clauses or representations and warranties that are likely to create legal risks or obligations to any company using their tools. Reviewing the terms and conditions associated with the third-party AI tools is therefore essential. In this context, companies may have to update their customer agreements or terms and conditions to incorporate relevant disclaimers, limitations of liability, and align with the tool provider’s policies.

4. Ownership: Companies must also address ownership rights when utilizing AI tools to create content. This may require a thorough review of the tool’s specific terms governing ownership. In addition, this may impact the company’s ability to provide certain representations and warranties in investment rounds or potential acquisitions. Likewise, the fact that an AI tool´s terms assign certain rights to you with respect to a certain output does not mean that the output will automatically be copyrightable or protected by IP laws, or not subject to a third-party claim. In each case, assessing the necessity and applicability of copyright and IP laws to the output in question will be necessary for the company to understand its copyrights and IP rights and therefore its ability to prevent others from using or copying the same output. Pursuant to the AI tool terms, companies using third party AI may be required to grant a license to use the input not only for receiving the output but also for other purposes, such as training purposes. Accordingly, companies using AI tools should ensure that they have all the required permissions, rights and authorizations to upload such input even if they are not the owners of such content/material.

5. Open Source: This is particularly relevant for companies that use third party AI tools to write code. There are a number of challenges associated with this, such as establishing which output is subject to which open-source license or providing necessary attributions. We suggest that companies which plan on using such tools to write code should use code-scanning software in order to determine which open source components are being used in the generated code (or, in case of copyleft licenses, ensure they are used in a manner which is separate and independent from the company’s code), and should also use certain protective filters (such as the one offered by GitHub CoPilot) to mitigate the risk that output is infringing or otherwise in breach of the respective open source license agreement.

6. Liability: Evaluating the tool’s potential risks, such as copyright infringement or damages caused by AI tools will help allocate responsibility and consider appropriate disclaimers and limitation of liability clauses in agreements with customers and terms of use. In this context, please note that some jurisdictions like the EU are currently working on legislation or amendments to existing legislation to include new liability rules with respect to damages caused by AI tools.

7. Privacy: Companies should exercise caution regarding the inclusion of personally identifiable information (PII) or personal data (PD) in prompts from AI generation tools or other AI tools, to protect privacy of data subjects, and to avoid liability. A review of the tool’s data protection practices and privacy practices will be necessary for you to comply with your own privacy obligations. This is particularly relevant to companies subject to the GDPR, the UK GDPR or CCPA given their hefty fines.

8. Confidential Information and Trade Secrets: Caution should also be exercised about inputting confidential information or trade secrets into AI tools. Inputting confidential information may result in loss of trade secret protection or result in breaches of customer agreements or confidentiality duties, and liability under contractual provisions may be excluded from a liability cap.

9. Unreliability: One should always remember that these AI tools are just that—tools. They do not replace human input in entirety. AI tools generate responses that its algorithm decides as the best answer and not necessarily the most correct or accurate answer.

10. Upcoming AI Laws and Regulations: In the next few months, new AI regulations will be implemented in various countries. These regulations will impose new obligations on companies that either develop AI tools or use third-party AI tools. The requirements will include transparency and explainability, bias detection and removal, risk assessments, and more. It is important for companies to monitor these developments and ensure compliance with their obligations. Similar to GDPR, noncompliance with these requirements could lead to fines, enforcement actions, litigation, and loss of business opportunities, both in terms of commercial deals and corporate deals.