Contracts and procurement
Given the intricate and ever-evolving nature of AI-related IT solutions, along with the regulatory landscape, it is crucial for businesses to prioritize the recognition, identification, and assessment of legal risks when developing and acquiring AI-related IT solutions. Due to the lack of an AI-specific regulatory framework in most jurisdictions, businesses will need to rely on contractual protections to safeguard against potential risks posed by AI-related IT solutions. Specifically, standard “off-the-shelf” IT service contracts may not adequately address the unique risks associated with AI-related IT solutions – although a well-drafted and comprehensive IT contract should get you most of the way there! Therefore, businesses need to conduct a detailed analysis of the contract documents for the procurement of an AI-related IT solution. By treating these legal risks as a top priority, businesses can mitigate potential challenges, ensure compliance, and establish a strong foundation for successful AI-related IT solution implementation.
Effectively managing these risks is paramount to prevent adverse outcomes, including reputational damage and non-compliance with regulations. By proactively addressing relevant legal risks, businesses can reduce the likelihood of disputes with AI-related IT solution service providers and their clients, protect their reputation, and ensure long-term operational resilience in the face of technological advancements and regulatory shifts.
Key legal risks / issues
1. Improperly developed AI-related IT solution: The implementation of an improperly developed AI-related IT solution can expose businesses to various types of liabilities. AI-related IT solutions must comply with relevant legal and regulatory requirements, including those related to intellectual property, data protection, privacy, and cybersecurity. For example, if the data used to train the machine learning model of an AI-related IT solution is acquired through misappropriation or in violation of intellectual property rights, it can lead to third-party claims or non-compliance with laws and regulations. Similarly, this might apply to businesses’ use of open source software to develop their own AI-related IT solution. Such violations may result in penalties, reputational harm, and legal consequences. Therefore, it is crucial to ensure that the AI-related IT solution was developed in accordance with the relevant laws and regulations to mitigate potential liabilities.
2. AI Failure: Although AI-related IT solutions operate purely based on algorithms and could potentially be more reliable than manual operations in certain processing activities, they are not infallible. For example, an AI-empowered chatbot may provide incorrect responses to customers, leading to disputes or breaches of contract. This risk may be enhanced where AI-related IT solutions are tasked with making autonomous decisions without direct human oversight. Businesses should assess their risk tolerance when adopting such AI-related IT solutions, and they have the opportunity to mitigate some of these risks by way of contract.
3. Use of Customer Data: AI-related IT solutions rely on businesses to feed extensive datasets to enhance the AI-related IT solutions’ machine learning models through continuous learning and improvement. In scenarios where a business owns valuable data that holds commercial significance (which may be provided to the service provider or used to feed the machine learning models), it would likely have a vested interest in limiting the service provider’s use of such data solely to the provision of the AI-related IT solution itself, with restrictions requiring the service provider to cease using such data when the engagement is terminated, rather than using it for alternative commercial purposes and benefits.
Actions for consideration
1. Due Diligence: Not all risks need to be addressed via contract. To ensure a successful procurement of an AI-related IT solution, conducting thorough AI-specific due diligence on the chosen service provider PRE-CONTRACT is crucial. This assessment should cover various key aspects, including the quality and nature of the training data used, open source software incorporated, as well as associated data rights and licenses leveraged to construct the algorithm. Additionally, it’s important to evaluate the service provider’s AI-related IT solution development practices and verify their compliance with relevant laws and regulations and industry best practices regarding release and code management and software development protocols. To achieve this, businesses should request the AI-related IT solution service provider to complete a customized risk questionnaire addressing these matters. By carefully analyzing the results of this due diligence process, businesses can effectively assess potential risks associated with third-party liabilities arising from the utilization of the AI-related IT solution.
2. Protective Clauses: To mitigate the risk of third-party liabilities, businesses can incorporate a set of protective clauses into their IT procurement contracts. As mentioned, this does not necessitate a substantial re-write of an organization’s existing IT template, but rather a surgical and focused review on discrete matters. This typically involves an indemnity clause where the service provider is liable for losses resulting from third-party claims (for example, the obligation to defend the business and cover any adverse judgments in specific situations, such as copyright infringement arising from the use of AI-related IT solution outputs). Additionally, audit rights allow an organization to continuously monitor the service provider’s performance to detect contractual breaches and non-compliance with laws and regulations. Representations and warranties on the quality of the AI-related IT solution further enhance accountability and ongoing oversight, establishing clear expectations regarding liability and enhancing legal protection for the business.
3. AI Governance Framework: To mitigate the risk of non-compliance by the service provider with relevant laws and regulations, as well as associated reputational risks, businesses should consider including a comprehensive and well-defined AI governance framework in the contract. This framework should clearly define the scope of applicable laws and non-binding legislation/guidelines. Additionally, it should establish clear guidelines and standards for the service provider, ensuring adherence to ethical, technical, data, and legal principles when offering AI-related IT solutions. For instance, service providers may be required to provide transparent documentation of the AI models and data sources, fostering accountability and enabling businesses to better assess the reliability of the AI-related IT solution.
4. Protecting Ownership of Data: To prevent the service provider from claiming ownership or misusing the data provided by the business, it is crucial for the business to include express contractual terms that establish the business’ ownership of all pre-existing materials utilized by the AI-related IT solution. Additionally, the business should clearly define its position on how service providers can utilize the provided data. Implementing stringent guidelines on data usage is another important step for businesses to consider. By doing so, businesses can effectively protect their proprietary information, maintain control over their data, and ensure that the service provider’s actions align with the agreed-upon terms and conditions, even after the termination of the AI-related IT solution.
Related contacts
Rachel Reid
Head of Artificial Intelligence, US E: rachelreid@eversheds-sutherland.com T: +1 404 853 8134
© Eversheds Sutherland. All rights reserved.