Artificial intelligence, generative AI, machine learning, large language models and similar technologies (“AI”) are quickly becoming a mainstay of business software. There is no doubt that AI has endless possibilities, as it provides the ability to process vast amounts of data to learn and automate various processes. Generative AI takes this potential further, allowing an AI user to generate text, images, audio, and video with a few keystrokes. There are, however, several issues that businesses should consider before jumping headlong into AI, such as data ownership and control, data privacy and compliance, and vendor risk management.
Who owns and controls the data processed by AI?
At a high level, AI use includes three types of data: (1) input, (2) the data set that is used by the AI to process that input, and (3) output. For example, for ChatGPT, input would be a prompt, output is what ChatGPT provides in text, and ChatGPT uses a data set that it has accumulated to create that output.
Discussion of AI generally focuses on input and output, and AI users should ensure they are provided with ownership of as many rights as they need to their input and resulting output. Yet another key consideration is the data set the AI uses to produce the output. Depending on the AI solution and vendor, the data set may be one of several variations. The AI vendor may (1) own the data set; (2) use a customer-specific data set; or (3) require incorporation of each customer’s data into the AI vendor’s overall data set to help train the AI model for the benefit of every customer. Depending on the version of the data set used, the ownership of the output may be unclear and the confidentiality of the input could be at risk. For example, if an overall data set of all customers’ data is used, training the AI model on a customer’s confidential information for the benefit of every customer may result in the AI using that data to generate content for future users that reflects or discloses the confidential information in some way. Another consideration is who owns, and therefore controls, the content of the data set.
Depending on the context, these risks could be merely hypothetical or extremely likely. To clear up these questions, and before entering into any agreement, businesses should ask the AI vendor how the data is being processed. These questions include, “Will the data be processed in a closed system where the AI model is only using your data?” or “Is the data being processed in an environment that trains the AI model for all users?” The answers to these questions may direct the contract negotiations of the parties to ensure protection of your data.
Are there data privacy or other compliance risks?
A corollary question is whether you can provide the input or use the particular data set or resulting output. If input includes personal information, various state and federal laws may apply that may restrict or prevent disclosure without (at a minimum) prior consent from the individual. Even with that consent, due diligence requires an assurance from the AI vendor that steps have been taken to ensure the AI solution is not generating biased, misleading, or infringing output that could subject the business to third-party liability. Additional questions arise around the security measures taken to protect the data set, particularly if that data set is in a “closed system” of only the customer-provided data that is hosted by the vendor. Many vendors have policies or internal processes that address these concerns, and these policies, processes, and concepts can become important negotiating tools to ensure that risks associated with AI are adequately allocated in limitations of liability, indemnity, and similar contract provisions.
What obligation does the vendor have to change with the legal landscape?
Yet another question is what, if anything, the vendor would be required to do in the event of a new law or industry practice. The legal landscape surrounding AI is far from determined, and it will likely take time for the law to catch up with technology. So, a particular use of AI that is allowed today may have regulatory constraints in the future. The AI vendor agreement could contemplate these changes and include steps the vendor must take to address them or termination rights for your business in such an event. Ultimately, care should be taken to avoid having to pay for an AI solution that cannot be used or will require unexpected future legal or technological investment.
The above are just a few of the key considerations when deciding whether to engage a third party for use of their AI.