Newsletter

Contractual perspectives on the use of data

by Andreas A. Johansen and Anna Katrine Olberg Eide

The business sector and news landscape have been increasingly dominated by cases involving data collection and use. As is well known, data has been referred to as the new oil. In their unrefined form, both oil and data hold little value. The creation of value lies in the ability to compile, analyse, and combine data in a meaningful and efficient way. Recently, this focus on creating value has been reflected in an AI race among major players in the business sector. At the same time, companies looking to participate in the race or adopt AI solutions will encounter several legal challenges.

Data usage can raise several legal issues relating to liability regulations, information security, regulation of ownership of the data, etc. The following example can be used as an illustration: A supplier licenses technology that collects data about the production or production environment of a customer. The data enables the customer to enhance its own production, streamline its operations and achieve increased quality. In the supplier agreement, the supplier typically retains the intellectual property rights to the technology. However, the regulations governing the use of the data collected by this technology may not be as thoroughly defined.

The parties will normally have agreed that the customer can use the data, which is often the primary purpose of the agreement. However, it may be unclear whether this use is exclusive or if the supplier is also permitted to use the data for its own purposes, such as product development or training its AI solutions. If an AI solution is fed confidential or competitive information about the customer, there is a risk that this information could be disclosed, either directly or indirectly, to competitors. Additionally, the customer's data may be subject to confidentiality obligations towards its other contractual counterparts, such as subcontractors. Consequently, the supplier's use of the data could be contrary to the customer's interests in several ways. 

When drafting the agreement, careful consideration of potential issues is therefore essential. A customer should carefully consider any contractual clauses that allow a supplier to use customer data, while a supplier should ensure that the contract does not prohibit the intended use of customer data. It is essential to find a solution that strikes a balance and protects the interests of both parties.

The handling and use of trade secrets should be a key consideration when drafting an agreement. Trade secrets are defined in the Directive on Protection of Trade Secrets as information that: (i) is secret, meaning it is not generally known or easily accessible to those who typically handle such information; (ii) has commercial value because it remains confidential; and (iii) has been subject to reasonable efforts by the person lawfully in control of the information to maintain its secrecy. If trade secrets are carelessly inputted into an AI solution without contractual protections, they may lose their status and protection as trade secrets. To safeguard this information, it is possible to specify in the contract that trade secrets (and other sensitive information) are excluded from the rights granted to the supplier by defining “customer data” accordingly. However, implementing this in practice can be challenging. Another important commercial consideration is whether it is justifiable to use general insights and know-how to further develop an AI product, especially if this could benefit competitors. Consequently, many companies are implementing internal bans and guidelines on the use of AI tools to mitigate the risk of unintentionally sharing sensitive information.

An additional issue is the regulation of liability. The use of AI solutions involves several inherent risks, as these systems can be inaccurate, make mistakes, or produce biased results. When businesses adopt AI solutions, various liability-related concerns arise, particularly since underlying errors and biases can be difficult to detect but may lead to significant consequences. For example, a few years ago, Amazon halted its experimentation with an AI-based recruitment system after discovering it favoured men over women. In a hypothetical scenario where such a solution is used, a company could potentially violate applicable laws. This raises a crucial contractual question: If the customer faces liability and suffers economic losses as a result, can they seek compensation from the AI provider?

In principle, the customer is responsible for any corporate penalties imposed by authorities and potential compensation claims from candidates who believe they have been overlooked. However, the customer may pursue claims against the AI provider if the identified bias constitutes a breach of the agreement between the company and the AI provider. In theory, the customer could also claim compensation from the AI provider based on tort, while candidates might make direct claims against the customer. However, such scenarios are likely impractical. If a dispute arises, challenging evidentiary assessments will emerge: Would the customer have reached a different outcome if the AI tool had no selection biases or if they had not used the AI tool? Did the customer take sufficient measures to mitigate the known risks associated with such biases?

Another important example to consider is the contractual allocation of liability when an AI tool generates results that infringe on third-party intellectual property rights. Generative AI solutions are often trained on large datasets—comprising images, text, and other content sourced from the internet. As a result, this training data may be protected by intellectual property rights. When such AI solutions create new content, there is a risk that the generated output may closely resemble the protected training data, potentially leading to infringement of third-party intellectual property rights.

Moreover, scraped data used for training AI solutions may be subject to licensing provisions, including open-source licenses. Some open-source licenses, such as the GPL, require that derivative works be distributed under the same terms. These licensing requirements can be problematic in a commercial context, where companies generally want to maintain the proprietary nature of their source code and distribute it under their own licenses. We have seen companies face demands from open-source licensors claiming breach of contract and copyright infringement. Such situations can result in cease-and-desist orders and compensation claims.

From an intellectual property perspective, proving fault is not necessary to establish an infringement. If the generated content is similar enough to existing protected works, using the AI solution could lead to cease-and-desist letters and claims for compensation. This risk is especially high when the AI model is trained on a limited dataset. From a contractual standpoint, the customer is generally responsible for their use of the content generated by the AI solution.

Companies that use AI solutions should be mindful of these risks when negotiating agreements with AI providers. For example, it may be appropriate to include regulations that ensure the AI provider has secured the appropriate licenses for the training data or that the AI solution will not be trained on specific content, such as open-source licensed source code. It could also be relevant to implement contractual regulations that ensure the customer is indemnified for potential breaches of third-party intellectual property rights.
