Series: Main considerations when drafting an AI license agreement

Many companies are already developing, or have developed, their own artificial intelligence (AI) systems^[1]. In the coming years, the majority of companies will likely provide licenses to customers or license AI systems from a third-party.

In this article series, we set out to discuss some key issues that will be relevant to consider in commercial license agreements for AI systems, either for an on-premise AI system or for an AI SaaS solution.

We have previously presented the content of the proposed Artificial Intelligence Act (the "AI Act"), which aims to harmonize and regulate the use of AI by establishing the conditions for development and use of trustworthy AI systems in the EU/EEA. In December 2022, the Council of the European Union adopted its common position ("General Approach") on the AI Act. On 14 June 2023, the EU Parliament adopted its negotiating position on the AI Act ("EP Mandate"). The next step is for the Commission, the Council and the Parliament to negotiate the final form of the law. The following views are therefore based on the wording in the EP Mandate as of 14 June 2023.

The AI Act follows a risk-based approach and establishes obligations for providers and deployers^[2] of AI systems, depending on the level of risk that the AI system can generate. Although this article focuses on the territorial scope of the AI Act under a license agreement without a middleman, it is important to note that both importers, distributors and authorized representatives of providers of AI systems may also be subject to the AI Act.

A company developing an AI system, or having an AI system developed with a view to placing it on the market or putting it into service, under its own name or trademark, whether for payment or free of charge, is defined as a "provider" and subject to the AI Act ("AI licensor"). Furthermore, a licensee of an AI system ("AI licensee") will typically be considered a "deployer" under the proposed AI Act, since the term "deployer" includes any natural or legal person using an AI system under its authority, except where the AI system is used in the course of a personal, non-professional activity.

As is the case for the GDPR, the proposed AI Act has an extra-territorial scope and may result in non-European AI licensors or AI licensees being subject to the act. There are currently three different scenarios in which an AI licensor or an AI licensee will be covered by the territorial scope of the AI Act.

Firstly, the proposed AI Act is applicable to AI licensors placing on the market or putting into service an AI system in the EU/EEA, irrespective of whether the AI licensors are established within the EU/EEA or in a third country. This means that AI licensors that first make an AI system available in the EU/EEA will be covered by the AI Act, i.e., any supply of an AI system for distribution or use on the EU/EEA market in the course of a commercial activity, whether in return for payment or free of charge. Furthermore, companies that supply an AI system for first use directly to the deployer or for their own use in the EU/EEA for its intended purpose, will be subject to the obligations of the AI Act.

Secondly, the AI Act will be applicable to AI licensees that have their place of establishment or who are located within the EU/EEA.  

Finally, the AI Act will also be applicable to AI licensors and AI licensees of AI systems that have their place of establishment, or who are located, in a third country where either Member State law applies by virtue of a public international law, or the output produced by the AI system is intended to be used in the EU/EEA.

This means that certain AI systems that are neither placed, put into service, nor used in the EU/EEA will nevertheless be subject to the obligations of the AI Act. The reasoning behind this extra-territorial scope is to prevent the circumvention of the act. The AI Act's Recital 11 presents the following use case for this far-reaching scope of the act: 

"This is the case for example of an operator established in the Union that contracts certain services to an operator^[3] established outside the Union in relation to an activity to be performed by an AI system that would qualify as high-risk. In those circumstances, the AI system used by the operator outside the Union could process data lawfully collected in and transferred from the Union, and provide to the contracting operator in the Union the output of that AI system resulting from that processing, without that AI system being placed on the market, put into service or used in the Union."

One main difference from the extra-territorial scope of the GDPR that is worth noting is that the AI Act will only apply to an AI system placed on the market or put into service outside the EU/EEA by a provider or distributor within the EU/EEA, if the system is classified as prohibited AI. The GDPR, on the other hand, applies to all processing taking place outside the EU/EEA where the controller or the processor is located within the EU/EEA. However, it should be noted that this wording in the current draft of the AI Act is only included in the EP Mandate, and the final regulation of the territorial scope is still up for discussion in the EU.

In accordance with official statements from the EU commission, the aim is to reach an agreement and adopt the AI Act by the end of the year. Companies will then likely have a 24-month grace period before the AI Act is enforceable and the rights and obligations set out therein can be exercised.

A general advice when drafting and negotiating a license agreement that will likely be subject to the upcoming AI Act, is to consider whether your company, either as a licensor or a licensee, may be subject to the obligations and requirements set out in the act. If that is the case, further considerations should be made with respect to the possible implications for the specific regulations in the agreement. In the coming editions of this article series, we will take a closer look at some of the relevant topics to consider, such as, e.g., warranty provisions.  

<sup>[1] The definition of an "AI system" is still under debate, but the proposed definition of an AI system as of June 2023 in the EP Mandate is "a machine-based system that is designed to operate with varying levels of autonomy and that can, for explicit or implicit objectives, generate outputs such as predictions, recommendations, or decisions, that influence physical or virtual environments;"

[2] Both the Commission and the Council propose the term "user" instead of "deployer".

[3]As of the EP Mandate from June 2023, an "operator" means "the provider, the deployer, the authorized representative, the importer and the distributor".</sup>