Navigating the Legal Landscape of Generative AI: Risks for Tech Entrepreneurs

Generative artificial intelligence (AI) continues to be a hot topic as pundits, media outlets and entrepreneurs consider the opportunities presented in industries ranging from health care to finance. Although there are many potential applications of generative AI, these opportunities also pose legal and ethical concerns that must be carefully managed. For early-stage companies utilizing and offering generative AI tools, navigating these waters is critical to their long-term success.

Training Data: Licensing and Privacy Concerns

Generative AI models are trained on large amounts of data, which can include personal data, confidential information, data protected by copyright and/or information regulated by various laws. Because of these legal requirements, companies must carefully consider the data used to train their generative AI models. A few key concepts are discussed below.

Data lineage. Companies should identify, track and understand where data originates, how it moves through the organization and how it evolves over time. Identifying the source of data used to train a model can help companies determine whether they have sufficient rights to utilize the data for training purposes.

Licensing training data. Some companies are now considering licensing arrangements to specifically obtain rights to use data to train generative AI models and subsequently generate output data. For companies building generative AI tools, it may be appropriate to enter into licensing arrangements with content owners prior to using the data to ensure the companies obtain sufficient rights.

Data anonymization and pseudonymization. Although removing personal identifiers from datasets is not a foolproof way to ensure compliance with privacy laws, these techniques can help mitigate privacy risks by removing or altering identifying information where personal data is used to train a generative AI model. This reduces the risk of identifiable data appearing within outputs from the model. As discussed further below, it is important for businesses to consider whether the data used to train AI models is subject to regulatory requirements and whether those requirements permit such uses of data.

Data minimization. Although large datasets are required to train models, companies should still try to minimize the amount of sensitive and personal data used for these purposes. These efforts can help reduce overall privacy risk and align with fundamental principles of data protection laws.

Regulatory Landscape: A Moving Target

The legal framework governing generative AI is still evolving. As the technology continues to advance, the legal requirements will also change. Although the law is still playing catch-up with the technology, several jurisdictions have already implemented regulations specifically targeting AI, and others are considering similar laws. Businesses should stay informed about emerging regulations and adapt their practices accordingly.

AI-specific regulations. Several jurisdictions have already enacted laws that specifically govern the development and use of AI, and others are considering such legislation. These laws impose additional obligations on developers and users of generative AI, including with respect to permitted uses, transparency, impact assessments and prohibiting discrimination. For example, the European Union’s Artificial Intelligence Act regulates AI systems based on their risk level, with higher-risk applications facing stricter requirements. Similarly, the Colorado Artificial Intelligence Act imposes requirements on developers and deployers of high-risk AI systems. For entrepreneurs, staying abreast of these developments is crucial.

Data protection laws. In addition to AI-specific laws, traditional data privacy and security laws – including the EU General Data Protection Regulation (GDPR) and U.S. federal and state privacy laws – still govern the use of personal data in connection with generative AI. For example, under GDPR the use of personal data requires a lawful basis, such as consent or legitimate interest. In addition, many other data protection laws require companies to disclose how they use and disclose personal data, secure the data, conduct data protection impact assessments and facilitate individual rights, including the right to have certain data erased. Companies must consider whether their AI systems can feasibly comply with such requirements.

Some Risks to Consider

The development and use of generative AI presents a variety of risks, including with respect to infringement, defamation and product liability. Entrepreneurs must be proactive in mitigating these risks by implementing content verification processes, including human review, and adopting risk management processes. The goal should be to develop trustworthy AI that is valid, reliable, safe, secure, resilient, accountable, transparent, explainable, interpretable, privacy-focused and fair.

Inaccurate results. Because generative AI models create output based on statistical calculations, the technology can yield inaccurate and/or misleading information. For businesses that rely on AI-generated content, these inaccuracies can have serious implications, and various risks arise where users rely on incorrect information. Content created by generative AI should be reviewed for accuracy by human moderators before being published.

Amplification of historical biases. Generative AI can also repeat and even amplify biases that exist within the training data. Developers of models should therefore work to mitigate bias by utilizing valid and representative data during training. In addition, decision-makers’ reliance on output should be tempered to ensure that the model is not suggesting a discriminatory action or causing a disparate impact.

Defamation. AI systems can also produce false or defamatory content. Although traditional defamation law focuses on human-generated content, the lines are blurred when it comes to AI. The creators, deployers and even users of the AI could potentially face legal action with respect to defamatory content, depending on the jurisdiction and the specifics of the case. However, implementing robust fact-checking mechanisms and human oversight can help mitigate this risk.

Copyright infringement. If an AI model is trained on copyrighted material without sufficient permissions and/or generates content that is substantially similar to copyrighted material, it could lead to infringement claims. Startups should carefully consider the copyright implications of training data and the generated output.

Product liability. If an AI-powered product causes harm due to inaccurate information, the developer could also face product liability claims. Because of this, ensuring the accuracy and reliability of AI outputs is paramount. Clear disclaimers about the nature of AI-generated content and its potential inaccuracies can help manage user expectations and reduce liability.

Transaction risk. For companies hoping to raise venture capital investment or eventually be acquired, failing to adequately consider some or all of the risks identified above could result in a much longer due diligence process, an expensive clean-up effort or – worst case – a transaction that fails to close.

Best Practices

To navigate the complex legal landscape surrounding generative AI, early-stage companies should consider the following.

Invest in data quality. Companies building generative AI tools should ensure that the data used to train the AI models is accurate, relevant and free from bias. In addition, the licensing agreements for such data should be carefully reviewed to ensure that the company is obtaining sufficient rights for the intended use case.

Risk management and review. Implementing robust fact-checking mechanisms, human oversight and risk management processes (including, for example, those based upon the National Institute of Standards and Technology AI Risk Management Framework) can help mitigate the risks presented by generative AI tools. Conducting regular audits of AI systems can help companies identify and cure potential privacy and liability risks before they manifest into legal issues. These audits should assess the data used for training, the outputs generated by the AI, and the processes in place for monitoring and mitigating risks. In addition to audits, conducting AI impact assessments can provide insights into the broader societal and legal implications of AI deployments. These assessments should be revisited regularly, especially as AI models are updated and new regulations come into force.

Privacy by design and default. Adopting a “privacy by design” approach involves embedding privacy considerations into the development process of AI systems from the outset. This includes limiting data collection, ensuring data anonymization and incorporating features that allow users to control their data. Moreover, “privacy by default” ensures that the strictest privacy settings apply automatically without requiring users to take action. For example, if an AI application offers personalized recommendations, the default settings should not collect more data than necessary to provide this service. AI systems should also be developed to facilitate individuals’ rights under data privacy laws. For example, with respect to the right to erasure under many privacy laws, one approach is to design AI models that are capable of dynamic retraining or updating to exclude specific data upon request.

Implement robust testing and validation. AI models should be rigorously tested to identify and address inaccuracies.

AI ethics committees. Given the complex ethical and legal issues surrounding generative AI, some companies may find that establishing an AI ethics committee provides valuable oversight. This committee can be tasked with reviewing AI deployments, ensuring compliance with legal standards and advising on ethical considerations. The committee should include a diverse group of stakeholders, including legal experts, data scientists and representatives from affected communities. This diversity ensures that different perspectives are considered, leading to more comprehensive risk management strategies.

Contract language. For companies acquiring IT products and services from a vendor that is developing or could develop AI products, consider including language in the contract that restricts what the vendor can do with the company’s data. For companies licensing AI products from another vendor, include robust language in the contract that addresses the various risks outlined above that might be relevant in that circumstance.

A strong legal and compliance team. Companies should also seek expert advice to navigate the legal and regulatory complexities of AI development, including with respect to contract negotiation and compliance efforts.

Insurance coverage. Companies should consider AI-specific insurance policies that can help protect against potential liabilities. Additionally, for those offering AI-based services, having clear contracts and terms of service that outline the responsibilities and limitations of AI usage can help mitigate legal exposure to customers.

Conclusion

By understanding the legal challenges AI presents and implementing appropriate safeguards, early-stage companies can realize opportunities with AI while minimizing exposure. Staying informed about evolving regulations, adopting best practices for risk management and seeking legal counsel when necessary are all essential steps in navigating the complex landscape. As the legal environment surrounding AI continues to develop, proactive engagement on these issues will not only protect businesses but also contribute to the responsible and ethical advancement of technology.

About the Authors

Chris Sloan is a shareholder in Baker Donelson’s Nashville, Tennessee, office and leads the firm’s Blockchain and Digital Assets Technology practice. He represents both technology and brick-and-mortar clients in matters involving software, IT and other vendor contract negotiations and transactions and assists early-stage, high-growth businesses with a variety of business law and intellectual property law matters. He can be reached online at [email protected] and at our company website https://www.bakerdonelson.com/.

Andrew Droke is a shareholder in Baker Donelson’s Nashville, Tennessee, office and a member of the firm’s Data Protection, Privacy and Cybersecurity practice. He advises clients on complex data use and sharing arrangements, digital health strategies, technology agreements, and information privacy and security compliance considerations. He can be reached online at [email protected] and at our company website https://www.bakerdonelson.com/.

