As Gen AI reshapes business, what will the legal landscape look like?

The rise of generative artificial intelligence has sparked debate around various legal, regulatory and compliance considerations.

The advent of generative AI (Gen AI) has brought about revolutionary capabilities to generate human-like content, including text, images and even music. While it creates a wide range of opportunities in various industries, there are significant legal, regulatory and compliance considerations that need to be taken into account in the use and development of Gen AI. This article discusses some of these and explores strategies organizations can take to mitigate risk.

Intellectual property

Perhaps one of the most critical legal concerns related to Gen AI is its potential impact on intellectual property rights. As Gen AI has the ability to create original work, questions arise regarding who holds the rights to these creations. In fields such as art and music, copyright law protects the rights of the creators. However, when the creator is an AI algorithm, it becomes increasingly difficult to define the ownership of the resulting content.

Most legal frameworks around the world, including Switzerland, recognize humans as the owners of intellectual property rights. Therefore, it is crucial to establish guidelines and regulations to determine whether AI-generated works should be granted the same protection. These guidelines would need to consider the extent of human involvement in the creation process and whether the AI algorithm can be considered an autonomous creative entity. Striking the right balance between encouraging innovation and protecting artists’ rights will be essential in addressing this challenge.

Data protection

Gen AI systems often require vast amounts of data to learn and produce content accurately. However, this reliance on data raises concerns about privacy and security. One Gen AI model which has sparked debate concerning data privacy and security is ChatGPT. The data collection method used to train ChatGPT may be unlawful if data was scraped from a source without the consent of the data owners. The data collected may include personal or sensitive data for which consent is required under relevant data protection laws, notably the EU General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). Transparency is another important aspect of data privacy in the context of Gen AI such as ChatGPT. Users should be informed of how their personal data is being collected, processed, and used, and should have the ability to access or control their personal data as required.

From a regulatory perspective, various data protection authorities have spoken out about the risks generative AI models pose to data privacy and security. Most notably, earlier this year the Italian Data Protection Authority Garante temporarily prohibited the use of ChatGPT, primarily due to its unlawful collection of personal data and lack of protection for minors. Following this, the Swiss Federal Data Protection and Information Commissioner released a statement providing cautionary advice for organizations intending to use ChatGPT. Additionally, the European Data Protection Board announced the creation of a task force specifically for the purpose of investigating ChatGPT, reiterating the need for proper regulation of such Gen AI systems.

Ethical questions

Ethical considerations surrounding Gen AI are also vast and multifaceted. Policymakers and developers must grapple with questions such as: How can the technology be regulated to prevent the misuse of AI-generated content? Should there be limitations on certain types of content that can be generated by Gen AI? How can Gen AI be developed in a way that it does not manipulate or deceive others?

A significant challenge of Gen AI is its potential to produce bias or discriminatory outputs. Gen AI is prone to hallucinations and can generate false or misleading information that could harm consumers. In a legal context, questions may arise regarding the degree to which a person relies on information provided by Gen AI. These ethical dilemmas must be addressed to ensure that Gen AI is used to better society without infringing upon privacy, security, or cultural norms.

Legal developments

The rapid rise of Gen AI has also impacted legislative debates on the EU Artificial Intelligence Act (AI Act), which aims to regulate the development and use of AI in the European Union. The European Parliament substantially amended the European Commission’s initial proposal, notably introducing specific rules that apply to Gen AI systems. In particular, providers of Gen AI systems will have to train, design and develop the system in such a way that there are state-of-the-art safeguards against the generation of content in breach of EU laws. Providers must also document and provide a publicly available detailed summary of the use of copyrighted training data and comply with stronger transparency obligations.

Given the significant advances made by Gen AI and its potential impact on society, EU legislators are evidently pushing towards placing stringent requirements for those operating such AI systems. As a result, organizations deploying Gen AI must ensure that they comply with relevant regulations and guidelines, specifically those related to AI and data protection.

What can your organization do to prepare?

As the technological landscape evolves, so too does the regulatory environment. For many organizations, this rapid change poses a challenge in terms of in-house capacity and expertise. Against this background, it can be helpful to work with an external provider for a status quo analysis or ongoing support. Some steps you may consider include:

• Arrange a health check to identify general compliance gaps relating to the use of Gen AI and get recommendations on remedial actions.
• Seek expert regulatory advice on the compliant use of Gen AI in consideration of requirements issued by financial regulators.
• Have your draft AI policies and processes reviewed, carry out product risk assessments and get guidance to ensure compliance with legal and ethical requirements.
• Ensure you understand how to carry out the data protection impact assessments (DPIAs) relevant for your organization’s use of Gen AI to ensure compliance with applicable data protection legislation.

Acknowledgement

We kindly thank Cathy O’Neill for her valuable contribution to this article.