AI & Practical Legal Tips: Contracting Considerations in the Procurement of AI Solutions
In the second part of our series on the procurement and deployment of AI solutions, we outline below some practical tips for organisations on key areas to address when contracting for an AI solution.
Intellectual Property
Rights of ownership and use around intellectual property will be an important component of any contract for the provision of an AI solution. The types of IP-related provisions that your organisation might wish to consider when contracting for an AI solution include:
- Assurance from the AI provider that it owns or has the necessary licences and permissions to grant you requisite rights to use and benefit from the AI solution;
- Confirming that the AI solution has been created and trained in compliance with IP laws and that your use of the AI solution will not infringe any third party IP rights;
- Confirmation that the AI solution does not incorporate any open source code or, if it does, that use of the AI solution will not subject your organisation’s confidential or proprietary information to disclosure pursuant to open source licensing requirements;
- Clarity on the ownership of any bespoke IP developed under the agreement and on ownership of outputs. Typically, organisations will either seek to own or at least have a broad licence to use any outputs from the AI solution.
Data Protection
AI solutions frequently involve the processing of large volumes of personal data, so ensuring that robust data protection provisions appear in your contract with the AI provider will be crucial. The types of AI-specific points to address in the data protection provisions of your contract with the AI provider include:
- The AI provider should provide assurance as to the provenance of data used to train its AI solution and confirmation that the solution has been developed and trained in compliance with data protection laws.
- Your organisation will need a level of understanding around how the AI solution works for its own risk assessment purposes and, depending on the use/risk of the systems, you may also need to be able to explain the AI solution’s output and associated decisions for compliance with data protection laws. Therefore, the AI provider should commit to providing meaningful information to explain the logic involved in producing its solution’s outputs.
- The accuracy of outputs generated by AI solutions will be another important data protection consideration, so organisations should seek assurances as to the accuracy of such outputs (including that they won’t cause unlawful discrimination).
Information Security
The security of AI solutions will be paramount, particularly when they are processing large volumes of data. Therefore, your contract with the AI provider will require robust provisions relating to information security, including:
- Commitments from the provider around compliance with your organisation’s prescribed security requirements and/or a specific industry standard (e.g. ISO/IEC 42001, ISO 27001).
- Commitments from the provider around operational resilience and business continuity.
- Commitments from the provider to cooperate and engage with your organisation’s security testing and tabletop cybersecurity or resilience exercises, where appropriate.
- Obligations around reporting material security incidents affecting your organisation and/or its use of the AI solution.
AI Act
In the reasonably near future, organisations making use of AI solutions in the EU will also have to contend with the requirements of the AI Act, which will be particularly relevant when making use of an AI solution that is deemed high risk under the AI Act. For such high risk AI solutions, a number of contractual assurances will be required from the provider, including:
- Commitments from the provider around compliance with key aspects of the AI Act such as provision of technical documentation, ensuring traceability and access to logs, addressing potential biases and providing a quality management system to allow for incident reporting.
- Provision of assistance and information from the provider to help your organisation comply with the AI Act (including in respect of record-keeping and logging requirements).
- Rights of audit for your organisation and its regulators to verify the provider’s compliance with the AI agreement and its contractual commitments to your organisation.
Your organisation may also wish to consider including a clause which allows it to revisit the terms of the contract if necessary for compliance with the AI Act as regulatory guidance and market practice around the AI Act evolves in the next 12 to 18 months.
AI standard contractual clauses
The European Commission has helpfully produced suggested standard contractual clauses for the procurement of high risk and non-high risk AI solutions by public organisations. These documents are currently in draft form (available here) but will nonetheless be helpful for public and private organisations alike when looking to create or review AI contracts.
Stay tuned for the next article in our series, which will deal with the policies and documentation that organisations should maintain to manage the procurement, use and oversight of AI solutions. Please also feel free to contact any of the authors of this article for more information.
The authors would like to thank Tasin Islam for his assistance in drafting this briefing.