On 12 July 2024, new legislation on artificial intelligence (Artificial Intelligence Act, “AI Act”) was published in the Official Journal of the European Union. The AI Act was designed to apply primarily to business entities using artificial intelligence (AI) and aims to establish a regulatory framework for its use while ensuring appropriate supervision.

A potential response to the new regulations could be a compliance check and the introduction of internal guidelines that establish rules for working with artificial intelligence within the organisation. The use of AI-powered tools requires ensuring that these solutions are used by the company’s staff in a secure and responsible manner, and that the system meets the regulatory standards and will continue to do so in the future.


1. Will the regulations apply to your company?

The AI Act applies primarily to providers of AI systems (entities making their AI systems available to other entities, e.g. OpenAI) and deployers of AI systems (entities that use AI technology across various sectors but do not control the AI, e.g. an entity using AI for decision-making processes).

Business entities will be required to inform natural persons (employees, clients, clients’ employees) that they are interacting with AI, explain the purposes of data processing by AI, and disclose that the data may potentially be shared with AI system providers. Regular risk assessments and ensuring compliance with the legal provisions will also be required.

The AI Act may apply to your organisation if:


2. Obligations under the AI Act

The result of this assessment will often determine whether it is necessary to put procedures and technical measures in place to continuously monitor compliance with the AI Act and privacy protection regulations.

These obligations may include:

1. Risk identification and assessment: business entities must verify whether the AI systems that they use, including new tools, fall within the high-risk category. High-risk systems are used, for instance, across such areas as health, education, employment, critical infrastructure, law enforcement, etc.

2. Transparency and information disclosure to users: business entities must ensure that AI systems intended to interact with natural persons are designed and developed in such a way that these natural persons are informed about such interaction unless it is clear from the circumstances and context of the system’s use.

3. Data security and protection: business entities must ensure that AI systems are secure and comply with the data protection regulations (GDPR).

4. Monitoring and audit: business entities using high-risk AI systems should monitor their operation and audit them regularly to ensure compliance with the AI Act.

5. Cooperation with providers: if a business entity uses AI systems provided by external providers, it should cooperate with them to ensure that the systems comply with the AI Act.

6. Training and awareness: business entities should ensure training for their employees on using AI systems and managing risks associated with such use.


3. Key clauses to include in internal AI usage terms and conditions

1. Use of technology partners’ services: most AI-powered products are based on models developed by other companies. It is important to inform users that their data may be shared with entities devising these models.

2. IP rights: the issue of ownership of AI-generated content and the terms on which users may claim ownership or use rights should be clarified (Recital 28 AI Act).

3. Data privacy and security: it is important to explain how user data are collected, used and protected. This is essential given the sensitive nature of data processed by AI systems (Recital 28 AI Act).

4. Limitation of liability: the rules of the company’s liability related to an AI product should be determined, in particular in scenarios where an AI result causes indirect or unintended consequences (this issue will soon be governed under the AILD).

5. AI disclaimers: it is crucial to include a disclaimer stating that AI-generated content may not be accurate and that the company is unable to verify its accuracy. This disclaimer should be prominently displayed in the product interface (Recital 49 AI Act).

6. “Be a good human” clause: as it is difficult to control how users can misuse AI, this clause notifies users that if they use AI contrary to the permitted use, their account may be suspended or terminated (Recital 58 AI Act).

7. Restriction on sharing and publishing AI-generated content: there should be an explicit restriction prohibiting users from using AI-generated content in violation of the terms and conditions (usage regulations). Users should bear full responsibility for the content they publish (Article 52 AI Act).


4. What if you do not comply with the AI Act?

Sanctions for violating the AI Act will be governed under national legislation; however, the Act outlines their fundamental structure. The sanctions are categorised under a three-level violation system:

The highest fines will be imposed for using prohibited systems due to an unacceptable level of risk involved. Fines reach up to 30 million euro or up to 6% of an entity’s annual turnover.

The second highest fines are stipulated for non-compliance with certain obligations. Breach of the relevant provisions is subject to fines of up to 20 million euro or up to 4% of an entity’s annual turnover.

Provision of information requested by national authorities or notified bodies that is untrue, incomplete or misleading is subject to a fine of up to 7.5 million euro or 1% of an entity’s total turnover.


5. What we can do for you

To prepare your organisation for the new requirements, we will:




Contact:
Krzysztof Brant – Attorney-at-law | Senior Associate in the Personal Data Protection and Transactions M&A and Corporate Law

Michał Pietrzyk – Attorney-at-law | Senior Associate in the IP / IT, Contracts (Commercial) and German Desk Teams