Artificial Intelligence 2022

The Artificial Intelligence 2022 guide provides the latest legal information on industry use of AI, machine learning, AI regulatory regimes and legislative developments.

Last Updated: May 31, 2022


Author



Moses & Singer LLP is a New York firm recognised in the USA and internationally for its experience in assisting companies entering the US market and navigating the constantly evolving requirements of US federal and state laws and the issues arising at the intersection of regulatory compliance, the distinctive features of US intellectual property law and business transactions. The firm handles AI, machine learning and the internet of things. Moses & Singer established a multidisciplinary data law practice focusing on data as a corporate asset: this provides a broad-gauge, cross-functional practice to guide clients in leveraging their data assets, internally and externally, as new technology and analytics platforms create new business opportunities – this includes using machine learning to design US-focused products, and negotiating and structuring contracts in the US style. A number of the firm's lawyers are highly ranked by international legal directories.


Legal Issues in AI

Data is created at the rate of 1.7 million bytes per second per user. Data becomes useful when it is converted into information, and then from information into insights. Artificial intelligence, or AI, is a set of technologies that accelerate the generation of actionable insights.

An emerging and significant business and legal development is that companies’ use of AI is changing. Before it was “the company uses AI from time-to-time in specific cases”. Now it is “the company is an AI-enabled company”. This reflects that AI is a sea change in how companies do business. 

AI-enabled companies use AI internally and externally, tactically and strategically. Internal uses are to reduce costs and to achieve competitive advantage. External uses include monetising data and leveraging a company’s relative power in its strategic alliances to become a senior member of the business partnership. Overall, new technology and data analytics platforms are creating new ways to leverage corporate assets and to create new business opportunities. 

AI’s power depends on data. As a result, AI is best analysed in combination with data and connected devices such as the internet of things (IoT), and even specialised versions such as the internet of medical things. From a business perspective, data is a corporate asset, not just a problem set for privacy and database breaches. From a legal perspective, data issues are multidimensional and cross-disciplinary – that is, data issues involve different types of data from different sources and are subject to different areas of law simultaneously. This requires cross-functional legal services. A data privacy issue is not simply a privacy issue but, in most cases, will also involve IT technology and services, cloud computing, the legal status of digital assets, the structuring of business partnerships, tax issues, etc. 

AI as a Change Agent

As noted, companies use AI strategically to add business capabilities and enhance their position in the marketplace. Change involves risk, but so does not changing. For example, data has a life cycle, especially when used in AI, and keeping outdated data risks greater liability in the event of a data breach. AI as a change agent requires that the company’s data and AI professionals work in concert with the IT department. For many companies, this combination is a new way of implementing business transformation or, specifically, digital transformation. AI requires data management and a supporting – and often improved – IT infrastructure, with the support of the law department and outside counsel. AI as a change agent also requires work with compliance officers. It is easier to build in regulatory compliance than to retrofit after the work is done.

AI Requires an Updated IT Infrastructure

AI has changed how lawyers should draft agreements because AI has changed the ecosystem of technology and data transactions. Effective AI requires an IT infrastructure that delivers data as and when needed. AI uses:

  • personal and non-personal data;
  • private and public data;
  • first-party and third-party data, regulated and unregulated data;
  • structured and unstructured data;
  • data stored on-premises and in the cloud; and
  • data provided by the company and obtained through data-as-a-service third parties.

Further, data is not just collected, it is generated, including machine-generated data from machine learning.

The AI ecosystem is a multi-stakeholder, multi-vendor and multi-technology, self-operated and vendor-provided data services environment. To unlock the value of AI, the IT and data ecosystem should not be balkanised but rather should be redesigned to provide increased data interoperability. This, in turn, requires agreements to enable if not require co-operation between vendors. For example, corporate law departments should establish and enforce company-wide policies that establish minimum levels of co-operation between vendors and minimise siloed data operations.

What is AI?

Having established the connection between data and AI, and the supporting IT infrastructure, let us address the question of “what is AI?” First, AI is not a single technology but a set of technologies which include the following. 

Algorithms

An algorithm is a set of instructions that tells a computer how to process data. Algorithmic bias is a potential threat to the integrity of AI results, and can result from human biases that become built into the algorithm.

Machine learning

In machine learning (ML), a machine learning algorithm processes data and generates correlations or predictions without relying solely on rules programmed into the algorithm. Often, IT personnel or data professionals provide data sets of objects or images (such as X-rays of specific tumours in healthcare AI) that they classify to train the ML algorithm to identify correlations in the training data and other objects or images. The algorithm is said to “learn” because it recalculates the weight it gives to different factors in the training images in order to optimise its prediction, such that the quality of the predictions increases over time with more training data. 

Deep learning

Deep learning is a subset of machine learning, based on artificial neural networks where the algorithms perform multiple layers of processing in order to extract progressively higher-level features from data. 

Neural networks

The name and structure of neural networks used in deep learning are based on how biological neurons signal one another in the human brain. Artificial neural networks consist of node layers, which contain an input layer, one or more hidden layers and an output layer. Each node connects with another and has an associated weight and threshold. When the output of an individual node exceeds a specified threshold value, the node is activated and sends data to the next layer in the network. When the threshold is not met, no data is transmitted to the next layer in the network.

“Black box”

The “black box” part of AI occurs when human beings do not know what weight the algorithm assigns to different factors in order to reach a prediction. For example, physicians want to know what weight an algorithm is assigning to different factors – when the algorithm predicts whether a tumour is cancerous or benign – in order to rely on the prediction in making a diagnosis and determining a course of treatment.

Company AI and Data Policies

Data does not manage itself. Algorithms and data analytics have to be monitored for bias. An important function of corporate law departments is in creating, enforcing and, as technology and methodologies improve, updating corporate data and AI policies. The policies should combine regulatory compliance with corporate rules for use of data and AI analytics for both internal use and external use. An example of internal use would be to reduce costs and improve the efficiency of operations; an example of external use would be to commercialise data or the results of data analytics.

The AI aspects of these policies should address the following.

Best efforts to discover algorithmic bias

For example, a financial institution would become subject to regulatory scrutiny if it systematically denied mortgages or issued credit cards bearing higher than normal interest rates to people living in a particular neighbourhood (eg, related to ethnic or racial background) because of assumptions about the credit-worthiness of an individual based on opinions about the neighbourhood rather than on data about the specific individual; in this case, the financial institution would be subject to penalties for “red-lining” (basically, drawing a red line around a neighbourhood on a map).

The bank could run the same risk if it purchases data from third-party sources to use in making credit determinations and then repurposes it. The third-party dataset could have been originally developed for advertising, and embedded in it could be classifications of individuals for advertising purposes, based on such neighbourhoods. While this classification may not be deemed discriminatory for advertising, when the data is repurposed for credit evaluation purposes, the machine learning scoring of individuals would be based on those classifications, which could digitally red-line and potentially invite the same regulatory scrutiny. Thus, corporate data policy requires testing to try to uncover algorithmic bias.
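One way to run the kind of test described above before a repurposed dataset reaches a credit model, as an added example that is not part of the original guide. The records are constructed, the field names (`ad_segment`, `neighbourhood`, `approved`) are hypothetical, and both 0.8 thresholds are assumed review triggers rather than legal standards.

```python
from collections import Counter, defaultdict

def _rows(segment, neighbourhoods, approvals):
    """Build constructed applicant records for one advertising segment."""
    return [{"ad_segment": segment, "neighbourhood": n, "approved": a}
            for n, a in zip(neighbourhoods, approvals)]

# Constructed sample data (not real applicants). `ad_segment` is a hypothetical
# label inherited from a third-party dataset originally built for advertising.
RECORDS = (
    _rows("urban_value", ["N1"] * 9 + ["N2"], [True] * 3 + [False] * 7)
    + _rows("suburban_premium", ["N2"] * 5 + ["N3"] * 5, [True] * 8 + [False] * 2)
    + _rows("mixed", ["N1"] * 3 + ["N2"] * 4 + ["N3"] * 3, [True] * 7 + [False] * 3)
)

def approval_rates(records, feature="ad_segment"):
    """Share of approved applications for each value of `feature`."""
    totals, approved = Counter(), Counter()
    for r in records:
        totals[r[feature]] += 1
        approved[r[feature]] += int(r["approved"])
    return {value: approved[value] / totals[value] for value in totals}

def impact_ratios(rates):
    """Each group's approval rate relative to the best-treated group."""
    best = max(rates.values())
    if best == 0:  # nobody approved anywhere: no disparity to measure
        return {value: 1.0 for value in rates}
    return {value: round(rate / best, 3) for value, rate in rates.items()}

def neighbourhood_concentration(records, feature="ad_segment"):
    """For each feature value, the largest share drawn from one neighbourhood.

    A value close to 1.0 means the inherited label is effectively a stand-in
    for a neighbourhood, which is how repurposed data can red-line digitally.
    """
    by_value = defaultdict(Counter)
    for r in records:
        by_value[r[feature]][r["neighbourhood"]] += 1
    result = {}
    for value, counts in by_value.items():
        top_name, top_count = counts.most_common(1)[0]
        result[value] = (top_name, top_count / sum(counts.values()))
    return result

def review_flags(records, ratio_floor=0.8, concentration_floor=0.8):
    """Feature values needing review; both thresholds are assumptions."""
    ratios = impact_ratios(approval_rates(records))
    concentration = neighbourhood_concentration(records)
    flags = []
    for value, ratio in sorted(ratios.items()):
        if ratio >= ratio_floor:
            continue
        name, share = concentration[value]
        flags.append({
            "ad_segment": value,
            "impact_ratio": ratio,
            "dominant_neighbourhood": name,
            "neighbourhood_share": share,
            "acts_as_neighbourhood_proxy": share >= concentration_floor,
        })
    return flags

if __name__ == "__main__":
    for flag in review_flags(RECORDS):
        print(flag)
```

On the constructed data only the `urban_value` segment is flagged: its approval rate is well below the best-treated segment, and nine of its ten members come from one neighbourhood.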

Conducting due diligence of third-party data

Similar to the above, the corporate policy should require a vetting of the purposes for which a third-party dataset was created, to determine whether, when repurposed, it will distort the machine learning carried out by the company.

Protecting against disclosure of corporate data that provides a competitive advantage

This means identifying the data when it is in a database. It may also involve establishing a hierarchy of sensitive data, and establishing access and use privileges. This can be done on both a general corporate level and also created for specific projects to address the rights and responsibilities of team members on a particular project.   

Protecting against reverse engineering

Protecting against disclosing data that, while uncontroversial at face value, may in fact enable a third party to “reverse engineer” the data to discover a proprietary technique, such as a bank’s trading strategies, a pricing model, or even the identity and sources of critical components for company proprietary products when those components provide a technology or competitive advantage. This may include protecting the company’s supply chain. 

Preventing premature disclosure

Preventing premature disclosure of patentable inventions that could prejudice obtaining patent rights.

Structuring the use of proprietary algorithms

Structuring the use of proprietary algorithms to protect the company in joint ventures, strategic alliances and other business partnerships where today’s partner can be tomorrow’s competitor.

Establishing corporate rules

Corporate rules should be established in relation to the following:

  • when to run two machine learning algorithms simultaneously to validate correlations and the accuracy of predictions;
  • the rules company personnel are to follow for external licensing; and
  • the terms of licences that are required when the company is receiving a licence.

Approval process for terms of IT acquisition agreements

This is to address the point made above that AI requires an IT infrastructure that meets specific requirements. This part of the policy is to ensure the terms of the agreements with different vendors meet those requirements.

Corporate requirements for licensing company data to third parties

When regulated data is involved, or when the company is in a regulated industry, the policy is a combination of regulatory compliance, the company’s determination of how it achieves regulatory compliance, and corporate policies that are in addition to those dictated by regulatory requirements.

Determining the company personnel to be involved in issuing and evaluating RFPs from AI and IT vendors, and in selecting vendors

As a practical matter, this means involving the chief data officer, the chief analytics officer, the chief digital officer or others in the company's data department. These data professionals are not part of the IT organisation, and include data modellers, data architects, data integrity officers and data governance officers.

Subpoenas

Establishing procedures and escalation paths for responding to subpoenas and establishing AI and data controls to protect against unnecessary production.

Data life cycle management

Determining how long to store data in different categories, including with respect to regulatory compliance and corporate use of data, as well as its value in external monetisation.   

AI and Data Issues in Mergers, Acquisitions and Divestitures

Rights in corporate assets are an important aspect of mergers, acquisitions and divestitures. Machine learning algorithms and data are valued corporate assets and, therefore, now play an important role in these transactions. For example, in divestitures, both the business of the spin-off company and the company divesting the spin-off company will have needs in the data, and the rights will initially reside in the divesting company. Issues to be addressed include:

  • which data and algorithms can be divided and assigned to one company or another;
  • which have to be shared because of the benefits to each; and
  • whether the divesting company will have to provide transition services to the spin-off company. 

This issue is compounded when the data resides in one database, or when data needed by both companies resides in multiple databases and in different company buildings or different geographic locations. This is further compounded by the lack of clear legal standards of how data is owned. Additional issues are whether third parties may retain rights in the data that is intended to be owned by the spin-off, and whether licences to use third-party algorithms allow use by the spin-off under existing licences or if new licences are required.

Dividing a common database raises the question of which company has exclusive rights in a specific dataset. If this is contested, an arbitrator or panel of arbitrators or other neutrals can be designated to decide the allocation. A multiparty panel may be needed to provide the expertise in data science and industry knowledge.

The issues in an acquisition are the same as the above, but in reverse. These include the AI technologies and data that the acquired company is able to provide to the acquiring company, and whether the acquiring company needs additional licences or rights from third parties to use the technology and data used by the acquired party.

In both divestitures and acquisitions, a transition services agreement may be required when one of the companies needs to use the IT infrastructure of the other to conduct machine learning for a temporary period, or have the other party host data. Transition service agreements used in outsourcing provide a model for how to structure this arrangement. In each case, special due diligence is required to cover the overlapping rights provided under the governing agreements and controlling law.

“Solid” Internet Specification and how it Applies to AI

“Solid” – which stands for “socially linked data” – is a set of internet specifications developed by Sir Tim Berners-Lee, the inventor of the World Wide Web, in collaboration with the Massachusetts Institute of Technology. It is a Web 3.0 “web decentralisation project” designed to give individuals more control of which persons and things access and use their data. “Things” means the applications on the internet. In this sense, Solid is designed to “fix” the World Wide Web, where individuals currently have limited control over how their data can be used.

Solid makes use of “pods” (personal online data storage), which are storage areas controlled by individuals, and which function as secure personal web servers for data. Each pod has access rules that are specific to it. Individuals have the right to grant or revoke access to data in their pods (an individual can have more than one pod). Any person or application that accesses data in a pod uses a unique ID. Solid’s access control system uses these IDs to check whether an entity or internet application has the right to access and use data in the pod. 

The connection between AI and Solid is that an individual can use AI to determine which data to load into the pod. The individual controls the machine learning algorithm, and can change algorithms and thus the data loaded into the pod. The algorithm can be trained to screen for data features to be included and excluded from the pod. Because a pod controls access and use of the data, it indirectly controls the use of a third-party AI to which the pod owner has granted use rights. A related issue is how the individual gains the right to use machine learning algorithms to perform analytics and determine the data to be loaded in the pod. 

Proposed Licensing Paradigm: “Decision Rights”

As a practical matter, it is often difficult for parties to a transaction to reach an agreement on ownership of data because the scope of ownership and its status under intellectual property rights is unclear under the present state of the law. A party is often concerned that by assigning ownership rights it will be giving up rights it may need in the future. Accordingly, parties focus on sharing data and the scope of use rights under sharing arrangements.

If we shift the focus from ownership to data use – because that is often the real issue involved – then we need a legal framework to govern the scope of use and sharing with particularity in order to protect both providers and users of datasets.

This article proposes “Decision Rights” as that legal framework. Decision Rights is a licensing model that defines the purpose of conducting analytics and the use of the results in terms of decisions that can be made based on them. The model also provides the entity controlling the data with a mechanism to grant (and enforce) rights in the same data to different users for different purposes, thus enhancing data monetisation and revenue generation. Decision Rights protect against regulatory sanctions by putting boundaries on the data use that constrain the use rights of downstream parties. Under a Decision Rights framework, those entities owning or controlling a database would grant a set of rights defined by the decisions that can be made and, if desired, limit the rights to a business unit or even a specific individual. This framework applies to all industries. The following example is a digital healthcare scenario.

Hospital No 1 uses robots to patrol the corridors to locate areas that need emergency cleaning. The images captured by the robots incidentally capture patient beds lined up in the hallways awaiting entry into operating rooms and transfer between operating rooms and recovery rooms. Hospital No 2 seeks to optimise patient transfer and the use of the operating room by eliminating bottlenecks and reducing the time patients spend out of their hospital rooms and waiting in staging areas.

Hospital No 1 can grant Hospital No 2 the right to use the images only for the purposes outlined above. To do this, Hospital No 1 could structure the right to use its images only for the purpose of analysing the image data and using that to optimise the use of its facilities. In addition, Decision Rights protects both Hospital No 1 and No 2 by controlling use in onward transfers of datasets created by Hospital No 2, without compromising Hospital No 1’s decisions to provide different rights to different users.

AI, the Internet of Things and Cybersecurity

Connected devices, also referred to as the internet of things (IoT), generate rich data sets for machine learning. Connected devices, by their nature, introduce cybersecurity risks. The devices, while "smart", are often relatively simple devices (eg, a device whose function is to serve as a monitor) and, as such, they are subject to cyber-attacks. Moreover, because they are by definition connected, cybersecurity risks need to be addressed on three levels.

The first level is that of the individual device; the second level is the internet of things network formed by connecting a set of related devices that are designed to work together; the third level is the integration of the set of connected devices with the company’s core IT infrastructure. A device itself or the IoT of which it is a part can be an avenue for a cyber-attack, including for the company’s larger IT systems. 

In addition, a cyber-attack carries the risk of an intentional malicious change to the data that will adversely affect data analytics and the decisions a company makes based upon them. In this sense, a data cyber-attack can be a form of corporate sabotage.

AI Prediction

AI considerations in healthcare and autonomous vehicles will converge. In both fields, AI decisions can lead to bodily injury or even death. Artificial intelligence is used to determine whether it is a shadow or a pedestrian, a malignant or a benign tumour. Solutions to hacking risks, enhancing data integrity and uncovering the weight given to specific factors by machine learning models to open the AI "black box" to analysis will be shared, upgraded, and used in both fields because of the overlapping requirements of automotive engineers and physicians. Automobiles will enhance patient care, and healthcare will improve driver safety.

Conclusion

Accelerating advances in AI will accelerate innovation in how companies conduct business, but require enhanced IT equipment and new technology agreements to provide the new type of integration between data, the IoT and machine learning. Machine learning will lead to corporate use of more sophisticated analytics to provide deep learning and neural networks. 

Artificial intelligence brings great power, but also brings risks arising from both algorithmic bias and the difficulty of discerning the weight that AI technologies assign to different factors in generating predictions and other output on which businesses rely. 

Artificial intelligence as a change agent impacts on how companies staff innovation projects. An AI project requires integration of the skills and services of a company’s data professionals and IT staff in ways that are different from other corporate technology projects. This change is among the ways in which using new AI technology and analytics platforms requires cross-functional teams to successfully become an AI-enabled company.   
