Legitimate concerns about the unethical use of AI and its risks prompted the EU Council to approve the EU AI Act on May 21, 2024. Following constructive talks, the Act was published in the Official Journal of the European Union on July 12, 2024, and will enter into force on August 1, 2024. The EU’s 27 member states unanimously endorsed the AI Act, affirming the political agreement reached in December.
The act is designed to spur the growth and deployment of safe and trustworthy AI systems throughout the EU’s single market. Other objectives are to safeguard the fundamental rights of EU citizens, enhance public confidence in AI, and stimulate innovation and investment across Europe. The Act is also notably broad in scope, impacting all the market actors in the AI value chain within the EU. Naturally, efforts to comply with its provisions will introduce numerous intellectual property (IP) considerations.
This article examines the Act’s posture on IP. We’ll also explore the obligations it imposes on AI providers and how these impact the protection of third-party copyright holders. Finally, we will investigate how the Act reconciles its goal of promoting transparency in AI usage with the IP principle of trade secret confidentiality.
The EU AI Act at a glance
This comprehensive 458-page document represents the world’s first extensive legislation on AI. It seeks to regulate AI technology, particularly addressing its associated risks, while promoting its responsible use. Its influence extends across the entire global AI value chain. Among its key objectives are the protection of fundamental rights and human values, pursued through harmonized rules. The Act applies to:
- Providers introducing AI systems to the EU market or putting them into service, whether based in or outside of the EU;
- Any providers of AI systems based within the EU;
- Importers or distributors placing AI systems on the EU market or making them available within the Union;
- Product manufacturers that incorporate AI systems into their offerings and place these products on the market under their own name or trademark; and
- Users of AI products and services within the EU.
The EU AI Act’s risk-based model
The Act is rooted in European values of fundamental rights and protection, adopting a risk-based approach. Under this model, certain AI systems are allowed, while those likely to pose high risk are subject to stringent regulations. AI systems with intolerable levels of potential harm are banned outright. The final draft of the legislation categorizes AI systems according to four risk levels, namely:
Minimal risks
The lowest risk level. A press release from the EU Parliament cited that “The vast majority of AI systems fall into the category of minimal risk.” An example of a minimal-risk AI system is a spam filter.
Obligation(s): For minimal-risk applications, AI providers and deployers are encouraged to adopt voluntary codes of conduct to internally regulate their use, regardless of whether they’re established in the EU or not.
Limited risks
Interactive AI applications such as chatbots, deepfakes, and generative AI systems that create or manipulate content (video, images, audio) are classified as limited-risk AI systems.
Obligations: Companies using or providing these systems must be transparent. Users must be informed that they’re interacting with an AI system (unless already obvious). This way, a user can decide whether or not to proceed with their use of the system.
High-risk systems
AI systems deemed high-risk are so-called because they are typically involved in high-stakes situations that could put EU citizens in harm’s way. They include systems for evaluating credit eligibility, health insurance, and job applications, safety components of products (for instance, the use of AI in robot-assisted surgeries), and the use of AI in private and public services.
Obligation(s): Besides the duty to be transparent about AI use, providers must follow certain “conformity requirements”, including the disclosure of technical documentation, system operations, and data management procedures (including data acquisition, collection, analysis, labelling, and storage). All of this documentation will be assessed by the relevant authority.
Unacceptable risk
The EU uses the term “unacceptable” to classify AI systems it deems to pose serious potential harm to individual rights and society at large. They include:
- AI systems that manipulate human behaviour in a way that overrides a person’s autonomy or free will;
- AI systems used to infer the emotions of a person in the workplace;
- AI systems that exploit people’s vulnerabilities (disability, socio-economic situation, or age);
- AI systems profiling people for social scoring purposes; and
- AI systems that identify people through remote biometric identification based on facial images or other sensitive data.
Obligation(s): Because they violate EU values, e.g., on fundamental human rights, AI systems deemed an “unacceptable risk” are prohibited.
Exemptions: which AI Systems get the nod?
AI systems used in military, defence, and national security contexts fall outside the scope of the EU AI Act. The same applies to legitimate research and innovation. If your AI system is used in a personal and non-professional context, the Act will not apply. Similarly, free and open-source AI systems fall outside its scope, unless they are placed on the market as high-risk AI systems, are involved in prohibited AI practices, or pose transparency risks.
Gen AI: The erosion of copyright protection
Popular innovations like robotics, natural language processing (NLP), machine learning (ML), and deep learning (DL) are subsets of AI that are gaining traction among AI providers. However, it is no surprise that generative AI is a key area of concern for regulators.
Despite the possibilities it offers, Generative AI may pose significant risks to the rights of IP holders. You may wonder how this is possible. Generative AI ingests already-existing content and uses it as training data to deliver similar output. Left unregulated, Gen AI can, at best, subtly endorse IP rights violations. At worst, it challenges traditional notions of authorship and copyright, significantly undermining the essence and value of human creativity.
When these Gen AI systems are not infringing on copyrights by mining vast amounts of text, images, code, and data for large-scale reproduction, they could mislead the public, spread bias, and breach privacy rights. And we are already witnessing these issues play out. A notable example is the complaint filed by the Austrian privacy group noyb against OpenAI. In this case, a public figure asked the chatbot for details about his birthday, and the chatbot provided false information.
Attempts to get OpenAI to honour his rights under the GDPR to rectify or erase the data failed. The situation was further complicated when OpenAI refused to disclose information about the source data. In response to the unprecedented scale of alleged copyright infringement, creatives are beginning to push back.
Recently, the Recording Industry Association of America and several US record labels sued AI music generators Suno and Udio for allegedly training their AI models by using the copyrighted works of their artists without permission.
Similarly, Universal Music Group brought a copyright lawsuit against Anthropic last year, alleging that the company used artists’ lyrics to train its chatbot, Claude AI, without authorization. Content producers are also joining the resistance. News platforms such as the New York Times have accused OpenAI (ChatGPT) of copyright infringement. Other legal disputes involve Gen AI companies like Anthropic, Stability AI, Midjourney, DeviantArt, and even AI chipmaker Nvidia.
IP-related obligations in the EU AI Act
It’s worth noting that the Act does not alter pre-existing obligations under Union law (See Recital 45). Thus, EU laws on personal data, consumer protection, social policy, national labour laws and practices, and copyright laws such as the EU DSM Copyright Directive still apply. Regarding IP rights, the Act implements several measures to regulate AI and establish safeguards for copyright protection. The following are some key provisions:
Requirements for providers of GPAI Models (General Purpose AI Models)
From a regulatory standpoint, GPAI models (including foundation models and Gen AI) are among the most impactful AI applications. As a result, providers of these models bear a significant share of obligations under the EU AI Act:
Article 53 (1)(c) sets out compliance requirements. Providers must “put in place a policy to comply with Union law on copyright and related rights, and in particular to identify and comply with, including through state-of-the-art technologies, a reservation of rights expressed pursuant to Article 4(3) of Directive (EU) 2019/790;”
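In practice, a “state-of-the-art” machine-readable reservation of rights under Article 4(3) can be signalled through mechanisms such as the W3C TDM Reservation Protocol (TDMRep), which uses a `tdm-reservation` HTTP header or HTML meta tag. The sketch below is a hedged illustration only: the header and meta names follow the TDMRep community draft, while the surrounding crawler logic is hypothetical, not something the Act itself prescribes.

```python
# Illustrative sketch: a data-ingestion pipeline honouring a TDM opt-out
# signalled via the W3C TDM Reservation Protocol (TDMRep).
# The "tdm-reservation" header/meta names follow the TDMRep community
# draft; the pipeline around this check is hypothetical.
from html.parser import HTMLParser


class _TDMMetaParser(HTMLParser):
    """Collects the <meta name="tdm-reservation" content="..."> value, if any."""

    def __init__(self):
        super().__init__()
        self.reservation = None

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            attrs = dict(attrs)
            if attrs.get("name", "").lower() == "tdm-reservation":
                self.reservation = attrs.get("content")


def tdm_mining_allowed(headers: dict, html: str = "") -> bool:
    """Return False if the rightsholder has reserved TDM rights.

    A 'tdm-reservation' value of "1" (HTTP header or meta tag) means the
    content must not be mined without a licence; "0" or absence means no
    reservation has been expressed at this location.
    """
    header_value = {k.lower(): v for k, v in headers.items()}.get("tdm-reservation")
    if header_value is not None:
        return header_value.strip() != "1"

    parser = _TDMMetaParser()
    parser.feed(html)
    if parser.reservation is not None:
        return parser.reservation.strip() != "1"

    return True  # no reservation expressed
```

A crawler that calls such a check before adding a page to a training corpus, and skips reserved pages, is one concrete way a provider could evidence the copyright policy Article 53(1)(c) demands.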
In laying out transparency requirements, the Act in Article 53 (1)(d) directs providers to “draw up and make publicly available a sufficiently detailed summary about the content used for training of the general-purpose AI model, according to a template provided by the AI Office.” The motive behind this is clear: to give IP holders easy access to data used in training AI systems. This enables them to identify and enforce their copyrights. For AI providers, this provision ensures they cannot obstruct investigations by claiming that such training materials (including said data) are trade secrets, and as such, protected from any obligation to disclose under law.
The import of this provision is crucial, given that one of the practical challenges of copyright protection in AI cases is proving that a copyrighted work was part of the training data. For instance, in the case involving Getty Images and Stability AI, Stability AI was alleged to have used over 12 million of Getty Images’ copyrighted images, captions, and metadata to train its text-to-image AI system without a license or compensation. The saving grace in this case — and not many IP holders will be so fortunate — was that Getty Images found its watermark on some of the output images from Stability AI’s proprietary AI art generator, Stable Diffusion. Beyond the obvious copyright infringement claim, the legal intricacies of the case expanded to include claims of database rights infringement, trademark infringement and passing off.
Additionally, AI providers must comply with information-sharing requirements when putting their systems on the market. Article 53 (1)(b) mandates that AI providers create and disclose documentation to those looking to integrate general-purpose AI models into their AI systems. This requirement must be met “without prejudice to the need to observe and protect intellectual property rights and confidential business information or trade secrets in accordance with Union and national law.”
Record-keeping requirements are outlined in Article 53 (1)(a), which stipulates that providers “draw up and keep up-to-date the technical documentation of the model, including its training and testing process and the results of its evaluation.” Providers and deployers should be guided by the Act to determine what information needs to be fully disclosed and what needs to be documented for potential later disclosure.
Obligations under TDM (Text and Data Mining)
Recognizing the need for proportionality in compliance requirements (i.e., that AI compliance requirements should operate based on the risk associated with the AI model), the Act makes certain allowances for text and data mining carried out for non-commercial and scientific purposes.
It also aims to reduce compliance barriers for SMEs and startups (see Recital 109) to ensure a level playing field. Recital 105 obliges those mining text and data to seek permission from the copyright holder(s) to use their content for training purposes, except where certain limitations and exceptions apply. These are contained in Directive (EU) 2019/790 and include cases involving scientific research, and cases where rightsholders have reserved their right to opt out of having their text and data mined. For clarity, Recital 105 affirms that the exceptions set out in Article 4 of the Copyright in the Digital Single Market (CDSM) Directive also extend to the use of copyrighted content for AI model training.
Restriction of content generated in breach of third-party IP rights
A combined reading of the texts appears to broadly impose an obligation on deployers, providers, and users of AI systems to use AI responsibly and in a way that prevents infringement of third-party rights. While the Act does not specifically address third-party IP rights, certain provisions (for instance, Article 78(1)) implicitly prohibit the generation of content that contradicts the Union’s values (one of which is the protection of intellectual property), the rule of law, and fundamental rights.
Given that the EU AI Act regulates AI use in alignment with other Union laws (including copyright laws), AI deployers, providers, and users are advised to avoid generating content that is unlawful, discriminatory, or violates fundamental rights. This extends to content that infringes on third-party IP rights, as such violations would contravene not only the spirit of the AI law but also the letter of the copyright rules.
How does the EU AI Act affect IP Holders?
At first glance, the transparency requirements in the Act might appear to conflict with the protection of trade secrets, confidentiality, and third-party IP obligations. However, this is not the case. The Act balances its regulatory objectives with crucial IP considerations, ensuring that even the AI Office is constrained from any regulatory overreach that could lead to infringement.
Specifically, Recital 108 of the EU AI Act requires the AI Office to exercise its oversight “… without verifying or proceeding to a work-by-work assessment of the training data in terms of copyright compliance.” This underscores that the Act does not intend to override copyright laws provided for under Union law.
Regarding AI providers, the current situation raises important questions about applicable transparency standards. The phrase “sufficiently detailed summary” used in the obligation to disclose is ambiguous. How detailed will the documentation be? How will these transparency requirements reconcile with the need to protect trade secrets?
Perhaps a temporary solution lies in the Codes of Practice (Article 56), which serve as an interim standard between the date the GPAI model provider obligations take effect (12 months after entry into force) and the full adoption of harmonized standards (roughly three years out). With third-party IP rights being a vulnerable point in the IP protection framework, the Act’s alignment with IP laws and other EU regulations offers some legal recourse. This alignment provides context for the current wave of IP infringement litigation rocking the AI ecosystem.
The road ahead…
Whether it involves copyrights, trademarks, patents, or trade secrets, one constant challenge that continually redefines the boundaries of IP protection is new technology, with generative AI being the latest example. As the Act enters into force, there are ongoing efforts to deepen the understanding of AI/ML technology to enhance IP protection. The complexity of foundation models and generative AI calls for more inquiry. Unlike discriminative AI, which classifies inputs (as spam filters do) and is typically trained on proprietary or licensed data sets, generative AI is built to ingest vast data sets, making traditional licensing approaches challenging.
Under the EU AI Act, the primary responsibilities for IP protection fall on the providers. Therefore, AI leaders would benefit from a cross-functional approach to compliance that includes IP lawyers and tech specialists, emphasizing copyright compliance throughout the AI supply chain. Proactive measures, such as built-in guardrails (filtering both input and output data, or incorporating human oversight) that sieve out outputs infringing third-party IP rights, may prevent possible infringements.
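The output-filtering guardrail mentioned above can be sketched very simply. This is a minimal, hypothetical illustration: the registry of protected snippets and the verbatim substring match are stand-ins for whatever fingerprinting, watermark, or provenance checks a provider actually deploys.

```python
# Minimal sketch of an output guardrail: screen generated text against a
# registry of known protected passages before returning it to the user.
# The snippet registry and verbatim substring match are placeholders for
# real provenance/fingerprinting checks (e.g. watermark or hash lookups).


def screen_output(generated: str, protected_snippets: list[str]) -> tuple[bool, list[str]]:
    """Return (allowed, matches); allowed is False if the output
    reproduces any registered protected snippet verbatim."""
    text = " ".join(generated.lower().split())  # normalise case and whitespace
    matches = [s for s in protected_snippets
               if " ".join(s.lower().split()) in text]
    return (len(matches) == 0, matches)


def guarded_generate(model_fn, prompt: str, protected_snippets: list[str]) -> str:
    """Wrap a model call (model_fn is any prompt -> text callable) so that
    flagged outputs are withheld instead of delivered."""
    out = model_fn(prompt)
    allowed, _ = screen_output(out, protected_snippets)
    return out if allowed else "[output withheld: matched protected content]"
```

A deployer would route all generations through a wrapper like `guarded_generate`, pairing it with input-side filtering and human review for borderline cases.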
It is important that providers assess the risk of IP infringement in the data used and secure the necessary permissions to disclose any third-party information required under the Act. Alternatively, AI companies can view IP compliance as an opportunity to innovate and create new markets. Stakeholders are already recognizing the potential: partnerships for licensed data use are being formed, exemplified by OpenAI’s deal with TIME and YouTube’s negotiations with record label giants Warner, Sony, and Universal to license their songs for training its AI song generator tool. Even AI dataset licensing companies have formed a trade group to advance the interests of IP holders.
Ultimately, IP considerations should serve as the foundation for responsible AI use, paving the way for sustainable innovation in AI technology.