The integration of artificial intelligence (AI) into business processes offers enormous opportunities for increasing efficiency and innovation. At the same time, the use of AI presents companies with new legal challenges and risks. This article highlights the most important legal aspects and provides advice on effective risk management when using AI in a corporate context.
Legal Framework for AI in Germany and the EU
On August 1, 2024, the Artificial Intelligence Act came into force in the EU, establishing a comprehensive legal framework for AI. This law will be fully applicable from August 1, 2026, with some exceptions for certain provisions. In addition to this specific EU AI Act, various existing areas of law are also relevant to the use of AI:
- Data protection law: The GDPR must be observed, particularly when processing personal data using AI systems.
- IT security law: The IT Security Act and the NIS Directive set requirements for the security of IT systems, including AI.
- Liability law: The Product Liability Directive and national liability rules are relevant for AI-supported products and services.
- Copyright: Copyright issues arise, especially with AI-generated works.
The EU AI law follows a risk-based approach, classifying AI applications into different risk categories and setting out corresponding requirements. This complements existing legislation and creates a specific framework for the development and use of AI systems.
Data Protection Challenges with AI
The use of AI raises specific data protection issues. These include:
- Lawfulness of data processing: The processing of personal data by AI systems must be based on one of the legal bases listed in Art. 6 GDPR.
- Purpose limitation and data minimization: AI systems often process large amounts of data. This can conflict with the principles of purpose limitation (Art. 5 para. 1 lit. b GDPR) and data minimization (Art. 5 para. 1 lit. c GDPR).
- Transparency and information obligations: The complexity of AI systems can make it difficult to fulfill the information obligations under Art. 13 and 14 GDPR.
- Automated decisions: For AI-supported automated decisions, the requirements of Art. 22 GDPR must be observed. This grants data subjects the right not to be subject to a decision based solely on automated processing.
To overcome these challenges, it is advisable to carry out a data protection impact assessment in accordance with Art. 35 GDPR for AI projects and to implement privacy-by-design concepts.
Liability Issues When Using AI
The use of AI introduces new liability issues, especially when AI systems make autonomous decisions:
- Product liability: For AI-supported products, the question arises as to the extent of a manufacturer's liability for damage caused by autonomous decisions made by the AI.
- Fault-based liability: Determining fault can be challenging with self-learning AI systems whose decision-making processes are not always comprehensible.
- Distribution of the burden of proof: The complexity of AI systems can make it difficult for injured parties to prove a causal link between the AI's use and any damage that has occurred.
Companies should define clear responsibilities for AI systems and consider specific insurance solutions where appropriate.
Copyright Aspects of AI-Generated Content
AI systems can generate creative works such as texts, images, or music, which raises various copyright issues:
- Protectability: Are AI-generated works protectable under copyright law? According to the current legal situation in Germany, a human act of creation is required for copyright protection.
- Authorship: Who owns the rights to AI-generated works? Is it the developer of the AI, the user, or the AI itself?
- Training material: The use of copyrighted works to train AI systems can raise copyright infringement concerns.
Companies should exercise caution when using AI-generated content and, if necessary, make contractual arrangements for the granting of rights.
Discrimination Risks and Ethical Considerations for AI
AI systems can unintentionally make discriminatory decisions if they have been trained with biased data sets. This can lead to violations of the General Equal Treatment Act (AGG), particularly in areas like personnel selection or lending. Companies should:
- Check AI systems for possible bias.
- Use diverse and representative training data.
- Conduct regular audits of AI decisions.
- Develop ethical guidelines for the use of AI.
Risk Management and Compliance for AI Applications
Effective risk management for the use of AI includes several key steps:
- AI governance: Establishing clear structures and responsibilities for AI projects.
- Risk assessment: Conducting regular risk assessments for AI applications.
- Documentation: Comprehensive documentation of AI systems, including training data and decision logic.
- Training: Regular training for employees on the legally compliant use of AI.
- Monitoring: Continuous monitoring and evaluation of AI systems.
- Contingency plans: Development of contingency plans in the event of malfunctions or unexpected results from AI.
Practical Tips for Companies Integrating AI
Drawing on expert IT legal experience, the following practical tips for companies can be derived:
- Legal due diligence: Carry out a comprehensive legal review before implementing AI systems.
- Data protection by design: Integrate data protection requirements into the development and use of AI systems from the outset.
- Transparency and explainability: Strive for AI systems that are as transparent and explainable as possible to meet legal and ethical requirements.
- Contract design: When procuring AI systems or services, ensure that responsibilities and liability issues are clearly regulated in the contract.
- Ethics guidelines: Develop internal ethics guidelines for the use of AI.
- Interdisciplinary teams: For AI projects, rely on interdisciplinary teams that combine technical, legal, and ethical expertise.
Conclusion
The use of AI in a corporate context offers enormous opportunities, but requires careful management of the associated legal and ethical risks. A proactive approach to the legal framework and the implementation of robust risk management are crucial to fully exploit the potential of AI while ensuring compliance. Given the complexity and constantly evolving legal and technological landscape, it is advisable for companies to seek specialized legal and technical expertise when implementing AI systems.