Legal Insights on Balancing the Opportunities of AI with TM & Partners

On 12 September we were delighted to welcome members to a breakfast seminar on the Legal Insights on AI hosted by TM & Partners. The seminar was led by Alexandra Rosell and Karolina Kjellberg, senior associates, and part of the firm’s Tech group. Alexandra and Karolina highlighted that rigorous fulfilment of regulatory requirements related to information security lay the foundations for an effective use of AI tools with more reliable outputs. Find a summary of their key points below:

There are certain risks related to using AI, that are addressed by the EU and the UK in both different and similar ways. Both have adopted pro innovation approaches, while addressing information security and data protection risks connected to AI, such as the complexity of the technologies used, and the lack of transparency regarding the way they work and use data.

The UK addresses AI legislation with an agile and sector specific approach which relies on regulation through already existing frameworks. Whilst the EU has a risk-based approach that aims to provide a common legal framework for all EU-countries. They have proposed an AI act that is planned to be agreed upon by the end of this year. Both solutions have clear ambitions to balance the risks and opportunities of ai. They also require a transparent, traceable, non-discriminatory, environmentally friendly, and diligently controlled use.

The respective AI legislations include many requirements that align with information security requirements of other legislative documents, such as the GDPR (and its UK equivalent), NIS Directive, DORA and the Cyber Security ACT that are required to be followed simultaneously. For instance, the use of AI brings up issues related to automated decision making and overlaps with the GDPR. Certain businesses are also subject to cyber security and ICT-risk management that overlap with DORA. Companies also need to address questions related to intellectual property rights. Certain cross-border agreements, such as collective licenses are not automatically applicable post-Brexit. These types of regulations rarely contain requirements on concrete measures. Instead, most regulations prescribe a risk-based approach in protecting information by focusing on confidentiality, integrity, and availability.

Karolina and Alexandra recommend the incorporation of AI into businesses when proper implementation projects are carried out, including risk assessment, analysis, and continuous monitoring. Using a legal strategy of fulfilling regulatory requirements as guidelines rather than viewing them as obstacles, ought to result in fulfilling the legal requirements and an effective use of AI tools with more reliable outputs.