
Contracting for Generative AI and mitigating Generative AI supply chain risks

Deloitte Legal Whitepaper

Generative AI (GenAI) is a subset of artificial intelligence (AI) that uses training data to produce new content, including text, images, audio, video, and software code. Its use is becoming increasingly prevalent as organisations seek to increase productivity and drive growth through the efficiencies in time, resources and cost which GenAI offers.

According to a Deloitte survey in 2024, over 79% of CEOs expect GenAI to transform their organisations in the next three years. Alongside the opportunities that it creates, however, GenAI presents numerous legal, ethical, and operational challenges. These include the creation of content that may infringe third party intellectual property rights, data privacy and security concerns, the risk of bias in the materials GenAI produces, and the increasingly complex web of law and regulation which impacts GenAI. As the prevalence of GenAI continues to grow, it is becoming increasingly important to manage the risks associated with GenAI, both when procuring it for direct use and when GenAI is used in the supply chain.

 

Key legal issues in connection with GenAI

The introduction of GenAI in companies raises a number of legal issues that need to be considered when procuring and using this technology:

  • Data protection: GenAI systems often process vast amounts of data during their training and operation, and additional legal obligations can apply to the use of personal data in and by GenAI systems. For example, EU and UK law set specific requirements in relation to automated decision-making about individuals that produces legal or similarly significant effects, on top of standard data protection obligations.
  • Intellectual property rights: The question of whether GenAI systems infringe intellectual property rights is complex and varies from jurisdiction to jurisdiction. It is crucial to clarify the ownership rights to the content generated by GenAI and to ensure that no protected works are used without permission.
  • Confidential information: Companies must ensure that the use of GenAI does not violate confidentiality agreements, especially if data from third parties is used.
  • AI regulation: The regulatory requirements for GenAI vary around the world. Non-compliance can lead to significant penalties, so companies must ensure that they comply with all relevant regulations.
  • Inaccuracy and black box: GenAI systems can provide inaccurate results that are presented as correct. The "black box" nature of these systems makes it difficult to understand the decision-making processes, which makes it harder to comply with transparency requirements.
  • Liability and bias: Companies need to be aware of the legal liability that may arise from inaccurate or biased GenAI results. This includes the risk of discrimination, e.g. on the basis of gender.
  • Environmental, social and governance (ESG): The high energy consumption of GenAI systems can have an impact on companies' ESG obligations. Discrimination in the results can also have social consequences.

The purpose of this white paper is to explain, on a largely jurisdiction-neutral basis, the critical contractual issues and risks to consider in relation to GenAI procurement, and to give an overview of some of the key steps an organisation should consider to address and mitigate these issues and risks effectively.

Contractual requirements for the procurement of GenAI systems

When procuring GenAI systems, companies should consider a number of specific risks in their contracts:

  • Data protection: It must be ensured that all data protection requirements are met in order to enable compliant use of the GenAI systems. This includes clarifying the roles of data controllers and data processors and ensuring that data processing is transparent and traceable.
  • Training materials: Companies should have a clear picture of the data sets used for GenAI training and ensure that they are used lawfully. This can be secured through contractual assurances and indemnities.
  • (Further) use of the data: The limits of the use of input and output data should be clearly defined in order to maintain confidentiality and protect business secrets.
  • Support in implementing the requirements of the EU AI Act: The EU AI Act places specific requirements on the providers and users of AI systems. Companies must ensure that they comply with these requirements, especially when procuring GenAI systems or using them in their supply chain. This includes the implementation of risk management systems, verification of input data and compliance with transparency and security requirements. The company must be assured of adequate support from the provider.
  • Sector regulation: In many industries, there are additional regulations that must be taken into account when procuring GenAI systems. Companies should ensure that their contracts require the provider to support compliance with these regulations.
  • Liability: Companies should carefully consider the liability risks associated with the use of GenAI and ensure that these risks are covered by appropriate contractual provisions such as indemnities and limitations of liability.
  • Cybersecurity: Cybersecurity aspects should be taken into account when negotiating with the provider. Companies should therefore ensure that the provider has appropriate security measures in place and that these are included in the contract.
  • Cost control: GenAI systems can be costly to operate, particularly due to high energy consumption and expensive hardware requirements. Companies should agree transparent pricing mechanisms that meet their needs and ensure that long-term price stability is guaranteed.
  • Vendor lock-in: To avoid long-term dependency on a particular provider, companies should carefully review the terms of the contract and ensure that they receive support in exiting the contract if necessary.
  • ESG policies: Companies should review their ESG policies and ensure that these are included in the contract for a GenAI system. This includes consideration of the development of ESG policies during the contract period.

Managing GenAI risks in the supply chain

The use of GenAI by suppliers and service providers in connection with the development and delivery of the services and products that they supply to customers needs to be carefully evaluated within the context of the existing supply chain, and managed on an ongoing basis. The introduction of GenAI systems can give rise to additional legal and operational risks that have not previously been considered. This also underscores the need for organisations to understand clearly how the goods and services they procure are sourced and delivered.

 

Putting theory into practice

To effectively manage the risks discussed in this white paper, companies need to adapt their standard contract templates and redesign their procurement processes to recognise and cover GenAI-specific risks early on.
For more information or assistance in addressing the challenges and opportunities presented by GenAI, our experts at Deloitte Legal are at your disposal. Please do not hesitate to contact us to find out more about how we can support your business.

Published: December 2024

Contact persons: Dr Till Contzen | Partner, Service Area Head Digital Law, Deloitte Legal Germany; Paul O’Hare | Partner, Commercial Technology Advisory, Deloitte Legal UK; Louis Wihl | Director, Commercial Technology Advisory, Deloitte Legal UK; Elizabeth Lumb | Associate Director, Commercial Technology Advisory, Deloitte Legal UK
