News and developments
Navigating the legal minefield: Generative AI and its implications for businesses and directors
From content creation to product design, customer service and marketing, generative AI is proving to be a game changer. McKinsey’s latest research estimates that generative AI’s impact on productivity could add $2.6 trillion to $4.4 trillion annually in value to the global economy [1].
However, like any powerful tool, generative AI comes with its own set of risks and challenges. Similarly, if the data set being used is erroneous, or restricted in any way, that can lead to inaccurate outputs. AI models can ‘hallucinate’ (i.e. create and rely on false data). Further, Al models often make decisions in a ‘black box’, meaning there may be no way for users to understand exactly how the AI has made its decisions (and in a litigation context, creating issues around discovery obligations and proof).
In this article, we set out some precautions that businesses and directors should take to minimise the legal risks of using generative AI, with a focus on privacy and copyright risks.
References and footnotes
- Privacy
- IPPs 1-4 cover why and how personal information can be collected. This requires an understanding of the training data and processes used to develop an AI tool.
- If you have already collected personal information and want to feed it into the AI, think about the purpose for which you originally collected the information, and whether feeding the information into AI is directly related to that purpose (IPP1).
- In general, agencies must get personal information directly from the person it is about (IPP2) and must be transparent about the information being collected and how it will be used (IPP3). While there are some exceptions to the normal collection principles, such as the exception for “publicly available” information, it may be risky to rely on these exceptions without a good understanding of the training data and processes used for an AI tool. For example, training data scraped from the internet may include sources which require a login to access, such as social media profiles, which may not be publicly available and outside the expectations people have on how this information would be used.
- Ensure that input and training data are collected in a way that is lawful and fair (IPP4), and relevant individuals know how and why their data is being used.
- Proactively consider how to manage security risks and unauthorised access to personal information, such as taking cybersecurity measures (IPP5). AI tools enable new ways to access and use information, and this creates new security risks. Some AI tools can leak sensitive information. Consider setting up privacy breach response plans to ensure you can identify, contain, assess and respond to privacy breaches quickly. For more information on how to manage a data breach, see our podcast on this topic.
- Develop procedures for how your organisation will respond to requests from individuals to access and correct their personal information (IPP6 and IPP7). Before purchasing an AI tool, consider whether you are able to practically access personal information about a person if they ask for it, and correct any personal information if required.
- Be aware of the limitations of the tool, including gaps, biases and ‘hallucinations’, and take steps to ensure accuracy (IPP8). This includes ensuring the training data is relevant and reliable, and putting checks in place (such as human review) to ensure accuracy of output.
- Clearly identify the purpose(s) for collecting personal information, and limit its use and disclosure to those purposes or a directly related purpose (IPPs 10 and 11). If you want to use personal information to train an AI tool, make sure that is clear at the time you collect the information. If you are sharing personal information with third-party suppliers, ensure they are not using the information for training AI tools unless that is why the information was collected. In supplier contracts and customer communications, set clear expectations about how personal information will be used and kept secure.
- The Privacy Commissioner recommends conducting a privacy impact assessment (PIA) before using any AI tool, and seek feedback from impacted groups.
- Copyright
- In early 2023, Getty sought an injunction to prevent the artificial intelligence company, Stability AI, from selling its AI image-generation system, in the United Kingdom and United States. This followed the creation of an image by Stability AI which clearly showed a ‘Getty Images’ watermark. Getty has made various claims against Stability AI in both the UK and the US, including copyright infringement and trademark infringement. The claims relate to both input and output of Stability AI. These cases, once they eventually reach trial, will address previously untested issues about the legal implications of using others’ works to train AI.
- In September 2023, several authors in the United States (including former attorney John Grisham) initiated legal action against OpenAI alleging infringement of their original works.
- Also in September 2023, the New York Times filed legal proceedings against OpenAI for infringing authors’ copyright.
- If purchasing an external AI tool, check whether the AI provider offers a robust indemnity for any infringement of IP from the use of the tool and requirements to ensure the indemnity applies.
- The terms of use of many AI providers assign ownership of inputs and outputs, or grant a use-only a licence to its users. This is likely to mean your input data is available to others to use, as is the output. However, as noted above, it is prudent to ask for the documentation of the sources of input data. If the AI provider does not own the data, ensure that the provider has obtained relevant consents and/or licences from any external parties who may own the data. Ensure that any use of the AI tool does not infringe upon those consents and/or licence conditions.
- Avoid input of data that is confidential, is likely to be used for a patented invention (as the required confidentiality may be lost) or strategically important to the business for these reasons;
- Try to identify if use of AI generated content means you are inadvertently using open-source software as the open-source licence terms may be inappropriate, with similar issues for materials that are creative commons.
- If in doubt, use internally generated and owned data to train models. Keep records of all inputs that go into the AI tool, such as prompts, which can help to show that the business “made the arrangements necessary” to create the output. However, be aware that a limited dataset could introduce bias (or other issues) into the model.
- Be aware that you may be unable to prevent others from using a similar AI output, if you are not modifying the AI generated output.
- Implications for organisations, employers and directors
References and footnotes
- The economic potential of generative AI: The next productivity frontier, McKinsey and Company
- Copyright Act 1994, s 29.
- The term “computer-generated” is defined in section 2 as “the work is generated by computer in circumstances such that there is no human author of the work.”
- Copyright Act 1994, s 5(2)(a).
- Copyright Act 1994, s 14(1) and (2).
- Wham-O MFG Co v Lincoln Industries [1984] 1 NZLR 641 (CA) at 665.
- Henkel KGaA v Holdfast New Zealand Ltd [2007] 1 NZLR577 (SC) at [38].