Artificial intelligence (AI) is essentially the intelligence of machines which is different from natural human or animal intelligence. Contrary to common knowledge, it has been around for well over 50 years. Yet only in the past decade has its use become more widespread in businesses. AI mainly deals with algorithms which generally fall into one of two main types: (a) standard machine learning algorithms for example those that identify different categories that data falls under or estimate relationships between data using numbers; and (b) deep learning algorithms that learn from previous mistakes by using deep neural networks.
Given the pace at which AI has grown, most businesses and employees are unlikely to have experienced knowledge of how to work with or programme AI. Therefore in the coming future there will be greater dependence on specialised companies in the market providing AI platform-based services and products. The trend has indeed been towards businesses using the services of these specialist AI providers rather than spending money to build their own AI platforms. The specialist AI companies referred to above are able to offer a wide package of AI services and products, which are being used more frequently. This growth will boost the quality of their AI systems through more funds available for investment, especially when it comes to looking at data and learning by machines. Such growth together with new entrants into this cutting-edge market, will inevitably lead to more acquisitions and investments in the field of AI.
Corporate transactions in the AI market including M&A, IPOs and Venture Capital Investments have grown rapidly in recent years, with approximately over £25 billion of transactions occurring in 2022, an almost 500% growth from the position five years prior to that. Recent studies have shown confidence amongst companies and investors that AI will help their businesses in terms of revenues, profitability, better service and product offerings and cutting costs. With this fast paced growth, legal systems around the world have had to adapt with newer risks and challenges associated with evolving forms of technologies. AI represents a challenge for regulatory regimes particularly as the market's risks are not fully grasped and in many cases the law is not clear. Those seeking to acquire or invest in AI businesses will need to understand the legal implications and risks associated with the use of these complex systems. This article examines such key legal issues to bear in mind for buyers of or investors in English companies in the AI industry.
The National Security and Investment Act (NSIA)
In the UK the National Security and Investment Act (NSIA) allows the UK government to scrutinise and intervene in certain acquisitions or investments that could harm the UK’s national security. Buyers are legally required to tell the government (and seek pre-closing approval) about acquisitions of, or investments in, certain entities (known as a "mandatory notification") active in certain sensitive areas of the economy, including AI.
As AI technologies are often of general purpose and used across sectors, the NSIA captures entities that do not necessarily identify as ‘AI companies’. Whether a qualifying entity is focused solely on AI, or incorporates or develops AI as part of a wider approach to their sector or business, it is the specific work that is important for the Buyer to consider.
To determine if the Target business is within the scope of the AI part of the NSIA, three questions need to be considered. Firstly, whether the Target business carries activities in the UK. Secondly whether the Target business is active in the research into, development or production of goods, software or technology that uses AI (as defined in the NSIA). Thirdly, if the qualifying entity fits this definition of AI, the Buyer needs to consider how the AI technology is being applied. In particular a mandatory notification will be required only if the AI technology does any of three things: (a) identification or tracking of object, people of events; (b) advanced robotics or (c) cyber security. It is important for potential buyers to bear in mind that Target businesses that simply make use of AI technology, as more and more businesses are doing, will not be caught by the mandatory notification regime of the NSIA. However, specialist legal advice should be sought in relation to whether a specific piece of AI falls in the scope of the NSIA.
The protection of intellectual property will be of key importance in the overall value that AI businesses give to buyers and investors. In order for an AI business to use the AI system through an algorithm, it needs data which can come from various sources including the public domain, arrangements agreed with other businesses or volunteers (the AI Input). The value of the AI system lies in the final result of the algorithm processing this data (the AI Output).
The algorithms used as part of the AI business may be under trade secret protection if they are kept confidential and the Buyer should ask the Seller to confirm if this is the case and ensure that appropriate steps have been take to preserve ownership of IP rights. The Seller should be asked to provide details of how confidential information is disclosed either by or to the Target and confirm that the Target has taken precautions to ensure trade secrets remain confidential. The Seller should provide information on whether the AI Output is owned by the Target, for example through contracts governing it or local intellectual property laws such as the protection of trade secrets. The Buyer should also ask for confirmation as to what extent the algorithm comes from third-party or open-source software. It should be identified whether any intellectual property rights and the AI systems themselves are shared with other members of the Seller's group or vice versa, and whether any such arrangements are intended to be carried on after the acquisition. The buyer should ask for details of whether the Target has faced disputes or challenges regarding the AI intellectual property it owns or uses, and these can range from issues relating to subsistence, ownership and validity of intellectual property rights. It is also important to request information on whether any infringement by third parties of intellectual property used or owned by the Target is suspected or alleged, and also details of any suspected or alleged infringement of third party intellectual property rights by the Target.
The Buyer should find out whether any intellectual property has been registered in respect of the AI system. As to the question of patentability of AI, in the UK, the Patents Act 1977 excludes "a program for a computer" from patent protection. However if the AI invention is considered to make a technical contribution to the existing body of knowledge then it may be patentable. In such a case, the legal person who made the AI has the right to be granted the patent as the inventor. Therefore if any AI used in the business is innovative or technical then questions should be raised about the Target's approach to patent filing and sustenance and when any existing patents will expire. The Buyer should review the written terms of contracts regarding the ownership and licencing of AI inventions and patents.
The Buyer should assess whether the Target has ownership rights over intellectual property created by its employees and consultants. The UK's Copyright Designs and Patents Act 1988 expressly provides for copyright protection of computer-generated works that do not have a human creator. Where a work is generated by a computer in instances where there is no human author of the work (section 178), the author of that work is "the person by whom the arrangements necessary for the creation of the work are undertaken" (section 9(3)). It has not been confirmed by the English courts what "undertaking necessary arrangements" means, and therefore the Buyer should check for written terms of contracts regarding the ownership and licencing of AI.
The terms of agreements entered into by the Target that are relevant to the above intellectual property rights should be checked, for example licence contracts, supply and development agreements and the Target's standard proprietary information and inventions assignment agreement. The key provisions to look out for normally include the definition of AI Data and the following clauses: duration, scope, permitted use, confidentiality, AI failure, restrictive covenants, and change of control.
The EU General Data Protection Regulation ((EU) Regulation 2016/679) (GDPR) includes within its scope personal data used in AI systems. If the Target is a data controller then it has direct duties to data subjects but if it is a data processor then it just has duties to the controller. The Target would be a ‘controller’ if it, alone or jointly with others, determines the purposes and means of the processing of personal data. It would be a ‘processor’ if it processes personal data on behalf of the controller. It should therefore be checked which of the two categories (or both) the Target falls under. It should then be checked whether the Target processes personal data. Processing personal data at all points prior to anonymisation (or factual deletion or destruction) is within the scope of GDPR, but properly anonymised data is not within the scope of GDPR as it is no longer personal. The Buyer should examine whether the Target has been transparent in their processing of personal data in order to provide meaningful privacy notices and whether it has an adequate privacy impact assessment system.
The Buyer should check the source of the data used in the AI Input, the means in which it is used, whether the Target has the right to use the data in its AI system and whether the Target has been complying with data protection legislation in the way it uses its data. Data available generally to the public can still be protected by data protection law but the uses that can be made of it (for example altering it or interpreting it) and the underlying bases for use may be impacted by it being publicly available. For example in a 2010 Spanish case it was held that a search engine can be a “controller” regarding the “processing” of personal data because it locates, indexes, stores, and disseminates such information. In 2022 and 2023 data protection regulators in various countries ruled that web scraping of facial images extracted from public web sources constitutes the processing of personal data. The Buyer should check that all data used by the Target is held in the Target's own systems and that the AI system has been developed in accordance with privacy-by-design principles.
The Buyer should ask for details of the AI hardware, software, technology and networks used by the Target. The Seller should provide verification of how reliable and functional the AI system is and confirmation that there are no regular technical issues with the AI system. The Buyer should assess how the Seller uses such AI system in its business currently and review whether this compliant with the Seller's duties of confidentiality and with applicable laws including data protection laws. The Buyer should enquire as to what types of data are used with the AI system – AI systems are only as good as the data it is trained on and there is a risk of the outputs of the AI system containing biases (which can have both legal and reputational consequences).
The Seller should be asked to confirm that there are arrangements for disaster recovery, facility management, cloud computing, outsourcing, or continuing support. The fees and services levels in respect of these should also be looked at. The Buyer should assess whether shared access to the AI is needed. The Buyer should check the Target's record of cybersecurity (including details of any successful attacks on its security or integrity) and whether it has sufficient protections in place against breaches of IT security breaches including its AI system; this may include asking if there are systems, procedures and policies in operation to secure against these risks.
The Buyer should ask if any AI used by the Target is hosted by a third party application service provider or cloud service provider, whether as a platform-as-a-service, software-as-a-service, or as an infrastructure-as-a-service system, and copies of all material contracts relating to the supply, financing, maintenance and/or support of the AI system should be requested. Complete details of any open source code used by the Seller together with copies of relevant licence agreements should be requested and analysed by the Buyer. The Buyer will be interested in finding out whether the Target has access to the source code of the key licenced AI and anything on which the source code is dependent, such as compilation scripts. It is important to check whether the Target monitors compliance with terms and conditions of its AI licences to make sure that it does not use unlicensed copies of any AI. The Seller should be asked to confirm that it does not know of any circumstances as a result of which the Target may lose the benefit of any licences. If any of the AI used by the Target is licenced to third parties then the scope of the rights granted should be checked.
If the Target business uses smart contracts then it should be checked that any such material contracts have been validly formed under their governing jurisdiction and for this purpose the following factors will normally be relevant: capacity of each party to form the contract, the intention to create legal relations, offer, acceptance, communication of acceptance, consideration, certainty of contract and other specific legal provisions. It should be noted that under English law an AI system would not be regarded as an agent because an agent is required to be a legal person, which an AI program is not. This area of law is developing rapidly and there are moves to develop contractual terms that reflect the use of AI in the delivery of services and technology solutions.
Consents and compliance
Certain consents and licences may need to be obtained in order for the Target to operate its AI system in the countries where its business operates. The Seller should be asked whether this is the case and it should be confirmed whether all such licences and consents are valid, subsisting, not likely to be suspended or cancelled and that there are no stringent conditions attached to any of them. The Buyer should also seek confirmation that the Target, its officers and agents have not been on the receiving end of penalties, fines, penalties, proceedings or other liabilities in the countries where the Target operates.
The Target may have insurance policies in place covering risks associated with running an AI business. Copies of such policies should be requested and it should be checked whether these policies are sufficient to cover errors, omissions, security privacy, cyber events, regulatory issues and media risks for data breaches.
Please note that the above is being provided as a general guide specifically relating to legal due diligence on the AI aspects of businesses and does not cover non-AI aspects that will sometimes be relevant, for example share ownership, financing, property, employees and pensions. The information provided may differ according to different jurisdictions and depending on the specific nature of the Target business and the transaction, and therefore specialist local legal advice should be sought.