The Possible Legal Risks Associated with AI In Business

Historically, interchangeable terms such as robots, automated decision-making and artificial intelligence (“A.I”) would be terms one would generally associate with the future. Technology that businesses or private individuals would only need to be concerned with “in time”. However, even though generative A.I has been around for some time, its use by businesses and private individuals have seen a dramatic increase over recent years and the prediction is that it will continue to rise exponentially. It stands to reason that A.I has shown to provide businesses with the necessary industry specific tools to expand faster, market more effectively, deliver services quicker and increase profits. To name a few, A.I has been utilised for customer service, cybersecurity, fraud management, inventory management, accounting, medical, and content production. One might argue that the greatest risk of all might be failing to implement A.I in business.

In light of this, many business owners have adopted A.I systems whilst unknowingly introducing major legal risks that could have a detrimental impact on its reputation, clients and employees. Business owners should therefore be conscious of the following possible risks when implementing A.I:

  1. Privacy and Data Protection breaches

    Due to A.I systems requiring large amounts of data in order to generate certain results, the data it uses often contains personal information regarding clients and employees. This information may be vulnerable to cyber-attacks and data breaches. Business owners should therefore guard against this and make an informed decision on the A.I system that they intend on using. Furthermore, business owners should be mindful of section 71(1) of the Protection of Personal Information Act, 2013 (“POPIA”) in an effort to be compliant with the relevant legislation governing automated-decision making and the protection of data subjects. Section 71(1) of POPIA determines that a data subject may not be subjected to a decision solely based on automated decision-making, which results in legal consequences and profiling of the data subject. A.I systems must therefore adhere to section 71(1) and business owners should ascertain what information and how it will be used by A.I in order to ensure compliance.Businesses, as responsible parties, can reduce risks by following Section 21 of POPIA, which necessitates entering a written agreement (“operator agreement” or “data processing agreement”) with the A.I software provider (“the operator”). This agreement ensures that the A.I software provider, processing personal information on behalf of the company, adheres to the security measures outlined in Section 19 of POPIA. The operator is then obliged to promptly notify the company if there are reasonable grounds to believe that there has been unauthorized access to the personal information of the company’s clients (amongst other things).
  2. Intellectual Property Infringement

    The issue of ownership is a rather complex one when it comes to the material produced by A.I as it raises the question of whether the user or A.I system itself is the actual owner of the content. A.I by its nature, learns from existing material and it can be trained to eventually replicate certain styles and content (videos, text, audio and images) originating from the material owners/creators. This very issue has led to the New York Times instituting legal proceedings against OpenAI and Microsoft in December 2023 for copyright infringement. Business owners should therefore proceed with great caution when using content produced by other companies as material for A.I to learn from, failing which it has the potential to bring about copyright, patent or trademark infringement.
  3. Outdated/ inaccurate information

    Since A.I relies heavily on the data it has access to, business owners should be aware of the risk that its content may be compromised if the data it is supplied is outdated, inaccurate or riddled with errors. Therefore, business owners should continuously scrutinize any source data to ensure its accuracy before it is consumed by an A.I system in order to rely on its output. Additional measures such as the implementation of a data lifecycle management framework will also ensure data integrity.
  4. Contracts and liability

    Businesses who provide A.I related services should ensure that the contracts entered into between them, and their clients clearly outlines liability clauses and dispute-resolution mechanisms in order to prevent unnecessary legal disputes. Failing to clearly outline liability for A.I related services could lead to lengthy and complicated legal proceedings which could be prevented.
  5. Bias and Discrimination

    As stated previously, A.I relies on the information/data it is given in order to be trained to produce the desired outcome by the user. Business owners must ensure that the A.I systems that they use are developed to mitigate biases in order to prevent any legal disputes relating to discrimination.

The above is not an exhaustive list of all the risks that A.I brings about in business. One should note that the risks will vary depending on the degree of its use in the business as well as the industry. Businesses should aspire to use A.I responsibly, ensuring transparency and compliance in order to deliver the best service for its customers and protect personal information.

In conclusion, the first step for business owners implementing A.I systems is to be conscious of all potential risks (industry dependent), the second would be to introduce measures to guard against and overcome these risks by introducing a tailored A.I policy, ensuring data protection and privacy standards (POPIA) are being continuously complied with, providing training to your employees, establish ethic boards, and conducting privacy impact assessments. Ultimately, ensuring human oversight and control. Lastly, as this is a continuously developing field, business owners should continue to educate themselves and their employees on the technology as well as any legislation that comes into operation in the coming years. Kindly contact our Technology and Innovation Law department if your company requires further information and/or the services we offer in respect of A.I.



Written by Keryn de Vries
Technology Attorney
Technology & Innovation Department
Email: kdevries@dkvg.co.za