Datasets processed through AI systems (also "AI Data Lakes") are becoming increasingly popular, with an exponential increase in potential "use cases."
You will find here below the main legal issues to consider:
- Privacy (and GDPR) – This is obviously at the top of the list. Even when the database does not include personal data, AI systems may progressively infer (or re-identify) personal data, which will then have to be processed adequately in accordance with all applicable data protection regulations. As for the Italian (and other) jurisdiction(s), GDPR principles will have to be taken into account, including purpose limitation, fairness and transparency, as well as privacy by default and privacy by design. This implies, among other things, completing a prior Data Protection Impact Assessment (DPIA) and setting up a data governance system, also including, for instance, adequate privacy notices that inform about the consequences of the data processing. Data transfer regulations will have to be taken into account carefully, also considering that in certain cloud scenarios it may not always be possible to determine exactly where the data resides in a given moment in time. Anonymization and simultaneous aggregation solutions will remain the risk-free option, but they should be reviewed from time to time taking into account the technology evolutions that may allow re-identifications.
- Antitrust – Big data economy has already been addressed by the Italian Antitrust Authority, and useful guidelines can be inferred already. That said, to avoid risks, a system to tag competition sensitive data should be set up, also providing for escalation procedures for certain use cases / data processes, particularly, but not limited to, when pricing and competitors data are handled. Data usage will have to be assessed carefully, also where data is used to reconsider the pricing/conditions applied by the suppliers; under Italian law, certain provisions on economic dependence may be triggered.
- Product safety – Data sets may include, among other things, production and performance data, with potential implications on product safety risks. When processing such data, product safety laws (and related notification obligations) will have to be addressed carefully. For instance, in Italy—in addition to the relevant tort law responsibility—with regard to consumer products, the Italian Consumer Code provides for an obligation to inform the competent authorities even when there is just a suspicion of risk to the health and safety of individuals.
- Insider law – In Italy investors must be protected by the misuse of inside information, in line with the relevant European regulations on market abuse. It should therefore be carefully assessed when data might qualify as inside or sensitive information, avoiding that any such information is included in the dataset or, where not possible, considering how to comply with the relevant disclosure obligations (including contingency plans, for instance, also providing for the data analysts to be included in the insider list.)
- Intellectual Property – Adequate measures must be set up to ensure secrecy and ownership of the database. Among other things, it should be noted that under Italian Copyright Law, databases are protected by copyright and by the so-called sui generis right (such right preventing the extraction of a substantial part of the database.) A database is generally protected when it expresses a "creative ability," being understood that the copyright protection for a database does not extend to its content. If data does not fall under copyright or sui generis protection, as is often the case for AI powered dynamic databases, contractual provisions may also help to prevent the use (or abuse) by third parties.
We hope the above will help your company to navigate safely through the (AI data) lake. Other issues will have to be taken into account, including, dual use and cybersecurity implications, insurance coverage and so forth, in addition to contractual frameworks with technology and data providers. When setting up an AI powered database, a case-by-case review is in any event advisable, also taking into account, among other things, the specific purposes and "use cases."
Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.