5 Vendor Contract Clauses That Quietly Allow AI Training Using Your Data

Technology vendors rarely ask direct permission to train their models using your data. Instead, that permission is often hidden in ordinary-looking clauses found in SaaS and other agreements.

When reviewing technology contracts, there are the five contractual provisions to look out for. These clauses create a contractual mechanisms which allows vendors to utilise your data including customer inputs, prompts and outputs to train AI models, with customers being none-the-wiser.

If any of these clauses are encountered in reviewing SaaS and other agreements, it is essential to ensure that you have a full appreciation of the risks in agreeing to these seemingly harmless clauses, especially, from a data governance and privacy compliance perspective.

Feedback clauses

Contracts often contain vague wording regarding use of feedback, along the following lines: "Customer grants the Vendor a perpetual, worldwide, royalty-free license to use suggestions and/or feedback."

At first glance, this clause may seem harmless but in reality, it is not. In practice, if not defined properly, "feedback" can be construed as including the following:

• comments to documents such as specification documents, etc. which may often include proprietary material and/or trade secrets;
• user corrections to AI outputs;
• explanations of workflows;
• additional user prompts;
• operational insights;
• annotated responses; and
• other data and information which could be interpreted wide enough to constitute "feedback."

Ensure that you pay requisite attention to amending such clause to narrow the ambit of what a vendor can and cannot do and also clearly define what constitutes "feedback" and what does not.

'Enhance or improve the services' clause

Contracts allow vendors to use customer information, inputs and data to "improve the services" or "enhance functionality" of its existing services.

The use of terms "improvement" or "enhancement" may include:

• model tuning;
• hyperparameter tuning;
• algorithm optimisation; and
• creation or supplementation of training and/or testing datasets.

Vendors often intentionally use vague wording to allow for the widest scope.

Be cautious when agreeing to such service improvement clauses and ensure that language is drafted tight enough manner to prevent wide usage of information, inputs and data.

Usage data / telemetry clauses

Vendors often collect usage data, telemetry and other statistical data about how their AI systems are being used by end users.

Depending on how usage data and statistical data has been defined, it could include:

• user prompts;
• generated outputs;
• user corrections to outputs; and
• user behaviour (such as frequency of prompts).

Behavioural information is extremely valuable to vendors including for reinforcement learning AI systems.

When drafting consider how "usage data, analytics, telemetry, or performance metrics" have been defined and used throughout the contract.

Aggregated or de-identified data clauses

Many contracts allow vendors to use "aggregated or de-identified data or insights" derived from a customer's use of its services. Once data is anonymised or de-identified, vendors often argue that it no longer qualifies as customer data and that such data can be freely commercialised. This ultimately allows vendors to build further AI training and testing datasets.

The act of aggregation or de-identification in itself constitutes a processing activity under legislation such as POPIA and without the customer having a lawful basis to do so, customers who agree to grant vendors such broad rights run the risk of breaching their obligations under POPIA and also the customer may lose commercial advantage in its data.

Customer should be very wary of agreeing to such wording especially in the absence of a lawful basis on the part of a customer to grant a vendor such rights. Customer should also factor in their own data monetisation strategies before agreeing to such terms.

Derivative works clauses

Lastly, some contracts allow vendors to create derivative works from "usage data, outputs, or feedback." Vendors may attempt to argue that trained models are derivative outputs of training data.

When dealing with contracts keep a look out for references to derivative works, derived data, or derived analytics.

Final thoughts

The general rule of thumb is that if a contract contains any of the above clauses, the vendor may effectively have the ability to train AI systems using customer data, information, inputs, prompts and outputs, or otherwise use your data for purposes that you are oblivious to but which the customer agrees to.

On the face of it, these contractual rights may seem harmless, however, they create risk which most customers including their legal counsel are oblivious to. As companies are deploying more AI systems internally, it has led to the realisation that their data, prompts, outputs, corrections, feedback are valuable assets. For companies, the risk is clear: making sure your data and information are not used to improve someone else's services.

To the generalist lawyer, these nuanced risks may not be appreciated as these clauses seem harmless on the face of it. However, the AI-specialist lawyer, will quickly identify these clauses as high risk clauses and address them as part of contractual negotiations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.