Practical Contractual Considerations in Licensing Third-Party AI Applications and Solutions

Authors: Lasse Riski and Simon Mittler

As the EU and Finnish regulatory landscape for AI continues to evolve, particularly with the AI Act, and companies increasingly seek to integrate AI applications and solutions (“AI Systems”) into their operations, it is timely to highlight some key contractual considerations that should be addressed in agreements related to the licensing of third-party AI Systems to protect company interests and ensure compliance with regulatory frameworks.

If you are interested in the overarching principles and objectives of the AI Act, you may read our earlier blog post here. For a deeper dive into the AI Act, please visit our Digital Horizon website and tool here.

Business interests, risks, and regulatory requirements depend on the use case, which is why this blog focuses on third-party AI licensing on a general level. Any organised AI licensing arrangement should start by understanding the risks and implications involved, for example, by assessing and defining the following:

• Use Case and Purpose: Will the AI System be for internal use, such as in company R&D, or integrated into the company’s products and services?

• Customizstion: Will an off-the-shelf product suffice, or is the company planning to customise the AI System before integrating it into an AI-based product or service?

• Regulatory Scope: Is the AI System within the scope of the AI Act, particularly as a high-risk system?

• Data Access: Will the AI System be trained on company data or require company data as its input

Answers to these questions should help determine what contractual terms need to be negotiated and/or included. Negotiating an AI licence is still in many ways similar to negotiating any other software licence. However, below we highlight some contractual terms that are particularly relevant in AI licensing:

• Indemnity: Companies should be protected against potential losses or damages arising from (i) the use of AI System, i.e. its output, (ii) third-party intellectual property (IP) infringement claims, and (iii) non-compliance with regulatory requirements. This may include ensuring that the licensor holds appropriate insurance coverage to handle potential claims.

• IP and Data Ownership: Companies must ensure that they have unrestricted access and usage rights to the output data generated by the AI System. If seeking more customised solution trained with company data, ensure that such data remains the property of the company. You may also want to secure exclusive rights or even ownership to the entire customised solution to prevent third-party exploitation.

• Confidentiality: When sharing company data, it is vital to control and limit third-party access to sensitive information and trade secrets. The agreement should specify the nature and extent of data sharing and include confidentiality clauses that prevent unauthorised data usage or disclosure.

• Data Protection and Privacy: Where personal data is used for the development of the AI system, the company must ensure that the AI System and respective licensor comply with relevant data protection laws, such as the GDPR. If seeking to reuse a dataset acquired from the licensor (or from a third party), the company must ensure that the dataset is lawfully collected for the intended purpose, i.e. for training an AI System. Most importantly, the company will have to conclude a data protection agreement with the licensor, clearly define the purpose of the AI System and scope of the third-party processing, and take appropriate technical and organisational measures to secure the data.

• Regulatory Compliance: With the upcoming AI Act and other regulatory frameworks on the horizon, companies must ensure their AI-related agreements align with such laws. Companies must assess whether the AI System being licensed is within the scope of the AI Act and qualifies as a high-risk system. If so, the company must ensure that the licensor adheres to all regulatory requirements.

• Ethical Considerations: Finally, companies must ensure that their AI practices not only meet regulatory expectations but also foster public trust. One effective way to achieve this is by incorporating specific contractual terms that promote fairness, transparency, and accountability.

In conclusion, third-party AI licensing necessitates careful planning to mitigate risks and safeguard company interests, which should be reflected in any respective agreement. Addressing these key considerations can help companies leverage AI technology effectively and responsibly.

For more detailed guidance and bespoke advice, please do not hesitate to reach out to our IP & Technology Team at Hannes.