A prime example of disruptive technology, generative artificial intelligence (AI) has the ability to revolutionise the way entire industries think and operate. The rapid development of large language models (LLMs), such as OpenAI’s ChatGPT, are now challenging our understanding of the line between human and machine creativity and how that fits into our current regulatory and legal system.
ChatGPT, in particular, is essentially an incredibly sophisticated general purpose LLM that can generate text based on user prompts, ranging from haikus to software source code. ChatGPT evolved at an unprecedented rate, becoming the fastest-growing consumer application in history. Within just two months of its launch last November, it reached 100 million users. To put this achievement in perspective, it took Instagram 2.5 years to reach the same milestone.
Given its widespread adoption, the legal implications surrounding generative AI like ChatGPT have become increasingly significant. These considerations span multiple areas of law, including privacy, liability, intellectual property, anti-discrimination and regulatory compliance amongst others.
Personal Data and Transparency
LLMs often require access to personal data to provide personalised responses.
If your employees use information relating to individuals in input prompts fed into an LLM for business-related purposes, you would (in addition to the normal data protection compliance requirements) need to be clear that the relevant individuals are aware of this processing via privacy notices (if you are the data “controller”) or you are permitted to use the personal data that way (if you are the data “processor”), and in any event that grounds have been identified to justify the processing.
As a broader concern, AI models often face challenges in meeting transparency and explainability requirements under data protection law (i.e. the right of data subjects to a clear explanation of use of AI models in a way that impacts them). Automated decisions can be made in ways that are not fully explainable, and issues around transparency arise given the opaqueness of the purposes for which companies like OpenAI use input data.
Additionally, AI models have been demonstrated to be adept at re-identification of data subjects even when the source data set was supposedly de-identified, so use of ChatGPT in ways that potentially involve personal data should not be undertaken without careful review of the use-case.
At a minimum, organisations should ensure employees are made aware of the uncertainty as to how input prompts may be handled and (until adequate investigation and preparation is undertaken) should ban the use of personal data and any confidential information in input prompts.
Intellectual Property and Confidentiality
Input
In ChatGPT-4, it is possible to input significant volumes of “prompt” information, all of which (including user details) is logged by GPT4 and accessible to OpenAI. ChatGPT’s Terms of Use give OpenAI the right to use that input-content to develop and improve the services. Although there is an opt-out option (which organisations should ensure employees exercise as a matter of course), data may be retained anyway, leading to potential disclosures of your and third party confidential information. For this reason, Samsung recently banned its developers from using GPT-4.
Output
Whilst AI models themselves are the protected intellectual property of the owners (as the code that makes up the algorithms is copyrighted in almost all jurisdictions), the output of AI models, particularly in the case of LLM “trained on” large volumes of online information, may either infringe third party intellectual property or incorporate open-source code subject to particular open source licence restrictions which are not clear at the point of use (including restrictive open-source licences requiring onwards distribution of source code).
Infringement cases have already started. Notably, Getty Images has brought copyright infringement proceedings against Stability AI in the UK High Court for the unauthorised use of content from its image library (allegedly leading to the reproduction of Getty Images’ watermarks in some of the Stability AI generated images).
Additionally, in some jurisdictions (although not the UK) the content generated by AI models would not be capable of protection under copyright laws, as only “natural” or “legal” persons can create copyrighted works. This would make protecting materials like source code, designs or text produced using AI and enforcing rights against third parties more difficult.
Widespread use of AI to create intellectual property used by a company may also have significant, and as yet largely untested, implications in terms of sale or investment: particularly of companies with proprietary software products, where investors or buyers typically require warranties that all content is owned by the company, does not infringe third party rights, etc.
In the recent DABUS case, heard by the UK Supreme Court earlier this year, it was argued that AI cannot be recognised as an inventor under the existing patent framework, which would (if accepted) have significant ramifications for patent law. We are keeping a close eye on developments in this space.
Bias, Discrimination and Ethics
AI models are typically trained on large amounts of data scraped from the internet, and their output may reflect biases or other inappropriate content of that source material. OpenAI have set rules that are meant to weed out such content, but the subjectivity of these rules means that they will always be imperfect and if such content is communicated to others your business may be vicariously liable (or, at least, embarrassed).
As such, employees should once again be urged to check output before using it, according to existing content moderation policies.
Liability and Security
The autonomous nature of AI systems makes it difficult to attribute accountability to a specific actor. Whilst OpenAI would arguably be liable for the output of ChatGPT, from a contractual perspective, OpenAI’s liability is limited to US$100 or the fees paid in the past 12 months.
Using the output of ChatGPT without a framework for benchmarking the quality of the input (i.e. the “prompt”) and the accuracy of the output may pose issues. The output should therefore not be used unless reviewed by a subject expert in a position to gauge the accuracy/quality of the output.
For example, GPT-4 is good at writing different types of code, but these lines of code may contain errors or vulnerabilities. So whilst it may assist a developer in producing code, the code should still be unit-tested and vetted for vulnerabilities using normal industry methods.
Additionally, although the platform is SOC 2 Type 2 compliant and a detailed commercial security policy is made available, OpenAI does not give any security assurances in its terms of use.
It may be possible to negotiate more comprehensive safeguards in enterprise terms of use, but we would imagine that this would only apply to the largest enterprise users, and be outside the scope of most companies’ ability to negotiate. =
Conclusion
The opportunities connected with LLMs are undeniable, but the legal implications are multifaceted. It is evident that legislation, particularly in areas such as IP, will need to be amended to account for the emergence of these technologies, and in the UK ongoing litigation may produce some further clarity as test cases continue to work their way through courts.
To mitigate legal risks, businesses should be mindful of creating clear policies and providing clear instructions governing their employees’ use of AI systems. It is always advisable to exercise personal professional judgment (at an appropriate level) before relying on information generated by LLMs.
If you would like more advice on this or other technology related issues please feel free to contact Andrew or another member of our Contracts and Technology team.
While great care has been taken in the preparation of the content of this article, it does not purport to be a comprehensive statement of the relevant law and full professional advice should be taken before any action is taken in reliance on any item covered.
