Technology Archives - Marcus Andreen

Archive for the ‘Technology’ Category

Protection of IP in the age of Claude Code

As with most LLM provider terms of service, Anthropic’s Commercial Terms of Service confirm that when you use Claude Code:

Any IP in the output belongs to you, the customer (section B)
Anthropic indemnifies the customer against a claim that the output infringes a third party’s IP rights (section K.1).

For anyone using Claude Code to assist with software development – whether for their own purposes or for a client – Anthropic’s confirmation of ownership supported by an indemnity is good news.

So far so straightforward. A trickier question is whether your Claude Code-generated software code benefits from any IP rights, and specifically copyright, in the first place.

In this article we look at the status of copyright protection of AI-generated software code in the UK, and also briefly look at the position in the EU and in the U.S. We conclude with some practical suggestions how to manage some of the risks involved.

In common with most countries the UK provides ‘standard’ copyright protection for human author-created works. Under the UK Copyright, Designs and Patents Act 1988 (“CDPA“) copyright subsists in “original literary, dramatic, musical or artistic works” (CDPA, s.1), with literary work defined to include computer programs (CPDA, s.3). The originality of a work must meet the “author’s own intellectual creation” test which derives from the EC Copyright Directive 2009, and which the UK courts have confirmed continues to apply post-Brexit. Copyright continues for 70 years from the end of the calendar year in which the author dies (CPDA, s.12).

Unlike most countries however the UK has a separate regime for the protection of computer-generated works. A computer-generated work (CGW) is defined as a work “generated by a computer in circumstances such that there is no human author of the work” (CDPA, s.178). Copyright in a CGW continues for 50 years from the end of the calendar year in which the work is made (CDPA, s12(7)).

CGW cannot, by definition, be assessed by the “author’s own intellectual creation” test applicable when considering whether human-authored works has sufficient originality to be eligible for copyright protection. There is therefore some dispute about the circumstances in which the CGW regime will actually apply. The most widely held view appears to be that copyright protection is available to a computer-generated work which would be original had it been created by a human.

Where copyright does subsist in AI-generated code under the CGW regime, authorship (which with some exceptions also means ownership) is ascribed to the person who “undertakes the necessary arrangement to create the work” (CDPA, s.9(3)). Determining who makes the necessary arrangements in the case of Claude Code-generated software may not be straightforward; if the user provides detailed and well-defined prompts there is a strong argument that they have made the “necessary arrangement” and as a result they are the author; conversely where the user only communicates a general idea or concept via prompts and Claude Code makes the key structural and expressive choices in the code it’s likely that it’s Anthropic which has made the necessary arrangement and is the author. In most circumstances this will all be academic because the IP in the code vests in the customer under Anthropic’s Terms of Service. However software developers who are using Claude Code (or any other AI coding assistant for that matter) may want to check their client contracts, including any restrictions on sub-contracting the development work to third parties and any ‘original author’ warranties.

The EU provides ‘standard’ copyright protection for human author-created works, including software, much in the same way as the UK does. The EU does not however have an equivalent to the UK’s CGW regime. As a result software code generated by Claude Code without human creative control will have no IP protection at all.

Furthermore, a recent decision by a Munich court has confirmed that even when a human is involved the level of creative control that a human must contribute in order for copyright to subsist is very high. The case concerned three AI-generated logos (one created with a single, simple prompt, one with a 1,700-character prompt, and one with the design of the logo refined on an iterative basis by successive prompts), all of which were held by the court to lack sufficient human creative control in order for copyright to subsist. The court did say that it’s possible for copyright to subsist in AI generated output but only if the human-created elements forming part of the prompts are so dominant in the output that the work can be regarded as the author’s own original creation.

U.S.

In January 2025 the U.S. Copyright Office (“USCO”) published Part 2 of its Report on Copyright and Artificial Intelligence. Its conclusions and recommendations included the following:

Copyright does not extend to purely AI-generated material, or material where there is insufficient human control over the expressive elements
Whether human contributions to AI-generated outputs are sufficient to constitute authorship must be analyzed on a case-by-case basis.
Based on the functioning of current generally available technology, prompts do not alone provide sufficient control

In March 2025 the USCO’s approach to AI-generated outputs was affirmed by the U.S. Court of Appeals for the District of Columbia in Thaler v. Perlmutter. The USCO’s approach has however not yet been considered by the U.S. Supreme Court.

For the time being the position in the U.S. is therefore not dissimilar in effect to that in the EU: copyright in Claude Code-generated software code can only be registered (i.e. subsist) where and to the extent that there is sufficient human creative control.

Managing the risk

Determining whether copyright subsists in the software that Claude Code has written for you, and if copyright does subsist deciding who the owner of the copyright is, will not always be straightforward. Although the outcome will depend on which legal system applies and the factual circumstances, you may want to consider the following:

How important is copyright protection for the software? If the software will be staying in your IT environment and can be protected as a trade secret, or the software has limited commercial value, the importance of robust copyright protection may be low.
If copyright protection is important, maximise the chances of your Claude Code-generated software code passing the human creative control test by maintaining comprehensive records, including:
- non-AI generated design briefs, architecture notes and other creative elements
- prompt histories
- interim results and tests
- post-generation human edits
If engaging a third party to develop software again consider how important copyright protection is; for example will you be exploiting the software commercially or just using internally? If it is important then agree appropriate limits and rules regarding the third party’s use of Claude Code.
And if you’re the one developing software for a commercial client, consider obtaining not only the client’s agreement to using Claude Code but an acknowledgment from the client that your use of Claude Code means that the software may result in reduced or no copyright protection.

Tags: AI, claude code, coding assistants, copyright, IP, software, software code
Posted in Commercial, Technology, Updates | No Comments »

Making progress with AI governance (Part 2): procuring an AI system

04/06/26 – In Part 1 of Making progress with AI governance we looked at the key elements which are likely to form part of an organisation’s cross-functional AI Policy. In this Part 2 we focus on the procurement of an AI system (which could be generative and/or agentic) and consider some of the key questions and issues that a potential customer may want to keep in mind.

Due diligence

Questions that the customer may want to ask as part of the procurement process:

What third party service providers does the supplier rely on, including LLM provider(s)? Generally, how transparent is the supplier about its supply chain and third-party dependencies?
What data is the AI system trained on? Has the supplier secured all necessary rights for the data, both for past and future training? Will the supplier want to use some or all of the customer’s data and/or output data for further training? If so, what confidentiality and anonymisation safeguards are available?
Can the supplier demonstrate that the AI system is free of bias or meets acceptable bias testing benchmarks?
Does the supplier have ISO 27001 security certification and/or a SOC2 (ideally Type 2) attestation report?
Are the arrangements between the supplier and its service providers compliant with UK data protection law, including rules on international data transfers?
What is the supplier’s data retention policy, including post-contract deletion timelines?
Does the supplier maintain PI and cyber insurance with adequate indemnity limits?

Supply contract

When negotiating the supply contract, the customer may want to pay particular attention to the following areas:

Ownership of AI output

Whether AI output can be copyright protected under English law is still a moot point. But to the extent copyright does subsist in the output, the supplier and the customer can agree that ownership in the copyright (and any other IP) vests in the customer.

If the supplier wants to use the customer’s data and output data for further training of the AI system, and therefore for the benefit of other customers, the customer will need to consider whether this is acceptable from legal and commercial perspectives. If it is, the customer will want to consider whether use by the supplier (and potentially by third parties) needs to be subject to anonymisation and confidentiality safeguards. The customer may also want to consider whether some form of compensation should be payable for its contribution to the development of the AI system.

IP Infringement

Infringement of IP may arise in two areas:

The AI system generates outputs which infringe third party IP rights, e.g. instead of coding from scratch the GenAI tool opts to re-use proprietary software code that it finds online. When I asked Gemini about the risk of Claude Code doing this, Gemini replied that Claude Code (like all other GenAI) may generate code that “incorporates, resembles, or is inspired by third-party licensed software” but didn’t venture a view how likely this is. Gemini did however suggest that to mitigate the risk software developers may want to “Run software composition analysis (SCA) or license scanning tools as part of [their] CI/CD pipeline to identify any third-party code that has been inadvertently incorporated“.
The training of the AI system has resulted in the infringement of the copyright in the material used as training data. Although the lawfulness of using copyrighted works for LLM training is still subject to extensive litigation and government review, the wind has been blowing in favour of the LLM providers with several courts in the U.S. supporting the view that the intermediate, and allegedly infringing, copies created in the course of training LLMs constitutes fair use (see for example Judge Alsup’s comments in Bartz v. Anthropic (pp 13, 14)).

If the supplier is reluctant to give indemnities for 3^rd party infringement claims, arguing that infringement by LLMs is out their control, the customer may want to point out that most of the LLM providers offer robust IP infringement indemnities as part of their Terms of Use, certainly for their professional, subscription-based AI models (see for example section K.1 of Anthropic’s Commercial Terms of Service and section 13.1 of the OpenAI Services Agreement).

Hallucinations and accuracy

As much as it goes against conventional contracting normal, the customer may need to accept that hallucinations are an integral feature of GenAI and that the supplier is unlikely to be able to provide warranties regarding the accuracy and completeness of the AI system’s outputs of the type that are commonplace in SaaS contracts. The exception to this is where the supplier has suggested that its AI system meets accuracy thresholds; if so the customer may want to repurpose these into contractual service levels, supported by meaningful service credits. The customer may also want to negotiate a critical service level failure threshold (e.g. accuracy falls below x% in n consecutive months), resulting in the customer having an early termination right.

Bias and discrimination

Depending on the nature of the AI system, the types of data on which it was trained, and how the AI system will be deployed, the customer may want contractual commitments regarding bias and discrimination, and the effectiveness of the AI system’s guardrails. For example if the AI system is to be used for screening and filtering CVs, the customer may want to require the supplier to measure rejection rates broken down by protected characteristics (including sex, race, disability, age) on a 6- or 12-monthly basis. The customer can incorporate the agreed bias testing benchmarks as contractual service levels, again supported by meaningful service credits and a critical service level failure/early termination trigger.

EU AI Act

If the customer will be using the AI system in the EU, or if the output of the AI system will be used in the EU, they will want the supplier to not only warrant the AI system’s compliance with the EU AI Act but also to help the customer comply with its own obligations regarding transparency, explainability of output and employee literacy as a deployer of the AI system. In practice the customer will want contractual commitments that the supplier will provide sufficient information and documentation regarding: how the AI system was developed, what data was used to train it, how it works; how the AI system is tested for bias; and how the AI system performs over time.

Tags: agentic AI, AI, AI system, AI tools, bias, generative AI, hallucination, LLMs
Posted in Commercial, Technology, Updates | Comments Off on Making progress with AI governance (Part 2): procuring an AI system

Making progress with AI governance (Part 1): creating an AI Policy

21/01/26 – As AI tools and systems scale from evaluations/POCs to live deployments, businesses will want to start thinking about AI governance – putting in place policies, practices and processes (more…)

Tags: #aigovernance, AI, aipolicy, ethicalai, governance
Posted in Commercial, Technology, Updates | Comments Off on Making progress with AI governance (Part 1): creating an AI Policy

Smart legal contracts – the Law Commission’s advice to the Government

10/12/21 – On 25th November 2021, the UK Law Commission published its advice to the Government on smart legal contracts. The advice expands on the UK Jurisdiction Taskforce’s legal statement on cryptoasset and smart contracts – see my post here.

The Law Commission concludes that current legal principles can be applied to smart contracts in much the same way as traditional contracts, with relatively minor developments required in certain contexts. It does, however, identify two specific problem areas that will require further work: the execution of deeds, and determining the geographical location where smart contracts are formed or breaches are committed (and therefore which jurisdiction’s laws apply), particularly where the smart contract concerns a digital asset.

This article considers some of the key observations and findings set out in the Law Commission’s advice.

1. What is a ‘smart legal contract’?

Considering the generally accepted definition of a smart contract as a computer program which run automatically, in whole or in part, without the need for human intervention, the Law Commission suggests that where a smart contract is used to define and perform legally binding contractual obligations it is helpful to refer to it as a ‘smart legal contract’. The Law Commission then defines a smart legal contract as ‘a legally binding contract in which some or all of the contractual obligations are defined in and/or performed automatically by a computer program’, and divides smart legal contracts into three different types, depending on the role played by the computer program code, i.e. the degree of automation of the performance of the contract:

Natural language contract with automated performance
Hybrid contract
Solely code contract

The Law Commission suggests that: ‘Automation should be considered on a spectrum. Smart legal contracts which involve elements of standard automation, such as payment by way of direct debit, have been in use for many years and are therefore unlikely to give rise to novel legal issues. However, a smart legal contract drafted primarily or solely in code […] is likely to give rise to novel legal questions; the automation in question takes the contract out of the realm of legal familiarity‘.

Although it had originally suggested (in its call for evidence) that a smart legal contract must, by definition, be deployed on a distributed ledger technology (DLT) system, the Law Commission has decided that DLT should not be an essential feature, and that a better approach is for smart legal contracts to be technology neutral.

2. What are the legal issues with smart legal contracts?

As stated, natural language contracts with automated performance via code have been in existence for a long time, and do not raise any new issues. However, where the terms of the contract are written in code, whether partly or wholly, new challenges arise in relation to contract formation, interpretation and remedies.

The Law Commission believes that contract terms expressed in computer code can, and should, be ‘susceptible to contractual interpretation‘. It suggests that the appropriate test should not be the traditional ‘what a reasonable person would understand the (coded) terms to mean, having all the background knowledge’ test, but instead a ‘what a person with knowledge and understanding of code would understand the coded terms to mean’ test – what the Law Commission calls the ‘reasonable coder‘ test. The court should ask what a person with knowledge and understanding of computer code what they understand the coded terms to mean, similar to the way that a court would ask for expert evidence in the case of a contract written in a foreign language.

The Law Commission also suggests that there is an increased risk of disputes during the lifecycle of a smart legal contract, given the likelihood of code performing ways that that the parties did not intend or expect, as well as other risk factors such as inaccurate input data, system upgrades, the code being hacked, and normal bugs and errors. The Law Commission notes that the usual legal remedy of rectification (where the court ‘corrects’ the terms of a contract) may in practice prove difficult to obtain where a computer program runs on an immutable DLT system.

3. How should businesses using smart legal contracts address these issues?

In Appendix 3 of its advice, the Law Commission helpfully provides a (non-exhaustive) list of issues that parties proposing to enter into a smart legal contract may want to consider and provide for in their contract. These include:

Confirming the role of the code in the contract and, in particular, whether the code is intended to define contractual obligations or just perform the obligations. Where contractual terms are expressed in both natural language and in code, confirming which term takes precedence in the event of a conflict.
Using natural language aids to help with the interpretation, e.g. a business process document or term sheet, and/or a natural language explanation of the code, or natural language comments within the source code itself. Making it clear that the business process document or other explanation forms parts of the parties’ agreement so that the document or explanation can be used by the court when interpreting the contract.
To satisfy the Consumer Rights Act 2015 requirement that traders’ written terms are ‘transparent’ (i.e. ‘expressed in plain and intelligible language, and be legible‘) in B2C contracts, providing consumers with a clear and informative explanation of the code in natural language.
Allocating risk amongst the contracting parties in relation to the smart legal contract-specific risk factors mentioned in the previous section.
Incorporating a ‘kill-switch’ in the smart legal contract to enable suspension or termination of the performance of the code.

4. The problem areas

The Law Commission considers that further work may be needed to support the use of smart legal contract technology in following areas:

To be validly executed, the signing of a deed must be witnessed and attested. The Law Commission is unable to see how these requirements could be satisfied for deeds which are wholly or partly defined by code, although it acknowledges the possibility of technology being developed to enable a witness to record in a smart legal contract that they have observed the execution of the deed.
It may be difficult to determine the jurisdiction and applicable law for some smart legal contracts, particularly where the smart legal contract is defined solely in code or performed via the interaction of two or more computer programs. In addition, digital location, i.e. ascribing real-world locations to digital actions and digital objects, also presents difficulties for smart legal legal contracts, particularly when deployed on DLT system. The Law Commission strongly recommends that parties to smart legal contracts stipulate both their choice of law and jurisdiction.

The Law Commission has agreed to undertake a separate project considering the rules around conflict of laws in the context of emerging technology, including smart legal contracts, which is expected to begin in the middle of 2022.

5. Looking to the future

The Law Commission points out that smart legal contracts are already used to some extent in a number of sectors (including insurance, finance, DeFi, and peer to peer), but have the potential to revolutionise the way businesses engage across all sectors. It anticipates that the market will develop established practices and model clauses that parties can use for their smart legal contracts, and hopes that work in this area will be led by LawtechUK and the UK Jurisdiction Taskforce.

Posted in Technology, Updates | Comments Off on Smart legal contracts – the Law Commission’s advice to the Government

CJEU decides that downloaded software is a sale of goods, not services

23/10/21 – Back in 2013 The Software Incubator was appointed by Computer Associates as a sales agent to promote and market Computer Associates’ application service automation software, which was deployed by CA’s customers to manage applications across data centres. The software was downloaded by customers directly from Computer Associates’ servers, subject to a perpetual licence which restricted use to a specified territory and a maximum number of authorised users.

The relationship was short lived, and The Software Incubator’s appointment was terminated later in 2013. The Software Incubator claimed compensation from Computer Associates under the Commercial Agents (Council Directive) Regulations 1993 (“UK Regulations”), which provides that a ‘commercial agent shall be entitled to compensation for the damage he suffers as a result of the termination of his relations with his principal’ (Section 17(6)). The UK Regulations define “commercial agent” as a ‘self-employed intermediary who has continuing authority to negotiate the sale or purchase of goods on behalf of another person’, but then does not provide a definition of “goods”. As you have probably already guessed, The Software Incubator and Computer Associates had different views on whether the software promoted by The Software Incubator constituted goods for the purposes of the UK Regulations, and the dispute ended up in court.

In 2018 the Court of Appeal decided, in part, in favour of Computer Associates. The Software Incubator appealed to the Supreme Court, which then referred the issue to the Court of Justice of the European Union (CJEU). In short the question for the CJEU was: Does the the supply of computer software to a customer by electronic means, together with the grant of a perpetual licence, constitute a “sale” of “goods” within the meaning of article 1(2) of the Commercial Agents Directive (Council Directive 86/653/EEC), being the original EU Directive that was implemented by the UK Regulations?

CJEU decision

The CJEU decided that:

the term “goods” could cover computer software, since software has a commercial value and was capable of forming the subject of a commercial transaction, and it was irrelevant whether the software was supplied on a CD ROM or tangible medium, or by electronic download; and
the making available of a copy of the computer software and the conclusion of a user licence agreement for that copy which entitles use of the software for an unlimited period, in return for payment of a fee, results in the transfer of the right of ownership of that copy, and therefore constitutes a “sale”.

Accordingly, the supply by Computer Associates of its software to a customer by electronic download, together with the grant of a perpetual licence constituted a “sale of goods” for the purposes of the UK Regulations, entitling The Software Incubator to compensation for termination of its sales agent appointment.

Because the question was referred to the CJEU before Brexit, the CJEU’s decision is binding on the Supreme Court.

Comment

The CJEU decision is clearly good news for sales agents which promote the supply of perpetual software licences, and probably fixed term software licences where the term is at least equal to the software’s expected economic lifespan. Less good news for software vendors, who may want to review existing arrangements with their agents and tread carefully if looking to terminate the relationships. More generally it remains to be seen to what extent the UK courts will have regard to the decision when considering the issue of whether software should be considered to be goods or services (or neither) in other contexts, particularly sale of goods legislation.

Tags: cjeu, commercial agents, computer associates, sale of goods, software, software incubator
Posted in Technology, Updates | Comments Off on CJEU decides that downloaded software is a sale of goods, not services

UKJT’s Digital Dispute Resolution Rules

26/05/21 – The UK Jurisdiction Taskforce (UKJT) received extensive and overwhelmingly positive publicity for the Legal Statement on the Status of Cryptoassets and Smart Contracts that it published in December 2019 – you can read more about the Legal Statement here.

On 22nd April 2021 the UKJT published its Digital Dispute Resolution Rules (Rules) which:

Give legal effect to automatic dispute resolution processes incorporated into digital asset systems, and
Create a streamlined arbitration process to ensure prompt and cost-effective resolution of disputes arising out of digital technologies such as smart contracts, cryptoassets and cryptocurrencies, as well as DLT-based contracts (think blockchain) where there the parties in dispute may have transacted anonymously.

Key features of the Rules:

Automatic dispute resolution processes: If a digital asset system includes an automatic dispute resolution process (aka ‘on chain’ resolution), then incorporating the Rules into the system will result in an outcome of the automatic dispute resolution being legally binding on the parties.
Incorporation: The parties can agree that the Rules will apply either before or after a dispute has arisen. The Rules can be incorporated (including in electronic or encoded form) into any relevant contract or digital asset/system by using the following text: ‘Any dispute shall be resolved in accordance with the UKJT Digital Dispute Resolution Rules’. The parties can also include their preferences, including arbitration or expert determination, procedure to be adopted, and identity (or key characteristics) of the arbitrators and/or experts.
Starting proceedings: The claimant starts proceedings by giving a notice of claim to the respondent and the Society for Computers and Law (‘SCL‘). The notice may, among other things, include a proposal regarding the way the dispute should be managed.
Responding to proceedings: The respondent then has three days to send an initial response to the notice of claim. Among other things the initial response may include comments on the claimant’s proposal for managing the dispute.
Arbitrators and experts: On receipt of the initial response, the SCL appoints the tribunal of arbitrators and any experts. Although the SCL will have regard to the parties’ preferences regarding procedure and identity of the arbitrators etc, it is not bound by those preferences. Similarly, although the tribunal of arbitrators has regard to the parties’ preferences regarding procedure, it is not bound by those preferences, and is free to adopt whatever procedure it considers appropriate, without any requirement for disclosure, witness evidence, expert evidence, or even an oral hearing.
Anonymity: Unless the tribunal considers that disclosure of the parties’ names is necessary for fair resolution of the dispute or effective enforcement of any order, or disclosure is required by law, the tribunal will respect any agreement of the parties that they are to remain anonymous to each other (but not to the tribunal).
Determination of dispute: Unless a different period has been agreed, the tribunal will use best endeavours to determine the dispute within 30 days. Yes, 30 days. Except in the limited circumstances set out in the Arbitration Act 1996, the tribunal’s decision is final and binding, i.e. there is no automatic right to appeal.
Digital assets: To help it to implement or enforce its decision, the tribunal has the right to operate, modify, sign or cancel any digital assets relevant to the dispute using any digital signature, cryptographic key, password or other control mechanism available to it, or to order a party to the dispute to do so.

Since their publication a few weeks ago, the reaction has been largely favourable, with praise for the simplicity, flexibility, speed and certainty of the Rules. Whether the positive initial reaction now translates into broad uptake by participants in the new digital technologies remains to be seen.

Posted in Technology, Updates | Comments Off on UKJT’s Digital Dispute Resolution Rules

Overview of the European Commission’s proposed AI regulation

26/04/21 – The European Commission aims to turn the EU into ‘the global hub for trustworthy Artificial Intelligence (AI)’. With that objective in mind, on 21^st April 2021 the Commission published its Proposal for a Regulation on a European approach for Artificial Intelligence.

Very interesting, I’m sure. But presumably not relevant to those of us who are no longer in the EU? Or to those of us who aren’t building robots to conquer the human race, haha?

On the EU point, the regulation applies to both EU and non-EU providers who market or deploy AI system in the EU, all users of AI systems in the EU, as well as providers and users of AI systems that are located outside the EU but where the outputs of the AI systems are used in the EU. In other words, the regulation potentially extends far beyond the EU’s borders.

And for the Asimov fans out there, the regulation’s definition of ‘AI system’ is perhaps a little disappointing: ‘software that is developed with one or more of the techniques and approaches listed in Annex I and [which] can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing environments they interact with’.

Annex I in full:

‘(a) Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning;

(b) Logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems;

(c) Statistical approaches, Bayesian estimation, search and optimization methods.’

Ah I see what you mean. So what do I need to know?

Well, the proposed regulation runs to 107 pages (not including the Annexes), so there’s quite a bit to digest. But by way of an overview:

Timing. The regulation will now be reviewed and debated by the European Parliament, and then by the Council of Europe. Given the subject matter, the regulation is also likely to generate extensive comments from AI providers and other interested parties. Once adopted by the Commission, the regulation is then subject to a 24-month grace period before it applies fully (Article 85(2)). Being realistic we’re looking at go-live in 2023, and very possibly 2024.
Risk-based approach. The regulation takes a risk-based approach, with AI systems falling into one of three categories: prohibited AI practices, high-risk systems, and lower-risk systems.
Prohibited AI practices. The regulation prohibits four specific practices involving AI (Article 5):
1. Marketing or deploying AI systems that ‘deploy subliminal techniques beyond a person’s consciousness’ in order to distort their behaviour in a way that causes or may cause harm.
2. Marketing or deploying AI systems that exploit vulnerabilities due to age, physical or mental disability in order to distort someone’s behaviour in a manner that causes or may cause harm.
3. Marketing or deploying by public authorities AI systems that evaluate or classify the trustworthiness of people with a social score (social scoring).
4. Use of ‘real-time’ remote biometric identification systems (e.g. facial recognition systems) for law enforcement purposes, with broad exemptions for certain criminal justice-related purposes. Biometric testing is likely to be one of the more controversial aspects of the regulation; the European Data Protection Supervisor (EDPS) has already issued a press release criticising the Commission for not adopting a stricter approach.
High-risk systems. The regulation specifies two categories of high-risk AI systems:
1. The first category consists of AI systems used as safety components of products, or AI systems which are themselves products, that are regulated under the ‘New Legislative Framework’ legislation listed in Annex II to the regulation, e.g. toys, medical devices, motor vehicles, gas appliances etc. Checking that these AI safety components, or AI systems, comply with the regulation (‘conformity assessments’) will be incorporated into the existing third-party compliance and enforcement mechanisms for the relevant products.
2. The second category are stand-alone AI systems that the Commission considers have ‘fundamental rights implications’. These are listed in Annex III to the regulation, and include AI systems used for:

- - - - biometric identification (to the extent not a prohibited AI practice).
      - management of road traffic and other critical infrastructure (water, gas, heating and electricity)
      - education and vocational training
      - recruitment and hiring of candidates
      - making decisions in connection with management and termination of workers

Stand-alone systems will be subject to conformity assessments, as well as quality and risk management systems and post-market monitoring. Following the conformity assessments, the AI systems must then be registered in a European Commission-managed database, to ensure public transparency and assist ongoing supervision.

Lower-risk systems. AI systems which are not prohibited or high-risk are subject to relatively light-touch regulation. There are no conformity assessment for lower-risk systems. And although all providers must inform individual users that they are interacting with an AI system (unless it is ‘obvious from the circumstances and the context of use’), there is no obligation for providers of lower-risk AI systems to provide information about the system’s algorithm or how it operates, as is the case for providers of high-risk systems.
Data governance. Providers of high-risk systems are required to adopt rigorous data governance and management practices in relation to training, validation and testing datasets to reduce the risk of potential biases and other inaccuracies.
Sandboxes. The regulation encourages EU member states to establish sandboxes (i.e. controlled environments) to enable providers to test innovative technologies on the basis of an agreed testing plan, and to reduce the regulatory burden (including conformity assessment fees) for SMEs and start-ups.
Penalties. For corporate providers of AI systems there are three levels of fines:
1. Non-compliance with Article 5 (prohibited AI practices, see para 3 above) or Article 10 (data governance, see para 6 above) is subject to a fine of up to €30,000,000 or 6% of total annual worldwide turnover, whichever is the higher.
2. For non-compliance of any other provision of the regulation, up to €20,000,000 or 4% of total annual worldwide turnover, whichever is the higher.
3. For the supply of incorrect, incomplete or misleading information to regulatory bodies, up to €10,000,000 or 2% of total annual worldwide turnover, whichever is the higher.

I see what you mean about quite a bit to digest. Anything I need to do now?

Although the regulation is likely to be subject to various changes over the next few months – particularly in the areas of biometric testing and social scoring – the fundamental principles are unlikely to change. So if you’re involved with the development, marketing, sale or distribution of software that constitutes a high-risk AI system then you may want to start thinking about how the regulation will impact areas such the accuracy of your datasets, risk of bias, and algorithmic transparency.

Tags: AI, artificial intelligence, brexit, EU, machine learning, ML
Posted in Technology, Updates | Comments Off on Overview of the European Commission’s proposed AI regulation

Who owns the copyright in software created by your employees?

12/03/21 – In accordance with the Copyright, Designs and Patents Act 1988 where any work “is made by an employee in the course of his employment, his employer is the first owner of any copyright in the work, subject to any agreement to the contrary”. (more…)

Tags: CDPA 1988, copyright, employees, IP, MD5, penhallurick, software
Posted in Technology, Updates | Comments Off on Who owns the copyright in software created by your employees?

Checklist: Service levels

Issues to consider when drafting, reviewing or negotiating service levels include:

Service levels

Are uptime service levels measured monthly, or over a different period? (A 99.9% uptime service level measured monthly allows for a single outage of approx. 43 minutes; measured quarterly, that increases to more than two hours.)
Are out-of-hours outages dealt with in the same way as outages during business hours?
What types of downtime excluded from the availability calculation, e.g. planned maintenance or Force Majeure events?
For response/resolution service levels, are different severities of fault subject to different service levels? Does a workaround constitute a resolution for the purpose of the service level?
Do the service levels apply from Day 1, or does the supplier have a grace period to allow the service to be ‘bedded in’?
Are there any ‘chronic’ service levels’, which if breached entitle the customer to terminate the agreement?

Service credits

If service credits are payable for breach of service levels, are the service credits subject to a cap? If a default results in breaches of multiple service levels, can the customer claim multiple service credits?
Does a service credit constitute the customer’s sole remedy, or is the customer able to claim against the supplier if its actual losses exceed the value of the service credit?
How and when does the customer claim service credits?

Tags: availability, chronic service level, service credit, service level, SLA, uptime
Posted in Commercial, Technology | Comments Off on Checklist: Service levels

AA v Persons Unknown – recovering Bitcoin ransom payments

10/02/20 – In AA v Persons Unknown [2019], the Commercial Court confirmed that cryptoassets such as Bitcoin can constitute property under English law, and are therefore capable of being subject to a proprietary injunction (i.e. a court order which prevents the defendant from dealing with the relevant property).

The judgment refers extensively, and gives considerable weight, to the UK Jurisdiction Taskforce’s recent Legal Statement on the Status of Cryptoassets and Smart Contracts – see my article on the UKJT Statement here.

Background

In October 2019, one or more hackers encrypted the IT systems of a Canadian insurance company with malware. In order to regain control of its IT systems, the insurance company paid the hacker(s) a ransom of 109.25 Bitcoins (approx. $950,000).

The insurance company’s cybercrime insurer traced the ransom payment to a Bitcoin wallet linked to and controlled by Bitfinex, a crypto exchange operated by two British Virgin Island entities. The insurer applied for a proprietary injunction to recover the 96 Bitcoins that remained in the wallet.

Judgement

Because proprietary injunctions can only be granted over property, the Commercial Court first had to consider whether Bitcoin constitutes a form of property. Although Bitcoin do not fit into either of the two conventional categories of property – ‘choses in possession’ or ‘choses in action’ – the Court reviewed the analysis of the proprietary status of cryptoassets in the UKJT Statement, and in particular the UKJT’s conclusion that, despite their “novel or distinctive features“, cryptoassets may be objects of property rights, and “[i]f it is necessary to classify it at all, then a cryptoasset is best treated as being another, third kind of property” (UKJT Statement, para. 86(a)). The Court agreed with this approach, adding that “it is fallacious to proceed on the basis that the English law of property recognises no forms of property other than choses in possession and choses in action“.

Having confirmed that Bitcoin constitutes property, the Court granted the proprietary injunction.

Tags: Bitcoin, blockchain, cryptoassets, cryptocurrencies, distributed ledger technology, DLT
Posted in Technology, Updates | Comments Off on AA v Persons Unknown – recovering Bitcoin ransom payments