Posts Tagged ‘AI’


Protection of IP in the age of Claude Code

As with most LLM provider terms of service, Anthropic’s Commercial Terms of Service confirm that when you use Claude Code:

For anyone using Claude Code to assist with software development – whether for their own purposes or for a client – Anthropic’s confirmation of ownership supported by an indemnity is good news.

So far so straightforward.  A trickier question is whether your Claude Code-generated software code benefits from any IP rights, and specifically copyright, in the first place.

In this article we look at the status of copyright protection of AI-generated software code in the UK, and also briefly look at the position in the EU and in the U.S.  We conclude with some practical suggestions on how to manage some of the risks involved.

UK

In common with most countries, the UK provides ‘standard’ copyright protection for human author-created works.  Under the UK Copyright, Designs and Patents Act 1988 (“CDPA”) copyright subsists in “original literary, dramatic, musical or artistic works” (CDPA, s.1), with literary work defined to include computer programs (CDPA, s.3).  The originality of a work must meet the “author’s own intellectual creation” test which derives from the EC Copyright Directive 2009, and which the UK courts have confirmed continues to apply post-Brexit.  Copyright continues for 70 years from the end of the calendar year in which the author dies (CDPA, s.12).

Unlike most countries, however, the UK has a separate regime for the protection of computer-generated works.  A computer-generated work (CGW) is defined as a work “generated by a computer in circumstances such that there is no human author of the work” (CDPA, s.178).  Copyright in a CGW continues for 50 years from the end of the calendar year in which the work is made (CDPA, s.12(7)).

A CGW cannot, by definition, be assessed by the “author’s own intellectual creation” test applicable when considering whether a human-authored work has sufficient originality to be eligible for copyright protection.  There is therefore some dispute about the circumstances in which the CGW regime will actually apply.  The most widely held view appears to be that copyright protection is available to a computer-generated work which would be original had it been created by a human.

Where copyright does subsist in AI-generated code under the CGW regime, authorship (which with some exceptions also means ownership) is ascribed to the person who “undertakes the necessary arrangement to create the work” (CDPA, s.9(3)).  Determining who makes the necessary arrangements in the case of Claude Code-generated software may not be straightforward; if the user provides detailed and well-defined prompts there is a strong argument that they have made the “necessary arrangement” and as a result they are the author; conversely where the user only communicates a general idea or concept via prompts and Claude Code makes the key structural and expressive choices in the code it’s likely that it’s Anthropic which has made the necessary arrangement and is the author.  In most circumstances this will all be academic because the IP in the code vests in the customer under Anthropic’s Terms of Service.  However software developers who are using Claude Code (or any other AI coding assistant for that matter) may want to check their client contracts, including any restrictions on sub-contracting the development work to third parties and any ‘original author’ warranties.

EU

The EU provides ‘standard’ copyright protection for human author-created works, including software, much in the same way as the UK does.  The EU does not however have an equivalent to the UK’s CGW regime.  As a result software code generated by Claude Code without human creative control will have no IP protection at all.

Furthermore, a recent decision by a Munich court has confirmed that even when a human is involved the level of creative control that a human must contribute in order for copyright to subsist is very high.  The case concerned three AI-generated logos (one created with a single, simple prompt, one with a 1,700-character prompt, and one with the design of the logo refined on an iterative basis by successive prompts), all of which were held by the court to lack sufficient human creative control in order for copyright to subsist.  The court did say that it’s possible for copyright to subsist in AI generated output but only if the human-created elements forming part of the prompts are so dominant in the output that the work can be regarded as the author’s own original creation.

U.S.

In January 2025 the U.S. Copyright Office (“USCO”) published Part 2 of its Report on Copyright and Artificial Intelligence.  Its conclusions and recommendations included the following:

In March 2025 the USCO’s approach to AI-generated outputs was affirmed by the U.S. Court of Appeals for the District of Columbia in Thaler v. Perlmutter.  The USCO’s approach has however not yet been considered by the U.S. Supreme Court.

For the time being the position in the U.S. is therefore not dissimilar in effect to that in the EU: copyright in Claude Code-generated software code can only be registered (i.e. subsist) where and to the extent that there is sufficient human creative control.

Managing the risk

Determining whether copyright subsists in the software that Claude Code has written for you, and if copyright does subsist deciding who the owner of the copyright is, will not always be straightforward. Although the outcome will depend on which legal system applies and the factual circumstances, you may want to consider the following:


Making progress with AI governance (Part 2): procuring an AI system

04/06/26 – In Part 1 of Making progress with AI governance we looked at the key elements which are likely to form part of an organisation’s cross-functional AI Policy.  In this Part 2 we focus on the procurement of an AI system (which could be generative and/or agentic) and consider some of the key questions and issues that a potential customer may want to keep in mind.

Due diligence

Questions that the customer may want to ask as part of the procurement process:

Supply contract

When negotiating the supply contract, the customer may want to pay particular attention to the following areas:

Ownership of AI output

Whether AI output can be copyright protected under English law is still a moot point.  But to the extent copyright does subsist in the output, the supplier and the customer can agree that ownership in the copyright (and any other IP) vests in the customer.

If the supplier wants to use the customer’s data and output data for further training of the AI system, and therefore for the benefit of other customers, the customer will need to consider whether this is acceptable from legal and commercial perspectives.  If it is, the customer will want to consider whether use by the supplier (and potentially by third parties) needs to be subject to anonymisation and confidentiality safeguards. The customer may also want to consider whether some form of compensation should be payable for its contribution to the development of the AI system.

IP Infringement

Infringement of IP may arise in two areas:

  1. The AI system generates outputs which infringe third party IP rights, e.g. instead of coding from scratch the GenAI tool opts to re-use proprietary software code that it finds online. When I asked Gemini about the risk of Claude Code doing this, Gemini replied that Claude Code (like all other GenAI) may generate code that “incorporates, resembles, or is inspired by third-party licensed software” but didn’t venture a view on how likely this is.  Gemini did however suggest that to mitigate the risk software developers may want to “Run software composition analysis (SCA) or license scanning tools as part of [their] CI/CD pipeline to identify any third-party code that has been inadvertently incorporated”.
  2. The training of the AI system has resulted in the infringement of the copyright in the material used as training data. Although the lawfulness of using copyrighted works for LLM training is still subject to extensive litigation and government review, the wind has been blowing in favour of the LLM providers, with several courts in the U.S. supporting the view that the intermediate, and allegedly infringing, copies created in the course of training LLMs constitute fair use (see for example Judge Alsup’s comments in Bartz v. Anthropic (pp 13, 14)).

If the supplier is reluctant to give indemnities for third-party infringement claims, arguing that infringement by LLMs is outside their control, the customer may want to point out that most of the LLM providers offer robust IP infringement indemnities as part of their Terms of Use, certainly for their professional, subscription-based AI models (see for example section K.1 of Anthropic’s Commercial Terms of Service and section 13.1 of the OpenAI Services Agreement).

Hallucinations and accuracy

As much as it goes against conventional contracting norms, the customer may need to accept that hallucinations are an integral feature of GenAI and that the supplier is unlikely to be able to provide warranties regarding the accuracy and completeness of the AI system’s outputs of the type that are commonplace in SaaS contracts.  The exception to this is where the supplier has suggested that its AI system meets accuracy thresholds; if so the customer may want to repurpose these into contractual service levels, supported by meaningful service credits. The customer may also want to negotiate a critical service level failure threshold (e.g. accuracy falls below x% in n consecutive months), resulting in the customer having an early termination right.

Bias and discrimination

Depending on the nature of the AI system, the types of data on which it was trained, and how the AI system will be deployed, the customer may want contractual commitments regarding bias and discrimination, and the effectiveness of the AI system’s guardrails.  For example if the AI system is to be used for screening and filtering CVs, the customer may want to require the supplier to measure rejection rates broken down by protected characteristics (including sex, race, disability, age) on a 6- or 12-monthly basis. The customer can incorporate the agreed bias testing benchmarks as contractual service levels, again supported by meaningful service credits and a critical service level failure/early termination trigger.

EU AI Act

If the customer will be using the AI system in the EU, or if the output of the AI system will be used in the EU, they will want the supplier to not only warrant the AI system’s compliance with the EU AI Act but also to help the customer comply with its own obligations regarding transparency, explainability of output and employee literacy as a deployer of the AI system.  In practice the customer will want contractual commitments that the supplier will provide sufficient information and documentation regarding: how the AI system was developed, what data was used to train it, how it works; how the AI system is tested for bias; and how the AI system performs over time.


Making progress with AI governance (Part 1): creating an AI Policy

21/01/26 – As AI tools and systems scale from evaluations/POCs to live deployments, businesses will want to start thinking about AI governance – putting in place policies, practices and processes (more…)


Overview of the European Commission’s proposed AI regulation

26/04/21 – The European Commission aims to turn the EU into ‘the global hub for trustworthy Artificial Intelligence (AI)’.  With that objective in mind, on 21st April 2021 the Commission published its Proposal for a Regulation on a European approach for Artificial Intelligence.

Very interesting, I’m sure.  But presumably not relevant to those of us who are no longer in the EU?  Or to those of us who aren’t building robots to conquer the human race, haha?

On the EU point, the regulation applies to both EU and non-EU providers who market or deploy AI systems in the EU, all users of AI systems in the EU, as well as providers and users of AI systems that are located outside the EU but where the outputs of the AI systems are used in the EU.  In other words, the regulation potentially extends far beyond the EU’s borders.

And for the Asimov fans out there, the regulation’s definition of ‘AI system’ is perhaps a little disappointing: ‘software that is developed with one or more of the techniques and approaches listed in Annex I and [which] can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing environments they interact with’.

Annex I in full:

‘(a) Machine learning approaches, including supervised, unsupervised and reinforcement learning, using a wide variety of methods including deep learning;

(b) Logic- and knowledge-based approaches, including knowledge representation, inductive (logic) programming, knowledge bases, inference and deductive engines, (symbolic) reasoning and expert systems;

(c) Statistical approaches, Bayesian estimation, search and optimization methods.’

Ah I see what you mean.  So what do I need to know?

Well, the proposed regulation runs to 107 pages (not including the Annexes), so there’s quite a bit to digest.  But by way of an overview:

  1. Timing. The regulation will now be reviewed and debated by the European Parliament, and then by the Council of Europe.  Given the subject matter, the regulation is also likely to generate extensive comments from AI providers and other interested parties.  Once adopted by the Commission, the regulation is then subject to a 24-month grace period before it applies fully (Article 85(2)).  Being realistic we’re looking at go-live in 2023, and very possibly 2024.
  2. Risk-based approach. The regulation takes a risk-based approach, with AI systems falling into one of three categories: prohibited AI practices, high-risk systems, and lower-risk systems.
  3. Prohibited AI practices. The regulation prohibits four specific practices involving AI (Article 5):
    1. Marketing or deploying AI systems that ‘deploy subliminal techniques beyond a person’s consciousness’ in order to distort their behaviour in a way that causes or may cause harm.
    2. Marketing or deploying AI systems that exploit vulnerabilities due to age, physical or mental disability in order to distort someone’s behaviour in a manner that causes or may cause harm.
    3. Marketing or deploying by public authorities AI systems that evaluate or classify the trustworthiness of people with a social score (social scoring).
    4. Use of ‘real-time’ remote biometric identification systems (e.g. facial recognition systems) for law enforcement purposes, with broad exemptions for certain criminal justice-related purposes. Biometric testing is likely to be one of the more controversial aspects of the regulation; the European Data Protection Supervisor (EDPS) has already issued a press release criticising the Commission for not adopting a stricter approach.
  4. High-risk systems. The regulation specifies two categories of high-risk AI systems:
    1. The first category consists of AI systems used as safety components of products, or AI systems which are themselves products, that are regulated under the ‘New Legislative Framework’ legislation listed in Annex II to the regulation, e.g. toys, medical devices, motor vehicles, gas appliances etc. Checking that these AI safety components, or AI systems, comply with the regulation (‘conformity assessments’) will be incorporated into the existing third-party compliance and enforcement mechanisms for the relevant products.
    2. The second category are stand-alone AI systems that the Commission considers have ‘fundamental rights implications’. These are listed in Annex III to the regulation, and include AI systems used for:

Stand-alone systems will be subject to conformity assessments, as well as quality and risk management systems and post-market monitoring. Following the conformity assessments, the AI systems must then be registered in a European Commission-managed database, to ensure public transparency and assist ongoing supervision.

  5. Lower-risk systems. AI systems which are not prohibited or high-risk are subject to relatively light-touch regulation.  There is no conformity assessment for lower-risk systems.  And although all providers must inform individual users that they are interacting with an AI system (unless it is ‘obvious from the circumstances and the context of use’), there is no obligation for providers of lower-risk AI systems to provide information about the system’s algorithm or how it operates, as is the case for providers of high-risk systems.
  6. Data governance. Providers of high-risk systems are required to adopt rigorous data governance and management practices in relation to training, validation and testing datasets to reduce the risk of potential biases and other inaccuracies.
  7. Sandboxes. The regulation encourages EU member states to establish sandboxes (i.e. controlled environments) to enable providers to test innovative technologies on the basis of an agreed testing plan, and to reduce the regulatory burden (including conformity assessment fees) for SMEs and start-ups.
  8. Penalties. For corporate providers of AI systems there are three levels of fines:
    1. Non-compliance with Article 5 (prohibited AI practices, see para 3 above) or Article 10 (data governance, see para 6 above) is subject to a fine of up to €30,000,000 or 6% of total annual worldwide turnover, whichever is the higher.
    2. For non-compliance with any other provision of the regulation, up to €20,000,000 or 4% of total annual worldwide turnover, whichever is the higher.
    3. For the supply of incorrect, incomplete or misleading information to regulatory bodies, up to €10,000,000 or 2% of total annual worldwide turnover, whichever is the higher.

I see what you mean about quite a bit to digest.  Anything I need to do now?

Although the regulation is likely to be subject to various changes over the next few months – particularly in the areas of biometric testing and social scoring – the fundamental principles are unlikely to change.  So if you’re involved with the development, marketing, sale or distribution of software that constitutes a high-risk AI system then you may want to start thinking about how the regulation will impact areas such as the accuracy of your datasets, risk of bias, and algorithmic transparency.
