Riding the AI Wave: Navigating Business Opportunities and Legal Limitations
By Sabine Reifenberger, Frankfurt
AI Under Regulated Management
When the EU enacted the General Data Protection Regulation in 2016, attorneys were swamped with work: "Every company had consulting needs back then due to data protection affecting everyone," says Christoph Werkmeister, global co-head of the data and technology practice and member of the Information Security Committee at Freshfields law firm. He sees a similar trend now with AI. "AI challenges companies across all sectors." From retail using AI to automate purchasing, to automakers analyzing data for autonomous driving, and healthcare conglomerates utilizing AI in drug development, AI is rapidly transforming businesses.
Business Leaders Steer the AI Ship
Executives in every industry must grapple with AI—economic pressure and competition ensure this. "If AI solutions offer increased efficiency, economic profitability, or industry-standard advantages, boards should be informed about them," Werkmeister explains. Importantly, AI application guidelines must be established before it becomes standard practice. Employee co-determination rights also warrant consideration.
The European Regulation's Guiding Role
Negligence can quickly result in chaos. Should HR departments use AI for employee selection? Can systems pre-formulate customer letters? Is sensitive data safeguarded? "Routine mapping is crucial for AI governance," Werkmeister states. Keeping track of who is working on AI and what areas they are working in helps maintain control. An enterprise policy can restrict AI tool application to specific processes.
A European Regulation for AI Governance
A new European Regulation on Artificial Intelligence went into effect in August of this year, offering guidelines for AI governance. "Board members need to implement a governance structure for AI use within the company, following a risk-based approach," says Klaus Brisch, partner at Grant Thornton. The regulation targets high-risk systems, such as AI deploying biometric data or operating in safety-critical areas like traffic or energy supply, with stringent regulatory requirements. These systems are tested for compliance through external audits.
Duties of Care and AI Obligations
To discharge their responsibilities, the leadership must consider certified and thoroughly documented AI systems in their implementation, recommends Grant Thornton partner Marco Müller-ter Jung. Transparency about AI system capabilities and processes is essential. When delegating tasks to AI or using its output in decision-making, the usual requirements for careful business management apply.
Internal AI Education
The regulation demands companies ensure 'AI literacy' among employees wherever AI systems are used. However, the specifics are left to the company's discretion. This is crucial, as better internal understanding can guide the selection of superior AI systems and facilitate nuanced, critical questions about AI functionality and documentation.
Parallels to Data Protection
Establishing an AI governance structure is not straightforward. Companies that manage large amounts of customer data are usually well-prepared for data protection compliance. They can leverage their experience in audits and documentation for AI governance.
International Differences in AI Regulation
While governance challenges exist, AI regulation broadly pertains to organizational matters, says Werkmeister. No one needs to fundamentally alter products, release data, or change business models due to it. However, internationally active companies may fall within multiple AI regulations. For example, the EU regulation applies to non-EU corporations if they sell products on the European market or if the AI output is used in the EU. Country-specific perspectives on AI vary, often focusing on consumer protection or copyright considerations.
Looking Ahead
As the landscape of AI regulation evolves, Werkmeister urges an emphasis on risk management, transparency, and documentation. By continuously monitoring and evaluating AI behavior, companies can be as prepared as possible for future developments.
- The enactment of the General Data Protection Regulation in 2016 and the current rise of AI in various sectors remind us of the significance of implementing guardrails for artificial-intelligence technology, as stated by Christoph Werkmeister.
- In the face of AI challenges across all industries, it's crucial for board members to ensure compliance with AI guidelines before it becomes standard practice, as Klaus Brisch suggests, following a risk-based approach.
- The new European Regulation on Artificial Intelligence targets high-risk systems, requiring stringent regulatory requirements and external audits for their compliance, as highlighted by Brisch.
- As AI systems become increasingly prevalent, companies need to ensure 'AI literacy' among employees, as mandated by the regulation, to facilitate better understanding of AI capabilities and decision-making, as advised by Marco Müller-ter Jung.
