FRANCE Trends and Developments Contributed by: Eric Weil, Victor Gozzerino and Giada Cancemi, Weil & Associés
straightforward for the AI service provider: the mere act of making a tool available that is capable of being misused should not, in itself, be sufficient to establish criminal complicity. Articles 121-6 and 121-7 of the Criminal Code require that the assistance or facilita - tion be provided intentionally, in connection with the preparation or commission of the offence. The decisive factor will therefore be the role effec - tively played by the provider. An AI service designed, configured and promoted so as to facilitate fraudulent uses will not be assessed in the same manner as a general-purpose tool that has been repurposed by an end-user in breach of its terms of service. This analysis extends a debate already familiar in the digital sphere. Courts are increasingly confronted with technical services (hosting, encrypted messaging, communication interfaces, and software infrastruc - ture) being used as vehicles for criminal activity. The central question is to distinguish the neutral provision of a service from knowing facilitation of unlawful activ - ity. These questions remain at an early stage of develop - ment. The rapid evolution of generative AI systems will inevitably renew the debate on the allocation of criminal liability between the developer and the user. In this context, the question of whether, and to what extent, a duty of vigilance may be imposed on devel - opers is of central importance. In this regard, Regulation (EU) 2024/1689 of the Euro - pean Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (the “AI Act”) provides an initial normative framework. The Regulation operates principally through the con - cept of “provider”, defined as the natural or legal per - son who develops, or causes to be developed, an AI system or a general-purpose AI model and places it on the market or puts it into service under their own name or trade mark. The AI Act establishes a graduated approach based on the level of risk posed by AI systems. Systems classified as “high-risk” – in particular where deployed in sensitive sectors listed in Annex III, like biometrics, personal identification, certain critical infrastructure
are subject to enhanced obligations. These include the implementation of a documented, continuous and regularly updated risk management system, together with the identification and mitigation of reasonably foreseeable misuse of the system. The use of generative AI tools to refine fraudulent mechanisms, automate scam campaigns, or facili - tate certain cybercriminal offences may well constitute precisely such foreseeable misuse. That said, genera - tive AI models do not automatically fall within the high- risk regime. Their classification depends primarily on the specific use made of them in one of the domains covered by Annex III, or, in the case of the most pow - erful general-purpose AI models, on whether they may be classified as presenting a “systemic risk” within the meaning of the Regulation. It should be noted, however, that this framework remains in flux. Recent European discussions sur - rounding the so-called “AI Omnibus” initiative are aimed at simplifying certain procedural obligations under the AI Act, in particular for innovative compa - nies and certain industrial operators, and at extending several compliance deadlines applicable to high-risk AI systems. Without establishing a distinct regime of criminal liabil - ity for AI developers, the AI Act therefore contributes to defining a European standard of vigilance and com - pliance that may, over time, influence the assessment of criminal fault or breach of a duty of care and safety. The principal obligations applicable to high-risk AI systems will come progressively into force from 2026 and 2027, subject to any adjustments arising from the Omnibus reforms. The question will then be whether and to what extent failure to comply with obligations of prevention, monitoring or anticipation of misuse may be relied upon to establish criminal liability on the part of the developer or provider of the AI system. Finally, French courts also take into account the con - duct of the victim. They may consider whether the corporate victim displayed excessive credulity, inade - quate internal controls or an unduly delayed response following discovery of the fraud.
65 CHAMBERS.COM
Powered by FlippingBook