UK Trends and Developments Contributed by: Amélie Chollet, Hannah Curtis and David Dennis, CMS
requirements, testing methodologies, monitoring obligations, and expectations for algorithmic transparency all vary widely between regulatory frameworks. These sometimes overlapping or even contradictory frameworks create substantial compliance challenges, particularly for products deployed across multiple markets. Companies must develop sophisticated regulatory intelligence capabilities to track evolving requirements and implement adaptable compliance strategies.

The third-party AI supplier conundrum

Building in-house AI capabilities requires significant investment of time and resources, which may not be within the reach of many companies; using external providers of AI systems may be a cost-effective solution, but it introduces its own set of challenges – and legal risks.

Due diligence: looking beyond traditional vendor assessment

When evaluating AI suppliers, companies must look beyond traditional vendor criteria. This extended due diligence should thoroughly assess the provenance and quality of training data used to develop the AI system. Organisations need detailed documentation of development and validation processes to ensure regulatory compliance and scientific validity of datasets. Equally important is understanding the supplier’s approach to ongoing monitoring and performance evaluation, as AI systems may evolve or degrade over time. Transparency about known limitations and edge cases becomes crucial, as these boundaries can often define the risk profile of the technology.
Built-in contractual protections: new clauses for new risks

Standard vendor agreements rarely address AI-specific concerns, necessitating new contractual approaches. Critical elements include clear delineation of responsibilities for ongoing performance monitoring throughout the AI system life cycle. Contracts should establish robust access rights to validation data and performance metrics to enable proper oversight. Explainability requirements and documentation standards need explicit definition to ensure regulatory compliance and defend against potential liability. Forward-looking provisions addressing regulatory changes and compliance updates help manage evolving requirements. Perhaps most importantly, contracts must include thoughtful liability allocation for AI-specific scenarios such as algorithmic drift or dataset biases that traditional agreements rarely contemplate.

Compliance transfer risk

The EU AI Act, like the General Data Protection Regulation (GDPR) before it, adopts an extraterritorial approach. This means that life sciences companies can face compliance obligations even when using AI suppliers based outside regulated territories. This creates a “compliance transfer risk” where an organisation becomes responsible for ensuring that the AI system meets regulatory requirements, even with limited visibility into the supplier’s compliance posture. Enforcement actions could target the organisation directly, even if the non-compliant elements were developed entirely by a third party.

Intellectual property (IP) minefields

Third-party AI solutions create several IP-related risks that life sciences companies often overlook. AI systems trained on datasets with unclear ownership or usage rights may inadvertently incorporate protected IP, potentially trans-