USA Trends and Developments Contributed by: Jeffrey Harvey, Randall Parks, Andrew Geyer and Cecilia Oh, Hunton Andrews Kurth LLP
In reality, many of these issues are not settled and are currently working their way through the courts as of the date of publication of this guide. With that being said, a handful of recent cases do seem to lean towards protecting output from infringement claims, although it would be premature to declare it a trend or a majority. Buyers of generative AI solutions should ensure that humans sufficiently alter any output to make it their own, particularly if the commercial use will be a public use.

Critically, and in cases of both traditional AI and generative AI, customers must consider how the AI system and related projects and data uses will comply with applicable data protection laws, and whether any data protection laws were violated in the collection of such data. In the United States, various state and sector-specific laws require businesses to enter into written agreements with providers that limit the provider’s ability to process the data for any purpose other than to perform the services and to employ reasonable safeguards to protect the data. A key consideration when entering into a contract with a provider is to ensure that the provider’s access to and use of such data does not run afoul of representations the business owner (whether the customer in a customer–provider relationship or a provider who hosts data online) has made to data subjects whose personal information is being processed in connection with the AI model.
With the enactment of 20 state privacy regimes, including, among others, the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020, the Virginia Consumer Data Protection Act (2021, effective 2023), the Colorado Privacy Act (2021, effective 2023), and the Utah Consumer Privacy Act (2022, effective 2023), the US legal regime is continuing to shift to one that offers individuals certain rights with respect to their data (ie, access, deletion, and opt out of sale), moving away from the notion that businesses that collect the data are “owners” of such information with the autonomy to use the data indefinitely and without question as long as appropriate notice and choice were offered at the outset.

Vendors and customers are leveraging the confluence of efficient technologies, capable automation, and cheap, ubiquitous sensors and consumer technologies to transform their existing business processes and deploy new ones. Examples include:

• business collaboration tools with robust social-media style functionality;
• smart-manufacturing tools to optimise production;
• business “internet of things” implementations allowing continuous communication with products while in use; and
• consumer subscription models for security, entertainment, health and fitness, finance, and education.

Each of these models generates specific questions of compliance, liability management, cyber-risk, and a host of other legal issues typical of information technology transactions. However, for large buyers, the sheer volume and pace of evolution of these models creates a new set of more strategic concerns, including:

• how to efficiently procure solutions at speed;
• how to manage cybersecurity, data protection, and compliance risks across a rapidly multiplying vendor population; and
• how to manage a vendor population that may include under-capitalised start-ups that cannot possibly satisfy claims against them, but which offer a must-have business solution.

Cybersecurity, Data Protection and Compliance

As the trend to digitisation accelerates and data flows expand, vendors and customers are making increasing investments in cybersecurity, data protection and compliance in response to increased threats from bad actors, increased regulatory scrutiny, and an increasingly active plaintiff’s bar. Data breaches, ransomware attacks and other cyber-attacks are announced almost daily, and law enforcement and private security firms regularly warn of new threat agents (including nation states and organised crime) and attack vectors. Legislators, regulators and trade organisations are considering and adopting a range of cybersecurity and data protection requirements.
Not unexpectedly, a good deal of the cybersecurity and data protection legislation brought before the 118th Congress tracked