Are you a Provider or a Deployer under the EU AI Act?

The correct qualification, especially between provider and deployer under the EU AI Act, brings a load of obligations and responsibilities, and in some cases, the line between the two roles might be blurred.

We are having considerable discussions with clients on their role under the EU AI Act since, in most cases, businesses are no longer requesting off-the-shelf AI systems. Also, because of the risk of legal challenges due to copyright or privacy-related breaches or for the risk of disclosure to third parties of trade secrets and/or confidential information, companies are exponentially requesting to

• Either have AI systems trained on their material, creating a secure environment where they are control over any content and potentially a better control over outputs;?
• Or have a system integrator develop an AI system based on an algorithm and materials provided by the company itself.?

In these scenarios, it is unclear whether the company exploiting the AI system can still fall just under the category of deployer or it can be qualified as a provider under the EU AI Act.

Under the final version of the AI Act,

• A ‘provider’ means "a natural or legal person, public authority, agency or other body

1. that?develops?an AI system or a general purpose AI model or that?has an AI?system or a general purpose AI model?developed?and?places them on the market?[i.e., it makes it available on the market]?or?puts the system into service?under its own name or trademark,

whether for payment or free of charge" while

• A ‘deployer' means "any natural or legal person, public authority, agency or other body?

1. using?an AI system under its authority?except?where?the AI system is used in the course of a?personal non-professional activity";

The distinction is relevant since most of the obligations and responsibilities under the EU AI Act are on providers, and in particular, recital 53 of the current draft provides that "It is appropriate that a specific natural or legal person, defined as the provider, takes the

responsibility for the placing on the market or putting into service of a high-risk AI system,?regardless of whether that natural or legal person is the person who designed or developed the system" and recital 57b also covers the scenario?when an initial provider of an AI system is no longer a provider under the EU AI Act?because of the evolution on the development of the system.

As in the case of the GDPR, the proper qualification of an entity cannot be contractually agreed upon, but?it depends on factual circumstances. As such, a considerable level of customizations of the AI systems that is either placed on the market or merely put into service under its name by a company might lead to entity being requalified as provider, even though the development activity was outsourced entirely. Likewise, if an AI system is placed on the market by a company with its brand that entity is likely to be considered to be a developer, even though the company outsourced the whole development activity.?At the same time, a system integrator might be qualified as a provider if its customizations make the AI system subsequently offered to its customers substantially different from the original system.?

A single solution fitting all the scenarios does not exist, and a case-by-case assessment shall be performed. However, given that the AI Act is focused predominantly on the obligations applicable to providers, even though deployers need to verify the provider's representations, the proper qualification of a party has a significant impact in terms of risk exposure in case of potential challenges by the regulators.?

Besides, the EU AI Act qualification might also have implications under the GDPR. Indeed, if it is represented that a provider is an entity with actual control over the AI system, there is a risk that data protection authorities might qualify the latter as a data controller or at least a joint controller with the deployer, while providers typically are data processors.??

As such, some safeguards shall be put in place to avoid that, if there is an investigation or a challenge by a customer or a competitor, the entity using the AI system is also qualified as providers with the consequential obligations and liabilities.

On a similar topic, you can read the article "AI Act Finalized: Here Is What Has Been Agreed".

Cyber Criminals Are the New Bandits – How do you deal with them?

Cyber criminals have become a major threat with increasing ransomware attacks that require to implement robust measures of legal compliance, this article gives indications on how to deal with it. Read more

Are Gambling White Labels and Skins Banned in Italy?

The draft law aimed at setting out the new Italian remote gambling framework in Italy might ban white labels and skins, but let’s explore it in more details. Read more

Prisca AI Compliance

Prisca AI Compliance is turn-key solution to assess the maturity of artificial intelligence systems against the AI Act, privacy regulations, intellectual property rules and much more providing a score of compliance and identifying corrective actions to be undertaken. Read more

Transfer - DLA Piper legal tech solution to support Transfer Impact Assessments

This presentation shows DLA Piper legal tech tool named "Transfer" to support our clients to perform a transfer impact assessment after the Schrems II case. Read more

DLA Piper Turnkey solution on NFT and Metaverse projects

You can have a look at DLA Piper capabilities and areas for NFT and Metaverse projects. Read more