Are you a Provider or a Deployer under the EU AI Act?
Giulio Coraggio
Solving Legal Challenges of the Future | Head of Intellectual Property & Technology | Partner @ DLA Piper | IT, AI, Privacy, Cyber & Gaming Lawyer
The correct qualification, especially between provider and deployer under the EU AI Act, brings a load of obligations and responsibilities, and in some cases, the line between the two roles might be blurred.
We are having considerable discussions with clients on their role under the EU AI Act since, in most cases, businesses are no longer requesting off-the-shelf AI systems. Also, because of the risk of legal challenges due to copyright or privacy-related breaches or for the risk of disclosure to third parties of trade secrets and/or confidential information, companies are exponentially requesting to
In these scenarios, it is unclear whether the company exploiting the AI system can still fall just under the category of deployer or it can be qualified as a provider under the EU AI Act.
Under the final version of the AI Act,
whether for payment or free of charge" while
The distinction is relevant since most of the obligations and responsibilities under the EU AI Act are on providers, and in particular, recital 53 of the current draft provides that "It is appropriate that a specific natural or legal person, defined as the provider, takes the
responsibility for the placing on the market or putting into service of a high-risk AI system,?regardless of whether that natural or legal person is the person who designed or developed the system" and recital 57b also covers the scenario?when an initial provider of an AI system is no longer a provider under the EU AI Act?because of the evolution on the development of the system.
As in the case of the GDPR, the proper qualification of an entity cannot be contractually agreed upon, but?it depends on factual circumstances. As such, a considerable level of customizations of the AI systems that is either placed on the market or merely put into service under its name by a company might lead to entity being requalified as provider, even though the development activity was outsourced entirely. Likewise, if an AI system is placed on the market by a company with its brand that entity is likely to be considered to be a developer, even though the company outsourced the whole development activity.?At the same time, a system integrator might be qualified as a provider if its customizations make the AI system subsequently offered to its customers substantially different from the original system.?
A single solution fitting all the scenarios does not exist, and a case-by-case assessment shall be performed. However, given that the AI Act is focused predominantly on the obligations applicable to providers, even though deployers need to verify the provider's representations, the proper qualification of a party has a significant impact in terms of risk exposure in case of potential challenges by the regulators.?
Besides, the EU AI Act qualification might also have implications under the GDPR. Indeed, if it is represented that a provider is an entity with actual control over the AI system, there is a risk that data protection authorities might qualify the latter as a data controller or at least a joint controller with the deployer, while providers typically are data processors.??
领英推荐
As such, some safeguards shall be put in place to avoid that, if there is an investigation or a challenge by a customer or a competitor, the entity using the AI system is also qualified as providers with the consequential obligations and liabilities.
On a similar topic, you can read the article "AI Act Finalized: Here Is What Has Been Agreed".
Cyber Criminals Are the New Bandits – How do you deal with them?
Cyber criminals have become a major threat with increasing ransomware attacks that require to implement robust measures of legal compliance, this article gives indications on how to deal with it. Read more
Are Gambling White Labels and Skins Banned in Italy?
The draft law aimed at setting out the new Italian remote gambling framework in Italy might ban white labels and skins, but let’s explore it in more details. Read more
Prisca AI Compliance
Prisca AI Compliance is turn-key solution to assess the maturity of artificial intelligence systems against the AI Act, privacy regulations, intellectual property rules and much more providing a score of compliance and identifying corrective actions to be undertaken. Read more
Transfer - DLA Piper legal tech solution to support Transfer Impact Assessments
This presentation shows DLA Piper legal tech tool named "Transfer" to support our clients to perform a transfer impact assessment after the Schrems II case. Read more
DLA Piper Turnkey solution on NFT and Metaverse projects
You can have a look at DLA Piper capabilities and areas for NFT and Metaverse projects. Read more
I drive consistent top-line revenue growth | Writes and talks Data & AI | Speaker & Consultant | 20+ Years of enabling businesses to unlock the value of their data through the application of AI
7 个月Your insights shed much-needed light on this complex terrain. Thanks for breaking it down! Giulio Coraggio