By Giacomo Lusardi and Alessandro Ferrari
In one of our latest blog posts, we went through the first part of our hints and tips on outsourcing agreements and artificial intelligence, covering #1 Technological evolution and benchmarking clauses, #2 Liability and limitations, and #3 Know-how transfer, insourcing and supplier replacement.
Below is the second part on: #4 Intellectual Property, #5 Data protection and #6 Cyber risk and Insurance.
#4 Intellectual Property
Where AI systems are employed in the outsourcing of processes, there may be a tight interdependency between the customer's data and the supplier's AI technology that processes that data. It follows that customer and supplier must accurately regulate the ownership of the IP rights in the relevant data and technologies within the scope of their relationship.
The contracting parties should pay particular attention to the ownership of data, databases and any other protectable item of either party that existed before the contractual relationship was entered into (background IP). The parties should also regulate the ownership of IP rights in the customisations of the AI system and in any protectable results generated during the performance of the agreement. The customer must also carefully assess whether or not to license its data to the supplier for the supplier's internal purposes, such as improving its services.
All of the above should therefore be carefully taken into account when drafting and negotiating the agreement, in order to ensure the highest degree of certainty in the performance of the relationship and to mitigate the risk of IP-related litigation.
#5 Data protection
In the baseline scenario, the supplier processes personal data on behalf of the customer and therefore acts as a processor pursuant to Articles 4(8) and 28 of the EU General Data Protection Regulation no. 2016/679 ("GDPR"). For instance, when a CRM service is outsourced, the supplier usually processes the data of its customer's users collected through interactions with the CRM system, including, for example, browsing data related to the customer's e-commerce website or any information requested by users through a live chat. Under the GDPR, the parties shall govern their relationship on data processing in a specific agreement that is normally attached to the outsourcing agreement (data processing agreement or "DPA") where, among other things, the parties set out the instructions given by the customer to the supplier for the data processing activities under the agreement, the parties' respective obligations, and the technical and organisational security measures to be implemented by the supplier.
In addition, any transfer of data outside the European Union/European Economic Area shall be duly covered. When AI systems are used in decision-making processes based solely on automated processing of personal data that is capable of significantly affecting, or producing legal effects on, the relevant data subjects (such as the automatic granting or refusal of a loan to an applicant, based only on the processing and analysis of his/her personal data by an AI system), the supplier shall adequately assist the customer in the event that data subjects exercise their rights to obtain human intervention, to express their point of view and to contest the decision.
The parties shall therefore govern in their agreement, at least, the supplier's obligations in accordance with the principle of "explainability", both in terms of the logic underlying the AI systems employed and in terms of the explanation of the human choice to resort to fully automated decisions.
#6 Cyber risk and Insurance
It is clear that protection against cyber risk has become a duty for every company, whether it is a customer or an outsourcing service provider. This can be inferred, for instance, from the GDPR provisions and the principle of accountability contained therein.
The consequences of a successful cyber-attack may, in fact, be disastrous for a company, ranging from the loss of data (confidential information or personal data), business disruption, theft of IP rights including trade secrets, and reputational damage (the share prices of listed companies, as is well known, have often been adversely affected by cyber-attacks) to third-party civil liability, the costs incurred to restore system operations, administrative fines, and so on.
From the perspective of a customer that has outsourced its services, the aforesaid duty consists not only in deploying risk protection infrastructure internally, but also in requiring its supplier to provide appropriate insurance policies that cover and, above all, manage cyber-security risks. In this respect, the recent guidelines on cyber insurance published by the International Organization for Standardization (ISO) are particularly relevant.
Cyber insurance is important not only because it covers the damages suffered by companies but also, and especially, because of the ancillary services that insurers are able to provide after the damaging event: the measures put in place to mitigate the damage and restore the operations of the insured company, assistance in making public announcements and announcements to its customers (for instance, the duty set forth by the GDPR to notify and, where appropriate, communicate data breaches), forensic investigation services, and the like.