Share This Article
The correct qualification, especially between provider and deployer under the EU AI Act, brings a load of obligations and responsibilities, and in some cases, the line between the two roles might be blurred.
We are having considerable discussions with clients on their role under the EU AI Act since, in most cases, businesses are no longer requesting off-the-shelf AI systems. Also, because of the risk of legal challenges due to copyright or privacy-related breaches or for the risk of disclosure to third parties of trade secrets and/or confidential information, companies are exponentially requesting to
- Either have AI systems trained on their material, creating a secure environment where they are control over any content and potentially a better control over outputs;ย
- Or have a system integrator develop an AI system based on an algorithm and materials provided by the company itself.ย
In these scenarios, it is unclear whether the company exploiting the AI system can still fall just under the category of deployer or it can be qualified as a provider under the EU AI Act.
Under the final version of the AI Act,
- A โproviderโ means “a natural or legal person, public authority, agency or other body
-
- thatย developsย an AI system or a general purpose AI model or thatย has an AIย system or a general purpose AI modelย developedย andย
- places them on the marketย [i.e., it makes it available on the market]ย orย puts the system into serviceย under its own name or trademark,
whether for payment or free of charge” while
- A โdeployer’ means “any natural or legal person, public authority, agency or other bodyย
-
- usingย an AI system under its authorityย exceptย whereย
- the AI system is used in the course of aย personal non-professional activity“;
The distinction is relevant since most of the obligations and responsibilities under the EU AI Act are on providers, and in particular, recital 53 of the current draft provides that “It is appropriate that a specific natural or legal person, defined as the provider, takes the
responsibility for the placing on the market or putting into service of a high-risk AI system,ย regardless of whether that natural or legal person is the person who designed or developed the system” and recital 57b also covers the scenarioย when an initial provider of an AI system is no longer a provider under the EU AI Actย because of the evolution on the development of the system.
As in the case of the GDPR, the proper qualification of an entity cannot be contractually agreed upon, butย it depends on factual circumstances. As such, a considerable level of customizations of the AI systems that is either placed on the market or merely put into service under its name by a company might lead to entity being requalified as provider, even though the development activity was outsourced entirely. Likewise, if an AI system is placed on the market by a company with its brand that entity is likely to be considered to be a developer, even though the company outsourced the whole development activity.ย At the same time, a system integrator might be qualified as a provider if its customizations make the AI system subsequently offered to its customers substantially different from the original system.ย
A single solution fitting all the scenarios does not exist, and a case-by-case assessment shall be performed. However, given that the AI Act is focused predominantly on the obligations applicable to providers, even though deployers need to verify the provider’s representations, the proper qualification of a party has a significant impact in terms of risk exposure in case of potential challenges by the regulators.ย
Besides, the EU AI Act qualification might also have implications under the GDPR. Indeed, if it is represented that a provider is an entity with actual control over the AI system, there is a risk that data protection authorities might qualify the latter as a data controller or at least a joint controller with the deployer, while providers typically are data processors.ย ย
As such, some safeguards shall be put in place to avoid that, if there is an investigation or a challenge by a customer or a competitor, the entity using the AI system is also qualified as providers with the consequential obligations and liabilities.
On a similar topic, you can read the article “AI Act Finalized: Here Is What Has Been Agreed“.
