Share This Article
The correct qualification, especially between provider and deployer under the EU AI Act, brings a load of obligations and responsibilities, and in some cases, the line between the two roles might be blurred.
We are having considerable discussions with clients on their role under the EU AI Act since, in most cases, businesses are no longer requesting off-the-shelf AI systems. Also, because of the risk of legal challenges due to copyright or privacy-related breaches or for the risk of disclosure to third parties of trade secrets and/or confidential information, companies are exponentially requesting to
- Either have AI systems trained on their material, creating a secure environment where they are control over any content and potentially a better control over outputs;
- Or have a system integrator develop an AI system based on an algorithm and materials provided by the company itself.
In these scenarios, it is unclear whether the company exploiting the AI system can still fall just under the category of deployer or it can be qualified as a provider under the EU AI Act.
Under the final version of the AI Act,
- A ‘provider’ means “a natural or legal person, public authority, agency or other body
-
- that develops an AI system or a general purpose AI model or that has an AI system or a general purpose AI model developed and
- places them on the market [i.e., it makes it available on the market] or puts the system into service under its own name or trademark,
whether for payment or free of charge” while
- A ‘deployer’ means “any natural or legal person, public authority, agency or other body
-
- using an AI system under its authority except where
- the AI system is used in the course of a personal non-professional activity“;
The distinction is relevant since most of the obligations and responsibilities under the EU AI Act are on providers, and in particular, recital 53 of the current draft provides that “It is appropriate that a specific natural or legal person, defined as the provider, takes the
responsibility for the placing on the market or putting into service of a high-risk AI system, regardless of whether that natural or legal person is the person who designed or developed the system” and recital 57b also covers the scenario when an initial provider of an AI system is no longer a provider under the EU AI Act because of the evolution on the development of the system.
As in the case of the GDPR, the proper qualification of an entity cannot be contractually agreed upon, but it depends on factual circumstances. As such, a considerable level of customizations of the AI systems that is either placed on the market or merely put into service under its name by a company might lead to entity being requalified as provider, even though the development activity was outsourced entirely. Likewise, if an AI system is placed on the market by a company with its brand that entity is likely to be considered to be a developer, even though the company outsourced the whole development activity. At the same time, a system integrator might be qualified as a provider if its customizations make the AI system subsequently offered to its customers substantially different from the original system.
A single solution fitting all the scenarios does not exist, and a case-by-case assessment shall be performed. However, given that the AI Act is focused predominantly on the obligations applicable to providers, even though deployers need to verify the provider’s representations, the proper qualification of a party has a significant impact in terms of risk exposure in case of potential challenges by the regulators.
Besides, the EU AI Act qualification might also have implications under the GDPR. Indeed, if it is represented that a provider is an entity with actual control over the AI system, there is a risk that data protection authorities might qualify the latter as a data controller or at least a joint controller with the deployer, while providers typically are data processors.
As such, some safeguards shall be put in place to avoid that, if there is an investigation or a challenge by a customer or a competitor, the entity using the AI system is also qualified as providers with the consequential obligations and liabilities.
On a similar topic, you can read the article “AI Act Finalized: Here Is What Has Been Agreed“.