Aleksandra Maciejewicz
Aleksandra Maciejewicz
8 August 2023

The legal aspects of Gen AI

The legal aspects of Gen AI


The legal aspects of Gen AI


      Table of Contents 

  1. As an introduction – briefly about AI
  2. Copyrights versus AI-generated objects
  3. AI versus industrial property rights
  4. AI versus protected information
  5. AI versus personal data
  6. AI versus consumers’ risks
  7. Planned regulations referring to AI
  8. SummaryAs an introduction – briefly about AI


1. As an introduction – briefly about AI

There are many definitions of Artificial Intelligence (AI). Traditionally, it is defined as an algorithm that has features of human (natural) intelligence. Today, it is most often indicated that AI is an algorithm that is able to learn.

It is exactly machine learning that is the key area of AI. In a nutshell, machine learning is a technology that enables to teach systems to perform tasks on the basis of provided data and received results, instead of classic, precise programming.

In the manner described above, in subsequent iterations, the algorithm is directed towards achieving a set goal (namely, finding the correct or most likely result) related to the analysis of the input data.

Deep learning, in turn, is a form of machine learning where an artificial neural network, comprising a few or more layers between the data input ad output, is trained. In most cases, deep learning is understood as using a range of layers of neural networks stacked “on top of each other” for machine learning.

Two most popular methods for network training are distinguished:

  • supervised learning, also called the teacher-student model, which consists in comparing the network output signal with known correct answers,
  • unsupervised learning, in other words, no-teacher model, in which the network, relying on the dependencies in the provided input data, has to create its own categories to appropriately recognise input signals.

For the purposes of this paper, AI will cover tools based on machine-learning technology, including deep learning.


2. Copyrights versus AI-generated objects

The fast development of such tools as ChatGPT, Midjourney, CoPilot, or Dall-e, which enable the easy generation of textual, programming, visual, music, etc. content (further referred to as “output”), brings us to the fundamental question of whether an object created with the use of AI tools may constitute a work protected under copyrights—and if yes, who holds those rights?

In order to make the above issue more clear to you, let us state that in Polish law the term “copyrights” covers moral and proprietary rights (at least this division is similar to systems used in other countries). Moral rights cover the author’s right to a work, among other things, to mark the work with one’s name or pseudonym, or the integrity of the content and form of the work, and its accurate use.

Proprietary rights, on the other hand, cover the right to exclusively use the work and to manage it throughout all the fields of exploitation and to receive remuneration for its use. In other words, the author has the right to decide on who, when, and on what terms—also financial—and in what manner will use or disseminate the work.


  •  Rights of a machine? Rights of the author of an algorithm?

In the current discussion about the possibility of granting copyrights to AI-generated works (texts, source codes, etc.), the most frequently raised fact is that according to Polish law (but not only Polish, this refers also to EU and American law), only a manifestation of human creative activity may constitute a work protected under law.

Thus, the effects of the activity of natural forces, animals, or exactly machines do not constitute a work within the meaning of copyright law. In view of this, the output generated with the use of AI should not—as a rule—be protected under copyrights.

On the other hand, the author of an algorithm/software developer may hold the copyrights to the source code but not to the very product of AI (although—in very specified and special circumstances—it may be the case). What is more, the copyrights to an algorithm as a method or mathematical concept will not arise at all because, according to law: protection may apply to the form of expression only; no protection is granted to discoveries, ideas, procedures, methods, and principles of operation as well as mathematical concepts.

  • Rights of a prompter?

Is it the same with the rights of users, that is persons providing input data to an AI tool? Here, the issue is more complex.

Only a human may be the holder of copyrights.

Therefore, AI will certainly hold no copyrights to a generated “work.” In principle, the author of an algorithm will also hold none, as he/she does not decide on the final shape of output.

And if no copyrights to a “work” of AI arise, then there is no work protected under copyrights. That is to say, in such a case, we cannot even speak of any copyrights whatsoever.*

*Still, please note that we are not discussing the copyright to an algorithm—that is a completely different area to consider.

In order to determine whether the generated output may constitute a work within the meaning of the Polish Act on copyrights and thus may be subject to copyrights, we should address the following issues:

  • Is it a result of creative activity?

The premise of creative activity—as per the Supreme Court—‘is based on the examination of the creative process in this sense that it is to verify whether in its course the author presumed the creation of a new object (subjectivism) and whether that presumption was fulfilled thereby by creating a fully independent, non-routine, and unprecedented element of reality.” (judgement of the Supreme Court of 06.03.2014, V CSK 202/13)

  • Does it have an individual character?

This is about examining whether the obtained result is obtainable in the same form by other persons who undertake a similar task. If yes, it should be further investigated whether—despite the possibility for another person to obtain a similar result—particular elements of the work, their selection, presentation, etc. in two different variants will be identical or, to the contrary, while shaping the content and form, the author enjoyed some liberty, and the work incorporates elements whose shape was determined by a personal approach to them. In the second case, the premise of individual character is fulfilled.

  • Has it been established in any form enabling its perception?

This is the simplest premise to establish since it suffices to indicate that the work exists and can be perceived. A work should be established in any form, irrespective of its value, purpose, and form of expression. The moment of establishing the work is significant as from that time on, the work is protected by copyrights—even if, in the author’s intention, the work has not yet been completed.

The above premises leading to determining whether particular output may constitute a work and thus be protected under copyright law are difficult to define in a simple and non-descriptive manner and to be put in rigid frames.

The problem arises with respect to the basic premise—a work has to be a result of the work of a human and not a machine.

In the case of AI tools, we can still consider whether the generated output has been created or co-created by a human by very precise prompts from the author.


AI as a helper of the author?

At the time of writing this e-book, there were no judgments to confirm this theory. Still, we have multiple court cases in which the author was not the technical maker of a work but only provided directions to third persons who, making them, created directly the relevant work.

Let us examine even a case where a photographer’s assistant claimed copyrights (she believed to be the co-author) to photographic works that actually had been made by her in technical terms, but it had been the photographer to decide about the overall artistic vision and how the pictures were to be made (case file number II CR 575/71). After long proceedings, finally, the Supreme Court adjudicated that the photographer’s assistant was not the co-author of the pictures, since her contribution to making pictures consisted in performing backup activities, even if at a very high level. Because, nevertheless, the photographer had the final say and it was him to decide on the final creative form of the pictures made, the assistant cannot be considered the co-author.

In the discussed case, the Supreme Court argued that co-authorship within the meaning of copyright law does not take place where the co-operation of a given person has no creative but backup character, even if the skill related to backup activities required a high level of expertise, agility, and personal initiative.

In another case concerning authorship, the court stated that an entity whose contribution to the creation of a work consisted in performing backup activities, even if at a high level, cannot be deemed its author. Authorship may only be established with respect to the person who had the last word in the final creative form of the performed work.

Whereas we know that more often than not AI performs such backup activities, while a human is the one to decide on the effect.

A different ruling was given in a case where a fine artist had organised a photo shoot of his works (case file number III CKN 1096/00). While making the pictures, the artist was cropping, decided on the lighting and all parameters of the pictures, including their size, the type of saturation, the type of paper, also on the moment a picture was made, giving the sign to release the shutter. Photographers, in turn, provided the photo equipment, the background, operated the equipment and a camera during the shoot, replaced films, and, at the artist’s sign, made pictures.

The artist also participated in developing the pictures and making prints, by deciding on their cropping, shape, and size. He himself decided which pictures were to be published.

In the descriptions of the pictures, the artist indicated the photographers as the technical service only, and not—as the photographers wished to—as the co-authors. So they brought a case against the artist to cease the violation of their copyrights to the pictures.

In the end, the Supreme Court adjudicated that a person who, in the creation of a photographic object, handled only the technical operation of the photographic equipment strictly following the instructions of the author is not a co-author within the meaning of the Act on copyright and thus does not enjoy copyrights to the pictures.

By way of analogy to the former case law, if prompts provided to AI are specific to a degree that determines the final shape of a work and AI performs solely technical operations, here human creation may be recognised.

And such creation will be a work, provided that it satisfies three premises of copyright: it is a manifestation of the creative activity of an individual character and it has been established in any form.

If we, in turn, can speak about a work, then we can also claim that a result generated with the use of AI is covered by copyrights.

In Polish case law, we have still had no exemplary cases for ceasing the violations of copyrights to AI-generated works. Nevertheless, since in the cases described above, the Supreme Court considered the sole authors of pictures to be persons who had not made pictures directly but provided specific instructions to other persons, who, in turn, only made pictures in technical terms, then—by way of analogy—persons providing specific prompts to AI may be deemed the authors of a work generated so (if it fulfils the premises of creation and individuality as discussed above).

3. AI as a helper of the author – how it looks like in the US

Currently, it seems that the approach to this issue is completely different in the US. Namely, recently the U.S. Copyright Office (USCO) has issued guidelines for registering works/copyrights in the context of AI-generated works. Let us present you with few quotes:

  • Examining an application to register such a work begins by asking “whether the ‘work’ is basically one of human authorship, with the computer [or other device] merely being an assisting instrument, or whether the traditional elements of authorship in the work were actually conceived and executed not by man but by a machine.”
  • If a work’s traditional elements of authorship were produced by a machine, the work lacks human authorship and the Office will not register it.
  • According to the Office, when an AI technology receives solely a prompt from a human and produces complex written, visual, or musical works in response, then the work is deemed determined and executed by the technology—not the human user. It is key for the Office that the users do not exercise ultimate creative control over how such systems interpret prompts and generate material. Instead, these prompts function more like instructions to a commissioned artist – they identify what the prompter wishes to have depicted, but the machine determines how those instructions are implemented in its output.
  • In other cases, however, a work containing AI-generated material will also contain sufficient human authorship to support a copyright claim. For example, a human may select or arrange AI-generated material in a sufficiently creative way that “the resulting work as a whole constitutes an original work of authorship.” Or an artist may modify material originally generated by AI technology to such a degree that the modifications meet the standard for copyright protection.
  • In these cases, copyright will only protect the human-authored aspects of the work, which are “independent of ” and do “not affect” the copyright status of the AI-generated material itself.
  • Authors have long used such tools to create their works (…). For example, a visual artist who uses Adobe Photoshop to edit an image remains the author of the modified image, and a musical artist may use effects such as guitar pedals when creating a sound recording. In each case, what matters is the extent to which the human had creative control over the work’s expression and “actually formed” the traditional elements of authorship.

You may read the full guidelines of the Office here.

Another example that fits into this narrative is a high-profile decision of the USCO related to the copyrights to a comic book “Zarya of the Dawn,” created by Kristina Kashtanova with the use of Midjourney. Kristina was deemed the author of texts and the compilation of images and texts (copyright was granted for their selection and arrangement). In turn, the very images generated by AI did not receive copyright protection for they are not a product of human authorship.

The Office stated that even if prompts were specific, subsequently amended and modified so that the output reflected the artist’s vision and the generated images were then edited by Kashtanova, still she did not control the algorithm, the output was unpredictable, and Midjourney may not be treated as a tool controlled by Kashtanova. According to the USCO, prompts function closer to suggestions than orders and further editing of the images should be more creative than technical to speak of the emergence of copyrights.

The mentioned decision was criticised both by AI experts and the legal environment.

For instance, Professor Edward Lee of Chicago Kent College of Law stated in the Washington Post that the decision was based on an inexplicable requirement that the author must exactly predict the effect of work with AI, while in other fields of creative activity, authors are not required to predict the effect of their work ahead of time. Such expectations would prevent works based on improvisation, such as jazz or some genres of painting, from being protected by copyrights.

Currently, the situation of prompters and whether they hold copyrights to the works generated by AI is unclear.

In the US, it is rather said that they enjoy no such copyrights, whether in whole or in part. Now, in turn, if we take a look at Polish judicial decisions— while referring to other fields than AI but with a similar subject matter —we may find that provided that relevant premises are satisfied, a prompter may be regarded as holding copyrights to a given work.

In UK law, the concept of so-called computer-generated works has been around for years. According to the UK Copyright, Designs and Patents Act of 1988, such works are defined as works generated by computer in circumstances such that there is no human author of the work.

Such works are covered by legal protection, and the copyrights to such a work are vested in the person who has taken the efforts necessary to produce it. Introducing an analogous solution to the Polish—or even broader—European legal order would certainly make it easier to assess what rights to the works generated with the use of AI tools are vested and who is to hold them.

Yet, there are currently no plans to introduce provisions related to computer-generated works into existing laws, whether at the European or Polish level.

What are the practical implications of the foregoing discussion?

Well, where the AI-generated input is deemed a work within the meaning of the Act on copyright, and the user of an AI tool (providing input to such a tool) is the author within the meaning of that Act, then the user will hold exclusive copyrights. This means that the user will be entitled to decide whether, when, and how the AI-generated output will be shared, and whether and how other persons could use it. This includes concluding chargeable licences for its use, demanding the cessation of infringements where someone uses the work without his/her consent or in violation of the granted licence.

If we state that an AI-generated work is not a work within the meaning of the copyright law, the user will, admittedly, be able to use it, but if it is further shared, other persons will also be able to use it freely, and the user will not be entitled to any claims under copyright.

Most companies providing AI tools have secured themselves against an unclear legal status of products obtained with the use of such tools. For instance, Midjourney stipulates that a user grants Midjourney a free-of-charge licence to use both the prompts and data sent to Midjourney for training and the effects of the work of AI. Hence, it seems that Midjourney assumes that copyrights to AI products do exist on the part of the user.

Meanwhile, the Terms of Use of OpenAI state that the user holds the ownership rights to the training data and prompts, and the ownership right (but not copyright) to the effects of the operation of AI is vested in OpenAI. At the same time, the company grants the user the rights to reproduce and display the generated work and guarantees that OpenAI will not raise any claims against the user (including those connected with copyrights).

Therefore, when using AI tools, it is worth becoming familiar with the policy/licence/terms of use of a relevant tool to make sure that the permitted use of output corresponds to our purposes.

On the other hand, when creating an AI tool, we should take care of documents regulating the manner in which the users will use the works generated by means of such a tool.

If we consider that an AI-generated work is subject to copyright, then it will be necessary to address all issues connected with the transfer of rights, consideration for the transfer or a licence, designation of authorship, etc.

Still, if an AI-generated work is deemed not subject to copyright, then we cannot say that such rights are granted by the human behind the prompts. Then, in the agreement with a client, the author may also not e.g. declare that he/she holds all copyrights to the work or charges remuneration for transferring the copyrights to the work (as is usually stated in, e.g., specific task contracts).

AI vs copyrights of third persons – inspiration or derivative work?

Since we assume that some effects of the use of AI tools may constitute works within the meaning of copyright law, then a question arises, whether there is a risk of a certain violation of third-party copyrights here (still, as a result of wrong training, such violation may also occur in any circumstance).

That is to say, taking into account that AI tools are trained on an actually infinite number of data derived from the web, and at the same time the suppliers of such tools do not always transparently communicate what datasets have been used to train a given AI tool, it is highly probable that a work we generate will be founded on works protected by copyright.

The question is—where, in such a situation, lies the borderline between inspiration (permitted from the point of view of copyrights irrespective of the consent of the author of the original work) and a modification or a derivative work.

In turn, the disposal and use of a derivative work is dependent on the permission of the author of the original work (unless the author’s economic rights to the original work have expired).

The author’s permission is also required for preparing a derivative work in the case of databases showing the features of a piece of work.

What is more, if a given work created with the use of AI tools imitates the style of a particular artist, going beyond inspiration and, at the same time, being not a derivative work of the specific work of that artist, then disseminating the works created so may be qualified as a violation of the moral rights of the author of the original work, even if the style itself is not protected by copyright.

Briefly speaking, in specific circumstances it may turn out that what we produce with the use of AI is plagiarism.

Using a licence vs training AI

Another issue is the possibility of training AI tools on data shared in the web on open licences (e.g. Creative Commons, Apache, MIT, or GNU), which prescribe the manner in which the user may use a work free of charge. Some licences authorise the user to freely copy and modify the content, others permit only copying the work but without modifications, others limit the right to use the content only for non-commercial purposes, etc. What they have in common is the need to identify the author of the licensed work.

To date, Creative Commons has spoken favourably of the possibility of using the content published on CC licences to train AI tools. Still, it has not been indicated how the use of the licenced works would impact the AI effects generated in such a manner.

Meanwhile, the effects of AI work on licenced content may violate the mentioned licences.

For instance, solutions that are used to generate the code and that are supported by AI (such as, e.g., GitHub Copilot) are usually trained in such a manner that, e.g., they analyse billions of lines of open-source codes. Next, such data are used to generate codes as part of offered solutions (they provide suggestions, etc.). Not long ago, however, it has been reported that GitHub Copilot was also trained on public GitHub repositories, which led to allegations of the violations of the rights of the authors who published their codes under open source licences on GitHub (e.g. MIT, GPL, etc.).

Therefore, the fundamental question remains—whether a developer using such a tool and code created on the basis of generated, e.g., certain prompts, may violate the licences on which the source codes used to train the model of such an AI tool are shared.

Given that in this context, at least a class action against GitHub, Microsoft, and OpenAI has been brought, in which the users of GitHub question the legality of GitHub Copilot and OpenAI Codex, accusing them of violating such open source licences, at the moment it is difficult to clearly state whether a software developer using such a tool is also subject to an open source licence to the code on which the tool has been trained. The case is pending now, yet it is worth noting that the court indicated as significant whether it will be possible to prove that GitHub Copilot or Codex may be made to generate a code whose authorship may be clearly assigned to a relevant person (in this case, to one of the plaintiffs) and to include such a reproduction in the complaint.

Using some source codes on open licences to train AI models may violate the terms of licence of that code.

AI vs programming work

There are more threads connected with the abovementioned issues, but let us find the following to be key:

  • The place where the used code is hosted

One theory reduces to the fact that stating a violation may depend on where the code used to train the model is hosted. If it is on GitHub, then no violation of copyrights can take place, because its terms of use stipulate that the code may be used to improve its products and functions, but where the model is trained on codes hosted beyond GitHub, the issue of fair use should be considered (it will be discussed later).

  • Fair use

There are also some voices that justify training AI models as part of fair use. Yet, we should remember that it is an institution and standpoint functioning in the US. Fair use is an institution similar to Polish “permitted use” (dozwolony użytek), but not identical. In the context of fair use, such criteria are mentioned as the purpose and character of the use, taking into account the circumstances, whether it has a commercial character or is used for non-profit educational purposes; the character of the work, the quantity and volume of the used fragment against the work as a whole; the impact of the use on a potential market or the value of the work. Although the scope of those criteria is vague, they may certainly prove practical guidelines for the use of AI tools.

  • Information on an open-source licence indicated by AI tools

What is usually significant in open source licences is to recognise the authorship of software. For instance, GitHub Copilot itself mentions no recognition of authorship (information on the origin of a code, author, or licence). That is why, the user of that tool is not even technically able to observe that licence, as he/she does not know the licence terms of the original work.

  • Copying a code or creating a new one

What is more, it is also indicated that tools of this type usually work in such a manner that they do not copy an open source code literally but only learn from it, using the code to create a new “original” code, at least GitHub claims so (quite apart from the very issue of the authorship of a code created by AI). Now, we should be aware that this phenomenon is not new. To date, software developers have also created their own codes, learning and deriving from other open source codes (without copying them, just to create their own, original code). On the other hand, one cannot ignore information indicating that some suggestions include even a good deal of fragments of copies codes, while some open source licences directly stipulate at least, e.g., the requirement to mark that some modifications are introduced to open source software.

  • New exploitation fields

There are also voices within the European Union that the machine-driven analysis of text and data should be qualified as a new, unnamed field of exploitation of making digital copies of a work. Accepting that standpoint would lead to the necessity to obtain the consent of the author of the original work to use his/her work in that field of exploitation. Still, currently, these are postulates only, and in no way one can refer to such an approach as an argument supported in our laws.

Derivative work

What we create by means of an AI tool may be deemed a derivative work. We can refer to a derivative work all the more so where a code is created on the basis of more complex, longer suggestions (a higher likelihood that it will be protected by copyright). Polish copyright laws enable the author of the original work to exercise certain control over derivative works. That means that when the author of a derivative work wishes to disseminate it further, e.g., create a commercial solution on the basis of the source code founded in such a manner, then he/she should obtain the consent of the author of the original work.

In the case of creating on the basis of open source codes, this would be most problematic with respect to codes—let’s call them original—shared on the so-called viral licences, which accordingly have to be shared on the same terms as prescribed by the licence. According to such viral licences, what we create on the basis of original works—that is derivative works—“gets infected” by such a licence and thus should be published on the same terms.

So each time, what remains significant is the suggestion itself. If it is so irrelevant (minor) that it cannot be treated as something creative, what may be the object of copyrights, then the likelihood that no violation of rights will take place is all the more higher. We should all already know that—we should not use suggestions that contain complex fragments of a code, especially those clearly extracted from another source, in particular if they still have comments attached.

The foregoing examples demonstrate that we should be careful when using the output generated by means of tools such as, let’s say, GitHub Copilot. If a work created so violates the licence terms or third-party copyrights, then using it will also constitute a violation.

2. Copyrights vs AI-generated objects

When using AI tools, it is worth becoming familiar with the policy/licence/terms of use of a relevant tool to make sure that the permitted use of output corresponds to our purposes.


  • We should remember that currently, there are no regulations regarding possible copyrights to the products of AI. It is arguable whether a work generated with the use of AI may at all constitute the object of copyright or whether it may be qualified as a derivative work or modification of another author’s work. Because of that, each time we should carefully approach works generated with the use of AI tools and, as far as possible, make sure that the output does not excessively resembles the works of specific authors.
  • For the aforementioned reasons, in practice, it may turn out to be difficult to enforce the rights to works generated with the use of AI (even if, in our opinion, the output satisfies all conditions to be deemed a work within the meaning of the Act on copyright);
  • As long as there are no specific regulations related to copyright with respect to AI, while building an AI tool we should also take efforts to appropriately prepare the terms of use of such a tool;
  • It should therefore be verified, in business terms, whether we have a well-thought-out strategy for selling outputs from an AI tool (since we do not sell the copyrights to a work) and how we will defend such outputs against being copied (since they are not subject to copyrights).

3. AI vs industrial property rights

It has been also debated for some time whether it is possible to patent a product of AI. Here, the situation will be quite similar to the issue of covering a product created with the use of AI with copyrights since only a human is deemed an inventor.

That case has been analysed at least by the European Patent Office (EPO), which stated that a device or a tool may not be the holder of a patent. Whereby the Office indicated itself that the patent laws do not prescribe directly that they refer only to inventions of a human (see to that effect: J 0008/20 Designation of inventor / DABUS).

Paraphrasing some thoughts included in the decision of the EPO, we may be tempted to state—apart from the obvious thing that inventions created with the use of AI are patentable—that inventions generated by AI are patentable

provided that a human is labelled as the inventor (quoting the panel issuing the aforementioned decision: “The Board is not aware of any case law which would prevent the user or the owner of a device involved in an inventive activity to designate himself as inventor under European patent law.”)

As a side note, not so long ago the U.S. Patent and Trademark Office (USPTO) requested public comment on, among other things, whether AI should be deemed a co-inventor.

AI may be neither an inventor nor the holder of a patent (not to be confused with the object of a patent— as, by all means, it may be such, which will be discussed later). Thus, entering it in a patent application is asking for trouble.

Maybe it is worth mentioning oneself as the inventor, and treating the issue of whether the solution was created by means of AI as of secondary importance.

Industrial property law prescribes directly that inventions are not deemed to include in particular computer programs and mathematical methods (as well as, e.g., scientific theories). Unfortunately, this provision has come to collective consciousness as the absolute prohibition of patenting such types of tools. On the contrary—under certain conditions—solutions exploiting computer programs or algorithms may be patentable.

In other words, in such cases, if as part of an applied for solution, we prove its technical character or the so-called further technical effect, we will be able to patent such an invention. But what about those technical details?

According to the European Patent Office, a “further technical effect” is a technical effect going beyond the “normal” physical interactions between the program (software) and the computer (hardware) on which it is run.

In the case law, such effect is sometimes also determined as a “technical effect on a physical unit in real life” or a technical effect requiring a “direct connection with the physical reality,” but it may also be another effect, such as a technical effect within a computer system or network (obtained by, e.g., specific adjustment of a computer system or data transfer).

In the case of computer simulation programs, in turn, we may speak of a “technical effect going beyond the simulation’s implementation” or a “technical effect going beyond the simulation’s straightforward or unspecified implementation on a standard computer system” (quotes come from a decision of EPO

in case G1/19 referring to the invention called “Simulation of the movement of an autonomous entity through an environment” related to the simulation of a pedestrian crowd’s movement in a specified building for designing or verifying a safe and functional building structure).

Additionally, AI and machine learning are based on calculation models and algorithms for classification, clustering, regression, dimensionality reduction, etc. Such calculation models

and algorithms are, by nature, abstractive mathematical models and as such are excluded from patentability. Nevertheless, as was mentioned before, this is not a final resolution, and in order to give you here a few practical guidelines, we will use the Guidelines for Examination in the European Patent Office (issued, obviously, by the EPO itself; you can read the entire document here).

That is to say, if such models implicate the independent use of technical means and thus have a technical character, then we may be tempted to apply for a patent. To make an example, let us take at least the application of a neural network in a device used for cardiac monitoring to identify irregular heart rhythms or the classification of digital images, video, audio or speech signals based on low-level features (e.g. edges or pixel attributes for images).

But—now, as an example—the classification of text documents solely in terms of their textual content is not deemed as such as a technical but linguistic purpose, though (see to that effect: decision T 1358/09). The classification of abstract data records or even “telecommunications network event description records” without indicating the technical application of the resulting classification is also not a technical purpose per se, even if the classification algorithm may be deemed to have valuable mathematical properties, such as immunity (see to that effect: decision T 1784/06).

And now please note, where a classification method serves technical purposes, the steps to generate a training set and to train a classifier may also contribute to the technical character of an invention if they support the achievement of that technical purpose (and thus they are suitable for patenting).

Still, we need to remember that the very fact that a mathematical method may serve a technical purpose is not enough. The requirement of a functional limitation refers to a technical purpose both

explicitly and implicitly. It may be satisfied by creating a sufficient relation between the technical purpose and the steps of the mathematical method, e.g. by determining what input and output data of the sequence of the mathematical steps refer to the technical purpose so that the mathematical method has a causally related technical effect.

Determining the character of input data for the mathematical method does not necessarily imply that the mathematical method contributes to the technical character of the invention and, therefore—depending on other premises—we will most likely fall under the exclusion of patentability.

If the steps of the mathematical method are used to designate or predict the physical state of an existing, real object on the basis of the measurement of physical properties, as in the case of indirect measurements, then such steps will provide a technical contribution, irrespective of what application is used in the results—hence, in such a case we may try to apply for a patent.

It can also happen that a mathematical method is designed to use particular technical properties of the system on which it is implemented to obtain a technical effect, such as the effective use of computing power or computer network bandwidth—such a situation is patentable.

For instance, adapting a polynomial-time reduction algorithm to use word-size offsets matched to the word size of computer hardware is based on such technical considerations and can contribute to a technical effect, such as an efficient hardware implementation of the algorithm. Another example is assigning the execution of the training stages of a machine learning algorithm to a graphics processing unit (GPU) and the preparation stages to a standard central processing unit (CPU) to take advantage of the parallel architecture of the computing platform. The reservation should then refer to the implementation of steps onto GPU and CPU so that the mathematical method has a technical character.

It is not only in the US that algorithms and computer programmes can be patented. It is also possible in the European Union. In other words, in such cases, if as part of an applied for solution, we prove its technical character or the so-called further technical effect, we will be able to patent such an invention.

In simple words, in the case of software, it is all about proving a “further technical effect,” that is a technical effect going beyond the “normal” physical interactions between the computer program (software) and the computer (hardware) on which it is run. On the other hand, in the case of a mathematical method (which may be an algorithm), it should be proved that the reservation refers not only to a purely abstract mathematical method but also requires the use of technical means. While assessing the contribution of the mathematical method to the technical character of the invention, we should consider whether the method, in the context of the invention, causes a technical effect serving the technical purpose.

4. AI vs protected information

AI tools base on huge quantities of data, impossible to be analysed by a human in as short a time as artificial intelligence does. At the same time, apart from generally available data, AI tools learn also from input—prompts provided by the users of a given tool. In order to use such tools safely, we should consider what risks are connected with the use of legally protected data, e.g. personal data or trade secrets.

Trade secret

According to the Act on combating unfair competition, a trade secret is any information of technical, technological, or organisational nature referring to a business or other information with business value that is not commonly known to persons usually handling such type of information, that is confidential or with respect to which some measures have been taken to keep it confidential.

It is the duty of employees and other persons who have access to the information that is a trade secret to protect it.

Therefore, using a tool based on AI, we should exercise particular care when providing input data.

Consideration should be given as to whether the use of even a fragment of information that is a trade secret would not lead to disclosure of such information or even more, whether the fragment of information disclosed to AI would not enable the algorithm to reproduce the undisclosed part.

When assessing the risks connected with the use of generally available AI tools, one should take into account also the terms and conditions, licences, and the terms of use provided by the supplier itself—e.g. in the case of ChatGPT it is company OpenAI L.L.C.

The regulations applicable to ChatGPT—Service Terms and Terms of Use—stipulate that OpenAI L.L.C. is entitled to use the content provided by the user while using ChatGPT to support and improve technologies created by OpenAI. It is not only about prompts but also output data generated by AI on the basis of the user’s commands.

Such information is transferred to be processed and used by the supplier, and the scope of such processing is not expressly stated. What is more, from the abovementioned regulations it results that OpenAI makes no commitment to the users to keep the provided information confidential.

This means that when entering data that are a trade secret (and also any other information protected by law—whether under an NDA or special provisions, e.g. medical, legal, or banking secrecy) to ChatGPT, the user transfers it to a third party. More, when accepting the ChatGPT terms of use, the user expressly agrees to the vaguely determined processing of the provided information.

The situation is a bit different if the user sends data through API. Then, OpenAI states that such data are not used to train OpenAI models or improve its services (unless the user consents to that). However, this does not change the fact that such data will be shared with the staff of OpenAI (since the supplier processes them). In ChatGPT there is a possibility of using a functionality to disable chat history and thus to exclude it from training and improving its models (nevertheless, such data will still be stored for 30 days).

Use an additional functionality in ChatGPT to disable chat history. OpenAI states that in such a case, selected chats (with respect to which such functionality is enabled) will not serve to train and improve its models.

We should also take into account that any limitations in the above scope, that is preventing the use of data to train models, may at the same time impact the resolution of specific cases of use.

In theory, the OpenAI regulations prescribe that the company takes every effort to ensure the appropriate security, deletes any information enabling the identification of persons on the basis of the data that it intends to use to improve the model, and that a sample of those data (for each client) is minor. However, we must approach such assurances with a great deal of caution, since they are still no guarantees of such actions but only information indicating efforts taken in that scope. Therefore, in the case of possible violations, such statements are not much support for us.

What is more, there is a risk that data provided to some AI tools are transmitted and stored on external servers and thus disclosed and shared further, which also leads to the violation of a trade secret.

Hence, when using AI tools, in particular for business purposes, e.g. for data analysis, we should take into account that this may lead to the disclosure of information protected under law and, consequently, to the violation of the contractual obligations or laws obliging to keep a trade secret confidential. In view of that, especially in the situation when tools based on open licences and using AI are widespread, it is necessary to at least appropriately train your staff and, preferably, to introduce appropriate clauses into the contracts with employees, associates (in particular in B2B contracts), and subcontractors. Such clauses should, on the one hand, regulate the admissibility of using AI tools and on the other hand, the consequences of their use as part of the performance of a contract.

It is also worth including appropriate disclaimers in contracts with clients if we plan to use external AI suppliers.

When using generally available AI tools, such as ChatGPT or Midjourney, it is necessary to become acquainted with the regulations of such services in terms of the division of the rights to input and output data and the manner in which those data are stored. This, in turn, should serve as a starting point for the assessment if and possibly what data may be used as input;

The admissibility of using generally available AI tools and the consequences of the use of the generated results in the course of the performance of a contract should be regulated in the contracts with employees, associates (in particular in B2B contracts), and subcontractors. It is also recommended to introduce to the contracts the disclosure obligation concerning the use of such tools as part of contract performance;

In organisations where creative work is a significant element of activity, we may also consider introducing general policies for using AI-based tools. Within the frames of such policies, it is possible to comprehensively regulate the issues connected with the use of AI tools by personnel or associates. This will be a step towards guaranteeing the security and confidentiality of data processed in the organisation;

If we do not want our data to be used to improve the effectiveness of the OpenAI model, we may fill in a form shared on the OpenAI website;

It is worthwhile to additionally consider turning on new functionality to disable chat history in ChatGPT. OpenAI states that in such a case, selected chats with respect to which such functionality is enabled will not serve to train and improve its models.


If we use the API of OpenAI, then the input provided by us is not used to train the model or improve the services – as opposed to using ChatGPT or DALL-E;

Use AI locally, in other words, it is worth choosing models that function locally on your servers;

Consider using ChatGPT-4 via the Azure OpenAI platform, which reportedly offers appropriate data security means, indicating that all data remain within the frames of the Azure OpenAI service and are not sent to OpenAI;

As far as possible, use more specialised AI platforms, that is, intended for a specific purpose (e.g. marketing, sales, etc.)—such platforms often offer more detailed terms related to data security;

Use AI tools carefully when providing data, in particular, make sure that no information that is a trade secret is provided, that data concerning, e.g., a potential invention entered in such a manner would not deprive the invention of the premise of novelty, etc.

5. AI vs personal data

In an era of extensive protection of personal data, as required by the General Data Protection Regulation (GDPR), particular care should be taken when processing personal data in AI tools. Personal data are—as per the Regulation—information about an identified or identifiable natural person. This definition covers identifiers that enable the identification of a natural person, such as first and last name, identification number, location data, Internet identifier, or one or more specific factors describing the physical, physiological, genetical, psychological, economic, cultural, or social identity of such natural person

Still, we should remember that it is an open catalogue—if collected information (also in combination with other ones we hold) enables the identification, then it will be treated as personal data.

The “processing” of personal data, in turn, means an operation or set of operations performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Therefore, the definition of data processing is broad and we should remember that it covers not only active operations on data but also, e.g., storing or consulting data gathered by another entity.

Personal data include any information that may lead to the identification of a natural person. Identification is often possible if obtained pieces of information are linked with each other.

The entity that decides on the purpose and manner of data processing is—as per the GDPR—the data controller. The entity processing data on behalf of the data controller is, in turn, called the “processor.” The processor performs data processing operations for the account of the data controller (upon its order), in other words, it does not independently decide on the purposes and manner of processing. The key to distinguishing the foregoing is to determine whether a given entity decides on the very fact of data processing—if yes, then we are dealing with

the data controller. In practice, processors carry out certain operations on behalf of the data controller—for instance, they store personal data (e.g. suppliers of cloud solutions).

Be aware that the term “processing” refers to in fact any operation performed on personal data, from the time they were obtained until deleted, destroyed, or finally anonymised.

The data controller is responsible for processing personal data in compliance with the law. General principles for data processing were indicated in Article 5 of the GDPR and include, among other things, fairness and transparency, data minimisation, storage limitation, purpose limitation, and accountability. Furthermore, the data controller is responsible for the selection of a processor—before entrusting it with the processing of personal data, the data controller should verify whether the supplier of particular services acts in line with the GDPR and whether it applies appropriate safeguards as part of the performed processing.

Processing is lawful only if and to the extent that at least one of the conditions indicated in Article 6 of the GDPR applies, namely:

a data subject has given his/her consent to have his/her personal data processed for one or more specified purposes;

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

processing is necessary for compliance with a legal obligation to which the controller is subject;

processing is necessary in order to protect the vital interests of the data subject or another natural person;

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,

except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The controller is responsible for selecting the processor to whom it entrusts the processing. We should always verify that such an entity provides for sufficient guarantees of implementation of appropriate technical and organisational measures.

According to the GDPR, certain personal data enjoy special protection. These are special categories of data (sometimes also called sensitive data), namely information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Personal data may be processed only where a relevant premise applies. A data subject should always be informed of the purposes for which his/her personal data will be processed.

As a principle, the processing of special categories of personal data is prohibited, unless the special conditions indicated in Article 9 of the GDPR are met (sensitive data may be processed when, without limitation, the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, it is necessary for medical diagnosis, etc.).

The regulations of the GDPR impose on the data controller a range of obligations connected with special manners of data processing. In the context of AI tools, the following issues should be noted in the first place:

  1. The data controller’s obligation to carry out a Data Protection Impact Assessment (DPIA). It is about the evaluation of risks at the stage of planning even before starting to process personal data. The obligation to carry out a DPIA will apply

in particular in the following cases:

processing with the use of AI on a large scale (the concept of large scare refers to the number of persons whose data are processed), the scope of processing, the data retention time, and the geographical scope of the processing;

systematic monitoring of publicly accessible areas on a large scale using the elements distinguishing the properties or features of objects located within the monitored area;

processing information obtained through the Internet of Things (IoT) (medical bands, smartwatches, etc.) and sending it to the web using mobile devices, such as a smartphone or a tablet;

processing biometric data only for the purpose of identifying a natural person or controlling access;

processing genetic data—in each case;

performing comparisons, assessments, or inferences based on the analysis of data derived from different sources;

assessing and scoring—profiling and predicting, in particular referring to such data as health, interests, localisation;

evaluating or assessing, including profiling and predicting (behavioural analysis) for purposes having negative legal, physical, or financial effects or causing other inconveniences for natural persons (e.g. assessing creditworthiness with the use of AI algorithms subject to the confidentiality obligation and requesting disclosure of data that are not directly connected with the assessment of creditworthiness).

In the case of planning certain processes of personal data processing, a Data Protection Impact Assessment (DPIA) will be required.

When using AI, it is also worth verifying that such an assessment is necessary.

  1. The obligation to appoint a data protection officer—applies to the entities whose main activity covers the processing of sensitive data on a large scale or the regular and systematic monitoring of persons on a large scale. In such a case, the monitoring of the behaviour of persons means, among other things, any form of observing

and profiling on the Internet, also for the purposes of behavioural advertising.

  1. The obligations connected with data transmission beyond the European Economic Area (EEA). In line with Articles 44–47 of the GDPR, transmitting personal data of Europeans beyond the EEA is possible if:

the Commission has decided that the relevant third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer does not require any specific authorisation.

In the absence of the abovementioned decision1, a controller or processor may transfer personal data to a third country or an international organisation if the controller or processor has provided appropriate safeguards,

and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, that is:

legally binding and enforceable instruments between public authorities or bodies;

binding corporate rules;

standard contractual clauses concerning data protection adopted by the European Commission;

an approved code of conduct pursuant to Article 40 of the GDPR together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;

an approved certification mechanism pursuant to Article 42 of the GDPR together with binding

and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights;

standard contractual clauses concerning data protection adopted by the supervisory authority and approved by the European Commission.

Where there is no decision of the Commission and no appropriate safeguards and legal protection means are in place, personal data may be transmitted beyond the EEA in special situations named in Article 49 of the GDPR.

In each case, when transmitting data beyond the EEA, the data controller or the processor is responsible for the processing of personal data in compliance with the principles prescribed by the GDPR. If using a tool based on AI, we use personal data of persons residing in the European Economic Area (or even persons from beyond that area if the processing activities are performed within the EEA) for training or as the input, and such personal data will be transmitted beyond the EEA through that AI tool (such as, e.g., ChatGPT, which gathers data on servers located in the US), we should determine whether either of the abovementioned premises allowing the transborder data processing exists. If none of the premises applies, then we cannot process personal data by means of that AI tool.

Where we wish to transmit personal data to a third country, in all cases we should verify:

what is the basis of the transfer;

whether it is possible to apply such a basis;

whether the data recipient applies appropriate safeguards;

whether the country of the recipient provides for the observance of the rights of data subjects.

The foregoing principles for transmitting personal data beyond the EEA are very important for regulatory and supervisory bodies, which is proven even by a recent high-profile case in which the European Data Protection Board imposed a fine on Meta, which operates, among other things, Facebook and Instagram, for transmitting data of European users of Facebook to the US. The fine was imposed as a result of an inquiry initiated by the Irish Data Protection Commission and reached EUR 1.2 billion. It is hence the highest penalty imposed to date under the GDPR.

Processing personal data with the use of AI.

When processing personal data with the use of AI tools, we should remember that the following conditions have to be met:

the data subject has to be notified of the specific manners and purposes of the processing of his/her personal data,

the legal basis for data processing has to be indicated (this may be, e.g., an agreement binding upon the person whose data are processed with the data controller or consent of that person),

the consent of the person whose data are processed has to be obtained—where there is no other legal basis for processing, yet such consent cannot be implied,

the person concerned has to have the possibility of exercising his/her rights under the GDPR, including, in the first place, the right to request access to the data, object against their processing, and have his/her data rectified or removed.

In view of the foregoing, certainly, most of the privacy policies, information clauses, or contractual clauses referring to data processing used in the course of trade do not include the content required in connection with the use of AI tools for that purpose, that is, for instance, the consent given by a user to set up an account in a given website does not allow the use of such person’s data to train an AI tool.

What is particularly problematic in the context of the currently available AI tools is to enable the person concerned to exercise his/her rights under the GDPR—to date, there has been no mechanism to enable the removal of data that have been already provided as input to an AI tool, the review of

the manner in which data are processed, and their rectification.

We should also keep in mind that personal data may not be processed endlessly—they should be removed when the legal basis for their processing ceases to apply, but also when they cease to be useful.

AI tools—for the sake of compliance with the GDPR—should ensure the enforceable possibility of exercising the rights of data subjects.

With regard to newly created AI tools, in turn—assuming that the foregoing obligations of the data controller are satisfied—we should additionally remember the general principles of the processing of personal data. More than anything else, this is about

the principles of fairness and reliability of data processing. Under these principles, personal data cannot be processed in an unfair, unexpected manner or maliciously, and also in a manner that may negatively affect the persons whose data are processed. We should remember here that when providing biased data to train AI, the algorithm will reproduce those biases in its results, which, in consequence, may cause that personal data will be processed unfairly.

A good example to illustrate the abovementioned relationship is an attempt to create an employment algorithm by Amazon. The algorithm was assumed to create—on the basis of data of already employed persons—a short list of candidates for a particular position, that is, it was designed to select persons out of the submitted resumes to be invited to an interview. It turned out that the algorithm “favoured” men in the results, namely indicated a higher position of male candidates.

This was caused by the fact that the algorithm had been trained on data of existing employees, who were in substantial part men. In this manner, a tool that was assumed not to use data

unfairly, in fact—inadvertently—became a discriminatory measure, reproducing inequalities from training data in its results. In this context, we should remember that an effect of the faulty operation of an algorithm may be a violation of not only the provisions of the GDPR but also other legal acts.

It is essential to make sure how training data are stored in line with the terms of use of a relevant AI tool—if beyond the EEA (as most of the generally available AI tools)—then in order to process data by means of that tool it is necessary to satisfy either of the premises mentioned above. In the case of failure to meet the conditions stated there, it is not possible to process personal data by means of that tool.


The currently available AI tools do not include a mechanism that would enable the removal or modification of the data processed by the system, which is why it is actually out of the question to process personal data by means of such tools in line with the GDPR.

Assuming that the used AI tool will enable the removal or modification of the data processed by the algorithm—when collecting personal data to train AI, we should ensure that data subjects are fully and accurately informed of the purpose and manner of data processing, as well as of the legal basis for processing, and if it is necessary, that we have their clear consent to the processing of personal data for that purpose.

When using AI to analyse personal data, we should carry out a DPIA and assess the probable impact on individual persons, in particular, assess whether the effects of the operation of AI will not affect data subjects and not cause unfair or discriminating data processing.

When building tools based on AI, we should give particular attention to the sets of data used to train AI, so that their use does not decide on the unfair processing of personal data, leading to, e.g., discriminating results (as was the case with Amazon).

6. AI vs consumers’ risks

As a result of the dynamic development of AI, more and more often the systems exploiting it are used as part of

software used by consumers. This is of considerable importance in the context of the broad protection of consumer rights ensured by the laws applicable within the European Union,

including also Poland, as well as postulates concerning the extension of that protection due to constantly emerging, new threats.

Currently, consumers use on a wide scale systems exploiting AI to generate texts and images. Yet, it should be assumed that in the near future AI will be used by consumers for numerous other purposes. Still, we can already identify a number of risks for consumers connected with the use of AI. The following should be considered the most important:

the risk of manipulation—it may arise in two alternative cases, namely: I) AI to which low-quality data have been provided may generate erroneous or misleading messages directed at users; ii) AI is so designed to cause a specific effect in a recipient by means of the generated content;

misleading—irrespective of reasons (poorly prepared model, content of input data, intentional action of the authors), AI may generate content misleading consumers. It is particularly dangerous when one attempts to gain expertise, e.g. in the field of medicine or law;

disinformation—for a long time, AI has been used to create false messages (voice, text, images), in particular, to generate the so-called deepfakes. Generating and then disseminating such type of material may serve the dissemination of false information and, in consequence, influence behaviour of consumers—recipients of the content—also in very important aspects, such as, for instance, participation in elections or voting for a particular candidate;

infringement of privacy—AI models use for their development a range of information, which may cover also personal data. One should bear in mind that the said data may be freely processed by a given solution, while, at the moment, it seems impossible to remove personal data from it. What is more, hypothetically, on the basis of already collected data, AI may generate additional, false data pertaining to a person.

Using AI systems, we should bear in mind the necessity to observe the national laws implementing the so-called Omnibus Directive (Directive 2019/2161). In this case, this will primarily come down to the introduction of a number of fuses to guarantee the correct display of the information generated or managed by AI. For instance, we should remember that if an AI system independently decides on a change (reduction) of the price of a given product or service (e.g. due to increased demand or a special offer), it will be necessary to display all information required by the law and thus—as a rule—the promotional price, the lowest price within the last 30 days, and the price applicable before the reduction.

It is also possible that a relevant system will independently place products offered within an online trading platform (in simple words—a marketplace). In such a case, we should share on the platform information on the main parameters deciding on the product placement within the browser made available to a consumer and the relative significance of such parameters in comparison to others. It seems that in some cases it will be particularly difficult to satisfy that obligation, all the more so, when a given system has extensive decision-making autonomy.

Currently, works are pending on such provisions as the AI Act (Artificial Intelligence Act) or ALID (AI Liability Directive), which may considerably impact the possibility, scope, and manner of the influence of AI on consumers.

AI vs principles of accountability for its actions.

Actually, this issue may be divided into two, that is how it is now and how it will be in the near or more distant future. Because now, we should assess AI in line with the applicable provisions, which are not adequate and simply fail to cover complicated issues related to AI and potential damage that may be caused by its errors.

First and foremost, AI cannot be deemed a dangerous product. Under Polish provisions (Article 449(1) of the Civil Code), such product is deemed a tangible object—even if it is connected with another object—as well as animals

and electricity. Consequently, it is not possible to apply with respect to AI authors the regime of liability for a dangerous product, in accordance with which the entity that creates such a product as part of its business activity is liable for damage caused to anyone by it.

This means that the liability for damage caused in connection with the use of AI should be assessed on general terms.

Consequently, in order to effectively pursue its claims, the affected entity has to prove:

the amount of the suffered damage;

the fault of the third person;

the causal relationship between an act or omission of the relevant person and the damage caused.

Such regulation of the liability terms in the context of AI makes it currently extremely difficult to pursue possible claims. Why?

This is a specific feature of civil law. As a sneak peek, the fault of the perpetrator may be intentional or unintentional. At the level of unintentional fault, one has to prove failure to exercise required care, and the very measurement of due care may not be determined in advance at a general level and each time should be determined individually on the grounds of the factual circumstances of the relevant case.

The bodies of the European Union are aware that the currently existing legal standards do not take into account the issue of AI. In connection with that, last year, the European Commission published a proposal for a directive on adapting non-contractual civil liability rules to artificial intelligence (AI Liability Directive).

Similarly to the AI Act (which will be discussed later on), the directive distinguishes between AI systems and high-risk AI systems, at the same time obliging the member states to introduce provisions to secure and disclose evidence related to the manner in which a high-risk AI system operates.

What is more, the proposal provides for the introduction of a challengeable presumption of the existence of a causal relationship in the case of a fault (this means that when certain premises are satisfied, a challengeable allegation will arise that there is a causal relationship between the defendant entity’s fault and the result obtained by the AI system or the fact that such system failed to obtain such a result).

The provisions proposed by the Commission are designed to facilitate seeking claims for damages connected with the operation of AI. Given such proposals, in the future, it will certainly be easier and more effective to defend one’s interest violated by the operation of AI.

Who is liable—the producer, the developer, or the user?

What is more, on the grounds of currently applicable provisions, it may be doubtful who is to be held liable for a given event. Will it be the entity that has marketed AI, the relevant developer, or maybe the user who used the possibilities offered by the relevant AI system in such a manner and not otherwise.

In most cases, the developer himself/herself will bear possible liability only against the entity that committed works over AI to that developer (unless the developer acts independently as the producer or a distributor of the relevant AI system).

Because this results from the essence of contractual liability—the author acts on the basis of an agreement, within the frames of which the principles of his/her liability were determined (they may also result from general provisions if no respective clauses were included in the agreement).

Here, we should remember that if AI has hidden errors that cause damage to users, in some cases it is possible for the producer/distributor to seek claims from the developer under recourse liability.

On the other hand, the entity that has marketed the relevant system may bear liability under contract as well as in tort. Contractual liability arises when AI cannot be used for the assumed purposes, and a third party has paid for access to the relevant system.

As far as liability in tort is concerned, the evidence issues discussed above apply here as well, however, it is in theory possible to hold the entity offering the relevant solution accountable.

The user himself/herself (the person who uses AI for a certain purpose) may also be subject to liability in tort (for a delict)—for instance, we may imagine a situation where a system serves to generate false content related to a particular person and such content will later be published by the user as genuine. Such activity will constitute a violation of the personal interest of the third person who in connection with that may seek claims against the person on whose instructions the particular content was generated.

In this context, we should remember that when assessing the user’s activity, consideration should be given to whether such a user acted consciously or whether it was the AI system that misled him/her.

In the case of AI, the scope and ground of liability may considerably differ—all depends on the relation between the relevant user and the relevant system. The developer’s liability will usually be limited to contractual liability against his/her principal. On the other hand, the entity that has marketed the relevant system will be held liable for both the incompliance of the system operation with the agreement concluded with the final user and for damage caused to third persons. planned regulations referring to AI


7. Planned regulations referring to AI

The European Union and the AI Act

On 21 April 2021, the European Commission presented a proposal for the EU Regulation on artificial intelligence (Artificial Intelligence Act). It is a result of a several years plan, the so-called European AI Strategy adopted in April 2018.

The AI Act was designed to ensure the operation of AI systems in the EU in a secure, transparent, ethical, unbiased, and human-controlled manner, and the European Union itself is intended to become the global centre of reliable AI.

The AI Act was designed to introduce provisions related to, among other things, marketing, putting to use, and using AI systems throughout the European Union. At the same time, it will provide the basis for prohibiting particular practices connected with the use of AI, special requirements related to high-risk AI systems, as well requirements referring to transparency —in particular with respect to AI tools that are supposed to interact with natural persons.

The Regulation covers also requirements related to the quality of training, validation, and test data used to train AI systems, as well as the issues of monitoring AI tools after they are marketed, and supervision over the market. In the AI Act, the Commission assumed that AI tools should be categorised in terms of risk to human rights and liberties connected with their use, and the higher the risk, the more obligations and restrictions.

The following risk categories are indicated:

  • Unacceptable risks (and the so-called prohibited AI systems)

Specific applications of AI are identified as having unacceptable risks. This category includes, among other things, citizen scoring conducted by the government—the so-called social scoring (a system used in the People’s Republic of China)—designed to monitor behaviour of citizens in terms of compliance with legal and social standards. Further, using subliminal or intentional manipulation techniques as well as “real-time” remote biometric identification systems in publicly available places. The above uses of AI, as contrary to fundamental rights, will be banned.

  • High risk

High-risk AI systems are classified as such on the basis of two premises. Firstly, it has to be a solution indicated in Annex No. 3 to the Regulation, that is in the list of high-risk AI systems. Secondly, such a system will still need to pose a significant risk of harm to health, safety, civil rights, or the environment. The Annex, in turn, indicates the AI systems used in—for instance—the following areas:

management and operation of critical infrastructure: AI systems used in the management and operation of road traffic and the supply of water, gas, heating, and electricity;

education and vocational training – AI systems intended to be used to determine access or assig natural persons to educational and vocational training institutions;

employment, workers management, and access to self-employment – AI systems intended to be used for recruitment or selection of natural persons, notably for

advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests, making decisions on promotion and termination of work-related contractual relationships, task allocation, and monitoring and evaluating the performance and behaviour of persons in such relationships.

When creating and implementing high-risk AI systems, it will be necessary to satisfy the requirements prescribed by the AI Act. Such requirements include, without limitation, the obligation to implement a risk management system, satisfy the quality criteria for data sets used to train and test AI, and prepare technical documentation of the system and to keep it up to date.

Additionally, high-risk AI systems have to be designed so as to automatically record events during the operation of that system (logs) and to enable individuals to oversight them effectively, also to understand the capabilities and limitations of a given AI system. Human oversight over an AI system is to cover, among other things, being able to decide not to use the AI system in a given situation, disregarding a decision made by the AI system, or immediately interrupting the operation of the system.

In order to effectively ensure the protection of fundamental rights, the deployer of high-risk AI systems should carry out a fundamental rights impact assessment before putting it into use. Such assessment should be preceded by a detailed plan describing the measures or tools that will help mitigate the risks to fundamental rights identified at the latest from the time the system is put into use. When performing the abovementioned impact assessment, the deployer should notify the national supervisory authority. It is also encouraged to make the summary of the conducted fundamental rights impact assessment publicly available on the online website of the relevant system.

  • Limited risk

Limited risk was assigned to those AI systems the use of which may involve a clear risk of manipulation (e.g. in the case of chatbots). The AI Act assumes minimum obligations related to transparency with regard to those systems so that the user is able to make conscious decisions when interacting with such a tool. Users should be aware that they interact with a machine and thus be able to decide whether to continue to use the relevant application (tool) or resign from using it.

Foundation models

The AI Act also considers foundation models and general-purpose AI.

As regards foundation models, possible risks and damage, among other things, should be assessed and limited by the appropriate design, testing, and analysis, data governance measures (including prevention of discrimination) should be introduced, and technical and design requirements should be satisfied to ensure an appropriate level of performance, predictability, interpretability, accuracy, security, and cybersecurity and to address appropriate environmental standards. However, this does not mean that foundation models will be treated as high-risk AI systems.

Regulatory sandboxes

Apart from the foregoing categorisation of AI systems and related obligations, the Regulation also stipulates the introduction of the so-called regulatory sandboxes. A regulatory sandbox is supposed to ensure a controlled environment facilitating the development, testing, and validation of AI systems for a limited time before they are marketed or put into use in line with a specific plan.

AI Office

What is more, the AI Act provides for the introduction of a new body, namely the EU AI Office. The Office will be responsible for, among other things, gathering and disseminating expertise and good practices among the member states, giving opinions and recommendations in cases connected with the implementation, and contributing to the uniform observation of the Regulation, in particular with respect to the regulatory sandboxes.


The AI industry will not be left alone in the observation of the AI Act, though. The Regulation provides for a number of institutions to clarify the practical aspects and make the legal requirements more specific, among others, this will include European standardisations and specifications. The Commission will also determine, among other things, the criteria to enable entrepreneurs to assess whether their AI system may be high-risk.

Open source

Under certain conditions, the authors of free and open-source AI components will not be subject to the requirements of the AI Act, in particular not against a supplier that has used such an AI component.


The United Kingdom and the pro-innovation approach to regulating AI.

The policy paper (a document including no specific provisions but only action directives) published in March 2023 describes the UK plan for regulating AI. In this document, it was directly stated that the UK legislation should aim at such an approach to enable fast development and implementation of AI tools in the UK and thus to enable the UK to become the leader in the implementation of that technology.

Similarly to the European Commission, the UK regulator promotes an approach based on the evaluation of the risk connected with AI systems. However, unlike the European AI Act, the UK legislator provides for the introduction of regulations that will “provide for clear guidelines, which, however, will not necessarily translate into specific restrictions.”

The British also stated a method to supervise the entities using AI-based solutions that is different from that assumed in the EU. In the United Kingdom, the supervision over the development and implementation of AI and related regulations will be entrusted to the existing supervisory authorities, to name a few: the Financial Conduct Authority, the Competition and Markets Authority, the Information Commissioner’s Office, and the Medicine and Healthcare Products Regulatory Agency. Those institutions will gain new duties and competencies connected with, among other things, the identification and assessment of existing risks.

Which approach is better? Time will tell.


 8. SummaryAs an introduction – briefly about AI

LEGAL DISCLAIMER: Any information contained in this e-book is for guidance only and does not constitute any form of legal advice or opinion. Therefore, in case of need, remember to consult a competent advisor. We are not liable for any losses resulting from your action or omission.

The content presented in this e-book reflects the legislation at force and information and materials available as of 15.06.2023. As the discussed field is dynamically developing, any standpoints and views presented in this e-book are not official and, in particular, may be changed.

With the rapid development of AI algorithms, at the same time with no up-to-date and implemented legal solutions related strictly to AI, we should particularly carefully assess the risk connected with the use, creation, and implementation of AI tools. Below you will find a set of recommendations related to the legal aspects of conducting projects based on AI.

When starting works on the implementation of an AI system, it is worth considering what we want to monetise—the algorithm itself, training data, output data, or any other aspect of the use of AI. This will impact our strategy for the protection of those components, the manner in which legal obligations will be satisfied, and, indirectly, the scope of our liability.

One should assess exactly what rights we can have or want to have to the project element that is of most interest to the client, e.g. whether we can have the exclusive right to use this element or whether we have to make it available under certain conditions; whether exclusive rights arise in this case (that is, copyrights or rights to an invention); whether in each case copyright has to be transferred in full, or whether we are concerned with, for instance, an exclusive licence, etc.

In each case, we should take care of the data sets used to train the algorithm. We should remember that if training data are biased, contain errors, or have been erroneously gathered, we may be held liable for that. Additionally, we have to assess whether the use of specific training data will not violate a trade secret (or another secret protected by law) or copyrights of a third person.

If an AI algorithm within a project is created under an agreement, then such an agreement should specify the role of each party, including in particular the scope of liability with respect to the compliance of the AI system with legal requirements (e.g. prescribed by the AI Act, which will soon come into effect).

Using personal data for training, we should particularly carefully assess the related risk, especially with respect to the possibility to ensure the right to cease the processing of personal data. We should assess whether it is necessary to carry out a DPIA and determine whether data will be transferred beyond the EEA—and if yes—the conditions for such a transfer will have to be satisfied. We need to also consider whether third persons will process personal data as part of the project—if yes—then respective data transfer agreements have to be concluded with those persons. In order to avoid the foregoing obligations, it is recommended to use anonymised data.

If as part of a project, we use an AI algorithm from an external supplier or available under a licence, etc., it is important to assess the risk of liability on our part for the operation of the algorithm in violation of the applicable guidelines. This is all the more significant in the case of high-risk systems described in Annex III to the European AI Regulation.

Be aware that in light of the currently implemented provisions—especially European—AI tools, and thus projects implementing solutions based on AI, should follow such operating principles as transparency, accountability, and safety.

The Authors:

Legal Advisor Dominika Wcisło

Patent Attorney Aleksandra Maciejewicz

Legal Advisor Milena Balcerzak

Attorney-at-Law Bartłomiej Serafinowicz

Contact details:

Share article


Stay up to date with changes in the law

Subscribe to our newsletter

facebook twitter linkedin search-icon close-icon