Curriculum
AI and Data Governance
AI and Data Governance
0/8
-
How AI Works and Why It's Different?
Preview -
Let's Talk Technical: What's an AI model?
Preview
-
Exposure: What are PIIs? And how it can slip into the Mind of AI?
Preview
-
Irreversibility: The Memory Trap in AI and Why Prevention is the Only True Solution
Preview
-
Compliance: The Dark Side: Legal Liability
Preview
-
Indirect Liability for Companies using AI vendors
Preview
-
AI Glossary: What means what?
Preview
-
AI and Data Governance Quiz
Indirect Liability for Companies using AI vendors
Now to the billion-dollar question:
“I’m a company with customers and active contracts. I’m sending customer data to AI, AI 3rd-party decided to use it to train. Who should be found responsible?”
This is a complex situation with potential legal and ethical ramifications. There isn’t a simple “guilty” or “not guilty” answer, as liability will depend on several factors, primarily focusing on the contracts, privacy policies, and applicable laws. This issue has 3 parties: you, your customers as the 2nd party, and the AI vendor as the 3rd party:
Customers
Customers are not guilty of anything. They are the injured parties whose data has been misused. They have the right to seek legal remedies against both your company and the AI third party.
AI Third-Party
- Breach of Contract: If the contract between your company and the AI third-party explicitly prohibits the use of customer data for training purposes, then the AI company is in clear breach of contract.
- Violation of Privacy Laws/Regulations: Most jurisdictions have strict data privacy laws (e.g., GDPR in Europe, CCPA/CPRA in California, similar laws around the world). Using personal data for training AI models, especially without consent, can easily violate these laws if:
- Customers weren’t informed of this potential use.
- Customers didn’t give explicit consent for their data to be used for this purpose.
- The data used is considered sensitive personal information (e.g., health data, financial data, demographic data revealing race, religion, etc.).
- The AI company didn’t implement adequate data anonymization or pseudonymization techniques before using the data for training. Even then, if re-identification is possible, they’re still potentially liable.
- Unfair or Deceptive Practices: Using customer data for a purpose that customers didn’t anticipate or agree to could be considered an unfair or deceptive trade practice, leading to regulatory action and potential lawsuits.
Your Company:
- Negligence in Data Governance: Your company has a responsibility to protect its customers’ data. If you were negligent in:
- Choosing a reputable AI partner with clear data privacy policies.
- Performing due diligence to ensure the AI partner’s data handling practices were compliant with applicable laws.
- Clearly communicating to customers how their data would be used by the AI partner.
- Putting sufficient contractual safeguards in place to prevent unauthorized data use. You could be found liable for contributing to the breach. A court would consider what a reasonable company in your position would have done to protect customer data.
- Doing almost care in forbidding customer data ever hitting the AI vendor if not needed.
- Breach of Privacy Policy: If your own company’s privacy policy states that customer data will not be used for AI model training (or any similar purpose), and you then allow it to happen, you are in breach of your own policy, which can lead to lawsuits and regulatory penalties. A common issue is a vague privacy policy; the more specific, the better.
- Indirect (Vicarious) Liability: In some cases, you could be held indirectly liable for the AI third-party’s actions, especially if the AI company is considered your agent or if you directly benefited from their unauthorized data use.
Key Factors That Determine Liability:
- Contractual Language: What does your contract with the AI company specifically say about data usage, privacy, and security? Is there a data processing agreement (DPA) in place?
- Privacy Policies: What does your company’s privacy policy state? How clear and unambiguous is it about data sharing with third parties and the purpose of that sharing?
- Consent: Did you obtain informed consent from your customers for their data to be used for AI training purposes? Was that consent explicit and specific?
- Anonymization/Pseudonymization: Did the AI company adequately anonymize or pseudonymize the data before using it for training? Even with anonymization, re-identification risks must be considered.
- Data Minimization: Did the AI company use only the minimum amount of customer data necessary for the training process?
- Jurisdiction: Which laws and regulations apply (e.g., GDPR, CCPA, state privacy laws)? This will determine the specific legal standards and penalties.
- Due Diligence: What steps did your company take to vet the AI third-party’s data practices?
- Communication: How transparent were you with your customers about the data you were sharing with the AI provider and the purpose of that sharing?
In Summary:
While the AI third-party bears the primary responsibility for violating contractual terms and privacy laws by training their AI on your customer data without consent, your company could also be held liable for negligence, breach of its own privacy policy, or failure to perform adequate due diligence. The exact apportionment of responsibility depends on the specific facts and circumstances of the situation.