10 Ways to Ensure Data Protection when Using AI Tools

Published On Tue Mar 11 2025
Part 25: AI Tools – What about data protection? - VISCHER

AI tools continue to spring up like mushrooms. New products are coming onto the market every day, while the functions and possibilities of existing tools are also constantly changing. As a result, companies are increasingly spoilt for choice. In addition to questions regarding the suitability and costs, legal aspects and the associated review of contracts always play a central role. The latter is particularly challenging, which is due on the one hand to legal challenges and on the other hand to the complexity of the contracts themselves – whereby the contracts could sometimes be better described as “confusing” or even “deficient”.

Data Processing Agreement and Confidentiality

If a company processes personal data with such a tool, a data processing agreement ("DPA") that meets the applicable data protection requirements is required. In addition, confidentiality obligations for the provider, as well as the rights to the data and its use for the provider's own purposes, may play a role. If personal or confidential data is to be processed in the tool, use for the provider's own purposes (e.g. training or further development) within the company is generally not acceptable. Free services or those intended for private customers usually do not meet these requirements, which is why companies should stay away from them.

In order to be able to process data within the application that is protected by official or professional secrecy (e.g. attorney-client, doctor-patient or bank-client confidentiality), additional contractual assurances are required that go beyond the standard contracts and must be negotiated with the providers or additionally requested from them. In these cases, the provider's employees must also be prevented from reviewing prompts and outputs, which the provider reserves the right to do in certain cases (in particular to combat abuse).

Geographical Considerations and Compliance Assessment

Furthermore, where (geographically) the AI tools or the models used in them are operated is relevant. With a view to legal protection against foreign lawful access by authorities, data protected by Swiss official and professional secrecy must generally be hosted in Switzerland. This is not possible with all providers, AI tools, and AI models, but from a legal point of view it is not mandatory in all cases either.

There is more to compliance assessment than just choosing the AI tool. Equally relevant is which data is processed when the tool is used, and which version is licensed. This situation makes it clear that companies need to clearly regulate the use of AI tools, including those that are freely available. Ultimately, it must be clear to the company and the people working for it whether an AI tool may be used and, if so, with which data and for which purposes. To this end, companies should issue a policy that regulates these questions.

Recent Developments with AI Tools Providers

Not only have the AI tools developed functionally in the last year, but there have also been adjustments in almost all the providers' agreements. Microsoft, for example, has made some improvements to the agreements, but overall, the picture is still somewhat chaotic.

Microsoft's AI Tools Updates

In its offers for private use, Microsoft has started to integrate Copilot into its Microsoft 365 offers for private customers, combined with significant price increases. The terms of the offers raise concerns about data privacy and usage rights. Companies need to be cautious and ensure that Copilot is only used with a business M365 account to maintain better data protection.

Microsoft's offers for private users are not suitable for companies, and care must be taken to ensure that Copilot is only used with a business M365 account. In general, these offers can normally not be used in a compliant manner, and even private users must carefully consider the clauses regarding data usage.
