6 Regulatory considerations with GenAI terms and conditions
Organisations and managers need to be aware of various regulatory frameworks for GenAI providers. Many providers use third-party models and technologies, so compliance with third-party terms is crucial.
For instance, Google’s Generative AI Additional Terms of Service limit developing machine learning models. Understanding who owns the Intellectual Property (IP) Rights, both inputs and outputs, is essential – typically, users retain IP rights but there are exceptions.
Managers should check for standard indemnities from users to providers, especially in free subscriptions. It is important to ensure that any GenAI use complies with data protection regulations (including the General Data Protection Regulation) understanding how data is processed, stored, and protected (Koley Jessen, 2024).
Some of these regulatory considerations are explored in more detail below.
Data usage
A critical area addressed in the terms and conditions of GenAI tools is data usage. Many GenAI tools depend on substantial amounts of user input – such as text prompts or uploaded documents – to function effectively and improve over time.
Providers like OpenAI and Google often reserve the right to retain, log, or utilise input data to refine their models unless the user opts out or subscribes to an enterprise-tier plan that prohibits training on user data.
For instance, OpenAI specifies that unless users are using a business account, data entered may be used for model training and enhancement. This raises significant concerns for organisations handling confidential or personal data, especially under legal frameworks like the UK GDPR.
GenAI models are trained using vast amounts of data which often includes personal data. This causes significant privacy concerns under the GDPR because GenAI can generate incorrect information – called ‘hallucinations’ – which pose particular challenges if personal data is involved, and which are compounded by the lack of transparency in GenAI models (Lolfing, 2023b). Managers must ensure that the processing of personal data by GenAI systems complies with GDPR requirements (Lolfing, 2023a). This means taking steps to obtain proper consent (full, and informed consent), ensure data minimisation, and implement appropriate security measures.
Organisations should implement technical and organisational strategies to ensure data security when using GenAI tools. This includes implementing access controls, encryption, data backups and recovery processes (Lolfing, 2023b).
Intellectual property
Another essential consideration is intellectual property (IP). Users often assume that they fully own the outputs generated by GenAI. However, providers frequently indicate that the generated content may be non-exclusive and not necessarily subject to copyright protections. Many GenAI outputs may be derived from public datasets or resemble outputs provided to other users, thereby limiting exclusivity. It is imperative that users carefully review ownership clauses to comprehend whether, and how, content may be reused or commercialised.
Liability and disclaimers
Liability disclaimers are commonly included in GenAI T&Cs. Most providers stipulate that they do not guarantee the accuracy or reliability of outputs and disclaim responsibility for any harm caused by reliance on the tool. The Law Society of England and Wales emphasises that lawyers must remain accountable for the content they submit or rely on, even when AI is involved in its creation. This underscores the necessity for professional oversight and thorough verification when utilising GenAI, especially in regulated industries.
Acceptable use policies
Acceptable use policies are also prominent in provider terms. These clauses typically prohibit the use of the tool for unlawful purposes, including the creation of harmful, deceptive, or discriminatory content. Violations of these clauses may result in account termination and/or reputational damage. It is crucial that organisations understand not only what the tools can do but also what they are permitted to do within legal and ethical boundaries.
Model changes
GenAI T&Cs often include provisions for model changes, versioning, and service continuity. Providers may update their models or restrict access at any time, potentially affecting consistency or reproducibility. This dynamic nature of service delivery necessitates close attention to version controls and documentation, particularly when GenAI is integrated into operational or legal workflows.
Insurance
It is important to assess whether a GenAI provider offers adequate liability coverage and indemnity provisions. This is crucial for safeguarding the organisation in case the GenAI produces incorrect results. It is essential to review any indemnity clauses to determine whether they provide protection against infringement claims made by third parties (Talladoros, 2024), especially since GenAI models can sometimes generate outputs that inadvertently infringe upon existing intellectual property rights.
Managers should also examine if the insurance includes coverage for data breaches or privacy violations resulting from the use of GenAI tools. Given the sensitive nature of data processed by GenAI systems, this aspect is particularly important. If there is no coverage for data breaches, other insurance policies, such as cyber insurance, should be considered (O'Brien, 2024).
In certain instances, GenAI providers may require users to maintain specific types of insurance, such as professional liability or cyber insurance (Koley Jessen, 2024), to mitigate potential financial losses from claims related to the use of GenAI services.
Assessing whether there is appropriate cover in place, or needs to be obtained, should be done in conjunction with reviewing any exclusions in the insurance policy that deny coverage for specific scenarios, such as incidents arising from misuse of the GenAI systems.
Session 2: Terms and conditions of GenAI providers – 60 minutes
