The EU AI Act: Open-Source Exceptions and Considerations for Your AI Strategy

8 minute read | May.20.2024

This update is part of our EU AI Act Essentials Series. Click here to view additional updates.

The treatment of open-source AI technologies was a source of heated debate leading up to adoption of the EU AI Act. In the end, legislators adopted an Act that:

Does not apply to many AI systems released under free and open-source licenses.
Creates a limited open-source exception for general purpose AI models (GPAIMs).

Given the EU’s status as an early mover in tech regulation, AI developers and users should consider the law’s open-source exceptions as a guidepost for how such requirements are likely to develop elsewhere in the near term.

Overview of the Open-Source Exceptions

AI Systems

The Act as a whole “does not apply to AI systems released under free and open-source licenses, unless they are placed on the market or put into service as high-risk AI systems or as an AI system that falls under Article 5 or 50.” Those articles cover AI systems that are prohibited or interact directly with people.
A fact-specific analysis will determine whether a given AI system falls into one of the categories of prohibited or high-risk AI systems.

GPAIMs

The Act creates a limited open-source exception for GPAIMs. It allows for “the access, usage, modification, and distribution of the model…” where the model’s parameters “…including the weights, the information on the model architecture, and the information on model usage, are made publicly available.” GPAIMs will not qualify for the exception if they “present systemic risks” (described below).
Qualification: Providers seeking the qualification of a GPAIM under the exception should:
- Make the GPAIM available on conditions that satisfy the requirements stated above.
- Account for systemic risk. The latest language states that GPAIMs will be classified as presenting “systemic risks” if they:
  - Have “high-impact capabilities” evaluated on the basis of technical tools and methodologies. (This will be presumed when the cumulative amount of computation used for training the model measured in floating point operations is greater than 10^25) or
  - Are otherwise designated as such by the Commission based on the criteria set out in Annex XIII of the Act.
Benefits of the Exception: If an open-source GPAIM otherwise meets the exception requirements, the Act exempts the provider from certain transparency obligations. That includes an exemption from the obligation to create and maintain up-to-date technical documentation and information intended for providers that plan to integrate the GPAIM into their AI systems.
- The provider of the open-source GPAIM nonetheless must:
  - Share a detailed summary at distribution of the content used for model training with a level of specificity regulators will determine.
  - Establish a policy with respect to EU copyright law, including for identifying and respecting a rightsholders reservation of rights though “the use of state of the art technologies” and pursuant to Article 4(3) of the Directive (EU) 2019/790.

What Does This Mean for Your Open-Source AI Strategy?

Developers, providers and users (called “deployers” under the Act) should keep a few initial considerations in mind as they develop, use and distribute such technologies.

What types of AI technologies do you use or share? Why?

The first step of any AI compliance program is to inventory how your company uses AI. Does your company receive a license to the technology – or grant one to third parties? Make sure to review:
- Proprietary AI systems and GPAIMs.
- Open-source AI systems and GPAIMs.
- Commercially licensed AI systems and GPAIMs.
- Other commercially licensed services that include AI-powered functionality.
Companies often use several types of models or AI-powered tools, but they may not always realize it due to the speed at which companies integrate AI technologies into commonly used software services (which might include open-source AI technologies). This means a one-size-fits-all approach could quickly become obsolete. The pace of change makes internal tracking and oversight a cornerstone to managing AI-related risk.
Companies should also assess whether they are complying with license terms (including terms on the license scope).
- Complying with license terms is critical to maintaining a legal right to use such technology.
- Licensors can often immediately terminate a licensee’s use if the licensee breaches applicable terms.

What are the pros and cons of a “provider” licensing AI systems or GPAIMs to third parties under an open-source license that respects the Act’s requirements?

A provider might find it beneficial to make an AI system or GPAIM available under an open-source license. That could bolster innovation and development, enhance the provider’s reputation, market the availability of its more advanced solutions or recruit technical personnel.
The Act exempts GPAIM providers from a number of transparency obligations. This could lessen the compliance burden.
The Act still requires disclosures related to architecture, weights and training. That could involve information a provider intends to maintain as confidential or a trade secret. To date, few GPAIMs meet the requirements of that open-source exception. That could limit the initial open-source GPAIM options available to users.

What are the pros and cons of a “deployer” (user) licensing AI systems or GPAIMs from providers under the exceptions?

Open-source AI systems and GPAIMs are free, easily accessible and already developed, potentially saving companies time and money. Users benefit from the information GPAIM providers must disclose as part of the license terms, such as parameters, weights and architecture. That kind of information goes beyond what often is made available under a traditional open-source software license.
Some potential drawbacks of open-source AI systems or GPAIMs are that users may be wary of potential security vulnerabilities or copyleft license effects resulting from offerings with an unclear testing or training regimen. That’s especially true if users do not receive representations, warranties or indemnities from a third party backing the training, suitability and security of such AI technologies. Users may also want a provider to be contractually obligated to:
- Provide ongoing implementation support or maintenance.
- Maintain a detailed understanding on how AI technologies were trained and operated in case regulators or customers raise questions.

What safeguards should a company implement when using open-source AI technologies?

Beyond corporate oversight, companies should consider extensive operational precautions when evaluating, implementing and operating AI technologies.
Some precautions might already be in place for existing technical systems, including internal and external testing, quality management procedures, employee/contractor policies concerning AI, technical documentation of AI usage, log maintenance, maintaining a “human-in-the-loop” for AI operations and tracking and labeling output from AI models.
Legal and technical personnel should evaluate the legal terms that apply to new open-source AI technologies before use. (This might already be a part of a company’s open-source software policy or procedures.)
Companies should ensure no license terms or outright prohibitions conflict with the business use case, such as commercial use restrictions.
A company should track such terms and periodically audit the use of associated code to ensure company use cases remain consistent with license terms.

If you have questions about the AI Act, open-source AI Systems, GPAIMs or legal issues in artificial intelligence reach out to the authors or other members of Orrick’s AI team.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Sarah Schaedler Partner, Technology & Innovation, Technology Transactions

San Francisco

See my bio

D:+1 415 773 5474
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Intellectual Property
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Sarah Schaedler Partner

San Francisco

Sarah’s practice focuses on structuring and negotiating the intellectual property aspects of complex corporate transactions, including mergers and acquisitions, business divestitures and commercial transactions where software and technology are the principal assets. Sarah also advises on intellectual property and technology contracts related questions in the context of Artificial Intelligence (AI).

Sarah routinely advises on carve-outs and business separation transactions and helps clients with structuring and implementing their intellectual property and technology separation roadmap.

Sarah has counseled several companies in their preparation for a divestiture and understands the issues a buyer is focused on in the context of intellectual property matters. She regularly helps companies implement remediation steps around their intellectual property assets to help them to a successful closing.

She has significant experience advising private equity funds on investments involving companies that are driven by technology & innovation, as well as intellectual property reliant consumer product companies and companies that are stepping into digitalization.

Sarah is also a member of Orrick’s AI leadership group and involved in thought leadership projects related to AI matters on corporate transactions.

Educated and trained in Germany, France and the United States, Sarah’s international experience provides her with additional knowledge on cross-border transactions and international matters.

Shaya Afshar Senior Associate, Technology Transactions, Artificial Intelligence & Machine Learning

Santa Monica

See my bio

D:+1 310 633 2817
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Artificial Intelligence & Machine Learning
Blockchain and Virtual Currency
Cyber, Privacy & Data Innovation
Technology Companies Group
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shaya Afshar Senior Associate

Santa Monica

During his time with Orrick, Shaya was seconded to cloud-based information security company Zscaler, Inc. as commercial and corporate counsel. Prior to joining Orrick, Shaya was an associate in the IP and Technology Transactions Group at Skadden, Arps, Slate, Meagher & Flom LLP, and prior to law school, he spent a year teaching English in Shenzhen, China.

Daniel Healow Managing Associate, Technology Transactions, Cyber, Privacy & Data Innovation

Silicon Valley

See my bio

D:+1 650 614 7434
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Daniel Healow Managing Associate

Silicon Valley

Daniel has experience working with clients of all sizes with varying industry and regulatory footprints, from startups to mature technology companies to large financial institutions, in various transactional settings, such as mergers and acquisitions, carve-outs, service provider arrangements, development arrangements, strategic partnerships and commercial contracts. In addition to standalone transactions, Daniel provides ongoing client support concerning post-transaction business integration, IP portfolio management, artificial intelligence tooling usage, open source software usage, compliance with privacy laws, internal and external-facing policy management and data management strategy.

Prior to joining Orrick, Daniel was an Associate in the IP and Technology Transactions Group at Skadden. Prior to law school, he was part of the Legal Online Operations team at Google where he managed and developed policies to address government requests for user data.