
00:02
Adam Stofsky
Hey, Julia, how are you?
00:04
Julia Apostle
Good. Adam, how are you doing?
00:06
Adam Stofsky
Very good. Because today we're going to talk about another topic related to the EU AI Act and European AI law, which is once a company determines that it's, you know, its AI system or a product may fall under AI law, we need to understand the relationship between that company and the product. But there's different ways of relating to AI. Maybe you are actually developing the AI system, maybe you just use it heavily, integrate into your own products. Can you talk about what these distinctions are, what the definitions are and why they're important?
00:41
Julia Apostle
Yeah, absolutely. And you're right, this is absolutely key because who a company is in relation to the AI system is absolutely integral to determining what that then means in relation to what they have to do under the AI Act, what are their obligations? So the AI Act is modeled on European Product Safety law. Right. And so under most European product safety law, you have what this concept of operators or economic operators, and that's like the generic bucket of all parties that interact with a given product and it subdivides into, you know, the user of the product, who could be the consumer, the manufacturer and so forth. So the AI Act takes that approach. It's got this concept of operator, which includes everyone, and then it splits it down further into provider, deployer, importer and distributor. And of course, user.
01:41
Julia Apostle
But you know, a user, that's easy. Everyone knows what a user is of a system. But let's start with a provider. What is a provider? That is the most important concept. And the provider is the party that is responsible for developing the system or the model, because you can have model providers as well in relation to general purpose AI models only, and putting it on the market or putting it into service under their name or brand, or that has an AI system developed by a third party. Right. And then puts it on the market in their own name, whether for payment or free of charge. Right. So that's what a lot of companies are doing right now. They're commissioning, you know, third parties to develop AI systems and then they're, you know, bringing it in house, they're white labeling it.
02:29
Julia Apostle
And either they're using it in house or they're putting it on the market under their own brand. So that would be a provider.
02:36
Adam Stofsky
So it's logical, actually, you're providing the AI tool in some way.
02:39
Julia Apostle
Yeah. And the provider is analogous to the manufacturer under other EU product safety law. Right. I'm not entirely sure why they went with provider instead of manufacturer, but there you go. I'm sure there's reasons, maybe because they didn't want to bring the relationship too close. Anyway, the deployer, that's the next most important category is the party that uses the AI system, not necessarily the end user, which is the affected person. If my CV is scanned by a system and in a recruitment process, I am the affected person. The company that's using the CV scanning technology might be the deployer and it may have been provided by a provider, that system, right? That's the chain.
03:34
Julia Apostle
And under the AI Act, providers have the most obligations because they are the ones that are, you know, building the system and under a product safety logic where all the obligations, or most of them, not all of them, but most of the obligations apply in an ex ante way right before the product is actually used. So the AI system has to be compliant with the AI Act at the time that is placed on the market before it starts to get used. And who has, you know, who is responsible for that? Who can actually control that? That's the provider, right? And the deployer under the act has some obligations, but not as many as the provider. And then there's the importer and the distributor.
04:25
Julia Apostle
And I don't think we need to spend a lot of time on that because, you know, an importer imports, a distributor distributes, just like in any other sort of product context. And their obligations tend to be limited to making sure that the system actually does comply with the act. The provider has done what they need to do before they make it further available within the EU market. What is tricky, and this is what, you know, deployers need to think about is how they become a provider, right? You don't want to unwittingly become a provider through, you know, the development process or through the commissioning process or through the deployment process. And of course this is most relevant in relation to high risk AI systems because that's where again, most of the obligations are.
05:11
Julia Apostle
But a deployer, as I mentioned before, that sort of commissions the development of a system and then puts it on the market under their brand, then becomes responsible for it, and that might be fine, that's all good, but then you want to make sure that you have really locked down the development process contractually to make sure that you have all the information you need to satisfy your obligations as a provider. Because once you get the finished product, it's hard to go backwards.
05:41
Adam Stofsky
So I have a couple of questions about defining this idea of a deployer versus a provider. So if I just like, use a lot of AI tools in my company, right, internally, so we use ChatGPT or we use, you know, we used tools to help our sales reps, we use tools to screen resumes, but it's all kind of internal. Does that, does that still make me a deployer?
06:13
Julia Apostle
Yes, in some circumstances. So this is one of the, like, little tricky bits under the AI Act. And it's Article 2 talking about scope, right? This, who does the act apply to generally? And it, and this is when we're talking about like, who in the world. And so obviously it applies to providers that are, you know, building their systems in the EU and placing their systems on the market in the EU.
06:39
Adam Stofsky
That's the easy, that's like the easy definition.
06:42
Julia Apostle
Yeah. Then you have deployers that are in the EU. You know, like you are using it in the EU, but what if you're using it outside the EU, right? Like, what if you are in New York State and you're like you said, doing X, Y or Z generating inputs and they're all for your own use. The act at Article 2 also provides that if the outputs are used in the EU, then the act will apply. And therefore it's like, well, if I'm a deployer and my outputs are being, you know, and I'm using outputs in the EU somehow like, you know, devise, come up with your scenario, right? You're, you're using. Again, let's go with a hiring AI.
07:25
Adam Stofsky
Yeah, any SaaS product, right. If someone uses it in the EU.
07:29
Julia Apostle
Well, or, yeah, but you're like, okay, I generated this interesting list of candidates for a freelancer that I want to hire in the EU. And so therefore I'm like using, I've got this shortlist and based on that shortlist that was created for me, I'm going to go hire in the EU. So that could maybe, you know, I'd have to think through it, but that could potentially be caught by that, using outputs in the EU. Therefore, as a deployer, what are my obligations?
08:00
Adam Stofsky
Right. Okay, so I guess my last question is on this idea of moving, becoming a provider if you're just a deployer. So if you, let's say you're, you use that HR system, but just a user, right? So I license this SaaS product from this provider and I'm using it to screen resumes. If I then make like heavy modifications to it or certainly if I start marketing it myself, obviously. But if I just, if I kind of sort of customize it and modify it, could that put me over the line into being a provider?
08:41
Julia Apostle
Yeah, it could potentially, if. And especially like if you customize and modify and turn it into a high risk AI system.
08:49
Adam Stofsky
Right, right. Even if I'm just using it for myself, I'm not selling it as a product.
08:54
Julia Apostle
Again, if it's. Yeah. So there's this. It depends where you're based. And there's. There's this, you know, going to Article 2 because, you know, this is interesting how the definitions of, you know, who is covered interacts with the scope. Right. So if you're a provider and you're putting a system into service for your own use, that is covered.
09:21
Adam Stofsky
Right, right.
09:23
Julia Apostle
But it has to be a covered AI system. It has to be like a high risk AI system to have any meaningful obligations or subject to transparency obligations, because it's generating content. Right. So not every AI system that you use is going to have implications, even as a provider.
09:45
Adam Stofsky
Right. Okay. Lots of interesting gray areas here. But the bottom line is the two most important definitions in this area of the relationship between a company and its AI tools, or whether they're a provider of the AI tool or system or a deployer. And pretty important to understand where you fall.
10:08
Julia Apostle
Yeah, absolutely. It's like a funnel. Right. So you're like, is it an AI system? Who am I in relation to this AI system?
10:16
Adam Stofsky
Great. All right, Julia, thanks so much.
10:18
Julia Apostle
Okay, thanks, Adam.


