In the Old Testament, Moses was handed the Ten Commandments on Mount Sinai. Now, we are all at the foothills of Mount AI, and it’s Isaac Asimov’s laws of robotics that seem pertinent. However, a key principle of both still feels relevant to GAI: first, do no harm.
With this in mind, we have constructed ten rules for using GAI, recognising that this is an environment that can and will quickly change. While these rules may seem very restrictive, they are prepared on the understanding that most of the GAI tools that are currently exploding in popularity are owned and operated by independent developers and made available to the world at large. These rules may well apply differently if your organisation develops its own GAI based solutions in-house.
1. Before you begin: don't use GAI until you have read and understood these rules
You wouldn’t take a new medicine without understanding what it is, why you need it, and what its side effects might be. You should adopt the same approach with GAI. In its current form it is akin to a powerful, untested drug which has flooded, almost overnight, into a largely unregulated market.
While it’s true that we all use technology which we may not fully understand, few of these tools will compare, in terms of scale and potential harm, to the impact of GAI.
2. Don’t share anything with GAI that you wouldn’t be happy to disclose to the world at large
It is possible that the information you input into GAI tools will reappear, in whole or in part, in the results generated by others. Moreover, you will be disclosing it to the tech company which owns the GAI program. This can undermine your rights in that information and expose you to liability to others for doing so. Particular “red flag” information that should generally not be shared with GAI includes:
- Trade secrets
- Confidential information
- Information that you are obliged, contractually or otherwise, not to disclose to third parties
- Research that could later be subject to patent protection
- Sensitive market information
- Computer source code
- Legally privileged material
- Personal data relating to others (including private information)
If a setting exists to prevent the GAI from retaining the information you provide, or from using that information to train the model, you should use that setting to opt-out of that input data being retained (but never assume this will always happen in practice and apply these rules in any event).
3. Expressly prohibit third parties from sharing such material (from rule two) with GAI
Even if you comply perfectly with rule two above, it will become pointless if third parties you provide that information to (including colleagues and contractors) then share it with GAI.
4. Be sceptical about what GAI provides to you
GAI is known to “hallucinate” ie make things up, so check the output, adopting proportionately greater care the more significant it is to you, your business, or to others who may be affected. For those of us old enough to remember Wikipedia’s early days, treat it with the same degree of scepticism you gave Wikipedia results 20 years ago!
5. Don’t rely on GAI to make important decisions about your organisation, your business, or individuals
You may be building your organisation or business on shaky foundations or you may risk acting unfairly towards individuals, which can place you in breach of discrimination or data protection laws. For the time being, at least, human oversight of GAI is crucial and human review of all GAI-made decisions is highly recommended, if possible. As per rule four, however, a proportionate approach is required, depending on the nature and importance of the decision.
6. Be aware that what GAI provides to you might expose you or your organisation to liability if you use it or retain it
Many GAI programs appear to assign rights in the AI-generated output material to the user, or at least disclaim the GAI developer’s rights in those "outputs". However, beware the gift horse: you are potentially acquiring risk when you acquire ‘free’ GAI outputs.
Particular concerns may include:
- Infringement of privacy and / or data protection rights
- Infringement of intellectual property rights
- Misuse of trade secrets or confidential information of others
- Breaches of equality laws
- Bias and unfairness, eg in breach of consumer protection law
- Insider trading information
7. If you are asking legal questions of GAI, what you receive will not be legally privileged (or insured)
GAI outputs could be used as a substitute for legal advice, but they are not subject to the same protections from further disclosure as correspondence between legal adviser and client would be. In addition, there is no GAI equivalent to professional indemnity insurance which all lawyers must have in place.
8. If you share GAI output with colleagues or third parties or if you keep a record of it, be very clear that it has been derived from GAI
Make sure that any recipients of AI-generated output material are fully aware where the information comes from and can also follow these rules when considering using it. That way, anyone in your organisation who comes across this information on your systems also understands where it is derived from and can act appropriately.
9. If you do use GAI, make sure you can remove its outputs if you have to
Make sure you have the ability to “clean the room” of AI outputs if they later become unlawful or commercially unsafe (see Rule 10). Making AI outputs traceable if they are used by you or your organisation will make this task easier to manage if it is needed.
10. Monitor the development of GAI laws and regulations carefully
Laws and regulations on GAI are likely to change in the coming months and years, so put in place effective means to monitor these developments and be able to adapt your practices appropriately.
Following on from rule nine above, be very cautious about materially altering your business model based on GAI. The regulatory framework may pull the rug from under you in the near to medium term and there could be no way back to a lawful business model (or at least no quick fix).
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2023