In recent years, an increasing number of companies have started to employ artificial intelligence (“AI”) technologies in the development of their products and in their day-to-day business. This shift to utilizing AI can be very advantageous given its far-reaching potential impact; however, with fast-paced growth comes complex questions, novel issues and increased uncertainty. Accordingly, in a merger or acquisition of an AI company or a company with an AI system (“AI Transaction”), acquirers will want to conduct rigorous due diligence to evaluate the unique risks associated with an AI system prior to proceeding with the deal.
A few key areas to consider while conducting due diligence for an AI Transaction include data, cybersecurity, privacy, and intellectual property rights.
The risks associated with the input data used to train the AI system are a key consideration when conducting due diligence on AI. These risks often vary based on the nature and sensitivity of the data, and raise the following issues, among others. To assist with understanding the AI and gain comfort on the aforementioned risks, a few considerations are as follows:
- Accessibility: Acquirers should confirm that the target obtained their data legally to ensure there will be no issues using the data after acquisition. Problematic data may jeopardize the AI model’s ability to generate predictive solutions, and prevent the AI system from operating as intended.
- Bias: Input data may contain racial, gender, disability and other biases, which could result in an AI system that is susceptible to errors (which, in some instances, could raise ethical concerns). To reduce the risk of acquiring problematic data, buyers should ensure that the target has systems in place to identify and eliminate biases in the AI system, and that the target prioritizes data ethics.
Cybersecurity and Privacy
Another key consideration for AI due diligence is to ensure that the target has taken appropriate measures to comply with ever-evolving data privacy laws and prioritize cybersecurity. Accordingly, these aspects should be explored during the due diligence process:
- Data Privacy: Acquirers will want to ensure that the target is complying with all applicable legislation in collecting, using, storing, disclosing, and protecting personal information. In Canada, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) (and other substantially similar provincial statutes) set out requirements for how private organizations should handle personal information. During the due diligence stage, it is important for acquirers to verify that the target’s data practices comply with PIPEDA and/or other applicable privacy laws to avoid any privacy compliance issues and potential penalties after acquisition. The global trend is certainly moving towards empowering regulators to strengthen requirements for AI systems, and therefore, we expect this particular issue to become of even greater concern. It is also important to note that legislation governing data privacy may soon change. The federal government recently introduced Bill C-27 (the “Bill”): the Digital Charter Implementation Act, 2022. If passed, the Bill would introduce legislation that largely replaces PIPEDA and will provide a framework and rules to regulate AI systems. See our recent article discussing the potential consequences of the Bill on AI activities.
- Cybersecurity: Acquirers should consider the vulnerability of the data to cyber-attacks and whether the target has any controls or processes in place to reinforce cyber preparedness and resilience. In some cases, it may be advisable that buyers seek assistance from cybersecurity experts who can identify any cyber-related weaknesses that must be addressed. In addition, acquirers should be mindful of how security issues could impact the integrity of input data.
Intellectual Property Rights
Lastly, throughout the due diligence process in an AI transaction, acquirers should also identify the various intellectual property (“IP”) rights that may exist in the AI system and may wish to consider the following:
- Identifying Rights and Registrations: Acquirers should request a list of all of the IP that is material to the target’s business (including the AI system) as there may be copyrights and/or trade secrets protecting different components of the AI system which may or may not be registered in each applicable jurisdiction.
- IP ownership: Acquirers should ensure that the target has taken the necessary steps to preserve ownership of IP rights in the AI system. For example, if an AI system is protected through trade secrets, it is important that acquirers confirm that the target has taken precautions to ensure these trade secrets remain confidential (e.g. through non-disclosure agreements).
As AI technologies continue to evolve, it is anticipated that the number of M&A transactions in this space will continue to grow. To mitigate risk, it is critical that acquirers carefully consider the unique issues associated with acquiring or investing in an AI company and stay current on due diligence practices in this area. Norton Rose Fulbright is well-positioned to support acquirers in navigating these unique issues that arise in AI Transactions.
The author would like to thank Sandeep Patel and Carissa DeMarinis for their significant contribution to this article.