DORDA Rechtsanwälte GmbH

Challenges when using ChatGPT, DeepSeek & Co How to achieve a balance between compliance and concentrated technology offerings in the global supply chain. The AI arms race is in full swing and is reaching new geopolitical dimensions. While the USA and China have been fighting for their leading position in the technology sector for years, the EU has now also announced its entry into the AI sector at the AI Action Summit in Paris following the DeepSeek shock. It wants to mobilise a total of EUR 200 billion in AI investments. However, until there is a comparable selection of AI models ‘made in Europe’, many companies will continue to be confronted with the compliance challenges of AI components from third countries. The AI Regulation is repeatedly criticised as a new regulation. In fact, the use of language models such as DeepSeek, ChatGPT or Gemini is primarily restricted by data protection and copyright issues. AI purpose determines compliance obligations The GDPR lays down strict rules for the processing of personal data. In addition to the AI Regulation, these also expressly apply to AI systems and models. Therefore, the first step is always to check whether a personal reference is established when integrating language models into your own systems. On the one hand, this depends on the probability of the model to output personal data as results. On the other hand, the intention of the user is decisive. For example, personal data is processed when an intelligent duty rota is used. If, on the other hand, an employee formulates AI-supported advertising brochures, the probability of traceability to a natural person is low and data protection issues are manageable. The purpose for which AI is used therefore determines which obligations must be observed. This also applies, for example, to the risk classification of AI systems in accordance with the AI Regulation. Data flows in the supply chain Once the data flows have been clarified, the next step is to define the role of the controller and processor under data protection law. The provider is the one who has produced the language model and brought it to market; the company then uses it for its own business purposes. The provider therefore carries out the computing processes on behalf of the operating company and becomes the processor, while the company acts as the controller under data protection law. However, there is an exception for processes that are clearly carried out in the operator`s own interest. This is the case, for example, with ongoing optimisation of the entire language model through data training for a new release (e.g. improvement of the OpenAI GPT 3.5 version to 4.0). In this case, the provider is responsible. The party responsible for the individual processing steps must subsequently also justify the data flow and obtain any necessary consent, for example. AI training often a knock-out criterion Providers generally have an interest in continuously optimising their AI models and also accessing user input for training purposes. When using the tools, however, the transfer of data to the provider for this new training purpose must be justified separately. This can also increase the risk of the training data being fed into the AI corpus and causing data breaches. It also favours the outflow of know-how and the loss of trade and business secrets. To rule out these risks, some providers now also offer the exclusion of data training when enterprise solutions are purchased for a fee. Companies should therefore take a close look at the different licence models. Free open source access should be critically scrutinised. Data transfer to third countries Furthermore, due to their global integration, AI tools always raise the question of the (in)permissibility of data transfers to third countries, such as the USA or China. Any transfer outside the EEA must ensure that the EU level of data protection is complied with in the recipient country. This is the case, for example, if there is an adequacy decision with the specific recipient country. Alternatively, standard contractual clauses with additional, suitable guarantees for data protection must be concluded with the data recipient. Companies based in the USA have advantages among the major AI players: With the ‘EU-U.S. Data Privacy Framework’, there is an adequacy decision for certified U.S. companies as a basis for transatlantic data transfer. Anyone can determine whether a specific company has complied with the regulations by consulting the public register (Data Privacy Framework List). However, there is no comparable adequacy decision with China. The implementation of DeepSeek therefore requires the conclusion of standard contractual clauses together with suitable additional guarantees. Copyright - The elephant in the room Furthermore, every language model raises the question of whether it has been improperly trained with copyrighted materials. If this is the case, there is a risk for companies that the AI-generated output represents a straightforward takeover or adaptation of another person's work, infringes third-party rights and may not be used by their employees without the author's consent. It is therefore necessary to examine the extent to which providers and operators of AI systems can rely on the free use of text and data mining. This copyright challenge is being hotly debated not only in the EU, but worldwide. Liability clauses and clear licence provisions for dealing with AI output are suitable for risk management. Keywords: AI regulation Data protection copyright Import Authors Axel Andler is Managing Partner and Head of the IP/IT/Data Protection Practice Group and the Digital Industries Group at DORDA. He specialises in IT contracts, in particular outsourcing and cloud sourcing, e-commerce, data protection and new technologies. He is a leading IT/IP expert in various lawyer rankings (Legal 500, Chambers, Lexology etc). He is also the author of specialist publications, including the books ‘#Blockchain2’ and ‘#Cybersecurity’ published by LexisNexis and ‘IP in der Praxis’ published by Manz, and teaches at the Universities of Vienna, WU Vienna and Krems. Axel Anderl, Managing Partner Tel +43-1-533 47 95-23 [email protected] Alexandra Ciarnau is a lawyer in the IP/IT and data protection team, specialising in artificial intelligence and blockchain. She is also Co-Head of the interdisciplinary DORDA Digital Industries Group. Alexandra is an author and speaker at specialist seminars. Alexandra Ciarnau, Principal Associate Tel +43-1-533 47 95-23 [email protected]  

London, UK and Graz, Austria, 3rd March 2025 – Together with Roschier (Sweden) as main counsel, DORDA advised European growth investor Sprints on its partnership with Styria Media Group. As part of the partnership, the joint venture between Sprints and Styria acquires all of Adevinta's shares in willhaben, Austria's digital consumer marketplace. This collaboration combines Sprints' extensive expertise as an investor in customer-focused technology businesses in Europe with Styria's prominent position as a leading media and digital company in Austria. The transaction is subject to approval by the relevant regulatory authorities. Completion of the transaction is expected in the second quarter of 2025. Financial terms of the transaction are not disclosed. The team of DORDA’s Digital Industries Group in this transaction was led by M&A partners Christian Ritschka and Martin Brodey, mainly supported by Ulrich Weinstich (Principal Associate) and Max Lesjak (Associate). Heinrich Kühnert (Partner) and Mirko Marjanovic (Principal Associate) took lead responsibility for antitrust aspects. Further DORDA team members are partners Magdalena Brandstetter (Real Estate) and Christoph Brogyanyi (Corporate), principal associates Julia Landskron (Corporate), Magdalena Nitsche (Insurance), Katrin Repic (Regulatory), Florina Thenmayer (Employment) and Ida Woltran (IP/IT), as well as associates Thomas Krappinger (IP/IT), Corina Kruesz (IP/IT), Anna Martseva (Insurance), Julia Moser (M&A), Maxie Müllbacher (Real Estate), Sophia Pux (Antitrust), Nicole Scharl (Corporate), Julia Strass (Employment) and Antonia Stubbe (Finance). The Roschier team was led by Björn Winström and Mattias Jönsson. The partnership between Sprints and Styria creates a powerful collaboration. Sprints brings decades of experience as an investor in online marketplaces. Styria, as a major player in the Austrian media and digital sector, provides deep local market knowledge and a strong network. Together, the two are ideally positioned to drive willhaben's continued growth and innovation. “Sprints partners with technology companies that place long-term customer happiness at the heart of everything they do. willhaben epitomises this philosophy. It has one of the most recognised and beloved brands in Austria, and we’re excited to join forces with them and Styria to support the next phase of the company’s growth.” said Henrik Persson, Managing Partner at Sprints. About willhaben willhaben - meaning “want to have” - is a leading provider in the Austrian digital marketplace landscape, with more than 3.8 million users per month. It is one of the go-to platforms of buyers and sellers in Austria, with more than 13 million listings across real estate, jobs, cars and motors and the free marketplace for private users. About Sprints Sprints invests in select European growth companies that use technology to significantly enhance their customers’ lives. The team of Sprints comprises investors and operators with deep, long-standing expertise across the marketplace, fintech and software sectors. Founded in 2015, its portfolio includes category-defining companies like Revolut (the leading global neobank), Hemnet (Sweden’s top property portal) and Chrono24 (a leading second hand luxury watch marketplace) About Styria Styria Media Group AG was founded in 1869 and is a leading Austrian media group as a house of media and marketplaces; its core markets in both business segments also include Croatia and Slovenia. [About DORDA; Contact]