Navigating the AI Act in Tech M&A
The use of artificial intelligence (AI) in various sectors is transforming the landscape of mergers and acquisitions (M&A), requiring companies and their M&A advisors to keep up with the rapidly changing technological and regulatory environment. On 21 April 2021, the European Commission proposed the 'Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence' (AI Act), which aims to establish a regulatory framework, inter alia for the providers (including product manufacturers), users, distributors and importers of AI systems. The AI Act is expected to be formally adopted in the first half of 2024.In our last contribution, we discussed the concept of 'Tech M&A'. In this article, we will take a look at how the AI Act will affect Tech M&A. AI Act The AI Act introduces a new legal framework that classifies AI systems according to the level of risk they pose in respect of the rights and freedom of individuals. Four levels of risks are distinguished:Unacceptable risk: AI systems which are classified in the first category are prohibited by the AI Act.High risk: With respect to high-risk AI systems, the AI Act imposes requirements and obligations regarding, inter alia, (i) technical documentation; (ii) risk management systems; (iii) conformity assessment procedures; (iv) log keeping; and (v) quality management systems.Limited risk: Title IV of the AI Act concerns certain AI systems to take account of the specific risks of manipulation they pose. The transparency obligations set out therein apply for systems that (i) interact with humans, (ii) are used to detect emotions or determine association with (social) categories based on biometric data, or (iii) generate or manipulate content ('deep fakes').Low or minimal risk: Lasty, the AI Act creates a framework for the creation of codes of conduct, which aim to encourage providers of non-high-risk AI systems to voluntarily apply and implement the mandatory requirements for high-risk AI systems.The task of monitoring and enforcing the provisions of the AI Act is assigned to a national supervisory authority in each Member State. In the Netherlands, the competent authority is the Personal Data Authority (Autoriteit Persoonsgegevens). Failure to comply with the obligations and requirements laid down in the AI Act may result in a penalty. Further rules on penalties shall be determined by each European member state individually, taking into account the maximum penalties provided for specific infringements of the AI Act. For example, infringements of Article 5 (regarding prohibited AI practices) shall be subject to administrative fines of up to EUR 30,000,000 or up to 6 % of its total worldwide annual turnover for the preceding financial year. Due diligence As the AI Act will come into force in the near future, assessing the risk level(s) of the relevant AI system(s) and their compliance with the AI Act is already – and will increasingly become – an important part of the due diligence in Tech M&A transactions. In addition, depending on the role of the target company (e.g. as a provider or user of AI), it will be crucial in such due diligence investigations to assess information on the ownership of AI-generated intellectual property rights, compliance with data protection regulations and liability for AI decision-making. Transaction documentation The AI-related risks identified in the due diligence phase should be addressed in the share purchase agreement through appropriate warranties and indemnities, signing or closing conditions. These due diligence findings may also affect the valuation, negotiation and structuring of the M&A transaction.Representations and warranties: the seller should provide more specific and comprehensive representations and warranties regarding compliance with the AI Act.Signing or closing conditions: the parties may need to include more tailored conditions relating to the target company's AI systems, such as obtaining or maintaining any necessary authorizations, registrations, certifications or notifications under the AI Act in order to comply with any ongoing or reporting requirements.Furthermore – in the event of W&I-insured transactions – the parties and their insurers should adapt the scope of their due diligence, disclosure, negotiations and underwriting processes to account for AI risks and to ensure that the W&I insurance provides adequate coverage for these risks. The introduction of the AI Act and the expected development of associated national legislation may result in uncertainty regarding the (legal) risks involved. Therefore, we expect W&I insurances will be in demand by parties in Tech M&A transactions Conclusion In the dynamic landscape of Tech M&A, the development and application of AI and the introduction of the proposed AI Act are transforming M&A processes. AI-related transactions require a tailored approach at each stage of the transaction, focusing on identifying specific AI risks and incorporating such risks into the transaction documentation. The AI Act, once enacted, will impose various requirements, obligations and other aspects to be considered by all stakeholders to an M&A process. Time will tell how the Tech M&A market will respond to the development of further legislation to regulate AI systems. We consider the adoption of the AI Act a confirmation of the significant potential of AI companies and foresee a bright future for Tech M&A.