The main sources of law in Ireland are the 1937 Constitution of Ireland (the Constitution), EU law (including the Charter of Fundamental Rights), domestic legislation and decisions of the Irish courts. Ireland has signed the European Convention of Human Rights (ECHR) and ratified several international conventions, including the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights. 

Although currently untested, existing constitutional protections can be expected to apply to issues connected with the use of AI. Indeed, as with other emerging technologies, constitutionally protected rights such as privacy and other fundamental rights will impact on AI.  

Right to Privacy

Although the Constitution does not explicitly specify a right to privacy, there exists an unenumerated right to privacy pursuant to Article 40.3.1 of the Constitution. In McGee v. Attorney General [1974] IR 284, the court recognised a right to privacy as being inherent to every person due to their human personality. Kennedy & Ors v. Ireland [1984] 1 IR 587 confirmed that the right to damages for breaches of the right to privacy may not be limited to claims against the State alone, allowing for claims against others. 

The right to privacy is not absolute. Irish case law has established that the right is subject to the constitutional rights of others, to the requirements of public order, public morality and the common good (for example Ryan v. The Attorney General [1965] 1 IR 294 and Norris v. The Attorney General [1984] 1 IR 36). 

Freedom of Expression, Assembly, and Association

The rights to freedom of expression, assembly, and association are protected by Article 40.6.1 of the Constitution. People have the right to express their convictions and opinions, to assemble peaceably and without arms, and to form associations and unions. These freedoms are subject to limitation on the basis of public order and public morality. 

The Irish courts, in The Irish Times v. Ireland [1998]1 IR 359, held that this extends to the dissemination of information, as well as the expression of convictions and opinions, and is primarily concerned with public activities. The courts have been reluctant to limit freedom of expression in Ireland (Ryan v. The Attorney General and Norris v. The Attorney General are examples of this).

Article 40.1 contains explicit constitutional protection that all citizens, as human persons, are equal before the law, including a ban on discriminatory behaviour. 

These rights should be considered in the use of AI which could (inadvertently) have the effect of creating forms of bias and discrimination. 

The European Convention on Human Rights Act 2003 gave full effect in Irish law to the European Convention on Human Rights (ECHR), including Article 8 (right to respect for private and family life); Article 9 (freedom of thought, conscience and religion); Article 10 (freedom of expression); Article 11 (freedom of assembly and association); and Article 14 (prohibition of discrimination).

The Charter of Fundamental Rights of the European Union is applied in Ireland. It is relevant when the Oireachtas (Irish parliament) is implementing or effecting EU law. While not explicitly referred to in the Irish Constitution, Article 29 does reference the primacy of EU law.

Ireland’s robust Intellectual Property (IP) regime, like all other EU Member States, is facing novel issues spawned by AI in the areas of patents, copyright, and trade secrets. 

Patents in Irish law are governed by the Patents Act 1992 as amended (the Patents Act). Under Section 9(1), a patent shall be patentable if “it is susceptible of industrial application, is new and involves an inventive step”. However, computer programs are not considered to be an invention under Section 9(2), meaning much of the scope for patentability relating to AI is untested under Irish law. 

There is no decision that a machine can be classified as an inventor for the purposes of the Irish Patents Act. ‘Inventor’ is defined as “the actual deviser of an invention”, which appears to leave the question open, however Section 80, relating to co-ownership of patents, refers to co-owners as “two or more persons” [emphasis added]. This aligns with the decisions of the European Patent Office (EPO) in J8/20 and J9/20, in which the Legal Appeal Board of the EPO confirmed the EU position under the European Patent Convention (EPC) that an inventor must be a person with legal capacity. 

Ireland’s copyright regime is contained in the Copyright and Related Rights Act 2000 (CRRA), which protects copyright in a “computer program” where “a program which is original in that it is the author’s own intellectual creation and includes any design materials used for the preparation of the program”.

Under Section 2 of the CRRA, a “computer-generated” work is a work that is generated by computer in circumstances where the author of the work is not an individual. The author of this type of work is the person by whom the arrangements necessary for the creation of the work are undertaken. Section 21(f) states: “In this Act, “author” means the person who creates a work and includes:… (f) in the case of a work which is computer-generated, the person by whom the arrangements necessary for the creation of the work are undertaken”.

The legislation appears to derive from the idea of a legal entity model, i.e., one that implies the existence of natural persons behind a legal entity instructing it; although it could have been trying to capture the concept of a machine authoring a work as opposed to a human. As AI becomes more advanced, issues may arise where robots, acting autonomously, are not acting on the instructions of humans. This could make section 21(f) difficult to reconcile with the concept of machine learning. An absence of case law means that the legislation has yet to be tested. It is notable that this Irish provision is seen as lying outside the EU's copyright acquis, which requires human authorship for copyright to vest in a work.

Text and data mining

Text and data mining (TDM) is an AI technology which is an automated process by which large amounts of data are selected and analysed for purposes such as extraction, pattern recognition, semantic analysis, etc. Article 4 of Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market (CDSM Directive), which was transposed into Irish law by Regulation 4 of S.I. No. 567/2021 - European Union (Copyright and Related Rights in the Digital Single Market) Regulations 2021 (Irish CDSMD Regulations); provides for an exception to the reproduction copyright in works for the purposes of TDM, even if for commercial purposes, if the rights in such works have not been expressly reserved "in an appropriate manner" with regard to TDM. This "appropriate manner" includes, for online works, metadata and terms and conditions for a website or a service, and if not available online, it must be communicated to everyone who has lawful access to the work. 

Due to the difficulties in patenting abstract ideas, acquiring meaningful patents on artificial intelligence systems is not straightforward. Some companies are using trade secret protection to protect their AI-related intellectual property. Trade secrets are governed by common law and the European Union (Protection of Trade Secrets) Regulations 2018, whose provisions mirror the definition of ‘trade secret’ contained in the equivalent EU Directive (2016/943). Under Irish law, in order for an algorithm to be classified as a trade secret, there are three essential criteria: 

• it must be actually secret;
• it must have actual or potential commercial value; and 
• there must be reasonable efforts made to keep it a secret. 

Ireland's domestic law features a piece of legislation that is core to the use and application of AI, that being the Data Protection Act 2018 (the DPA 2018). In addition, the European Communities (Electronic Communications Network and Services) (Privacy and Electronic Communications) Regulations 2011 provides for data privacy in electronic communications. The DPA 2018 implemented certain operational and discretionary national matters as required by the General Data Protection Regulation (the GDPR). 

Several provisions of the GDPR are applicable to the governance of AI in Ireland. Article 35 requires those processing personal data “using new technologies” to carry out an assessment of the impact of the processing where that processing is “likely to result in a high risk to the rights and freedoms of natural persons”. Those developing AI to process personal data are likely to need to conduct data protection impact assessments.

While the CDSM Directive and the Irish CDSMD Regulations allow for exceptions for reproduction for the purposes of TDM, the legislation specifically disallows the processing of personal data unless it complies with the GDPR.

There is a prohibition on individuals being subject to a decision based solely on automated processing (Article 22), which is relevant to ‘profiling’. Similarly, the overarching principle of transparency (Article 5), obliges controllers to be clear about the processing of personal data undertaken. Also, controllers must build privacy by default into new technologies (Article 25). 

Irish Context

The GDPR allows for derogations to be made by EU Member States. Irish law may restrict the scope of data subjects’ rights and controllers’ related obligations in Articles 12 to 22, 34, and 5 (as it relates to the rights and obligations in Articles 12 to 22) of GDPR in certain circumstances. The DPA 2018 provides that this can be done when processing personal data for archiving in the public interest, scientific or historical research, or statistical purposes (Section 61) or where processing for purely journalistic purposes or academic, artistic, or literary expression (Section 43). 

Further, Article 8 of the GDPR provides that countries must set a minimum age at which online service providers can rely on a child’s own consent to process their personal data. The DPA 2018 sets the age of this digital consent at 16. This means that companies deploying AI algorithms may need to obtain the consent of a child’s parent or guardian in order to rely on consent as the legal basis for processing a child’s personal data where that child is under the age of 16. 

The Irish Government has implemented the European Union (Open Data and Re-use of Public Sector Information) Regulations 2021, to give effect to the EU Open Data Directive 2019/1024. The regulations are aimed at allowing machine learning, AI, and the Internet of Things (IoT) to become more accessible, to address emerging barriers to publicly funded information, and to stimulate digital innovation, especially with regard to AI. 

Placed on a legislative footing, the data sharing regime imposes an obligation to make high value datasets available for re-use free of charge in machine-readable formats and via APIs and, where relevant, as a bulk download. High-value datasets offer significant benefits for society, the environment and the economy, as they are suitable for developing applications and value-added services. 

The GDPR lists biometric data as a form of special category of personal data, which is used for the purposes of uniquely identifying an individual. Like all forms of special category personal data, the GDPR is more restrictive about the processing of biometric data. The DPA 2018 does not provide additional restrictions on the processing of biometric data, including voice data and facial recognition data, beyond that of the GDPR. 

The Irish Data Protection Commission (the DPC) has expressed concern over the certain proposed uses of facial recognition systems, for example, in September 2021 in relation to the Garda Síochána (Digital Recording) Bill 2021. The bill provided for ‘smart’ body-cameras to be worn by members of the Garda Síochána (Irish police), which can facilitate automatic facial recognition and automatic profiling and tracking of individuals. The DPC noted that there was no legislative basis within the DPA 2018 for this type of processing of special category data. 

Discrimination in AI can stem from biased training data, skewed algorithms, lack of diversity in data, and the unconscious biases of those implementing and deploying the AI itself. Ireland's anti-discrimination regime is well established and implements the Equal Treatment Directive 76/207. The Equal Status Acts 2000-2018 prohibit discrimination in the provision of goods and services, accommodation and education. This will be used to protect individuals from discrimination in certain instances such as where AI is utilised in the selection of tenants in residential properties, or in the case of applicants for schools and colleges. 

In the employment sphere, the Employment Equality Act 1998 was enacted to affirm the European principles of non-discrimination. In Ireland this applies to discrimination on the grounds of gender, marital status, family status, sexual orientation, religion, age, disability, race and membership of the traveller community. These nine equality grounds, by law, must be respected in the recruitment process of employees. It is likely that this protection would extend to instances whereby the initial stages in a recruitment process have little human interaction and/or are dependent on AI.

Further, Ireland's Gender Pay Gap Information Act 2021 requires employers to publish details on pay differences between male and female employees. This may impact organisations' utilisation of AI to accurately track pay in companies and report real data to identify problems in companies and remove latent bias.

Data as a raw material for deploying AI, and the control of its supply as a raw material, could potentially generate a market-distorting advantage if left unregulated.   

Indications of the adaption of Ireland’s regulatory regime to potential market abuses are beginning to become visible. The Competition and Consumer Protection Commission, in a consultation response on Ireland’s AI Strategy published in 2019, stated that, in the case of personalised pricing algorithms, there should be specific information requirements which mirrors the European Commission’s New Deal for Consumers, to inform the consumer “that the price of the goods, digital content, digital service or service was personalised on the basis of automated decision-making”. This is reflected in Schedule 2 of the Consumer Rights Bill 2022. 

The Competition Act 2002 (as amended) prohibits anti-competitive behaviour by undertakings in Irish law. Section 4 of the Competition Act 2002 is based, by analogy on Article 101 of the Treaty on the Functioning of the European Union (the TFEU) and is concerned where undertakings come together bilaterally to create anti-competitive agreements, conduct concerted practices or take anti-competitive decisions. The second applicable section is section 5, which is where an undertaking, acting unilaterally, abuses its dominant position in trade for any goods or services. Section 5 is based on Article 102 of the Treaty of the Functioning of the European Union. Whether the Irish law or the TFEU is invoked is dependent on the territorial impact of the arrangements. 

It is possible that the issue of ‘algorithmic pricing’ i.e., the automated re-calibration of prices based on internal and external factors such as market data or competitors’ prices, may constitute potential anti-competitive behaviour or concerted practices. As it currently stands, if AI is used to conceal or comprise anti-competitive agreements this will fall foul of national legislation in the normal way (i.e., an infringement of section 4). 

AI has recently been identified by the Government of Ireland as an area in which Ireland intends to be an international leader. The path to such a position will be influenced by EU laws, such as the EU AI Regulation.

The Irish Government has moved to implement its National AI Strategy, which was unveiled in July 2021. It sets out strategic actions on eight strands for the implementation of AI. The National AI Strategy has led to the creation of new positions, such as an ‘AI Ambassador’, who will champion AI as a “positive for change”; an Enterprise Digital Advisory Board will be established to assist with industry adoption of AI; a GovTech Delivery Board will work to assist with public sector adoption of AI; and an AI Innovation Hub will assist in promoting Ireland as a leading AI development location.

1. Is AI a “product” and, based on this assessment, does the European Product Liability Directive apply to my business?

The Product Liability Directive 85/374/EEC was transposed into Irish law by the Liability for Defective Products Act 1991 (the Act). This Directive is a key component of both European and national frameworks governing product liability. Under the Act, the definition of a ‘product’ includes all movables including movables incorporated into another product or into an immovable. It is generally accepted that products incorporating AI are captured under this definition of a “product” and are therefore covered by the legislation. The type of damage that is captured under the Act is quite specific and comprises of “death or personal injury” or damage to any item of property, other than the defective product itself, provided that the property is a type intended to be used for private consumption or was used by the injured person for private use or consumption. However, given the passage of time since the drafting of the legislation, while the Act can be applied to products incorporating AI, it is not fit for purpose to adequately deal with the intricacies of such products due to advancements in digital technologies and how AI effects the operation of products. 

While the current framework does apply to products that incorporate AI, future (updated) legislation will aim to specifically address the issue of damage caused by AI systems. 

2. Is there anything from an ethical perspective that we should be aware of in our use of AI? 

It remains to be seen whether Ireland’s legal and regulatory approach to AI will mirror the ethical proposals set out in the EU Commission’s AI Strategy, which, by placing people at the core of AI, enunciates that Europe can “safeguard the respect for our core societal values” and become “a leader in cutting-edge AI that can be trusted throughout the world”. In Ireland, an ethical structure is needed not just from a commercial perspective, but also as a cornerstone of positive public engagement by which consumers can trust AI systems. More than half (54%) of Ireland’s public sector bodies have implemented AI solutions in their organisations, while more than 30% view AI as highly important for qualifying decisions and assuring quality. Subsequently, questions have been raised about the ethical implications of deploying and/or using new technologies. William Fry’s recent Trends in Technology Report explored this issue. When C-suite industry leaders from over 300 firms were asked if they shared concerns when it came to ethical issues that arise in relation to the deployment of AI, 78% agreed that they did, while 83% believed that regulation would help businesses adjust to AI’s future impact. The EU AI Regulation’s categorised system of unacceptable-risk AI systems, high-risk AI systems and minimal-risk AI systems, may give standing to the ethical considerations raised in the current debate in Ireland. An ex-ante impact assessment carried out by the European Commission in relation to the proposed AI Act found that up to 35% of AI systems in place in Europe could fall under the remit of the AI Act. 

3. In the context of commercial contracts, how should legal liability relating to AI be allocated between parties?

Legal liability is frequently identified as a sticking point between customers and AI vendors and this needs to be looked at in its many guises in a contract. Many AI vendors are start-up companies which may not have sufficient capital to adhere to indemnity and liability clauses. While dependant on the circumstances, legal advice should be taken before entering into an agreement with an AI vendor. The customers should seek certain indemnities and warranties from the vendor, especially relating to intellectual property and data protection laws. 

AI vendors commonly represent that they own the software involved, or at least that they have the licence to use it, and this should be contained as a warranty within the agreement. Furthermore customers should seek a warranty that the use of the software does not infringe the intellectual property rights of any third parties. However, where the end product created by the AI system infringes the intellectual property of a third party, this is unlikely to be covered by warranties. If the customer is the owner of this end product, should liability rest on the customer, or is it the fault of the AI system itself? Apportioning this liability cannot be addressed easily and requires extensive consideration and negotiation. 

The most significant issue in relation to AI regarding warranties and liability, is the black box nature of AI systems, whereby the weightings etc. used in convolutional neural networks utilised in machine learning are dynamic and subject to constant change and flux. It may be difficult to settle upon warranties and liabilities when both parties accept that there may be a lack of explainability in the use of AI systems. 

A way in which AI liability will be dealt with is in the technical documents and instructions accompanying AI systems, and disputes will likely centre around whether users of AI strayed outside the intended parameters of the system's intended use. Contracts incorporating AI systems will increasingly concentrate on this element of AI as a product.

With the increased scrutiny on data protection, and with the volume of data used by AI systems, due diligence on adherence to data protection laws is crucial not least given the extensive fines possible under GDPR. A warranty/indemnity should be provided by the vendor that it will comply with all applicable data protection laws. This is increasingly an issue with the retention and return of data, especially where that data is personal data, as retention of data sets is a necessary part of the evolution of AI systems. If the data is to be retained, this increased risk may need to be reflected in a decreased purchase price. 

Where legal liability could be at issue, then applicable insurance cover comes to the fore. While many vendors will have cyber insurance, this may only cover instances of a hack or a deliberate data breach, rather than damage caused by the AI system itself. It is important to look at the specificities of the cover and ensure it is adequate for the agreement involved, which would require legal advice.