Shihui’s Insight｜Legal Considerations in AI Sector M&A (1)

M&A in the AI sector is experiencing rapid transformation, seeing a significant increase in deal-making across various industries such as healthcare, finance, autonomous vehicles, and manufacturing in recent years. This trend underscores AI's pivotal role in industry innovations and gaining a competitive edge. Characterized by high valuations, AI M&A deals reflect the value of the data, intellectual property (IP) and growth potential of AI businesses. These transactions are strategic acquisitions of advanced technology, proprietary algorithms, and the vital talent needed for innovation and value addition integral to business operations.

A key driver and differentiator in AI M&A deals is the management and protection of data, which has both legal and commercial implications. The ownership and protection of AI models and algorithms are also central to such deals. Additionally, ensuring IP originality and mitigating infringement risks are critical due diligence challenges, especially considering the proprietary nature of AI models and licensing agreements. 

This guide will build on these insights to explore key issues in AI M&A deals, providing investors and acquirors with a legal framework to navigate the intricacies of data, IP, regulatory compliance, and other critical aspects of AI M&A deals.

This article is Part I of a three-part series in M&A in the AI space. In this Part I we will explore briefly the AI sector M&A landscape, provide an introduction into the AI sector and AI companies, highlight data protection and privacy issues in the AI industry and finally offer some considerations from a legal perspective in AI M&A transactions. 

Over the past decade, the AI industry has developed rapidly, with concurrent rise in AI investment activities. Global AI-related investments have increased thirteenfold between 2013 and 2023 from $14.57 billion to $189.16 billion. Although there was a 20% decrease in total investment from $234.95 billion in 2022 to $189.2 billion in 2023 (the most significant downturn occurred in M&A which fell by 31.2% from $117.16 billion of the previous year to $ 80.61 billion in 2023^[1]), generative AI (AIGC hereinafter) has countered the trend.

While overall AI private investment decreased in 2023, funding for AIGC sharply increased. AIGC attracted $25.2 billion in investment, nearly nine times the investment in 2022 and about 30 times the amount in 2019, accounting for over a quarter of all AI-related private investment in 2023, which totaled $95.99 billion. 2023 also marked a significant increase in the number of newly funded AIGC companies, with 99 new startups receiving funding, up from 56 in 2022, and 31 in 2019. ^[2]

In China, the landscape of AI private investment is rapidly evolving. In 2023, China's private investment in AI reached $7.8 billion, trailing only the US and ranking as the second highest globally. As for private investment in AIGC, China invested a total of $650 million, comparable to the EU (plus the UK), which invested $740 million. 

China’s strategic commitment to AI began in 2017 with the launch of the New Generation AI Development Plan, which positioned AI as a national strategy, indicating a systematic layout and advancement in China's AI domain. Since then, China's AI legislation and policies have evolved from embedded arrangements in internet regulations from 2017 to 2020, to more targeted guidelines and policy advice in 2021 and 2022, culminating in the release of the Interim Measures for the Management of Generative Artificial Intelligence Services in 2023, marking the beginning of comprehensive regulation. These legislative and policy documents play a crucial role in guiding and regulating AI M&A activities.

Types of AIGC Companies 

Within the AIGC space, there is a diverse array of types of AI companies, categorized based on their specialization, service scope, and business model etc. While there can be some overlap, generally the most common categories include: 

• End-to-End AI Companies: these companies engage in the entire process from data collection to model training and deployment, offering full service throughout the AI ecosystem from conceptual design to the development of end-user applications.

• AI Data Services Companies, which focus on a specific stage in the technology chain. They provide services such as data collection, cleansing, annotation, and enhancement, preparing the data for AI model training or optimization.

• Vertical-specific AI Companies: These companies concentrate on AI applications specific to certain industries or vertical markets e.g. healthcare, finance, retail, etc. They might use customized AI models to address specific problems but typically do not engage in the establishment and training of large language models. 

• Large-Scale Model Training and Optimization Companies: These entities specialize in the development, training, and optimization of AI models such as general-purpose language models and image recognition models. They often offer these customized models packaged in APIs or other forms of technology services to other firms and generally do not interact directly with end-users.

• AI PaaS, AI SaaS: Platform as a Service, these platforms provide the infrastructure needed for AI development and deployment without the need for companies to establish their own infrastructure. Software as a Service, these services offer subscription-based AI software solutions that can be readily integrated into a company's business processes. Examples include customer service chatbots and data analysis tools. 

When considering M&A involving AI companies, investors and acquirors must first discern the specific nature of AI companies, recognizing its core AI competencies and potential risks. Identifying the company’s specialization is essential as it guides a targeted assessment of the risks and informs strategic decision-making. For an AI data service company, the focus should be on data sourcing, compliance, and privacy. In the case of a vertical-specific AI company, industry-specific regulations and restrictions are paramount. For an End-to-End AI company, a broad evaluation of risks inherent to AI Companies will be necessary. 

It is important to initially concentrate on the unique concerns that are relevant to the target AI company's type, its operations, and its offerings. Such focus helps in addressing specific issues and risks leading to a comprehensive understanding of the most critical aspects of the AI company's business.

Data is a fundamental component for AIGC companies. Therefore, we will begin our exploration of the risks associated with data from a business standpoint, recognizing that data is central to AIGC operations.

AI's Reliance on Data

The data-centric nature of the AI industry underscores the reliance of AI firms on data for their operations and valuation. Thus, it is essential that as a part of the due diligence process on a target AI company to assess whether the data being used by the target AI company is being used legally and in a compliant manner. In particular, it may be worth carefully assessing whether the target AI company has sufficient legal rights to use the data, any issues concerning using data in a way that is compliant with local regulations on content and any data protection and privacy related compliance issues.

First, in assessing whether the data being used by the target AI company is in compliance with laws and regulations, it is important to look at the data source and the method of collection and whether the target AI company has sufficient legal rights to use such data:

• When open source is involved, the open-source license agreement or relevant licensing document must be reviewed to ensure there are no defects in data collection. It should be noted that even open-source data may still contain prior rights, such as intellectual property rights (IPR), personal information (PI), and there may also include errors or inaccuracies. Special attention should be given to potential biases, particularly with synthetic data, to ensure that it does not introduce biases that could affect the AI model's performance or fairness. 

• If data is self-collected, meaning it is either self-produced or collected from the internet, collection records must be maintained. It is imperative to avoid crawling data that others have expressly prohibited from being collected, typically as web page data explicitly marked as uncollectible through the Robots Protocol or PI for which the individual has refused to authorize collection. 

• If data was obtained through a data transfer transaction or cooperation agreement, a legally valid contract or agreement must be provided. A thorough review should be done of the data source, quality and security, with supporting documentation to prove the data ownership. That is to say, the complete rights chain of data collection shall be comprehensive and adequate.

Second, the AI industry faces the risk of collecting data that includes illegal or harmful information, potentially violating local laws. It is crucial to recognize that certain countries (including China) have established specific legal requirements regarding the content of such information. Acquirors in the due diligence process, should check to ensure that the target AI company’s legal compliance in this respect. Collected data must be rigorously filtered to ensure it meets the legal standards before using in model training. Filtering can be done through the use of keywords, classification models, and manual spot checks to eliminate illegal and unhealthy content. Compliance with the quantitative requirements outlined in the applicable laws and regulations is essential. If the target AI company’s data usage does not comply with these standards, acquirors should evaluate the relevant legal risks associated with non-compliant content and consider necessary corrective measures, thereby ensuring that the data used in model training is compliant and lawful.^[3] Also, as stipulated in Article 8 of the Provisional Measures for the Administration of Generative Artificial Intelligence Services and Article 5.3 of the Basic Security Requirements for Generative Artificial Intelligence Service, the service provider shall take steps to confirm that the target AI company meet the requirements of data annotation. This includes having specialized annotators, relevant training, rules, tools, routine examinations etc. Such standardized requirements are important reference for service providers to improve safety levels, mitigate possible risks, and thus should be given attention.

Third, data protection and privacy related compliance require special attention in the usage of the data. In China, adherence with laws and regulations such as the "Civil Code," "Personal Information Protection Law," "Data Security Law," "Personal Information Security Specification," and "Cybersecurity Law" which govern data protection and privacy related legal obligations in China is mandatory. These govern legal obligations related to data protection and privacy. Generally, under PRC laws, it is necessary to obtain the consent of the individuals concerned, or, if sensitive personal information is involved, to obtain the separate consent of each individual. Cross-border transfers of PI from China may also be subject to Cyberspace Administration of China (CAC) approval or require the filing of standard contractual clauses with the CAC. Therefore, whether the data being used concerns PI or other sensitive data whose use is regulated, due diligence should verify the usage of such data, whether it involves PI or other regulated sensitive data and complies with relevant data protection and privacy laws and regulations.

In practice, user agreements typically encompass data policies, which outline privacy practices and compliance with data protection laws. These agreements are crucial as they govern how data is collected, used, shared, and protected within AI companies and thus demand close review. For example, AI companies like Open AI, which have previously faced lawsuits for using API data in model training, have since revised their data usage policies. They now state that they "will no longer use any data submitted through their API for 'service improvement,' including AI model training, unless the customer or organization opts in." This serves as a useful reminder to pay attention to the provisions regarding user-entered information in data usage policies, in particular regarding user consent.

Given the specific and rapidly involving nature of the AI sector, M&A transactions in the AI sector need to take into account the specific issues and risks inherent to AI companies. 

In the due diligence stage, both with respect to commercial and legal due diligence, it is crucial to first delve into the company’s operational processes, supply chain, and partnerships to identify potential risks or inefficiencies from legal, commercial and technology perspectives. This helps in pinpointing key issues that require attention such as:

• Technical assessment: in-depth analysis of the target company’s AIGC technology, focusing on algorithmic efficiency, data dependency, and the scalability of models, evaluating the long-term viability of the technology to evaluate its technical and commercial prospects. 

• Data compliance: ensure data collection, storage, and processing practices of the target company comply with relevant data protection and privacy laws in China such as the "Cybersecurity Law," "Data Security Law," "Personal Information Protection Law" and related laws and regulations or other jurisdictions where it operates. 

With respect to the acquisition agreements for an AI sector transaction, it may be worth considering building in certain provisions to address sector-specific risks: 

• Representation and warranties: consider whether operational or business representations and warranties need to be more specifically tailored to AI sector related risks or even if, based on the target company, specific AI representations and warranties covering a critical aspect of the target’s business are needed. For example, whether data protection and privacy related representations and warranties need to be more tailored to AI companies such as how AI companies collect data e.g. issues related to crawling of data. 

• Indemnities: if due diligence has found certain AI specific legal, compliance or other issues, may need to consider specific indemnities to address the risks related to such issues. 

• Pre-closing covenants: include covenants between signing and closing that require the target to obtain the acquiror’s consent for certain actions may need to consider AI activity specific restrictions including internal process and policies related to the use of AI, how data is collected and used etc. which are fundamental to an AI company’s operations. 

• Conditions precedents: include conditions precedents for a transaction closing that address any particular actions related to an AI target company which need to be resolved or completed prior to closing e.g. if third party consents are needed for continued use of any data obtained from a third party, if any relevant government consents have been obtained or are in the application process with respect to data use e.g. if CAC approval is needed for applicable cross-border data transfers from China. 

Jeff Liu has a corporate and M&A practice specialized in cross border M&A and investment transactions as well as general corporate matters. He advises a wide range of clients including MNCs, private equity/venture capital funds and other corporate clients in various sectors including the financial, high-technology, biotechnology/pharmaceutical, TMT, energy, food & beverage and other consumer products sectors.

Jeff has extensive experience advising on transactions in China and globally (Europe, Asia and the US), often involving complex multijurisdictional issues. He also advises MNCs and other companies on a wide range of general corporate matters including cross border commercial transactions, IP licensing related matters and regulatory and compliance issues (antitrust, data compliance etc).

Before joining Shihui, Jeff worked at a number of leading international law firms in Beijing, Brussels, Hong Kong and Paris.

Liu Fan specializes in intellectual property (IP) litigation and non-contentious IP services, possessing extensive experience in the strategic management and protection of brand and IP portfolios, which encompass copyrights, trademarks, patents, and more. 

Fan has acted on behalf of numerous multinational companies in IP litigation, administrative proceedings, and various dispute resolution matters. She consistently achieves favorable outcomes in IP and brand protection cases. Her legal expertise is sought after across a diverse array of sectors, such as the internet, culture and entertainment, luxury goods, the food industry, medical products, hotel, and mechanical manufacturing etc.

In addition to her extensive practice, she has demonstrated particular expertise in the emerging field of AI, participating in multiple research projects focused on AIGC-related copyright and other compliance matters. This involvement aims to support clients in being well equipped to navigate the complexities of IP in the era of AI.

Before joining Shihui, Fan worked as an IP litigator at network firm of a UK consulting firm and served as a seconded IP counsel at an MNC.