D&I’s AI Prep List for Lawyers

– Vol 1. AI and Communications

Posted on

1 Oct

2024

Dittmar & Indrenius > Insight > D&I’s AI Prep List for Lawyers

As with all work, prioritising AI-related legal tasks is essential to ensure you focus your time where it is most needed. Even knowing this, the constant overflow of to-dos can be overwhelming – especially when every task is accompanied by a request to complete it yesterday. In this D&I Quarterly series, Iiris Kivikari, our Head of IP, Media and AI, gives you a peek into what is taking up space on our team members’ (virtual) desks in order to help you figure out what AI work you might want to be focusing on right now.

Confidentiality of communications is king

Many of the AI tools our clients are currently looking into and/or actually using aim to keep them cyber safe, help their employees manage their workflow better and/or automate some of the more menial tasks they face daily. Given the amount of time an average office worker spends in Teams meetings, sending and receiving emails, and otherwise communicating through the IT systems available to them, many such streamlining initiatives entail tapping AI into employee communications.

In many countries, this might not seem like a red flag issue. For example, some of the comments we have heard from our international colleagues over the years when it comes to employee communications include: “confidentiality of communications does not apply to work emails” and “it’s not an employee’s communication as such if it is sent from a company provided device”. Although this might be the case in other jurisdictions — as a Finnish lawyer, I will leave it up to you to research and decide — it is definitely not the case in Finland.

In Finland, the constitutional right of confidentiality of communications is king and any exceptions are few and far between.

In Finland, the constitutional right of confidentiality of communications is king and any exceptions are few and far between. As a result, the starting point is that even work-related communications sent from a company provided device are confidential, regardless of what size or form they come in. This is not to say that AI tools can never collect or process communications data, it just means that we as lawyers have homework to do so that we are able to properly identify and apply the exceptions available to us.

When implementing AI solutions in the context of communication, it is therefore important to carefully identify the specific requirements arising from Finland’s exceptional regulations. To give you a picture of what this entails, here are two examples of what our team at D&I has been working on recently.

Data security AI tools

When it comes to electronic communications in a work environment, Finnish law recognises a few exceptions to the main rule of confidentiality of communications. The idea is to allow employers to process employee communications in the rare situation where this can be seen as “acceptable” when balancing the interests of the employer with those of the employee. As a result, there are provisions in place that allow companies to collect, analyse and even read employee communications or parts thereof in order to, for example, ensure data security, protect trade secrets and/or open employee emails when an employee is absent. Although the scope of each exception is rather narrow, and many of them require companies to jump through quite a few procedural hoops in order to apply them, they have traditionally provided solutions to many — even the majority — of the issues companies face in the course of their business.

When it comes to AI, the reoccurring challenge is the fragmented nature of these exceptions. While the same AI tool might be able to tackle several different types of communications data processing all at once, Finnish law often sets out a different set of rules for each purpose the AI tool is used for.

Therefore, in order to get an AI system up and running, start by taking a look at why (i.e., the purpose), what types of communications and how they are processed — and start working your way up from there.

When implementing AI solutions in the context of communication, it is important to carefully identify the specific requirements arising from Finland’s exceptional regulations.

AI assistants

When it comes to GenAI tools aimed at helping employees in their day-to-day work, a lot of the data collected by such tools is data created by or on each user themselves — or data on their communications. This is good news, as the confidentiality of communications set out in Finnish law is meant to provide protection against third parties — not the correspondents themselves. Therefore, in general, each sender and recipient of a message may do with it as they please, including subject it to processing by an AI tool.

Naturally, these communications come in many shapes and sizes: Teams calls, emails, instant messaging, web browsing and text messages are all included, not even mentioning face-to-face conversations and telephone calls. With some mediums it is easy to tell who a message is sent to or who is a true participant in a conversation — and who is therefore able to process it as a party to the correspondence — while with others this requires more investigation and reasoning.

As a result, an efficient way to mitigate the risks involved with AI assistants is to take a close look at all the communications available to an AI tool and ensure that each employee is only tapping into communications that they are the proper sender and/or recipient of or that they otherwise have lawful access to. This will not mitigate all the risks involved, but it will likely get you a lot further than you perhaps thought.

More by the same author

eIDAS2.0 Has Arrived – What is an EUDI Wallet?

The awaited eIDAS Regulation (EU) 1183/2024, known as eIDAS2.0, introduces new comprehensive rules aimed at facilitating a secure and seamless Europe-wide digital identity framework by amending the first eIDAS Regulation (EU) 910/2014. As the most notable change, eIDAS2.0 introduces a new EU Digital Identity Wallet (EUDI Wallet), meaning an electronic authentication application that must be interoperable throughout the EU. In function, the application will be similar to ordinary wallets, especially when looking at what types of data is stored in it. The Regulation entered into force on 20 May 2024 and the European Commission is due to adopt technical implementing acts in November 2024, after which the Member States have 24 months to implement at least one EUDI Wallet.

Ready or Not, Here Comes the AI Act!

D&I’s summary of the changes coming your way The European Parliament has approved the Artificial Intelligence Act on 13 March 2024. The AI Act is a huge step forward in creating a legal framework for AI technology throughout the European Union. It brings about substantial new obligations for both the developers and users of artificial intelligence (or, using the terminology of the Act itself, the providers, importers, deployers, authorised representatives and other parties listed in the Act). However, although the categorisation does cut a few corners, the AI Act can be seen as a type of “product safety” legislation. As such, it leaves a wide range of topics to be dealt with in other EU and/or national laws, or by the parties involved in a specific transaction.

Q&A with New Partner Iiris Kivikari

With a wealth of experience in serving leading global and Finnish clients, our new partner Iiris Kivikari navigates the dynamic legal landscapes of intellectual property, media, data protection and data assets. She is also a leading expert in Finland on the legal aspects of transformational technologies such as artificial intelligence. Beyond her legal expertise, Iiris is also an enthusiastic mountain climber and a devoted mother of two young girls.

Latest insights

The Ministry of Finance Proposes a New Tax Credit for Large Industrial Investments

Article / 7 Oct 2024
Reading time 2 minutes

Q&A: Exploring the Future of Legal Work with AI

Article / 1 Oct 2024
Reading time 2 minutes