Switzerland Update: Five Trigger Questions for AI Compliance

If companies want to stay on top of their AI compliance, they need to be notified of new or changed AI applications. But how can employees without in-depth knowledge recognize when things are getting tricky? We have compiled five trigger questions for you in this blog post No. 24 in our series on the responsible use of AI in companies.

From a legal point of view, the use of AI, especially in the areas of data protection, protection of secrets, intellectual property and AI regulation, must be checked whether the relevant rules are complied with (see our blog post no. 18). This is basically true for any AI application, even if it is done with existing and company-approved tools. For example, if you use ChatGPT to have an applicant’s CV analyzed, your employer will automatically become a provider of a high-risk AI system as soon as the corresponding provision of the EU AI Act becomes applicable. This is associated with numerous obligations that the employer certainly does not want.

Where are the red lines?

That’s why companies need to make sure that their employees know when they may be crossing a red line when using AI and that an in-depth examination of the application is necessary. One possibility is to give them appropriate questionnaires that ask about the cases regulated by law. There are also corresponding testing tools such as our free “AI Act Check” in our AI risk tool GAIRA. For the large number of employees, however, this is often too much of a good thing.

We have therefore developed five trigger questions that employees can use to see whether their AI use case may need more detailed clarification, even without in-depth knowledge of AI:

• Do we use a new provider and use personal data, our own or third-party secrets?
• Will we use third-party intellectual property to train AI or generate AI results that we will use externally?
• Will we use AI to identify or analyze people based on their characteristics or behavior?
• Will we use AI to evaluate people at work or in education, or to influence people unknowingly?
• Will we use AI for decisions or functions that may affect people’s lives or safety?

If one of these questions has to be answered with a “yes”, then the use case should be examined more closely, even when using existing tools approved in the company. This has the GDPR, Swiss data protection, copyright law, the protection of professional and trade secrets and the EU AI Act in mind.

The last three questions are formulated in such a way that they cover the prohibited as well as the high-risk AI applications under the AI Act. The details in this regard are contained in the latest edition of our GAIRA tool. There are further explanations for each question as well as the assignment to the individual cases regulated in the AI Act. It is also another question aimed at those cases in which the AI Act prescribes certain transparency regulations. We have deliberately omitted this here because, in our experience, it does not affect most companies in practice or is already covered by the existing transparency requirements.

Further requirements are necessary

Of course, these five trigger questions alone are not enough. The company will have to impose a few more basic rules on its employees:

• Only use approved AI tools, and only with the approved content
• Check the results of the AI for accuracy – each employee remains responsible for this, as well as for his or her work results
• Ensure adequate transparency in the use of AI, for example when third parties interact with AI or when deepfakes are used.

By Vischer, Switzerland, a Transatlantic Law International Affiliated Firm.

For further information or for any assistance please contact switzerland@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 84 Brook Street, London W1K 5EH, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.