Danny Kan, Partner, Stephenson Harwood, and Adjunct Assistant Professor, The Chinese University of Hong Kong, provides a clear and concise overview of the key issues a buyer should be aware of when considering the acquisition of an artificial intelligence (AI)-related business.

Highlights

  • key issues to examine when considering the acquisition of an AI-related business include its proprietary technology, innovative business model, the experience and stability of its product development team and its future growth prospects
  • a potential buyer should conduct an expert review of the ownership of the copyrights or patents relating to the intangible assets of the business, such as the computer source code, algorithms, training data, input data, output data and user interface design of the AI system
  • the potential impact of regulatory scrutiny should be considered when planning for a deal, given that authorities in some jurisdictions may see a business with AI capabilities as posing national security concerns

Unlike M&As involving a traditional business, where its tangible assets and historical financial results contribute to its core value, the crown jewel of an AI-related business is usually its proprietary technology and innovative business model, short of an established track record. Underlying the proprietary technology are the computer source code, algorithms and data. The valuation of an AI-related business hinges upon these intangible assets, as well as the experience and stability of its product development team, its future growth prospects and other dynamic factors. As such, the techniques for evaluating an AI-related business are somewhat complex, having to embrace these novel and fluid issues. So what are the key issues to look out for when buyers consider acquiring these businesses?

Fundamental concepts – AI, algorithms and data

What is AI?

AI, to many people, means automation, or ‘smarter’ versions of human beings potentially displacing the human workforce. In fact, AI is more than just automation. In practical terms, it is software that simulates human behaviour and intelligence. Underpinning such software are computational models and data. What’s fascinating is that AI can engage in an independent learning process to develop itself further without the need for additional instructions – like a human baby who, starting from birth, develops its knowledge and skills from zero to unlimited levels.

How to train an AI system – data and algorithms

For an AI system to learn, it is first trained with a sample set of data (the training data) with the aim of identifying common attributes in groups of data or patterns inherent in a data set. As a simplified example, an AI system could be trained to distinguish an ‘apple’ from a ‘banana’ when it is initially provided with the essential features of each of these fruits. When given a sufficiently large training data set, the AI system should become more accurate when making such a determination. In the context of anti-money laundering, for instance, an AI system could be trained to spot a suspicious transaction with attributes common to a sample set of suspicious transactions. In legal practice, it could be trained to spot an indemnity clause in a share subscription agreement.

Simply put, an algorithm is a mathematical model or formula, representing a procedure with certain embedded logic to accomplish a specific task. It is a series of instructions that are followed by computers, step by step, with a view to solving a problem or achieving a targeted outcome. Using the examples above, an algorithm would be a set of logic to identify the salient features of a suspicious transaction or an indemnity clause.

AI and business

As illustrated above, AI-related businesses require dealing with an enormous amount of data. AI-related M&As generally centre on intangible assets and the potential growth prospects of a business. Accordingly, the due diligence and negotiation process should be tailored to focus on those elements.

1. What is the product and who owns it?

The ‘product’ of an AI-related business consists of a wide range of elements. It encompasses a range of intellectual properties (IPs), such as the computer source code, algorithms, training data, input data, output data, user interface design of the AI system and more. The buyer should conduct an expert review of the ownership of the copyrights or patents relating to these intangible assets – is the target company the sole or joint owner of these IP rights? Do the employees or independent contractors who have contributed to the development of these intangible assets have a claim on the ownership of the relevant IP rights?

If the target company utilises third-party software or open-source software in its product development, we should ascertain to what extent such software has been utilised, which could in turn affect the ownership of the relevant IP rights. To reveal any infringement of third-party IP rights, we should also find out if the target company has the right to utilise such software under a valid licence.

In the M&A transaction documents, we should ensure that representations and warranties cover the ownership of the IP rights residing in the product, that no third-party licences or ownership rights have been infringed and that there is an absence of infringement claims.

2. AI governance model

The buyer must critically assess if a target company adopts an effective AI governance or risk management framework. In particular, buyers should review for compliance with the ethical framework of relevant jurisdictions, such as the G7 AI Principles and Code of Conduct, the European Union (EU)’s Ethics Guidelines for Trustworthy AI, the US Artificial Intelligence Ethics Guide, the PRC Ethical Norms for New Generation Artificial Intelligence, the Hong Kong Ethical Artificial Intelligence Framework and the Hong Kong Guidance on the Ethical Development and Use of Artificial Intelligence. A common theme among these frameworks is to question whether there is sufficient human review and oversight when developing an AI system, and whether steps have been taken to mitigate AI-specific risks including security, bias and discrimination. Even if the target company has such a governance or risk management framework in place, the buyer should assess if there is a strong compliance culture to adhere to such a framework in practice. The EU’s recently passed AI Act, sometimes regarded as the world’s first major legislation implementing some of the toughest AI regulations, also alludes to these considerations.

To assess the quality of the AI-related product, the buyer should examine how the AI model is trained and the quality of the training data set – specifically, where and how the target company sourced the training data set, and how its AI model functions. Are the rights to such data transparent and auditable?

3. Data protection

Data protection is becoming ever more important with data-intensive AI-related businesses. A target company may be using data acquired from third parties when it first trained and then subsequently continued to develop its own AI model. During its operations, the target company may routinely transfer data across jurisdictional borders – for example, when data is stored in one country while it is processed in another. This gives rise to a range of data protection issues. Certain jurisdictions classify data into different categories depending on the nature of the data, and the categories are subject to varying protection requirements. By way of illustration, under the PRC Regulations on Promoting and Regulating Cross-border Data Flow and the EU General Data Protection Regulation, cross-border data transfers can be prohibited for certain types of data, or the data handler may be required to conduct a security assessment or obtain regulatory approval before transferring data offshore. Further, if an AI system involves personal data (for example, if the training data set contains personal data), more thought should be given to the applicable data protection laws, such as the Hong Kong Personal Data (Privacy) Ordinance and the PRC Personal Information Protection Law.

In the due diligence process, the buyer should consider how the data has been obtained, as well as from where and from whom. If personal data is involved, has the target company developed and implemented any data protection compliance program? M&A transaction documents should require the target company to give comfort on its compliance with the applicable data protection laws arising from its development and/or use of AI systems, and that it has proper policies and procedures in place to ensure compliance.

4. Employment and incentive plans 

As with many M&As, it is important to ensure the key personnel contributing to the success of the target company would stay on after completion of the deal. For AI-related M&As, the long-term ability to develop and maintain the AI-related product is typically a crucial question to ask. In this regard, the buyer should identify the key technical personnel contributing to the long-term success of the product – encompassing researchers, computer scientists, program developers, software managers and so on – and their likelihood to stay on with the target company. A careful examination of the relevant employment agreements and incentive plans is desirable.

Tech companies generally reward and retain their staff by granting stock options as part of the compensation package. The terms of such packages must be reviewed and the corresponding tax implications must be assessed. Non-compete and confidentiality obligations binding the key personnel should be scrutinised. The buyer should also assess whether algorithms underlying the AI systems are protected as trade secrets, which afford a higher level of protection in certain jurisdictions as, unlike patents or copyrights, trade secrets can be protected without registration (meaning no procedural formalities are required) and for an unlimited period of time.

5. Shareholding structure and shareholder rights

Tech companies typically secure several early rounds of funding, and investors in each round may be granted certain special rights. These rights may not be reflected in the main transaction documents, but are embedded in side letters agreed between the company and the investors. A new investor may want to negotiate for similar rights. There could be different classes of shares issued by a tech company. Holders of each class of shares may be entitled to different voting rights. For pre-IPO companies, new investors should also pay attention to the conversion mechanics (or restrictions from conversion) of preferential securities into tradable ordinary shares.

6. Regulatory scrutiny

Regulatory scrutiny of foreign investments has increased in many jurisdictions, particularly those involving a transfer of ownership in AI systems. Authorities may see a business with AI capabilities as posing national security concerns – even more so if the technology can be used for defence purposes or involves a high volume of personal data. For instance, the Committee on Foreign Investment in the US regularly reviews transactions involving critical technologies for national security risks. Against this backdrop, the potential impact of regulatory scrutiny should be considered when planning for a deal. In some cases, regulatory approval needs to be obtained before signing the M&A transaction documents. If preapproval is not obtained, the buyer should plan for post-deal regulatory enquiries and consider how the buyer’s interests could be protected if the regulator subsequently raises concerns about the deal. In short, analyse potential political and regulatory implications early in the process.

7. Anti-trust

Anti-trust agencies scrutinise whether the investments of big tech firms into smaller players enable dominant firms to exert undue influence or gain privileged access in ways that could undermine fair competition. An AI system depends on a set of data inputs. Control over one or more of those data inputs may be regarded as creating unlawful barriers to entry, slowing innovation or generating opportunities for unlawful product bundling, tying and exclusive dealing. As such, anti-trust agencies may review if a company’s data collection and aggregation process would trigger anti-competitive concerns. In practice, the buyer should conduct an anti-trust risk assessment when planning for the deal.

Conclusion

The above highlights some of the key issues to look out for when a buyer examines an AI-related business and is by no means exhaustive. AI systems evolve with the ingenuity of business founders and technology developers, and hence the issues stemming from AI-related businesses are dynamic. This will continue to pose new challenges for buyers as the market in this space develops – buyers beware!

Danny Kan

Partner, Stephenson Harwood, and Adjunct Assistant Professor, The Chinese University of Hong Kong
