Artificial intelligence (AI) is advancing at a rapid rate and is being used by most organisations in Australia.  Transactions involving AI companies or companies that use AI heavily as part of their delivery present unique legal and operational complexities. This article examines five critical issues that deal participants must address: intellectual property, data privacy, third-party dependencies, regulatory scrutiny, and ethical governance. 

Sellers must be mindful of providing prospective acquirers with certainty regarding these issues. Pre-emptive and proactive management to implement robust and sustainable systems will maximise market opportunities, and reduce deal execution risk, on the sell-side. Purchasers should deploy focused diligence and experienced advisors to gain an understanding of the target's exposure to these issues, which are central to being able to exploit value in the target.

Intellectual property rights

Intellectual property (IP) risks are amongst the most pressing legal issues in AI M&A. This is because uncertainty around IP infringement and ownership continues, especially in relation to training inputs and AI-generated outputs.

Training data

The provenance of training data is increasingly material to supporting the valuations of relevant target companies following recent litigation in the US, which highlights that AI training methods can expose companies to significant liability. Deal participants should carefully assess the relevance of such international developments to Australian transactions.
AI training materials may include data, text, source code, images, or video, obtained through various methods including creation, purchase, licensing, or web scraping. 

Key due diligence questions include:

• How was training data acquired (scraping, licensed datasets, negotiated agreements)?
• Was sensitive or infringing data stored, and is there evidence of destruction?
• Have copyright works been reproduced in the training process, and are there applicable exceptions in the jurisdiction in which the training took place?
• What is the volume and nature of underlying works used?
• What remediation steps and governance programs are in place?

Many AI systems are built on open-source frameworks or trained on open-source datasets. Both sellers and purchasers should carefully consider the IP risks of such systems, as open-source licences may carry copyleft obligations requiring derivative works to be released under the same terms which could materially constrain commercialisation post-acquisition if not properly managed. 

Ownership of AI-generated outputs

Under the Copyright Act 1968 (Cth), copyright protection requires human authorship. In Acohs Pty Ltd v Ucorp Pty Ltd [2012] FCAFC 16, the Full Federal Court held that purely computer-generated works are not works in which copyright subsists. Similarly, in Commissioner of Patents v Thaler [2022] FCAFC 62, the Court held that a patent inventor must be a natural person. This creates a critical gap in legal protection for AI-generated materials.

The High Court in IceTV Pty Limited v Nine Network Australia Pty Limited [2009] HCA 14 emphasised that copyright subsists in works that are the product of 'independent intellectual effort', requiring human creative input. Unlike the United Kingdom, Australia has no statutory provision extending copyright protection to computer-generated works. To the extent a target relies on AI-generated materials, it may be unable to protect those materials from use by others. This may have direct bearing on the value of assets such as AI-generated code, research data, game animation or business documents.

Use of AI in creation does not automatically preclude copyright protection. Assessing copyright subsistence is a technical and fact-dependent question as to whether there has been sufficient human input in creation of the relevant work. However, it is important to understand that traditional IP protections (patents and copyright) may not be well suited to protecting AI-generated technologies.  

There are, however, alternative protections available. Targets frequently rely on confidential information rights to protect proprietary interests in their AI assets, potentially including algorithms, neural networks, training data, weights, and AI- generated outputs. Acquirers should verify that such assets are adequately protected by contractual covenants, including confidentiality agreements with employees, external contractors and potentially with AI technology providers. 

A related risk is the ownership of IP developed by contractors rather than employees. This is a critical consideration, given that many AI companies rely on contractors throughout development. Under Australian law, copyright in works created by employees during their employment vests automatically in the employer, but the same is not true for independent contractors. Without a written assignment, there is a risk that IP created by contractors remains with them.  

Data privacy and regulatory compliance

AI systems using personal or sensitive information must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), as well as applicable state, territory, and international laws. Deal participants must be mindful of data governance practices and verify that proper consents and authorisation exists, for example, to deidentify personal information for the purpose of training an AI system.

A common issue is targets using data collected before contemplating AI development, where privacy policies did not notify users of this intended use. Under the APPs, personal information may only be used for the primary purpose of collection, or for secondary purposes where the individual has consented or would reasonably expect such use. The Office of the Australian Information Commissioner (OAIC) has authority to impose civil penalties for breaches of the Privacy Act 1988 (Cth) (Privacy Act) of up to $50,000,000, three times the value of the benefit of the breach or 30% of a body corporate’s adjusted turnover for the contravention period.

Both sellers and purchasers should also examine how and where data is processed. Many AI companies rely on offshore cloud infrastructure provided by rapidly expanding hyperscalers for model training and inference, which has direct implications for compliance with APP 8 of the Privacy Act. APP 8 requires entities to take reasonable steps to ensure overseas recipients handle personal information consistently with the APPs, and exposes the disclosing entity to liability for foreign recipients' breaches unless specific exceptions apply. 

AI systems also present distinct cybersecurity risks, particularly those based on language models, which present novel threat vectors such as prompt injection. Breaches of this nature can result in the exposure of personal or otherwise sensitive information. Deal participants should assess whether the target has adequate controls and an incident response framework consistent with its obligations under the Notifiable Data Breaches scheme, and whether any unreported eligible data breaches may give rise to inherited liability.

The evolving regulatory landscape

Australia's regulatory framework for AI continues to develop incrementally. While no comprehensive AI-specific legislation comparable to the EU AI Act has been enacted, existing statutes are gradually adapting to address AI-related risks. Notably, the Privacy and Other Legislation Amendment Act 2024 (Cth) introduced reforms to automated decision-making, requiring entities to notify individuals when substantially automated decisions significantly affect their rights or interests. These reforms come into effect in December 2026 and reflect a broader trend of sector-specific regulation evolving to capture AI use, rather than a single omnibus approach.

In the absence of a unified AI regulatory framework, AI companies and companies that heavily use AI face a fragmented compliance landscape where multiple regulators, including the ACCC, OAIC, ASIC, TGA and APRA, are increasingly focused on AI-related risks within their existing mandates.

The Australian Government has signalled that it intends to increase the capability of existing regulators to enforce AI-related obligations. In financial services, for example, deal participants should consider ASIC's published guidance on AI governance ('Beware the Gap Report'). Targets operating in these sectors may face specific obligations around the explainability, auditability, and human oversight of AI systems – obligations that are already enforceable and not contingent on future AI-specific legislation.

Internationally, the EU AI Act (entering force in 2024, with obligations phasing in through 2027) may have extraterritorial implications for Australian companies operating in or supplying services to Europe (including by virtue of internal intragroup arrangements for Australian companies that are part of multinational organisations with a presence in Europe). Compliance posture should be actively assessed against both current domestic requirements and emerging international standards.

Regulators also remain concerned with 'AI washing' – companies overstating their AI capabilities. The ACCC has identified misleading conduct regarding AI claims as an enforcement priority, and acquirers should perform robust diligence on the target's marketing representations. 

In a transaction context, this evolving patchwork of obligations underscores the importance of looking inside the IT 'black box'. Acquirers should not accept surface-level assurances regarding AI systems, but should instead conduct in-depth technical reviews to understand what the target's systems are actually doing, including how automated decisions are made, how AI models are weighted and constrained, what data inputs are used, and whether appropriate safeguards exist. This approach is essential to identifying and mitigating regulatory risk before completion.

Third-party AI tool risks

Use of third-party AI tools raises questions regarding confidentiality of an organisation's valuable information. Information supplied to AI systems, without adequate and appropriate protections in place, may be retained indefinitely and accessed by third parties, presenting material risks to proprietary rights and internal company confidential information.

Terms of use for AI systems may require users to indemnify providers for infringing outputs. If a target relies on third-party AI to deliver products and the tool malfunctions (eg hallucinates), the target may breach customer commitments or face liability. Deal participants must understand the scope of warranties, limitations of liability, and indemnification obligations that have been agreed to in contracting.

Many companies build products using third-party APIs (such as OpenAI's) without owning the underlying technology. These businesses depend on continued third-party development and support, creating significant concentration risk that deal participants must evaluate and manage.

Beyond AI-specific APIs, both sellers and purchasers should assess the target's dependency on cloud infrastructure providers (AWS, Azure, GCP) more broadly. Operational reliance on a single cloud provider, without adequate portability or contractual protections, represents a concentration risk comparable to AI API dependency and warrants the same scrutiny.

Liability and accountability for AI decisions

AI systems that make or inform decisions, whether in lending, recruitment, healthcare, or consumer services, create novel liability exposures that deal participants must carefully assess. Australian law has not yet developed a comprehensive framework for AI-related liability, leaving relevant parties to navigate existing tort, contract, and statutory regimes.

Under the Australian Consumer Law, guarantees as to acceptable quality and fitness for purpose apply to AI-enabled goods and services. Where AI systems produce defective outputs or cause harm, suppliers may face liability regardless of fault. Professional services augmented by AI (such as legal research tools or medical diagnostic systems) also raise questions about the standard of care and whether reliance on AI constitutes a breach of professional duties.

Sellers and purchasers should each examine how liability is allocated in customer contracts, including limitations of liability, disclaimers, and indemnification provisions. Traditional insurance policies including, professional indemnity and product liability coverage, may not adequately address AI-specific risks, and deal participants should assess whether coverage gaps exist. In highly regulated industries, such as healthcare, deal participants should also consider whether AI systems owned or used by a target are required to be registered with specific government authorities (such as the Therapeutic Goods Administration), and confirm such registrations are in place. Similarly, companies in the financial services industry would be advised to consider whether any services or other outputs provided or generated by, or with substantial assistance from, AI agents are captured by any licensing or professional conduct regimes (eg Australian Financial Services Licence). 

Bias and ethical AI governance

AI tools trained on historical data may perpetuate biases, leading to potential discrimination claims based on biased outputs. Because models draw on biased data and incorporate outputs into training materials, biases can be magnified through adverse feedback loops without intentional remediation. Existing Australian anti-discrimination legislation applies to outcomes produced by AI systems today such that where a company's AI produces discriminatory outputs in recruitment, lending, or service delivery, the company may already be exposed to legal risk.

Some jurisdictions, including the EU and certain US states, have enacted AI-specific laws addressing bias, transparency, and accountability. Australian companies operating internationally should assess their exposure to these regimes.

Deal participants should also examine what systems are in place to oversee AI use, including measures to identify and minimise bias and ensure safety, transparency, and human oversight. Such inquiries should focus on board level governance, workplace policies, and training regarding responsible AI use.

Practical recommendations for managing risks

Deal participants must adopt a disciplined and AI-specific approach to transaction planning and execution. The following three recommendations provide a framework for identifying and mitigating the unique risks inherent in AI M&A transactions, from initial due diligence through to post-closing integration. 

1. Enhanced due diligence: Beyond traditional reviews, AI-specific diligence should include audits of training data, and review of licensing arrangements and data consents. Engaging technical experts to review source code, inspect model documentation, and verify IP ownership should be standard practice. Sellers must consider how best to tailor data room and disclosure procedures to ensure a smooth process and mitigate liability for risk-allocation measures in the relevant sale agreement.
2. Tailored transaction documentation: Generic representations and warranties applicable to traditional intellectual property rights are unlikely to capture AI-related risks. Tailored representations should address the target's legal right to use training data, originality of algorithms, and absence of known model bias. Where legal standards are unsettled (particularly for generative AI), specific representations regarding permissioned data and compliant practices are essential. Depending on the results of diligence, acquirers should also use warranties and indemnities to address AI specific risks such as transparency, accuracy and explainability in any automated decision making in the targets AI systems. Sellers must be comfortable standing behind the nature and scope of these representations, warranties and indemnities, which should involve a focused verification process. 
3. Post-closing integration: Retaining technical talent is critical in AI acquisitions, where institutional knowledge is a core asset. Acquirers should implement earn out incentives for key executives and staff, retention bonuses, equity incentives, and career development plans early in integration planning. Similarly, where the target relies heavily on third-party APIs, it will benefit deal participants to be mindful of establishing risk allocation measures which address any threats to the target's value or sovereignty.  

Conclusion

AI acquisitions present legal challenges extending beyond traditional M&A concerns. To realise full value, acquirers must proactively identify and address distinct legal, regulatory, and operational risks. By adapting diligence processes, acquisition documents, and integration strategies, dealmakers can achieve successful outcomes in this complex environment.

As the regulatory landscape evolves and courts address novel questions of IP ownership, data rights, and algorithmic accountability, practitioners must remain vigilant. The five issues outlined represent the core challenges defining successful AI transactions. 

To discuss how these AI related risks may affect your transaction and how best to manage them, get in touch with our team.