1. The necessity and complexity of AI liability regimes

While AI brings promises of economic and social benefits in a vast range of industries and social contexts, its regulation is necessary because of the equally compelling risks posed by AI to individuals and society. Commonly recognised AI risks include the threat to fundamental rights, such as privacy, and to individual and public safety and interests.Footnote ¹⁹

Regulating AI remains complex, however, because of the importance of balancing the fostering of AI use and innovation while protecting safety and fundamental rights. In part, the source of this complexity is in the very nature of AI, which relies on the use of big data to train and develop algorithms that function at tremendous speeds, and sometimes using neural networks that operate in ways that remain incomprehensible even to the AI developer. An AI system may also be autonomous, the level of which continues to evolve, and could be used in real time, as explicitly recognised by the EC Proposal.Footnote ²⁰ AI could also take on different roles, whether as a component within a product or larger system or as a standalone system with applications in unlimited environments and purposes. Predicting the risks that AI may pose is therefore an inherently challenging task. Finally, since the development and operation of AI involves multiple and sometimes overlapping actors, attributing the source or cause of liability could be a challenge, especially in complex neural network AI systems. Information asymmetry arises relative to the control of and knowledge about the AI.

EU regulators, explicitly recognising the inherently unique challenges of regulating AI, approach AI regulation not solely by focusing on the characteristics of AI, but by categorising the level of risk that an AI may pose. The EC Proposal includes a risk-based approach to AI in order to determine how AI should be regulated in different cases. The proposal is for four categories of risk, namely:

1. 1) Unacceptable risk, which is banned in the EU since it contravenes basic fundamental rights.Footnote ²¹

2. 2) High risk, which may adversely affect human health and safety or fundamental rightsFootnote ²² protected by the EU Charter of Fundamental Rights (as classified in Article 6(1) and Annex II as well as Article 6(2) and Annex III). Mandatory requirements are imposed on high-risk types of AI and they are assessed to ensure they comply, in which case they are deemed permissible.Footnote ²³

3. 3) Limited risk, which imposes requirements for transparency in certain circumstances so users know it is a machine that they are interacting with.Footnote ²⁴

4. 4) Minimal risk, which allows other types of applications to be legally developed.

Specific rules pertaining to high-risk AI are contained in Title III of the EC Proposal. High-risk AI is classified depending on the AI system’s intended purpose. Annex II contains a list of typologies of AI systems categorised per area of application. Annex III’s amendable list of AI that is of high risk to fundamental rights includes risks that are likely soon to materialise, or have already materialised, coupled with a risk assessment methodology. For fundamental rights to be protected, AI should be unbiased in its decision-making or data assessment in order to prevent discriminatory outcomes. This may not happen where there is limited transparency or understanding of an AI application’s processes.

“Black box” AI is one non-exclusive example of such a lack of transparency and accountability, since the data sample used or decision-making processes may be unclear to human observers. Researchers have also found evidence of obscure or discriminatory outcomes.Footnote ²⁵ Such discriminatory results would breach EU fundamental rights, and these types may be considered high risk and impermissible.

Black box AI refers to AI systems, primarily opaque neural networks, whose inputs and operations are visible neither to the user nor to any other interested party. In other words, a black box is, generally speaking, an impenetrable system. As stated by Bathaee, “modern AI systems are built on machine-learning algorithms that are in many cases functionally black boxes to humans. At present, it poses an immediate threat to intent and causation tests that appear in virtually every field of law. These tests, which assess what is foreseeable or the basis for decisions, will be ineffective when applied to black-box AI”.Footnote ²⁶ This is a problem for liability as it is hard to connect the harm to the developer.

While a black box AI does not necessarily mean that the AI is high risk, a black box AI may pose a threat in the sense that the processes behind black box development are largely self-directed and generally difficult for data scientists and users to interpret.Footnote ²⁷ The algorithms are capable of learning from massive amounts of data. Once those data are processed, the algorithms are capable of making decisions experientially and developing biases in the decision-making process.

There are three ways to address the black box AI issue when it comes to AI liability. The first approach is to create a strict liability regime that places the onus of understanding the source of the liability on the developers and users of AI. A second approach is to prohibit black box AIs altogether. The first and second approaches are similar in that they address the information asymmetry problem by placing the burden on the developer. The drawback to these approaches is the potential for stifling innovation in the midst of an AI race. A third approach is a sandbox regulation that can target the intent, causation and mitigation of liability in specific high-risk scenarios. In this way, the sandbox approach could complement the existing strict liability regime.

Bathaee considers that the solution to the intent and causation problems should not be strict liability or a regulatory framework of granularly defined transparency standards for AI design and use. Both solutions risk stifling innovation and erecting entry barriers, especially for smaller firms. Rather, Bathaee argues that the most suitable solution would be a sliding scale system, which adapts the current regime of causation and intent by relaxing their requirements for liability when AI is allowed to operate autonomously or when AI lacks transparency. On the other hand, the sliding scale system preserves the traditional intent and causation tests when humans supervise AI or when the AI is transparent.Footnote ²⁸

2. Weighing fault-based liability and strict liability in AI regulation

Before delving into the EU’s approach to high-risk AI, it is important to examine the predominant approaches to AI regulation with the hope of better understanding the EU’s legal perspective. The approaches to regulating AI can be divided into two categories: fault-based liability and strict liability. These two theories of liability have competing approaches to allocating the burden and costs of risk knowledge and risk control.

Fault-based liability (negligence) focuses on assessing the level of care based on a legally recognised duty and a corresponding breach and causation.Footnote ²⁹ Actors therefore are incentivised to act within the expected level of care, as determined by courts through policy and cost–benefit analysis, to avoid the risk and cost of liability. Zech notes that a limit in fault-based liability’s regulation of AI lies in the information asymmetry between courts and producers.Footnote ³⁰ In other words, fault-based liability places the risk knowledge on courts, which are not likely to have the same technological and risk knowledge and resources as developers and manufacturers. Zech’s analysis, however, disregards the role of parties and lawyers in an adversarial process. Courts could leverage their judicial authority and ability to shift the burden of proof and presumptions to the parties in the litigation and mitigate the information asymmetry. Zech also notes that the incentive factor to adhere to the level of care may fail in novel technologies such as AI when the actor has no risk knowledge that would allow them to meet the level of care. In other words, information asymmetry could arise between the user and the producer and therefore not allow the user to meet its level of care. Finally, fault-based liability would not cover the risks posed by new technologies that are unforeseeable and therefore could not meet the requirements of legal causation.Footnote ³¹

An alternative to fault-based liability that aims to address the risk posed by information asymmetry is strict liability. When applied to high-risk AI, strict liability imposes the risk, knowledge and costs on the producer and operator of the AI regardless of its conduct. Strict liability essentially internalises the economic risks of AI, which Zech sees as a means of creating public acceptance of AI by eliminating its economic risks.Footnote ³² Zech makes his public acceptance argument under the assumption that AI development and innovation would not flourish without risk controls in place.Footnote ³³ In practice, however, much of the AI innovation thus far has been made without such risk controls and public assurances. Instead, the public has been far too eager to accept the risks, primarily consenting to privacy risks in exchange for free access. Rather, strict liability acts primarily as a means of social risk distribution. As Zech notes, producers will likely conduct a cost-based analysis in a strict liability regime.Footnote ³⁴ This analysis could either limit AI innovation when the liability far exceeds the benefits of the invention or encourage risk-taking when the benefits far exceeds the liability. If the risk and benefit balance is set correctly, strict liability could incentivise producers and operators to make AI safer, assuming of course that they have the capacity to make it so.Footnote ³⁵

Strict liability, however, has significant drawbacks, the most important of which is stifling innovation by deterring companies, especially small start-ups, from taking the risk of liability exposure. What may be a small sum to a large company, which can tolerate such economic costs, could end a small start-up company, which, on the other hand, must rely more on innovation and experimentation with a lower prototype-to-market risk threshold.

Additionally, while strict liability can be justified due to the information asymmetry problem, regulators may overlook the fact that the development of AI requires the cooperation of multiple parties that may separately have information asymmetry amongst themselves concerning data, algorithms or people. Additionally, AI may pose high risks that are unforeseeable to the producers and operators. An example of this is the development of neural networks that essentially act like black boxes, where their processes remain virtually unknown to the developer and operator in terms of various factors. In such circumstances, the strict liability approach is unable to address the information asymmetry dilemma.

The multiple-producer or multiple-operator scenario and the black box scenario could also trigger issues relating to causation. The EU, for example, approaches such a situation in the EC Proposal by shifting the burden of proof onto the producer or operator. This approach, however, will likely favour large companies that already dominate the AI industry since they have leverage over small companies regarding the AI development process and could alternatively shield themselves from liability.

That the EU opted for a strict liability regime exemplifies the information asymmetry concern of EU regulators when it comes to AI. In our view, however, the strict liability approach could mitigate the primary concern of stifling innovation by allowing high-risk AI activities to be tested through a sandbox, which can test the risks of the technology while also allowing for the consideration and adoption of appropriate laws tailored to the specific activities. Such a sandbox approach could complement an existing strict liability approach such as that in the EU. The following sections will argue in favour of this view.

3. What is a sandbox regulation?

A sandbox both enables entrepreneurial development and informs regulatory policy. The “sandbox” concept is particularly utilised in the areas of financial innovation and FinTech, where a regulator enables experimental innovation within a framework of controlled risks and supervision.Footnote ³⁶ This allows a “… form of ‘beta testing’ for financial technology start-ups, where firms may test their financial services technology and other financial products under supervision of the financial services authorities”.Footnote ³⁷ The UK Financial Conduct Authority (FCA) describes it as “a ‘safe space’ in which businesses can test innovative products, services, business models and delivery mechanisms without immediately incurring all the normal regulatory consequences of engaging in the activity in question”.Footnote ³⁸ A sandbox is a “controlled environment or safe space in which FinTech start-ups or other entities at the initial stages of developing innovative projects can launch their businesses under the ‘exemption’ regime in the case of activities that would fall under the umbrella of existing regulations or the ‘not subject’ regime in the case of activities that are not expressly regulated on account of their innovative nature, such as initial coin offerings, crypto currency transactions, asset tokenisation, etc.”.Footnote ³⁹

Sandboxes offer several advantages to technology developers, including the ability to verify and demonstrate an innovative technology by testing it in a live environment with real consumers.Footnote ⁴⁰ Direct communication between developers and regulators creates a more cohesive and supportive industry. Successive trial-and-error testing within a controlled environment mitigates the risks and unintended consequences such as unseen security flaws when a new technology gains market adoption. It is in this context, for instance, that the financial sector implemented regulatory sandboxes to avoid such flaws given the importance of this sector to any global economy.Footnote ⁴¹ Hence, similar reasoning should follow when it comes to AI activities.

A supplementary goal of the sandbox is for regulators themselves to learn and understand the product or service better.Footnote ⁴² This allows regulators to develop policy and regulations to accommodate, supervise and control sectoral innovation within and outside of the sandbox. Regulations tested within the sandbox can determine the most appropriate framework for real-world regulations outside of the sandbox. Updating regulations and ending regulatory uncertainty would make the jurisdiction a more attractive destination for technology developers and investors. Quan warns that “regulatory uncertainty is the result of outdated regulations unable to catch up with innovation. Regulatory fear, on the other hand, is caused by risk-averse regulators unwilling or unable to green-light novel products that may be perfectly compliant with regulations”.Footnote ⁴³ Sound innovation can be promoted through a flexible regulatory regime, where regulators can provide guidance. Truby explains that “[r]ather than only regulating financial technology to keep it in line with other types of financial activities, legitimising sound and legally compatible business and financing structures and activities involved to facilitate their growth, may offer substantial opportunities for economic development. This can be done whilst retaining both supervisory control, and investor and client protections”.Footnote ⁴⁴ Deloitte, in 2018, in collaboration with Innovate Finance, interviewed several firms that have been through or were still going through the FCA’s sandbox to seek their views on their journey.Footnote ⁴⁵ The main conclusions are that regulation is no longer a barrier to innovation given the various benefits of the sandbox, but there remains room for improvement.

Multiple jurisdictions have experimented with sandboxing, typically in the financial innovation sector.Footnote ⁴⁶ The FCA is credited with creating the first formal regulatory sandbox and propagating the concept throughout the world.Footnote ⁴⁷ Since the FCA launched its FCA sandbox in 2016, it has supported more than 700 firms and increased their average speed to market by 40% compared with the regulator’s standard authorisation time. The FCA’s sandbox recently opened applications for cohort 7 (a clear proof of its success), and it is currently open to authorised and unauthorised firms that require authorisation and technology businesses that want to deliver innovation in the UK financial services market.

A number of other major jurisdictions are seeking to follow suit in order to capitalise on the fast-growing FinTech sector. In the USA, the Consumer Financial Protection Bureau (CFPB) was the first regulatory agency to set up a dedicated FinTech office to study FinTech and to help promote consumer-friendly innovation. Another very successful regulatory sandbox is that of Singapore, which takes a more innovator-centred approach than the UK prototype in terms of lower entry barriers and a greater emphasis on industry benefits.Footnote ⁴⁸ The Monetary Authority of Singapore (MAS) published its guidelines for the financial regulatory sandbox in June 2016.Footnote ⁴⁹ The regulatory sandbox of MAS aims to transform Singapore into the centre of the smart finance industry. Sandbox entities are freed from the administrative and financial burdens imposed under ordinary compliance processes, and they are also entitled to a broader testing ground (whereas licensed operators may reach out only to a limited group of clients), an element that is crucial for refining their core technologies.

As jurisdictions rush to develop their sandboxes, Quan cautions on the importance of properly implementing a sandbox, as “too often sandboxes are misunderstood, misused, or mismanaged. Regulatory agencies should use sandboxes to keep up to date with fast-paced innovation and promote market competition without sacrificing consumer protection. Real innovation-minded regulatory agencies see sandboxes as means, not ends”.Footnote ⁵⁰

This is of the utmost importance as scholars and international bodies have raised concerns regarding the use of regulatory sandboxes. For instance, Allen argues in the context of financial regulations that as “competition among countries for fintech business intensifies, the phenomena of regulatory arbitrage and race to the bottom are likely to drive the regulatory sandbox model toward further deregulation and disincentivise vital information sharing among financial regulators about new technologies”.Footnote ⁵¹ Meanwhile Ahern argues that “pressure on regulators to produce sandbox successes and to compete with other sandboxes may influence the exercise of regulatory discretion and produce regulatory distortions that affect competition in FinTech markets”.Footnote ⁵² In contrast to those supporting regulatory sandboxes, many experts strongly oppose regulatory sandboxes, seeing them as actually slowing down and halting innovation.Footnote ⁵³ Indeed, practical challenges facing regulatory sandboxes have been noticed. For instance, consumers may perceive products tested in the context of a sandbox as if authorities have endorsed them, which in turn has negative legal consequences.Footnote ⁵⁴

Additionally, competing sandboxes treat the issue of liability in different ways, and some are silent on the matter. Generally, sandboxes only exclude businesses from enforcement action by the financial regulator and not from consumer liability.Footnote ⁵⁵ National laws on liability usually still apply.Footnote ⁵⁶

These are some of the shortcomings mentioned in the literature, while many more exist. AI innovation presents many opportunities and uncertainties, especially with uses of AI that are considered to be more dangerous, such as AI algorithmic experimentation (automated and black box AI).Footnote ⁵⁷

1. Overview

The European Parliamentary Research Service published a study establishing the case for regulating the civil liability of AI at the EU level, reporting that not doing so would “potentially discourage innovation, increase prices for consumers, substantially increase administrative costs for public administrations and judicial bodies and ultimately even challenge the social desirability of the overall liability system”.Footnote ⁵⁸ The Council of the European Union (Council) further set out the risks of AI applications to fundamental rights in the EU, establishing the need for regulatory intervention.Footnote ⁵⁹

The Council has adopted conclusions on Regulatory Sandboxes and Experimentation Clauses as tools for an innovation-friendly, future-proof and resilient regulatory framework that masters disruptive challenges in the digital age.Footnote ⁶⁰ Having examined potential regulatory frameworks for AI, the EP proposed new rules for the Commission to adopt.Footnote ⁶¹ The first two EP Resolutions related to the creation of a framework on ethical aspects of AI, robotics and related technologies,Footnote ⁶² as well as a civil liability regime.Footnote ⁶³ A further Resolution on intellectual property rights (IPRs)Footnote ⁶⁴ and the Resolution of the Council on regulatory sandboxes and experimentation clausesFootnote ⁶⁵ call for the adoption of new regulations.

The AI Resolution offers a long list of required ethical principles such as “human dignity, autonomy and safety … social inclusion, democracy, plurality, solidarity, fairness, equality and cooperation …”.Footnote ⁶⁶ The Resolution on civil liability regime for AI provides a brief overview of the concept of civil liability and focuses on imposing strict liability for high-risk AI systems, determining the amount and extent of compensation and the limitation period. It also includes provisions on fault-based liability for other AI systems, national provisions on compensation and limitation periods, contributory negligence, joint and several liability, etc.Footnote ⁶⁷ Assessing the interplay between IPRs and AI, the Council Conclusions calls the EC to encourage the exchange of “information and good practices regarding regulatory sandboxes” between Member States,Footnote ⁶⁸ for various purposes. These include determining the current use of regulatory sandboxes in the EUFootnote ⁶⁹ and identifying “experiences regarding the legal basis, implementation and evaluation of regulatory sandboxes”.Footnote ⁷⁰ Based on these efforts, the EC ultimately issued its Artificial Intelligence Act and Amending Certain Union Legislative Acts in April 2021.Footnote ⁷¹

The most recent EC Proposal creates new harmonised rules for the regulation of AI while prohibiting the use of certain AI practices. It also imposes specific requirements related to high-risk AI systems and those operating them and lays down harmonised rules for transparency, market monitoring and surveillance.Footnote ⁷² The proposal presents a holistic and comprehensive regulation that covers, in addition to the issues mentioned above, governance structure, implementation of the regulation and the creation of codes of conduct.Footnote ⁷³ Of particular interest for purposes of this paper is the addition of the AI regulatory sandbox.

2. The EU’s strict liability regime for AI

The EU does not have a specific liability regime applicable to AI, as the main applicable legislation is the EU Product Liability Directive (PLD), while national liability and damage rules apply in case of accidents. Despite its importance, the PLD is seen as a limited instrument when applied to advanced technologies such as AI systems. The main issues of contention are related to its scope, the definition of the notion of defect, the types of damages covered, the scope of liable persons and the exemptions and defences. Consequently, it was concluded that current EU secondary law related to liability is insufficient when it comes to its application to AI, be it for covering already existing areas within EU law or emerging risks not covered by European regulations.Footnote ⁷⁴ Moreover, the national liability rules vary across states and jurisdictions where fault-based liability and strict liability are applicable. In this context, strict liability applies to “damages caused by things, dangerous activities, animals and vicarious liability”.Footnote ⁷⁵ States either adopted general and flexible strict liability provisions or “exhaustive, closed lists, or no provisions on strict liability for the analysed group of situations”, which is considered narrow. Given this reality, there was a need to adopt new liability rules applicable to AI.Footnote ⁷⁶ These rules were adopted recently by the EC, though as proposals that require the approval of the EP. As such, they represent a first step towards a legally binding regulation on liability of AI.

The EP Resolution on a civil liability regime for AI proposes strict liability for high-risk AI systems, including damage or harm resulting from a “physical or virtual activity, device or process driven” by a high-risk AI system. The list of these systems and critical sectors is annexed to the Resolution and can be amended by the EC. Operators will still be held liable even when acting with due diligence or when the damage occurred by “an autonomous activity, device or process driven by their AI-system”, although force majeure is excluded.Footnote ⁷⁷ The frontend operator has the responsibility to cover the operations with an adequate liability insurance and the backend operator must cover its services with an adequate business liability or product liability insurance in accordance with the compensation articles of this regulation. The requirement of purchasing insurance shall be considered as satisfied upon the condition that compulsory insurance regimes and voluntary corporate insurance funds “cover the amounts and the extent of compensation” stipulated within the regulation. This law takes primacy over national laws in case of “conflicting strict liability classification of AI-systems”.Footnote ⁷⁸ The draft regulation made a distinction between high-risk AI systems, where strict liability applies, and other low-risk AI systems, where fault-based liability applies.Footnote ⁷⁹

The EP justified the use of strict liability rules by noting the need to protect the general public from high-risk autonomous AI systems.Footnote ⁸⁰ It also emphasised the need for a “common strict liability regime for those high-risk autonomous AI-systems”.Footnote ⁸¹ The EP further underlined the need for clear criteria and definition of the term “high risk” given the existence of various levels of risks.Footnote ⁸² The EP considered that the default position for an AI system not yet classified as high risk should be “subject to strict liability if it caused repeated incidents resulting in serious harm or damage”.Footnote ⁸³

The Resolution on the framework of the ethical aspects of AI, robotics and related technologies examined the issue of liability and even high-risk AI systems without, however, discussing strict liability.Footnote ⁸⁴ The Resolution on AI IPRs did not mention strict liability and only mentioned liability once, noting that AI and the associated technologies used for the “determination of liability for infringements of IPRs cannot be a substitute for human review carried out on a case-by-case basis …”.Footnote ⁸⁵ The Council Conclusions on Regulatory sandboxes and experimentation clauses did not mention the issue of liability or strict liability at all in the document.Footnote ⁸⁶

Although the EC Proposal does not explicitly refer to strict liability, the latter mentions liability in specific provisions.Footnote ⁸⁷ Moreover, the extremely detailed and numerous provisions adopted within this proposal addressing high-risk AI systems highlights the influence of the previous EU regulations, mainly the one on civil liability, as the proposal creating clear, direct and detailed rules concerning high-risk AI systems that must be complied with. These provisions, for instance, are related to classification rules for high-risk AI systems, risk management systems, transparency and provision of information to users, human oversight, obligations of providers of high-risk AI systems, obligations of product manufacturers, obligations of importers, obligations of distributors and obligations of users of high-risk AI systems.Footnote ⁸⁸

These rules should apply to physical or virtual AI that harms or damages life, health, physical integrity and/or property or that causes significant immaterial harm if it results in a verifiable economic loss. Despite admitting that high-risk AI activities are still rare, the members of the EP believe that their operators should hold insurance similar to that used for motor vehicles.

The EU’s concern towards liability is not new, though, since it has been a recurring topic these last few years. In November 2019, the EC published a report on AI, new technologies and liability: the “Liability for Artificial Intelligence and Other Emerging Digital Technologies” report.Footnote ⁸⁹ This report contained several recommendations, such as the default rule of strict liability for certain operators as well as producers for defects in products or digital content incorporating emerging digital technology. The possibility of giving legal personhood to AI systems was also rejected.

The most important findings of this report is on how liability regimes should be designed (and changed if necessary).Footnote ⁹⁰ A person is held strictly liable for harm or damage occurring from the use of a permissible technology that poses an increasing risk of harm. In case a service provider providing technical expertise has more control than the “owner or user of an actual product or service equipped with AI”, this reality should be considered when figuring out who operates the technology. A person still needs to “properly select, operate, monitor and maintain the technology in use” even when there is no increased risk of harm where liability will occur in case of failure to fulfil these duties. The certain degree of autonomy that a technology may have does not exonerate a person from liability. Manufacturers of products or digital content involving digital technology are held liable for damage in case of product defects even when the defect occurs when the product is with the producer. The report recognises the information asymmetry and the difficulty in the victim proving liability due to the technology used. Finally, there is no need for granting legal personality to devices or autonomous systems as only persons and bodies can be held liable for any harm.Footnote ⁹¹

The importance of liability was also highlighted in the EC’s White Paper on Artificial Intelligence (“White Paper on Artificial Intelligence – A European Approach to Excellence and Trust”),Footnote ⁹² as well as in its associated Report on Safety and Liability (“Report on the Safety and Liability Implications of AI, the Internet of Things and Robotics”).Footnote ⁹³ The White Paper proposed the adoption of a regulatory framework for high-risk AI systems, which will have to comply with several requirements. Even though the White Paper does not address the issue of liability and AI thoroughly, it acknowledges that there is a need to improve the legal framework in order to better assign responsibilities between the actors.Footnote ⁹⁴ The liability framework may be challenged by AI systems, limiting their effectiveness. Yet an equal level of protection must be provided to those suffering an injury or damage because of AI systems, similarly to other technologies. The White Paper concludes by providing an overview of the various AI benefits for “citizens, companies and society as a whole, provided it is human-centric, ethical, sustainable and respects fundamental rights and values”, while emphasising the need to “develop and reinforce the necessary industrial and technological capacities” of the Union.Footnote ⁹⁵

The associated Report on Safety and Liability goes further by focusing on the following areas, mainly: (1) establishing a strict liability regime for AI systems with a “specific risk profile” and coupling it with a mandatory insurance requirement; (2) examining the question of whether or not to adapt the burden of proof regarding fault and causation for other AI systems (eg those with a low risk) – the EC thus considers a differentiated liability approach depending on the level of risk posed by AI systems; and (3) considering reversing or alleviating the burden of proof required by national rules “for damage caused by the operation of AI-systems, through an appropriate EU initiative”. The Report proposes a risk-based approach to liability given the emerging challenges raised by AI and related technologies. The Report proposes “certain adjustments to the Product Liability Directive and national liability regimes through appropriate EU initiatives … on a targeted, risk-based approach, i.e. taking into account that different AI applications pose different risks”.Footnote ⁹⁶

The White Paper identified the importance and need to adopt a common approach at the EU level. Consequently, the JURI Committee of the EP made available its Draft Report with Recommendations to the EC on a Civil Liability Regime for AI in April 2020.Footnote ⁹⁷ The latest draft set of harmonised rules could serve as a basis for a future legislative initiative by the EC.

The Draft Report creates a twofold liability regime depending on the risk of the AI system. High-risk systems are subject to a strict liability regime in which the deployer of the system is liable without fault (Article 4.1). Low-risk systems remain subject to fault-based liability only targeting the deployer (Article 8.1). The report had other key elements. All of the elements of the report were later included within the civil liability framework initiative adopted in October 2020 and examined previously.

3. The role of sandboxes in the EC Proposal

Under Title V, Articles 53–55,Footnote ⁹⁸ the EC Proposal explicitly adds sandbox regulation to AI liability regulation within the EU. Article 53 essentially defines a regulatory sandbox as “a controlled environment that facilitates the development, testing and validation of innovative AI systems for a limited time before their placement on the market or putting into service pursuant to a specific plan”.Footnote ⁹⁹ To understand better the role of sandboxes in the EC Proposal, it is perhaps important to revisit prior proposals and recommendations made in the EU concerning the role of a regulatory sandbox in AI regulation.

In the EU, some authors have proposed the creation of an EU-level regulatory sandbox, which would make EU Member States, collectively, a more attractive destination for innovation.Footnote ¹⁰⁰ In this sense, the Expert Group on Regulatory Obstacles to Financial Innovation recommended that the EC and the European Supervisory Authorities (ESAs) should further consider the establishment of an EU-level regulatory sandbox. The EU Digital Finance Strategy envisages the development of a “procedural framework for launching cross-border testing and other mechanisms facilitating firms’ interaction with supervisors from different Member States” by mid-2021. Related to this, the 2019 ESAs Joint Report identified a set of principles for the establishment and operation of regulatory sandboxes.Footnote ¹⁰¹ These principles include several requirements such as having “clearly defined and published eligibility criteria for entry” and “clearly defined and published key information which needs to be submitted by the companies in support for the application to participate in the regulatory sandbox”.Footnote ¹⁰²

The idea of using a regulatory AI sandbox in the EU is not an entirely novel concept. Outside of the EU, both the UK (see Section III.4 below) and Norway have developed AI sandboxes. The Norwegian Data Protection Agency developed a data-focused sandbox as part of its National Strategy for AI,Footnote ¹⁰³ to ensure ethical and responsible use of data. The aim is to increase supervision of data usage and to inform policy development.

In January 2020, the EC organised a series of workshops to refine further the concept of reference Testing and Experimentation Facilities (TEFs) for AI with the help of the invited experts and national delegations. In the upcoming Digital Europe Programme 2021–2022, the EC will launch calls to create these TEFs. The idea of creating sandboxes was discussed during these workshops. Furthermore, the EC Communication “Coordinated Plan on Artificial Intelligence” from 2018Footnote ¹⁰⁴ referred to sandboxes, stating the need to establish “world-reference testing facilities” to test and experiment with new technologies in the real world in various areas such as “mobility, healthcare, manufacturing, agro-food or security”, while limiting the “number of specialised large-scale reference sites” across the EU. The suggested facilities can have regulatory sandboxes in specific areas where the law can be flexible for the duration of the sandbox. The Communication only made reference to “large-scale testing facilities” in some specific AI areas, but no mention was made of high-risk AI.Footnote ¹⁰⁵

Both the EC and the EP had taken matters a step further when recognising regulatory sandboxing as a highly desirable tool for coping with the regulatory challenges presented by new technologies, especially AI. The EC did so in its Coordinated Plan on Artificial Intelligence,Footnote ¹⁰⁶ while the EP did so in its Resolution of 12 February 2019 on a comprehensive European industrial policy on AI and robotics (2018/2088(INI)).Footnote ¹⁰⁷ The Resolution states the need for a “deeper understanding of the technology and [to] integrate it into their daily life” given the importance of social acceptance for the future of AI where effective communication is vital. Indeed, public awareness of AI affects it acceptance, emphasising the need for the EC and Member States to share credible information. To that end, the Resolution encouraged the use of AI-specific regulatory sandboxes to introduce “innovative new ideas, allowing safeguards to be built into the technology from the start, thus facilitating and encouraging its market entry” and to “test the safe and effective use of AI technologies in a real-world environment”.Footnote ¹⁰⁸

In its current state, the EC Proposal does not mandate Member States to create sandboxes, but rather encourages the competent authorities of Member States to create regulatory sandboxes, including their basic framework of facilitating the development, experimentation and testing of AI innovations under strict supervision.Footnote ¹⁰⁹ The framework would include the governance, supervision and liability of sandbox participants. The EU views such a sandbox as a pre-market deployment phase, but it does not exempt sandbox participants from AI liability. The EC also envisages the creation of common rules and a framework for the implementation of regulatory sandboxes across the relevant Member State authorities.Footnote ¹¹⁰ Notably, the conduct of sandbox participants could be taken into account when determining the imposition of fines under the General Data Protection Regulation (GDPR).Footnote ¹¹¹

4. Limitations of the EC Proposal’s sandbox

The EC Proposal’s sandbox approach suffers from three important limitations. The first two stem from its failure to address the need to balance liability protection and innovative experimentation for participants while in the sandbox and before market placement. First, the continued imposition of liability under Article 53(4) means that the sandbox only provides an exemption from regulatory compliance. While developers should not be allowed to use the sandbox as a shield to liability, imposing the same liability regime on sandbox participation could lead to limiting innovation. Second, the EC Proposal’s sandbox could create a false perception of safety and compliance in the market. Third, the EC Proposal’s sandbox could lead to uncertainty and confusion in the market since it is not mandatory to, and not necessarily uniform among, EU states.

The EU appears to have chosen the pure strict liability approach, which could restrict innovation in the field of AI, and it applies the same approach in the sandbox environment. As mentioned earlier, the recent EU civil liability framework for AI makes those operating high-risk AI strictly liable for any resulting damage.Footnote ¹¹² Meanwhile, the EC’s legislative proposal has even imposed liability when establishing a regulatory sandbox even though it is not clear whether such liability is strict.Footnote ¹¹³

In other words, the EU approach gives a nod to sandboxes, recognising their utility in fostering innovation, but with limited protection from potential liability. The EC Proposal holds AI sandbox participants liable and thereby creates a sandbox regulatory environment that remains subject to AI strict liability. While liability exemption for regulatory sandboxes is not the norm even in FinTech, the lack of liability protection in AI sandboxes becomes more prominent because of the unlimited application of AI and its unforeseen risks, making liability testing even more important than regulatory compliance in AI sandboxes than in FinTech sandboxes.

As it is, the EC Proposal would offer a lowered incentive for AI developers to participate in the sandbox since doing so would only subject the developer to the exposure of trade secrets and algorithms and added regulatory compliance, without the benefit of a moratorium on strict liability. In this way, the AI sandbox may inadvertently lead to stifling innovation. In other words, the role of the sandbox in development, testing and validation is only for the purposes of regulatory compliance rather than to assess the AI innovation’s exposure to potential liability.

In the instance that an AI innovation passes the sandbox regulatory requirements, it is given the stamp of approval to proceed to market placement. However, this stamp of approval does not mean that the AI system does not pose a liability risk. In this scenario, the AI sandbox creates a false perception of protection since it creates the appearance that an AI system that has gone through an AI sandbox no longer poses a threat to fundamental rights and safety. In reality, an AI system could meet regulatory compliance but could lead to unforeseen liability risks, or it could evolve into a high-risk AI through unanticipated applications. The EC Proposal’s sandbox essentially only offers a limited timeframe in which to determine AI innovations’ regulatory compliance before market placement.

According to Article 53 of the EC Proposal, one or more EU states may establish an AI regulatory sandbox, thereby allowing for different sandbox frameworks and implementations.Footnote ¹¹⁴ These various AI sandboxes need to coordinate and cooperate with the European Artificial Intelligence Board and set out implementing acts, which will later lead to common implementing rules and frameworks.Footnote ¹¹⁵

Yordanova remains cautious about the applicability of an AI regulatory sandbox in the EU when it remains unclear “how a national regulator can fully participate in a regulatory sandbox when the area of regulation falls partly or entirely under EU’s competences”.Footnote ¹¹⁶ This issue needs to be fully resolved in the future, though the EC Proposal seems to leave the sandbox regulation to the primary domain of Member States, especially by not making it mandatory. Additionally, the EC Proposal envisages the creation of a common regulatory sandbox implementing rules and frameworks that would very likely require the participation and input of the various competent authorities of Member States. Still, Yordanova’s criticism persists, as it remains to be seen whether the competent authorities of Member States can agree on a common implementation and framework that combines both EU and Member State rules. It may also be possible for some Member States not to implement a regulatory sandbox. Since the implementation of the sandbox is not uniform among and not mandatory to EU states, the EC Proposal’s sandbox regulation could create confusion in the market. It could also encourage AI developers to choose EU states with less stringent sandbox regimes, at least for the purposes of regulatory compliance.

The “black box” problem in AI exemplifies one type of high-risk AI that would be ideal for analysis through sandboxing, as the results can be studied in a controlled environment. This is also an example of where sandbox regulation may be a more effective approach than a pure strict liability regime. However, the sandbox can only address the black box problem when the sandbox regulation aims to exempt AI innovation from both regulatory compliance and liability exposure while within the oversight and control of the sandbox regulators. Furthermore, since the black box AI would likely have use and application across the EU, thus its sandbox regulation should likewise be supervised at the EU level rather than through different national approaches and priorities.

1. Assessing the benefits of sandboxes: the case of the UK ICO

The UK ICO developed a regulatory sandbox as a service “to support organisations who are creating products and services which utilise personal data in innovative and safe ways”.Footnote ¹¹⁷ Those participating engage with the sandbox team to benefit from the ICO’s expertise and so on. It is worth mentioning that the sandbox is a “free, professional, fully functioning service for organisations, of varying types and sizes, across a number of sectors”.Footnote ¹¹⁸ There are many benefits to organisations taking part in this sandbox. These include: “1) access to ICO expertise and support; 2) increased confidence in the compliance of your finished product or service; 3) a better understanding of the data protection frameworks and how these affect your business; 4) being seen as accountable and proactive in your approach to data protection, by customers, other organisations and the ICO, leading to increased consumer trust in your organisation; 5) the opportunity to inform future ICO guidance; 6) supporting the UK in its ambition to be an innovative economy; and 7) contributing to the development of products and services that can be shown to be of value to the public”.Footnote ¹¹⁹ The ICO has specific key areas of focus that are “innovations related to the Age Appropriate Design Code” and “innovations related to data sharing, particularly in the areas of health, central government, finance, higher and further education or law enforcement”.Footnote ¹²⁰ The ICO is currently accepting expressions of interest from organisations innovating in these key areas where substantial public benefits can be proven.Footnote ¹²¹ The importance of this regulatory sandbox is highlighted through the previous participants who benefitted from the regulatory sandbox, which include Future Flow Research, Inc., Onfido Limited, Heathrow Airport Limited, JISC – Wellbeing Code of Practice and Novartis Pharmaceuticals UK Limited.Footnote ¹²²

The ICO along with the Alan Turing Institute established guidance providing “organisations practical advice to help explain the processes, services and decisions delivered or assisted by AI, to the individuals affected by them”. This guidance was developed as organisations are using AI for supporting or making decisions concerning individuals.Footnote ¹²³ The guidance is necessary given the need to balance legal compliance while realising the benefits of AI.Footnote ¹²⁴ In fact, there is a need to clarify “how to apply data protection provisions associated with explaining AI decisions, as well as highlighting other relevant legal regimes outside the ICO’s remit”.Footnote ¹²⁵ The guidance supports organisations with the “practicalities of explaining AI-assisted decisions and providing explanations to individuals”.Footnote ¹²⁶ The guidance allows organisations to “1) select the appropriate explanation for your sector and use case; 2) choose an appropriately explainable model; and 3) use certain tools to extract explanations from less interpretable models”.Footnote ¹²⁷ The actors that will find the guidance useful are technical and compliance teams, among others. The guidance was issued given the government’s commitment with regards to AI’s Sector Deal.Footnote ¹²⁸ A number of tasks are set up to “design and deploy appropriately explainable AI systems and to assist in providing clarification of the results these systems produce to a range of affected individuals (from operators, implementers, and auditors to decision recipients)”.Footnote ¹²⁹ These are: (1) selecting “priority explanations by considering the domain, use case and impact on the individual”; (2) collecting and pre-processing “data in an explanation-aware manner”; (3) building the “system to ensure you are able to extract relevant information for a range of explanation types”; (4) translating the “rationale of your system’s results into useable and easily understandable reasons”; (5) preparing “implementers to deploy your AI system”; and (6) considering “how to build and present your explanation”.Footnote ¹³⁰ In summary, the guidance “covers the various roles, policies, procedures and documentation that you can put in place to ensure your organisation is set up to provide meaningful explanations to affected individuals”.Footnote ¹³¹ The ICO’s shift in its regulatory sandbox to cover organisations looking to use AI highlights the great potential that is seen when it comes to regulating AI through sandbox regulation, especially as this move complies with the UK’s commitment to invest in and regulate the AI sector. Although this guidance is still at the nascent stage and is not binding, it sends the message that sandboxes, as a mechanism, can be appropriate for the regulation of AI.

Indeed, several of those who participated in the ICO’s regulatory sandbox highlighted a great level of satisfaction. Novartis’ participation in the sandbox helped it to understand voice technology and its risks.Footnote ¹³² Similarly, the Greater London Authority was capable of reviewing the processes and documentation associated with its SafeStats data portal, demonstrating to the “public, stakeholders and data-providing organisations that they are cognisant of legal requirements in handling, processing and sharing of personal data; with the relevant and necessary procedures and requirements in place”.Footnote ¹³³ Moreover, the participation of the Ministry of Housing, Communities and Local Government enabled it to understand how public authorities can conduct complex data-sharing activities while complying with data protection law. This participation emphasised the importance of establishing key dependencies related to “clear legal powers/gateways to use data and upfront commitments from partners to permit the use of the essential data that they hold”.Footnote ¹³⁴ Finally, the participation of Tonic Analytics demonstrated their commitment to using innovative technology to provide “new insights and actionable intelligence to improve the way that law enforcement organisations, public sector agencies, local authorities and the private sector can collaboratively tackle crime and safety challenges on the roads in a compliant and secure manner while maintaining individual’ [sic] rights to data protection and privacy”.Footnote ¹³⁵

2. A proposal for regulating AI applications: strict liability complemented by sandboxes

Sandbox regulation offers the possibility of controlling AI development. This would mean applying the concept of FinTech sandbox regulations to AI algorithmic experimentation, which would solve a few issues, namely:

1. 1) It would help avoid the stifling of innovation that may occur in a strict liability regime, since the sandbox would not restrict experimentation in high-risk areas of AI such as black box AI, allowing the technology to be tested within supervised limits to understand its impact on the market and society.

2. 2) The concerns that most EU lawmakers have when it comes to high-risk AI would be heard, in the sense that we would not be freely allowing high-risk AI experimentation, but rather conducting it in a safeguarded and controlled regulatory environment. Risk management of disruptive technologies is one of the main reasons for the existence of a sandbox.

3. 3) It would nevertheless be challenging to design a regulatory environment that is flexible enough to accommodate new changes to markets and that, at the same time, can create regulatory certainty for all market participants.Footnote ¹³⁶

4. 4) The sandbox would allow for the mitigation of risks and costs posed by a strict liability regime on producers and operators.

Notably, the European Council itself has determined that both regulatory sandboxes and experimentation clauses have practical uses beyond FinTech, and in technological growth generally. On 16 November 2020, the European Council published its Conclusions on Regulatory Sandboxes and Experimentation Clauses as Tools for an Innovation-Friendly, Future-Proof and Resilient Regulatory Framework that Masters Disruptive Challenges in the Digital Age.Footnote ¹³⁷ Through this document, the Council encourages the EC to continue considering the use of experimentation clauses on a case-by-case basis when drafting and reviewing legislation, as well as to evaluate the use of experimentation clauses in ex post evaluations and fitness checks on the basis of an exchange of information with Member States. Conclusion Number 8 defines regulatory sandboxes as “concrete frameworks which, by providing a structured context for experimentation, enable where appropriate in a real-world environment the testing of innovative technologies, products, services or approaches – at the moment especially in the context of digitalisation – for a limited time and in a limited part of a sector or area under regulatory supervision ensuring that appropriate safeguards are in place”.Footnote ¹³⁸ On the other hand, Conclusion Number 9 defines experimentation clauses as “legal provisions which enable the authorities tasked with implementing and enforcing the legislation to exercise on a case-by-case basis a degree of flexibility in relation to testing innovative technologies, products, services or approaches”.Footnote ¹³⁹

The Council demonstrates its keenness not to waste time in the pursuit of economic competition through technological innovation. It called upon the EC to present the findings of this evaluation, followed by practical recommendations for the possible future use of regulatory sandboxes and experimentation clauses at the EU level. These Conclusions seem consistent with the other two documents previously analysed – the Coordinated Plan on Artificial IntelligenceFootnote ¹⁴⁰ and the Resolution of 12 February 2019 on a comprehensive European industrial policy on AI and robotics (2018/2088(INI))Footnote ¹⁴¹ – since it insists on the opportunities offered by regulatory sandboxes.

In these Conclusions, the Council affirms that regulatory sandboxes can offer relevant opportunities, particularly for innovation and growth, and especially for SMEs, micro-enterprises and start-ups. This is consistent with Conclusion Number 2, in which the Council states that, in order for the EU to emerge stronger after the COVID-19 crisis, “the EU regulatory framework needs to be as competitive, effective, efficient, coherent, predictable, innovation-friendly, future-proof, sustainable and resilient as possible. It needs to be evidence-based and has to protect and support both citizens and businesses in the context of the aim of a fully functioning EU Single Market without imposing new unnecessary burdens and while reducing existing unnecessary burdens”.Footnote ¹⁴² The Council clearly envisions that technological competition is essential to driving growth, and it recognises the need to eliminate barriers and burdens for firms. Nevertheless, the strict liability approach was chosen given the human-centric focus that the EU legislator is emphasising for the adoption of ethical AI and for protecting citizens. Hence, the legislator is seeking to strike a balance between innovation and regulation through strict liability but also sandbox regulations fostering innovation.

Most recently, the EC Proposal laying down harmonised rules on AI (Artificial Intelligence Act) and amending certain Union legislative acts includes provisions on the use of sandboxes for the regulation of AI. Accordingly, such regulatory sandboxes can be established by a single or several Member States or the European Data Protection Supervisor. The regulatory sandbox can only occur if it is supervised and guided by the competent authorities and in accordance with the existing regulations applicable to sandboxes at the EU and national level.Footnote ¹⁴³ An emphasis on the role of national authorities is made, especially on ensuring that the supervisory and corrective powers of the competent authorities are not affected. Moreover, mitigation and even suspension actions must be taken in case of risks to health and safety and to fundamental rights.Footnote ¹⁴⁴ Other elements related to regulatory sandboxes are also included, such as the “Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox”Footnote ¹⁴⁵ and the provision of “small-scale providers and start-ups with priority access to the AI regulatory sandboxes to the extent that they fulfil the eligibility conditions”.Footnote ¹⁴⁶

More importantly, the proposal explicitly mentions that participation in a sandbox experiment does not exempt a participant from liability, but rather remains liable under EU and Member State liability legislations.Footnote ¹⁴⁷ This is very important, as sandbox participation cannot become a shield from liability. The EU’s policy approach to AI sandboxing, while focusing on limiting any potential abuses of using the sandbox as a liability shield, could be criticised for eroding the very essence of sandbox regulation. It may be a more prudent approach to create a different set of liability regulations under the sandbox or to exempt certain types of high-risk AI technology from participating in the sandbox. Another option is to create a fault-based liability while participating within the sandbox or to lower the level of risk for experimenting on AI applications within the sandbox. One can argue that participation in a supervised sandbox justifies the lowering of the risk level from a high risk, for example, to that of limited risk. It remains unclear whether participation in the sandbox could be a defence or mitigating factor against strict liability, as conduct in the sandbox can be a factor when imposing fines under the GDPR.

The EU approach could send the wrong message and discourage some producers and operators from participating in an AI sandbox, at the very least due to the uncertainty in liability that could diminish any potential upsides. After all, sandbox participation is not without risks. As examples, it exposes the developer to compliance and setup costs, an added layer of regulatory supervision, and it exposes the AI technology to regulators and third parties. In exchange for these risks, a regulatory sandbox should minimise regulatory constraints, lower the risk of regulatory enforcement and liability and provide ongoing guidance from regulators. Despite all of the efforts made in clarifying high-risk AI liability in the EC Proposal, the EC could have further clarified the interplay between strict liability and the regulatory sandbox. Hence, even though the EU approach seems to focus on striking a balance between innovation and regulation, not creating liability protections or at least clarifying liability protection benefits within the regulatory sandbox creates uncertainty and substantially weakens the adoption of a sandbox approach. Rather, further details on the regulatory and liability benefits to sandbox participant and AI experimentation activities within the sandbox ought to be added. Additionally, the determination of an AI’s classification as high risk should be made after a determination of AI experts and sandbox regulators of the results of the AI experimentations.

Strict liability in particular would be more costly to SME producers and operators as a regulatory regime in this context. The EC Proposal recognises this reality when adopting the regulatory sandbox provisions by giving priority access, organising awareness activities and creating dedicated communication channels to small-scale providers under Article 55(1).Footnote ¹⁴⁸ The Explanatory Memorandum to the EC Proposal (Sections 1.1 and 3.2) explains that the AI regulatory sandbox could be useful for the promotion of AI and aims to reduce the regulatory burden on SMEs and start-ups.Footnote ¹⁴⁹ The proposed regulatory sandboxes are also obligated to consider the interests of SMEs when setting compliance fees under Article 55(2).Footnote ¹⁵⁰

Strict liability transfers the cost of risk knowledge and risk control from the user primarily to producers and operators (whether backend or frontend operators), who are deemed to control the risk.Footnote ¹⁵¹ The cost of compliance, development and liability will increase significantly for producers and operators. This allocation of risks and costs will likely result in the stifling of innovation, especially for SMEs that cannot afford the cost of the risks in a strict liability regime. SMEs may also face barriers to entry, for example, for procedures on full quality compliance.Footnote ¹⁵² These SMEs are already at a disadvantage, according to Bathaee, since AI resources are already concentrated in a few large companies.Footnote ¹⁵³ SMEs that lack significant funds will likely stay away from AI development, especially when taking into account that AI liability total compliance costs account for an estimated 17% of total AI investment costs, although this figure is likely higher for SMEs than large companies due to economies of scale.Footnote ¹⁵⁴ Furthermore, large companies are in a better position to absorb the costs of a strict liability regime and are better prepared for new regulations.Footnote ¹⁵⁵ SMEs would be able to offset regulatory compliance costs only by sharing systems,Footnote ¹⁵⁶ which is ideal in a regulatory sandbox environment. The use of strict liability will only encourage monopolies in the AI industry, which in turn represent a risk to consumers, who will ultimately bear the cost of the strict liability regime as that cost is passed on to them.Footnote ¹⁵⁷ One could argue that insurance could mitigate the cost of strict liability AI regulation for small businesses.Footnote ¹⁵⁸ However, insurance likely would not cover all risks, especially those that are uncontrolled and unforeseeable. Most importantly, insurance will not address the stifling of innovation since insurance will not necessarily encourage experimentation, as it can only help with risk tolerance.

To be fair, a sandbox regulatory regime also has costs for regulators, namely the administrative ones of running the sandbox. However, companies participating in the sandbox could offset such costs, which are not as significant and lasting when compared to the costs of stifling innovation and competition. Rather, sandboxing could be a means for addressing the cost imbalance created by a strict liability regime by encouraging innovation despite the strict liability regime.

To sum up, as previously stated, the strict liability approach might restrict innovation in the area of AI in the EU, which strengthens the call herein for supplementing AI development within a regulated sandbox to promote innovation. Indeed, there are various arguments against the use of strict liability rules for the regulation of AI, especially as strict liability is possible in case of individual causation. By assigning only a strict liability rule, the AI developer or operator will need to assess whether the risks exceed the expected benefits.Footnote ¹⁵⁹ If so, such actors may not invest in the innovation. These actors cannot foresee the behaviour of AI algorithms where several variables play an important role, including databases, big data gathering and the end users themselves.Footnote ¹⁶⁰ Indeed, this is further worsened by the fact that many parties are involved that are “AI developers; algorithm trainers; data collectors, controllers, and processors; manufacturers of the devices incorporating the AI software; owners of the software (which are not necessarily the developers); and the final users of the devices (and perhaps many more related hands in the pot)”.Footnote ¹⁶¹ It is in this context there are new calls for new liability approaches such as giving AI systems legal personhood.Footnote ¹⁶² The concept of strict liability for assigning fault for harms will become even more obsolete as AIs become more independent.Footnote ¹⁶³