What do the open source exemptions for GPAI models mean for you? The EU AI Act Guidelines provide some clarity

The EU AI Act’s GPAI rules came into force on 2 August. To help organisation’s comply, the Commission has published Guidelines on the scope of the obligations for general-purpose AI models. Although non-binding, the guidelines explain how the Commission interprets key terms in the AI Act and will guide enforcement. In particular the guidelines are designed to help organisations along the AI value chain answer the following questions: 

1. Is my model a GPAI model? 
2. Could I be a provider placing a GPAI model on the market (e.g. if I modify a third party GPAI model)?
3. Am I exempt from the GPAI obligations (i.e. can I benefit from the open source exemptions)?
4. What can I expect regarding the Commission’s enforcement of compliance with these obligations, in particular during the period immediately after 2 August?

In this blog, the second in our series, we look at the open source exemptions (question 3). Our blog on the first two questions is available here.  

Am I exempt from the GPAI obligations (i.e. can I benefit from the open source exemptions)?

The AI Act exempts GPAI providers from some, but not all, of the GPAI rules if: (i) they are providers of open source models; and (ii) the model does not fall within the ‘model with systemic risk’ category. But what is an open source model? 

Open source models

The Act discusses ‘AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available.’ (Art 53(2)).  The guidelines provide more information about the conditions the open source licence must meet to qualify for the open source exemptions, and highlight some of the explanatory wording already contained in recitals 102-4 of the Act. They clarify that if one of the rights (i.e. rights to access, use, modify, and redistribute) is missing, then the licence cannot be considered free and open source, and explain what the Commission thinks free access, use, modification and redistribution mean. For example: 

• The Commission understands access to mean that anyone interested can freely obtain the model without payment or other restrictions, although reasonable safety measures (like user verification) are acceptable, provided they do not unfairly discriminate against a person. 
   
• When discussing use and distribution, the Commission confirms that it does not expect the original model provider to use their IP rights to restrict use of the GPAI model. The licence can, however, contain restrictions ensuring attribution and distribution of the model or derivatives under the same or comparable terms. This means a term could be included which requires the model to be distributed under the same (or compatible) copyright terms. That said, and without prejudice to that right of the original provider, the guidance also confirms that a model/licence which permits modifications to be licensed on proprietary (closed-source) terms will still be recognised as open source for these purposes. 

The guidelines also provide examples of restrictions which would disqualify a licence from meeting the open source criteria. These include provisions such as restricting use to non-commercial or research only use, or adding scale thresholds which require additional licensing if the number of active users exceed a certain threshold. 

What GPAI rules apply? 

As mentioned, the Act exempts open source models from some, but not all of the GPAI rules:

Article	GPAI Rules	Does the rule apply to an open source model which is not a GPAI model with systemic risk?	Does the rule apply to an open source model which is a GPAI model with systemic risk?
Art 53(1)(a)	Draw and keep up-to-date technical documentation of the model (e.g. training and testing processes)
Art 53(1)(b)	Draw up, keep up-to-date and make available information to providers of AI Systems who want to integrate the GPAI model into their AI system
Art 53(1)(c)	Put in place a policy to comply with EU copyright law
Art 53(1)(d)	Draw up and make publicly available a summary about the content used for training, using the Commission template
Art 54	Obligations relating to the appointment of an authorised representative for providers of GPAI models established outside the EU

The thinking behind this is that models released under a free and open licence which are not models with systemic risk:

• can be exempt from the transparency obligations as they contribute to research and growth in the EU and also already tend to ensure a high level of transparency – e.g. if their parameters (including their weights) and information on their model architecture and usage is made publicly available; but 
• should still be subject to the copyright provisions as such models do not necessarily reveal substantial information about the data used to train or modify the model or how compliance with copyright law was ensured.

All of the rules still apply where it is a model with systemic risk as the fact it is open source is not sufficient to reduce the risks related to the most powerful models.  For more information on models with systemic risk, see our blog.   

Comment

An increasing number of GPAI models are being released on an open source basis. These guidelines help both the providers and users of such models to understand what obligations apply, and what can (and perhaps more importantly for users, cannot) be included in any model licence.