AI compliance - the new trap for business management
08/19/2025

General
Artificial intelligence has long since become an integral part of everyday business, especially in economic and legal contexts. The use of AI technologies is steadily increasing, whether in the analysis of financial data or the planning of operational processes. But what happens when employees use AI tools to complete their tasks, with or without the knowledge of the employer? And what responsibility does the management have in such cases?
Control systems of the managing directors of the shareholders
The managing directors of a limited liability company (GmbH) are obliged to perform their duties with the care of a prudent businessman. As explicitly stated in § 22 para 1 GmbHG (Austrian Limited Liability Companies Act), this also includes establishing an internal control system (“ICS”) to ensure proper corporate management.
The aim of an ICS is to:
(i) secure assets;
(ii) ensure accuracy;
(iii) guarantee reliability of accounting;
(iv) establish security, regularity and economic efficiency;
(v) comply with the prescribed commercial policy; and
(vi) ensure compliance with relevant laws and regulations.
The required standard of care in terms of compliance in the company
Managing directors are liable to the company under § 25 GmbHG for damages arising from culpable breaches of their duties pursuant to § 22 para 1 GmbHG. Liability extends not only to their own actions but also to organizational deficiencies, such as missing or insufficient guidelines, controls, and training. This plays a crucial role in the area of compliance, which falls under the responsibility of the legal representatives and generally cannot be delegated.
Liability of the managing director can only be excluded if he or she acts with the care of a prudent businessman.
In light of these duties, it is essential that an existing ICS is continuously adapted to new technological developments. The increasing use of artificial intelligence represents a new challenge that requires clear regulation by management.
AI as Part of a Modern ICS
The responsible and legally compliant use of AI must be an integral part of a modern ICS, especially considering the technical possibilities and the associated risks for data protection, confidentiality and corporate integrity.
Especially in larger companies, the risk that sensitive business information may inadvertently leak through AI systems increases with the number of employees. It is therefore all the more important to establish clear rules to ensure data protection, confidentiality, and legal certainty.
It is the responsibility of management to create the necessary pillars and clear rules for handling artificial intelligence. This includes well-drafted AI policies as well as targeted employee training to avoid data leaks.
Recent developments in the USA (The New York Times Company v. Microsoft Corporation, Case No. 1:23-cv-11195, U.S. District Court for the Southern District of New York), especially with regard to the storage of data, are forcing European companies to take action. Precise regulations for the use of artificial intelligence, whether via private tools or applications provided by the employer, are necessary here. Active training of employees is essential: even if the AI Directive speaks out against the use of privately acquired AI, it is important that employees know the consequences of such use.
AI is a powerful tool that can be used profitably if used carefully. Nevertheless, management bears responsibility for minimizing potential liability risks through tailored solutions that reflect the nature and scope of AI usage and the size of the company.
Artificial intelligence is not a legal vacuum. Any managing director who fails to set clear rules and underestimates the risks of uncontrolled AI use exposes themselves to the danger of liability.