A BigLaw Firm Just Asked What Proprietary Information Your AI Contract Analysis Tool Must Disclose If a Market Surveillance Authority Requests It Under Article 78: Here's How to Answer
Your head of enterprise sales forwarded the question from a London-based Magic Circle firm that is evaluating your AI contract analysis and due diligence tool for their M&A and corporate teams. The firm's General Counsel has added a question that does not appear in most vendor questionnaires:
"Under Article 78 of the EU AI Act, market surveillance authorities can request access to technical documentation and source code. If the competent authority in an EU member state requested documentation of your AI contract analysis system, what information would you be required to disclose? How do you protect our firm's confidential matter data and your own proprietary model information during such a process?"
This question reflects a sophisticated buyer: a law firm that has read the Act, understands that regulators can request access to AI systems, and wants to understand both their exposure and yours before signing a long-term contract. Here is what Article 78 requires, what it protects, and how to construct an accurate answer.
What Article 78 Requires
Article 78 of the EU AI Act addresses confidentiality of information. It establishes two things simultaneously: what regulators can access, and what protections apply to the information they receive.
On the access side: national competent authorities and the AI Office have the power under Articles 64, 65, and 74 to request documentation, access source code, and inspect AI systems during market surveillance and enforcement activities. Providers of high-risk AI systems cannot refuse these requests on grounds of commercial confidentiality.
On the confidentiality protection side: Article 78 requires that national competent authorities, the AI Office, and any other entity that receives information in the course of applying the Regulation must protect confidential information in accordance with applicable EU and national law. Specifically, they must:
- Treat commercially sensitive information, trade secrets, and intellectual property with the confidentiality protections established under EU law
- Not disclose information that would harm the competitive position of the provider or any other party
- Ensure that officials and other persons working under their authority are bound by confidentiality obligations
Article 78 also provides that providers, when responding to a request from a competent authority, may designate which information they consider confidential and explain why. This does not entitle them to withhold the information, but it does trigger the authority's obligation to handle that information with enhanced confidentiality protections.
Why This Question Matters for Law Firms Specifically
Law firms asking this question have a dual concern. They are worried about two separate categories of information that a market surveillance action could implicate:
Your proprietary model information. The law firm is asking: if a regulator requests access to your model architecture, training methodology, or feature engineering, will you be able to handle that without exposing your competitive differentiation? And will the regulator's process protect that information from being shared with competitors or disclosed in public regulatory proceedings?
Their clients' confidential matter data. The more acute concern is this: if a market surveillance authority requests to inspect how your AI contract analysis tool processes documents, could they gain access to the confidential legal documents their clients uploaded to your system? In law firm procurement, this concern often outweighs the model IP concern. An attorney-client privilege question lurking inside an AI regulatory inspection is a serious professional responsibility issue.
The firm's General Counsel is asking you to walk through both scenarios before they commit to deploying your tool on confidential M&A transactions.
What a Market Surveillance Inspection Actually Looks Like
Under Articles 64 and 65 of the EU AI Act, a market surveillance authority conducting an inspection of a high-risk AI system can:
- Request access to technical documentation, including Annex IV documentation, training data descriptions, and performance metrics
- Request access to source code in circumstances where it is necessary and proportionate to assess conformity
- Conduct tests on the AI system, including by requesting the provider to run the system under specific conditions
In practice, for a contract analysis AI tool, an inspection would most likely focus on: the system's risk management documentation, evidence of data governance and bias testing, records of the conformity assessment, and technical documentation on how the system handles legal documents. The inspection is unlikely to require access to specific client matter files unless there is a specific allegation that the system mishandled particular data.
Source code requests under Article 65 require a higher threshold — they are permitted only where other means of obtaining information have been exhausted. They are not a routine part of initial market surveillance inspections.
What Information Must Be Disclosed, and What Is Protected
You must disclose, if requested: technical documentation under Annex IV, your EU declaration of conformity, your risk management documentation, evidence of testing and validation, your post-market monitoring records, and your instructions for use and transparency documentation.
You may designate as confidential (and request enhanced protection for): proprietary model architecture details, training methodology and hyperparameter choices, competitive benchmarking data, source code (particularly algorithms not strictly necessary to assess conformity), and commercial contract terms with third-party data suppliers.
You cannot refuse to disclose on grounds of commercial sensitivity, but Article 78 requires the authority to treat properly designated confidential information as protected from public disclosure and from disclosure to your competitors.
Regarding client data: the EU AI Act's market surveillance framework is not designed to give regulators access to end-user data that the AI system processes. Technical inspections focus on the system itself — its architecture, training, performance, and conformity documentation — not on the specific documents uploaded by a law firm's clients. If an inspection request did implicate client matter data, that would raise separate questions under GDPR Article 86 and potentially under member state professional privilege law. Your data processing agreement and technical architecture should ensure that client matter data cannot be returned in response to a standard system inspection.
What Your Answer Must Cover
Describe your Article 78 process. Explain that you have a designated point of contact for regulatory enquiries, a process for reviewing and designating confidential information in any documentation package, and legal counsel engaged to manage the confidentiality designation process if a request arrives.
Explain the technical architecture that protects client data. Describe how your system processes and stores client documents. If client matter data is encrypted at rest and in transit, processed transiently without persistent storage, or segregated so that a system-level inspection cannot access individual client files, explain this. This directly addresses the law firm's privilege concern.
Describe what you would be required to disclose. Be direct: Annex IV technical documentation, your EU declaration of conformity, and your risk management file. State that you would designate your model architecture and source code as confidential under Article 78 and request that the authority apply enhanced confidentiality protections.
Reference your data processing agreement. Confirm that your DPA with the firm includes provisions addressing regulatory access requests, including a notification requirement so the firm is informed if a regulatory body requests access to documentation that may implicate their matter data.
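The architecture point in the second step above (transient processing, content-free records, and an inspection export that cannot return client matter data) is easier to evidence in a questionnaire if it exists as code rather than as a promise. The following is an added illustration, not Complizo's code or any vendor's real export tooling: a toy clause scanner whose audit trail keeps only a hash, a pseudonymised matter reference and counts, an Article 78 package builder that separates disclosed material from designated-confidential material and refuses to include client content, and a leak check run on the serialised package. The category labels, the model version string, the artefact names and the sample contract text are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Handling categories for material in a documentation package. The labels are
# assumed for this example and mirror the three groups discussed in the text.
DISCLOSE = "disclose"          # must be provided on request
CONFIDENTIAL = "confidential"  # provided, but designated under Article 78
CLIENT_DATA = "client_data"    # matter content; never part of a system export

@dataclass
class Artefact:
    name: str
    category: str
    body: str
    reason: str = ""  # justification attached to a confidentiality designation

# Per-deployment secret used to pseudonymise matter identifiers in audit
# records (generated here for the example; a real deployment would keep it in
# a secrets manager so exported records cannot be linked back to a matter).
_LOG_PEPPER = secrets.token_bytes(32)
MODEL_VERSION = "contract-clauses-v0-example"  # assumed identifier

def _pseudonymise(matter_id: str) -> str:
    return hmac.new(_LOG_PEPPER, matter_id.encode(), hashlib.sha256).hexdigest()[:16]

def analyse_contract(matter_id: str, content: bytes, audit_log: list) -> dict:
    """Toy clause scan. The document exists only inside this call; the audit
    record keeps a hash, a length and counts, never the text or raw matter id."""
    text = content.decode("utf-8", errors="replace").lower()
    findings = {
        "indemnity_clauses": text.count("indemnif"),
        "change_of_control": text.count("change of control"),
    }
    audit_log.append({
        "matter_ref": _pseudonymise(matter_id),
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "content_length": len(content),
        "model_version": MODEL_VERSION,
        "findings": findings,
    })
    return findings

def build_inspection_package(artefacts: list, audit_log: list, requested: set) -> dict:
    """Assemble what goes to the authority. Client matter content is excluded
    unconditionally; a request that names it is flagged for the DPA
    notification step instead of being fulfilled from this export."""
    package = {
        "disclosed": [],
        "confidential_designations": [],
        "audit_records": audit_log,
        "notify_customer": CLIENT_DATA in requested,
    }
    for a in artefacts:
        if a.category == CLIENT_DATA:
            continue
        entry = {"name": a.name, "body": a.body}
        if a.category == CONFIDENTIAL:
            if not a.reason:
                raise ValueError(f"{a.name}: a designation needs a stated reason")
            entry["article_78_designation"] = a.reason
            package["confidential_designations"].append(entry)
        else:
            package["disclosed"].append(entry)
    return package

def leaks_matter_content(package: dict, matter_samples: list) -> bool:
    """Export-time guard: serialise the package and look for any client text."""
    blob = json.dumps(package)
    return any(sample in blob for sample in matter_samples)

def run_example() -> tuple:
    # Constructed sample material: two system documents, one designation,
    # one client upload. None of it is real.
    client_doc = (b"Project Falcon SPA: the Seller shall indemnify the Buyer; "
                  b"change of control is addressed in clause 14.")
    artefacts = [
        Artefact("Annex IV technical documentation", DISCLOSE, "system description (constructed)"),
        Artefact("Risk management file", DISCLOSE, "hazard log (constructed)"),
        Artefact("Model architecture notes", CONFIDENTIAL, "layer layout (constructed)",
                 reason="trade secret; not needed to assess conformity"),
        Artefact("matter-0001 upload", CLIENT_DATA, client_doc.decode()),
    ]
    audit_log: list = []
    findings = analyse_contract("matter-0001", client_doc, audit_log)
    package = build_inspection_package(artefacts, audit_log, {DISCLOSE, CONFIDENTIAL, CLIENT_DATA})
    return findings, package

if __name__ == "__main__":
    findings, package = run_example()
    print(json.dumps(package, indent=2))
    print("leak:", leaks_matter_content(package, ["Project Falcon", "matter-0001"]))
```

The design choice worth stating in the questionnaire is the one the leak check enforces: the export is built from a fixed allow-list of system artefacts and from audit records that were content-free at write time, so "we cannot return client matter data" is a property of the data model, not of an operator's discretion at inspection time. The `notify_customer` flag is where the DPA notification obligation from the fourth step would be wired in.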
The Short Answer for the Questionnaire
A direct answer looks like this:
"If a market surveillance authority under Article 64 or 65 requested documentation of our AI contract analysis system, we would be required to provide: our technical documentation under Annex IV, EU declaration of conformity, risk management records, and performance validation reports. We would designate our model architecture details and source code as confidential under Article 78 and formally request that the authority apply enhanced confidentiality protections. Our system processes client documents transiently and does not retain matter-level content in a form accessible to a system-level inspection. Our data processing agreement with your firm includes a notification obligation triggered by any regulatory access request that could implicate your clients' data. We can provide a more detailed technical and legal analysis under NDA as part of the procurement process."
What to Review Before Your Next Legal Enterprise Deal
The Article 78 question will become routine for any AI tool sold into large law firms or regulated legal services businesses. Having a documented, technically grounded answer — covering both your model IP and your clients' data exposure — is a competitive differentiator. Firms that have been through a regulatory inspection in a related context understand what "the regulator can ask" actually looks like in practice. Your questionnaire answer should reflect that same operational clarity.
Try Complizo free at complizo.com