A Magic Circle Firm Just Asked What Data You'd Hand Over If a Market Surveillance Authority Audited Your AI Document Review Tool Under Article 64: How to Answer
Your enterprise legal account lead received the question during the final stage of a competitive evaluation. A Magic Circle law firm with significant EU regulatory matters practice is finalising vendor selection for their AI document review and contract analysis platform. Their risk committee has cleared all other questions and has one remaining concern before approval:
"Under Article 64 of the EU AI Act, market surveillance authorities have the right to access training data, test results, and other documentation from AI system providers. We need to understand what data about our matters and documents would be accessible to regulators if your system were audited, and how you protect our client confidentiality in that scenario."
This is one of the most commercially sensitive questions your enterprise sales team will face from law firm buyers. The concern is legitimate and the answer requires precision. Here is what Article 64 requires and how to address it.
What Article 64 Authorises
Article 64 grants national market surveillance authorities, and the EU AI Office where it acts as the market surveillance authority, specific access rights to high-risk AI systems and the data behind them when checking compliance with the EU AI Act. One caveat before you quote it back: this numbering is from the Commission's 2021 proposal. In the adopted Regulation (EU) 2024/1689 the same access powers sit in Article 74(12) and (13), the confidentiality obligations that govern them are in Article 78, and Article 64 now establishes the AI Office. Answer the question as the firm asked it, but cite the adopted numbering in your written response so the risk committee can verify it.
Access to data and documentation. Providers of high-risk AI systems must give market surveillance authorities access to the training, validation and testing datasets used to develop the system and to the documentation describing them, where appropriate through APIs or other means of remote access, so that compliance with the data governance requirements of Article 10 can be assessed. Where datasets are third-party or confidentiality-bound, the dataset documentation is still in scope; plan to meet the request with that documentation under the confidentiality safeguards rather than assume the restriction exempts you.
Access to source code. Authorities may be granted access to the source code only on a reasoned request, and only where access is necessary to assess conformity and checks based on the data and documentation already provided have been exhausted or proved insufficient. Access must be proportionate to the compliance question being assessed.
Confidentiality. Everything obtained under these powers is subject to the Regulation's confidentiality obligations, which cover intellectual property, confidential business information, trade secrets and source code. These obligations, together with your own request-handling protocol, are the protections you can point the firm to.
What This Means for Law Firm Client Data
The law firm's concern is whether their client documents and matter data, which flow through your AI document review system during use, could be accessed by a regulator under Article 64.
The answer requires distinguishing between training data and operational data, and then checking that the distinction actually holds in your own systems:
Training data is what you used to build and train your AI system before deployment. If your model was trained on publicly available legal datasets, licensed datasets, synthetic data or anonymised data, and you do not use customer documents to fine-tune, retrain or evaluate the model, then the firm's client data is not part of any dataset an authority can demand under Article 64. Check that second condition before you assert it: a default-on "use my data to improve the service" setting, or an evaluation set built from customer documents, puts client material squarely inside the training, validation or testing datasets.
Operational data, the actual documents the law firm sends through the system during their work, is a different category. It is customer data processed under your data processing agreement, and it remains subject to the GDPR regardless of the AI Act. Market surveillance authorities conducting an Article 64 audit are assessing your system's compliance with the EU AI Act, not investigating your customers' matters. They request the datasets, documentation and test results behind the system, not the output of the system applied to each customer's documents.
The realistic route by which client content could reach an authority is your own records. Article 12 requires high-risk systems to log events automatically for traceability, and logs the provider keeps are provider-held documentation. Design those logs to hold event metadata (timestamps, model version, document and user identifiers, performance metrics) rather than document content, keep any retained client content under the data processing agreement's retention and deletion terms, and state plainly in your answer what your Article 12 logs contain and for how long they are kept.
What You Need to State
How your system is classified. The dataset and source code access powers are framed around high-risk AI systems, so start with your classification under Article 6 and Annex III. If the system is not high-risk, say so and explain which general market surveillance powers still apply; if it is, the rest of your answer describes the access the firm asked about.
What your training data contains. If no client document data was used to train, fine-tune or evaluate your system, say so explicitly, and confirm that customer data is excluded from model improvement by default. Name the categories of data used: public legal datasets, licensed datasets, synthetic data.
What Article 64 access would include. Be precise: an audit would give authorities access to your training, validation and testing datasets and their documentation, your test results, your technical documentation under Annex IV and, on a reasoned request once documentation-based checks are exhausted, your source code. It would not give authorities access to client documents processed through the system, provided none of the above contains them.
What contractual and technical protections apply. Confirm that client documents are processed under a data processing agreement in which you are the processor and the firm is the controller, and describe the technical separation between the processing pipeline and the artefacts an authority can demand (training corpora, evaluation sets, logs). Authorities requesting access for provider compliance assessment are not requesting access to controller data, and the separation is what makes that statement true in practice.
Your confidentiality protocol for authority requests. State that if you receive a formal request from a market surveillance authority referencing your system, your legal team manages the response, verifies the request's legal basis and scope, invokes the Regulation's confidentiality obligations for anything handed over, and notifies affected clients as far as the law permits.
Law firm buyers who ask this question are protecting their professional secrecy obligations. The vendor who answers it with precision — distinguishing training data from operational data and Article 64 from general regulatory data requests — is the vendor that closes the deal.
Try Complizo free at complizo.com