Overview of Legal Issues Surrounding GenAI
The deployment of Generative Artificial Intelligence is a major technological revolution. It is set to profoundly change traditional financial services: transforming jobs and practices, particularly in terms of customer relationships, developing new products and services, and achieving operational efficiency gains. However, its deployment raises complex legal issues. These legal issues must be anticipated to ensure secure, ethical, and compliant integration with the existing regulatory landscape, as well as with new regulations dedicated to AI and GenAI.
Protection of Personal Data
Developing and using GenAI requires large amounts of data, which often includes personal data. Within the European Union, this data is protected by the General Data Protection Regulation (GDPR), and in other countries (Australia, Japan, Brazil, Canada, or India), by regulations inspired by the GDPR. Companies that develop or use Generative AI solutions must therefore ensure the protection of this data in accordance with applicable regulations. These regulations generally require:
- Total transparency about the data collected,
- Definition of the purposes of this data use,
- Implementation of security measures to protect this data.
Data Ownership
Some data that is necessary for the development of GenAI may be protected by intellectual property rights ( e.g. newspaper articles, photos, website content, or books). It is imperative to have the author’s permission before using this data. Otherwise, the developer of Generative AI and its users are exposed to sanctions, which can go as far as criminal penalties, particularly in France.
The generation of content by GenAI, and more particularly Generative AI, also raises questions of intellectual property. In most jurisdictions, the most relevant legal regime for protecting generated content is copyright law. However, content can only be protected by copyright if it is an original work, which requires a sufficient level of human intervention in the creation process. A work generated by AI is not necessarily original in itself, which limits its chances of benefiting from legal protection. The challenge here is to determine whether generated content can be copyrighted and, if so, who to designate as the author of this content.
A work generated by AI is not necessarily original in itself, which limits its chances of benefiting from legal protection.
Bias and Discrimination
The risk of bias and discrimination is at the heart of concerns to ensure the development of responsible and ethical AI. The "black box" effect of AI, whose decisions or predictions are difficult, if not sometimes impossible to explain, amplifies this risk. BNP Paribas Group must therefore ensure that the AI systems that it deploys do not discriminate against people, avoid biases, and that the AI-based results are explainable. Both the AI Act and the GDPR provide a framework for these aspects.
How LEGAL Contributes to the Controlled Development of AI and GenAI within BNP Paribas
Meeting with Martin Pailhes, Global Manager of the Digital & IP Platform within LEGAL, the Group's Legal Department. This Department, composed of law specialists accompanies the Group on a daily basis with the interpretation of laws, analysis of rules, management of legal risks, and legal advice, in accordance with the most demanding standards of excellence and integrity.
GenAI is beginning to be framed by new regulations, such as the EU AI Act in Europe. How does LEGAL ensure their proper interpretation and implementation within the Group?
Martin: This is a major challenge. The EU AI Act is obviously a reference text, even if the European Union was not the first to legislate on AI in general, with China having earlier equipped itself with a specific framework for AI. Within LEGAL, a team ensures permanent regulatory monitoring and works on the interpretation of new texts. Concerning the AI Act, this team identifies and analyses the new provisions in order to determine, with the operational teams, their impact on the Group, and to issue consistent and aligned interpretations. Then, we translate these analyses into concrete legal adive.
The objective of LEGAL is to accompany the Business Lines and Functions on a daily basis, particularly in the implementation of these major texts. For example, one of the measures of the EU AI Act, which entered into application on 2 February 2025, is prohibiting certain AI practices.
The LEGAL teams have thus identified and interpreted these provisions, then built, with the Business Lines and Functions, a certification mechanism allowing of them to certify the absence of prohibited AI practices.
How LEGAL Contributes to the Secure Integration of AI into the Group through the Review of AI Models
Martin: Regarding GenAI, the Group's data scientists use Language Models, known as Large Language Models (LLMs). These LLMs are open source or "proprietary", i.e., owned by the company that develops and distributes the LLM under a licence contract. This is the case with Mistral AI, with whom BNP Paribas has concluded a partnership. In these two cases, our main mission is to identify usage restrictions (e.g., prohibition to use a LLM to train another LLM) and to analyse the warranties offered in particular in intellectual property, in order to limit the legal issues for BNP Paribas.
LEGAL's Involvement in the Deployment of Use Cases
Martin: When a Business Line or Function decides to use AI, LEGAL collaborates with other key Functions of the Group, such as IT GROUP, RISK, Compliance, the Group Data Office (GDO), and the Data Protection Office (DPO) teams, to identify legal issues (personal data, intellectual property, compliance with the EU AI Act, etc.). We then propose adapted solutions to ensure a deployment that is compliant with laws and internal policies.
We continuously monitor new interpretations by authorities and the European Court of Justice (ECJ) that could affect the Group's positions and policies, particularly in terms of personal data and intellectual property. For example, the European legislator is currently working on the omnibus AI Act, a targeted revision of the AI Act regulation aimed at adjusting the entry into force deadlines, clarifying certain obligations (especially for high-risk AI systems), and harmonising the interpretation of the text, with final adoption still dependent on negotiations between the Parliament, the Council, and the European Commission.
Navigating the legal landscape of AI - and GenAI in particular - is a major challenge for BNP Paribas. Understanding and complying with existing regulations (French, EU, etc) are essential to optimising the benefits of AI, while also managing the legal risks. In doing do, BNP Paribas can strengthen the trust of its clients, partners, and employees and protect the Group. In this context, LEGAL plays a key role having organised structured itself to identify these risks at an early stage on to provide suitable and innovative legal responses.
