For many businesses, artificial intelligence (AI) is no longer an optional feature but a core feature of products. AI behaves in probabilistic and often opaque ways, creating uncertainty and increasing the likelihood of unintended legal exposure. This exposes businesses to a wider and more complex set of legal risks than those typically associated with conventional products.

A careful and practical understanding of these risks is essential for any business offering AI-enabled products.

Misleading or deceptive conduct

One of the most immediate risks arises from the law on misleading or deceptive conduct.

Under the Competition and Consumer Act 2010 (Cth), businesses must not engage in conduct that is misleading or deceptive or likely to mislead or deceive.¹ Statements made in websites, pitch materials, and demonstrations can all be relevant. Disclaimers in terms of service will usually not correct prominent or repeated claims made elsewhere.²

This prohibition does not depend on intent, what matters is the overall impression created by the conduct.³ Courts assess these matters from the perspective of a reasonable member of the target audience, not from the perspective of a technically sophisticated user.⁴

Marketing products that utilise AI poses a unique risk because their capabilities are difficult to describe in simple terms. Marketing language often relies on broad expressions such as ‘AI powered’, ‘autonomous’, or ‘intelligent’. These terms can easily create unrealistic expectations that the underlying system does not meet.

In particular, risk arises where businesses overstate the capabilities of their systems. This can include:

• describing rules-based systems as AI (known as ‘AI-washing’);
• portraying processes as fully automated when they rely on human oversight; or
• presenting probabilistic outputs as reliable or objective.

Claims about compliance also carry risk. Statements that a product complies with Australian law or eliminates bias are treated as representations of fact.⁵ If there is no reasonable basis for such claims when they are made, liability may arise.

If misleading conduct is established, the consequences can include regulatory enforcement, financial penalties, damages claims, and the loss of contractual protections such as limitation of liability clauses.

Technology stack and licensing risks

A second major category of risk relates to the technology stack that underpins most AI systems.

Few vendors build models entirely from scratch. Instead, they rely on a combination of open source software, pre-trained models, commercial foundation models, and proprietary components. Each layer may be subject to licensing terms that impose obligations on use and distribution.

Open source licensing in the AI context can be more complex than in traditional software development. Questions arise as to whether trained models or weights are derivative works, whether making models available through an interface triggers certain licence conditions, and whether attribution requirements are being met. If a licence is breached, the licence rights may terminate, which can expose the vendor to copyright infringement claims.

Commercial model licences introduce additional constraints. Providers often impose restrictions on how their models can be used. These may limit certain industries, restrict use for sensitive decision making, or prohibit activities such as retraining or reverse engineering. If a vendor incorporates such a model into a product and markets it as broadly usable, it may be breaching its upstream obligations even if customers are unaware of those limits.

There is also growing concern about how model outputs are reused. Using outputs from one model to train another may raise contractual or confidentiality issues, depending on the source and the terms that apply. These issues highlight the importance of understanding and documenting the full AI supply chain. Vendors need to know what components they rely on, what rights they have, and what restrictions flow downstream.

Privacy and personal information

Privacy law is another area of significant and evolving risk.

The Privacy Act 1988 (Cth) applies where regulated entities (known as ‘APP entities’) collect, hold, use, or disclose personal information. The concept of personal information is broad and includes any information about an identifiable individual.⁶ AI systems can interact with such information at multiple stages, including data collection, model training, testing, and deployment.

A recurring issue is the reuse of data for new purposes. Information collected for one function may later be used to train or improve an AI model. Unless this secondary use is reasonably expected or supported by consent, it may breach privacy obligations. Deidentification is often used to address this risk, but it is not a complete solution. If individuals can be reidentified, whether through combining datasets or through model behaviour, the information may still be treated as personal information.

Security obligations also take on new dimensions in the AI context. Risks such as unintended data leakage or model memorisation can undermine claims that reasonable steps have been taken to protect personal information.

In addition, many AI systems rely on offshore infrastructure or service providers. This raises issues under rules governing cross border disclosures, which require organisations to take steps to ensure that overseas recipients provide comparable protections.

With penalties for privacy breaches increasing, these issues represent not just compliance concerns but material business risks.

Copyright and training data

Copyright law presents further challenges, particularly in relation to training data.

Under Australian law, copyright protects original works, and reproducing those works without permission will generally infringe unless an exception applies. Training AI models often involves copying large amounts of material, including potentially copyrighted content.

Australia does not currently have a broad exception that allows text and data mining for commercial purposes. Unlike copyright law in the United States, existing exceptions in Australian law are limited and purpose specific, and it is unclear whether commercial AI training falls within them. This creates uncertainty around the legality of common training practices.

There are several distinct points at which infringement risk can arise. These include the compilation of training datasets, the use of material during training, and the generation of outputs that reproduce protected content. These concerns are increasingly reflected in customer procurement processes, which often require detailed information about the origin and licensing of training data.

This risk is often addressed through broad intellectual property indemnities. However, these may not be appropriate when the position regarding use of copyrighted materials for training purposes is still uncertain.

Ownership and authorship of outputs

Finally, AI systems raise questions about ownership and authorship of outputs.

Australian copyright law requires human authorship. Where content is generated with little or no human input, it may not attract copyright protection. This means that copying AI generated outputs cannot amount to copyright infringement.

This issue has practical implications for commercial arrangements. Customers often expect to receive exclusive rights in outputs generated by AI systems. If those rights do not exist as a matter of law, disputes may arise.

Next steps

AI products sit at the intersection of several established areas of law, each of which presents its own challenges when applied to machine learning systems. The risks are not confined to a single domain but arise from the interaction between consumer protection, intellectual property, privacy, and contractual obligations.

Managing these risks effectively requires legal considerations as part of product design rather than as a separate compliance exercise. Clear and accurate marketing, a thorough understanding of supply chain dependencies, careful handling of data, and well drafted contractual terms are all essential. As regulators and customers continue to focus on AI, these issues will become more prominent. Early and informed legal engagement is therefore not just a defensive step but a source of commercial advantage.

HWLE Lawyers’ intellectual property and information technology team has extensive experience in advising businesses regarding software products utilising artificial intelligence. If you are concerned about the risks of marketing artificial intelligence-enhanced software, please contact us for further information on how we can assist you.

This article was written by Luke Dale, Partner, Maximilian Soulsby, Associate, and Jasper Dowdell, Law Graduate.

¹ Competition and Consumer Act 2010 (Cth) s 18.
² See, eg, ACCC v TPG (n 2) 656 [53].
³ Australian Competition and Consumer Commission v TPG Internet Pty Ltd (2013) 250 CLR 640, 657 [56] (‘ACCC v TPG‘).
⁴ Campomar Sociedad Ltd v Nike International Ltd (2000) 202 CLR 45, 85 [102].
⁵ See, eg, Australian Competition and Consumer Commission v Apple Pty Ltd [2018] FCA 953.
⁶ Privacy Act 1988 (Cth) s 6(1) (definition of ‘personal information’).