Contributed By Sołtysiński Kawecki & Szlęzak
There are no general provisions of Polish law that would specifically apply to AI.
AI is currently qualified as software, and the laws applicable to software should be used to regulate AI, eg:
AI and machine learning ("ML") have been applied in various sectors in Poland, but AI deployments are rather slow and focus on automation and efficiency.
In our experience, the key industry applications are now based on generative AI (“GAI”) and include:
There are multiple cross-industry initiatives concerning new technologies in Poland.
The Polish government's initiatives to facilitate and support the adoption and advancement of AI for industry use are limited and include:
There are no AI-specific regulations in Poland; hence, the EU-wide AI legislation will apply. Poland will opt to regulate AI at the EU level. Some local acts would have to be adopted in Poland to implement a regulation laying down harmonised rules on Artificial Intelligence ("AI Act") and amending certain Union legislative acts 2021/0106 – see section 3.7 Proposed AI-Specific Legislation and Regulations.
No AI-specific legislation has been enacted in Poland.
AI Policy
AI Policy focuses on creating transparent and accountable algorithms for use in public administration, enhancing data access, and applying AI to healthcare and environmental protection. There is an ongoing discussion regarding the amendment of this Policy.
Position of the Polish Financial Supervision Authority (“FSA”) on the provision of robo-advisory services (2020)
The guidelines emphasise the user's control over AI use and responsibility for clear client communication. Humans should make the final decision.
Recommendations on AI in the financial sector (2022)
The Ministry's Working Group on AI - Subgroup for the Financial Sector - identified several barriers to using AI and provided its recommendations in the identified fields.
Recommendations for the use of AI in justice and law enforcement (2024)
The document suggests adopting AI to modernise and speed up the judicial system – including digitalising records, automating transcriptions, drafting orders, using chatbots, searching for case precedents, drafting decisions, and implementing electronic delivery and translation systems.
Guidelines on the responsible use of generative AI in research (2024)
In March 2024, the European Commission – together with the European Research Area countries and stakeholders – published guidelines focusing on research quality, honest GAI use, respect for participants, and accountability in research.
Communication on information processing by supervised entities using public or hybrid cloud computing services
The Polish Financial Authority published the recommendations in January 2020. They do not focus on AI technology itself but are of great importance for AI implementations, as most AI is available through the public cloud.
In April 2024, the Ministry of Digital Affairs started consultations on implementing the AI Act.
Poland currently has no AI-specific laws, hence no related inconsistencies.
There is a pending project regarding implementation of the text and data mining exceptions provided by the Digital Single Market Directive, but it has not yet been adopted.
Only applicable to US law.
No special local Polish laws have been introduced or amended to foster AI development. On the contrary, Poland is already behind with the implementation of the Directive on copyright and related rights in the Digital Single Market, which envisages data and text mining exemptions relevant to AI training.
While the EU's primary aim is to regulate AI through the EU AI Act, AI must also comply with all other EU regulations, ie:
The EU's most significant pending AI legislation is the AI Act.
Polish companies usually use the existing AI models already implemented in their solutions. At present, due to the costs, they usually do not fine-tune the existing models or create their own models. However, as the availability of various models (from simple ones, which may be stored on mobile devices, to the very complex ones) will increase, it is expected that they will also start to build their own models.
The AI Act provides many new obligations regarding the use of AI systems in the EU. It will apply not only to entities based in EU countries but also to all entities outside the EU that would like to introduce AI systems in the EU. It will also apply to entities based outside the EU when the results of the AI systems are intended to be used within the EU.
Prohibited and high-risk AI systems
The development and use of certain AI systems will be prohibited in the EU. The AI Act also introduces high-risk systems, which will be allowed as long as providers adopt additional safeguards, particularly creating risk management and data governance systems. High-risk AI systems include remote biometric identification systems, systems used for evaluation or admission in education or employment, credit score systems, etc.
Timeline and steps to be taken
Provisions regarding prohibited AI systems will apply after six months of the AI Act's coming into effect, which means they will apply by the beginning of 2025. The obligations regarding high-risk AI systems will apply after 24 months of the AI Act becoming effective (or 36 months for systems already required to undergo conformity assessment under EU law).
First preparations should include the following:
New regulators
The AI Act provides for the establishment of an AI Office and the addition of new AI powers at the member states' level. Businesses would need to adapt to the new area of regulation and the new powers of the authorities.
There have been no decisions related to AI in Poland.
Not applicable in Poland.
EU
Poland
Additionally, several governmental bodies and institutions play roles in regulating aspects related to AI. Key entities are:
A legal definition of AI in national legislation and international conventions has yet to be developed.
An AI system, according to the OECD, is a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations or decisions that can influence physical or virtual environments, having different levels of autonomy and adaptiveness after deployment. The EU finally decided to follow the concept of the OECD definition in the AI Act (see 3.7 Proposed AI-Specific Legislation and Regulations).
Harmonising the definition of AI across member states and legal documents applicable in a given country is crucial for consistency, legal clarity, and responsible AI adoption. Businesses should actively engage with policymakers to shape coherent and adaptive frameworks.
Each agency focuses on its own area of activity. Please refer to section 5.2 Technology Definitions.
So far, the enforcement and other regulatory actions have limited scope. For instance, UODO is investigating a complaint about ChatGPT (see 8.3 Data Protection and Generative AI).
Poland
The Polish Committee for Standardisation (PKN) creates and approves Polish Standards (PN) and plans to establish a separate Technical Committee on AI. It will be the lead Polish committee for international cooperation in international standardisation committees: ISO/IEC JTC 1/SC 42 AI and CEN/CLC/JTC 21 AI.
See also information about the AI Policy – section 2.2 Involvement of Governments in AI Innovation.
International
The standards are usually intended for voluntary use by businesses, but in some sectors, compliance with such standards is deemed essential for the credibility and reliability of products.
In Poland, the decisive standards are those set by ISO, and any discrepancies with Polish Standards (PN) are likely to be inconsequential (similar to the situation with cloud computing, which is based on ISO and SOC I and II standards). Polish companies will need to adhere to international standards if they wish to offer their services beyond Polish borders.
The Polish government is engaging with AI across various domains, and the known examples include:
AI is not widely used in the criminal justice system, but its use is thought to be very widespread. Currently, the most common example of using AI in this area is a general legal information system at the disposal of judges and prosecutors. This system includes a search system (for rulings, literature, etc) based on AI algorithms.
In October 2023, the Ethics and Legal Subgroup of the Working Group on Artificial Intelligence (GRAI) under the Ministry of Digitisation issued a report on “Recommendations for the application of artificial intelligence in the judiciary and prosecution”. The considered use of AI systems in the criminal justice system is focused on supporting, rather than replacing, judges, prosecutors and other legal professionals.
Not applicable in Poland.
The AI Policy (see 2.2 Involvement of Governments in AI Innovation) emphasises the importance of AI in national security and encourages cooperation between the private and military sectors to address defence needs.
According to the National Security Strategy of the Republic of Poland (2020), AI creates new development opportunities for Poland while generating previously unknown risks.
GAI raises many issues; the key ones at the moment include:
As for IP, see 8.2 IP and Generative AI. For personal data, see 8.3 Data Protection and Generative AI.
Copyright protection
AI-generated results
Copyright protection of AI-generated output is limited since only humans can be considered authors under Polish law (as in most countries). The AI output cannot be considered as copyrightable work.
It may be claimed that AI is only a tool and AI-generated output can be copyrightable work as long as human oversight in its creation was significant and that all creative choices and decisions were made by a human, as with photography. This can apply only to specific examples and should be assessed case by case.
With regard to derivative (neighbouring) rights, such as rights to recordings of video or sound (as protection may be granted, eg, to birds' sounds), the rights may be allocated to individuals or companies.
The position with respect to the output ownership depends on the market. For example, MidJourney T&Cs provide that users of the commercial (paid) version of the platform are the sole owners of the content, while free version users only receive the licence for the personal use of such content. Users are responsible for the input and are obliged to indemnify MidJourney if there is any third-party rights violation due to such non-compliant input. Microsoft Product Terms state that Microsoft does not own the output of Generative AI Services.
The output may infringe on copyrights, other IP rights, or third parties. Therefore, some providers are following Microsoft's customer copyright commitment to offer indemnification should a third party raise a claim that AI output infringes their IP rights. Such indemnification is usually subject to certain conditions (eg, using filters or content monitoring tools).
Moreover, the providers usually specify in their T&C if they use the output for training the model.
AI input
The input provided to AI systems can be protected as a standard work under copyright law, as long as it meets all the copyright law requirements (eg, originality and creativity). T&Cs usually specify whether the input will be used to train the model.
AI system itself
An AI system itself can be protected under copyright law as software. In Poland, as in the whole EU, software is protected similarly to literary works, with some necessary modifications due to the nature of computer programs.
Training data
Training data can be protected by copyright or by database protection laws. However, there are discussions about whether the use of training data will be an infringement of copyright or may be based on text and data mining exemptions (once implemented in Poland). There are arguments raised that training the AI models is similar to learning from a book and consists of learning ideas or concepts that are not protected by copyright. However, no court cases have been raised in Poland against the model developers.
Trade secrets, know-how
Input, training data, software, and output can be considered trade secrets as long as the definition of the trade secret is met (eg, they have economic value, are kept confidential, and security measures are introduced to maintain their confidentiality). This may be relevant in cases where AI output cannot be protected (eg, software output).
The main data protection issues connected to GAI are:
If possible, the rights of data subjects should be respected, and in particular, a request to delete data should not entail the deletion of the whole model. However, the model should be reviewed in order not to create future output with false data or data of a person who requested to have their data deleted.
Guidance in this scope is expected following a complaint filed in Poland in September 2023 claiming a lack of data subject rights fulfilment and transparency in ChatGPT.
There are currently no guidelines or recommendations from the Bar Associations or the Ministry of Justice on the use of AI by legal professionals; however, the Bar Associations are currently preparing a proposal. There is no case law either.
As for AI solutions, most law firms use standard AI tools, particularly for translation purposes or for achieving efficiency and improving the quality of work (eg, summarisation of meetings, drafting clauses, etc). The most common seems to be Copilot (including M365 Copilot). AI tools are also used in e-discovery to identify relevant documents. Other solutions (eg, supporting drafting litigation documents) are often not adjusted to Polish law and, therefore, are of limited use.
The legal practitioners should ensure that:
Currently, the use of AI is subject to standard liability rules set forth in national laws:
Fault-based liability
The aggrieved person needs to prove the fault of the liable person, the damage and the causation between the fault and the damage to successfully bring a liability claim. In the context of AI, reliance on this principle is difficult, as often it may not be easy to find the person responsible or the cause (taking into account the lack of access to the model's "construction"). Compliance with the AI manufacturer's instructions may shield users from fault, while altering the AI code or using it for unintended purposes could attribute fault to the user.
Strict (risk-based) liability
In specific cases, Polish law attributes liability to certain persons without the need for the aggrieved person to prove fault. An individual who operates an enterprise powered by natural forces (such as steam, gas, electricity, or liquid fuels) is liable for injuries or property damage resulting from the operation without the necessity to prove fault. However, this provision does not apply in the case of AI, as providers of AI systems or models will not qualify as operators of enterprises powered by natural forces.
The risk liability also applies to the vehicle's possessor, though it is still necessary to prove the cause. Thus, its application will still be difficult if the damage caused by the AI system is applied to the vehicle.
Liability for defective products
The current rules, based on the implementation of Council Directive 85/374/EEC, do not allow AI systems themselves to be considered "products" within the scope of the provisions on defective products, as products are exclusively movable items. AI systems cannot be classified as a movable product. However, please see section 10.2 Regulatory.
Contractual liability
If the aggrieved party is using AI based on a contract, it may potentially claim damages for breach of contract; it has to prove the breach, the damage and causation. There is a presumption that the alleged perpetrator is liable for the damage. However, the alleged perpetrator may prove otherwise. The risks outlined above in claiming damage caused by AI also apply to contractual liability. However, the provider of AI solutions often offers additional measures, such as indemnity for third-party claims related to the infringement of IP rights by output generated by the provided AI (see 8.2 IP and Generative AI). On the other hand, in most business transactions, the parties limit the provider's liability (eg, up to 12 months' remuneration). The limitation or exclusion of liability will not be effective in contracts with consumers or, in the case of B2B contracts, if the damage is caused wilfully.
Liability for infringement of personal interests
This is a fault-based liability. It is attributable to the person who uses the AI systems or the creations of AI systems without proper verification or with a false intent, eg, using deepfake technology. Besides the typical financial claims, the plaintiff may request the infringer to publish a given statement in the media.
Insurance position
At the moment, there is no obligatory insurance similar to that necessary for the use of vehicles. Due to the confidentiality of model training, it is rather unlikely that insurance coverage will be an affordable standard solution in the foreseeable future.
Currently, two legislative initiatives in the EU are relevant from the perspective of liability for using AI.
Directive on the liability for defective products
The European Parliament adopted a directive on March 12, 2024. While similar to the existing Directive on defective products from 1985, it introduces changes that could significantly impact the liability of AI systems.
It will cover not only physical goods but also software (especially damages for destroyed or corrupted data). The burden of proof will be simplified, and the aggrieved party will be able to claim material and mental damages (confirmed medically).
The Directive of the European Parliament and the Council on adapting non-contractual civil liability rules to AI
The Directive, introduced in September 2022, is currently halted but may be reintroduced after the 2024 European Parliament elections.
Bias characterisations and risks
Algorithmic bias happens when the system discriminates against a specific group or individual, resulting from various factors, eg, biased training data, discrimination in data collection, a biased training team or defective parameters in the models, or inappropriate deployment. Bias has not been explicitly defined in the Polish legal system. AI bias can affect the personal interests and freedoms of individuals, for example, by discriminating against them in a recruitment process or credit scoring, which may lead to claims for compensation and erosion of consumer trust.
Regulations, industry efforts
The GDPR introduces a human oversight requirement for processes that qualify as automated decision-making unless required by law. Human oversight can take different forms: (i) Human-in-the-Loop (HITL), which involves human intervention in every decision cycle of the system; (ii) Human-on-the-Loop (HOTL) allows human intervention during system design and monitoring; (iii) Human-in-Command (HIC) enables overseeing the overall AI activity and deciding when and how to use it in specific situations. See also section 13. AI in Employment.
Under Art. 10 of the AI Act, in the development of high-risk AI systems that use data for training, validation and testing, it is crucial to adhere to quality criteria, such as data governance, examination for biases that are likely to affect the health and safety of persons and ensuring data relevance, representativeness, accuracy and completeness. The statistical properties of these datasets should align with the system’s intended purpose and the specific groups affected by its use. Even when an AI system isn’t deemed high-risk, it remains crucial for organisations to carry out their own risk evaluations to mitigate any potential adverse outcomes, including bias.
Transparency requirements arising from Art. 13 of the AI Act also aim to ensure clarity and minimise bias in AI.
Art. 14 of the AI Act requires that high-risk AI systems that continue to learn after being placed on the market or put into service shall be developed in such a way as to eliminate or reduce as far as possible the risk of possibly biased outputs influencing input for future operations (feedback loops), and to ensure that any such feedback loops are duly addressed with appropriate mitigation measures.
Risks
GDPR compliance risks and potential solutions are described in section 8. Generative AI above.
In cases where a human does not supervise AI, these risks are greater, especially regarding AI's potential lack of quality training data, lack of context/human understanding, potentially no ethical considerations, or risk of bias. Also, it may be difficult to interpret and explain such decisions.
In terms of ensuring security for AI systems, there is a risk that such systems may be difficult to secure due to their complexity. Also, new threats appear concerning such technology, such as the possibility of creating inaccuracies in personal data (hallucinations) or the difficulties in respecting data subject rights requests (eg, data deletion requests).
Benefits
AI can provide benefits to protecting data, such as enhanced personalisation (ie, in marketing or healthcare) and efficiency (ie, faster decision-making based on data).
AI may also ensure greater security through its efficiency (the possibility to handle large volumes of data), adaptive learning (learning from new threats) and advanced threat detection (quick and accurate threat detection).
Legal issues, liability
The AI Act will provide restrictions on using real-time and retrospective facial recognition:
Currently, the use of such systems is subject to GDPR and local laws implementing the Data Protection Law Enforcement Directive (LED).
Risks
Automated Decision-Making (ADM) employs algorithms and AI systems to automate tasks traditionally requiring human insight, learning from data to predict outcomes.
Risks
In terms of risks, ADM systems can inherit biases (section 11.1 Algorithmic Bias). ADM models often lack transparency, leading to mistrust.
Applicable rules – Art. 22 GDPR
DSA
AI Act
Currently, there are no specific rules.
It is currently unclear whether use of AI technology in price-setting may have a similar effect as use of pricing algorithms.
Risks
The procurement of AI technology in Poland can be implemented by two groups of entities: private entities or public entities.
Private entities
In cases of private entities, the principle of freedom of contract applies. The current key issues which would have to be addressed in contracts for procurement of AI solutions include the following: whether the input or output data are used to train the models, ownership of output, liability and warranties, IP-related issues (in particular, dealing with third party claims to the model or output), use of personal data (processor, controller, joint controller), data flows, location of input, output and model, abuse monitoring and content filtering, possibility of suspension of services in cases of abusing services or other violations.
Public entities
Public entities may be obliged to conclude the contract for AI technology under public procurement rules, and they often provide a template contract in the contracting documents. As they are not experts in AI, the proposed contracts may not address relevant risks and may not be consistent with market standards. Therefore, it is recommended that public entities carry out two-step procedures or negotiations to first precisely identify their goals and the way in which they may be achieved.
Employers utilise tech and software for recruitment and termination processes to save costs and time. The use of AI in employment is unregulated in Poland, so employers must adhere to general anti-discrimination and privacy laws:
Employers use various digital tools to evaluate employees' performance, track working time, and review employees' work or use of resources. If the technology is used to monitor employees' email and/or activity, such monitoring should be introduced in a formal way via relevant internal policies and procedures, announced to employees, and applied within their frameworks. It cannot infringe on the integrity of correspondence or on an employee's personal interests.
The breach of the rules may result in employees’ claims for breach of their rights by illegal monitoring and compensation. It may also constitute a breach of privacy laws.
Using AI on digital platforms should be assessed in light of the Digital Services Act (“DSA”). Above all, the following conclusions should be kept in mind:
There are no specific rules regarding employment in Digital Platform Companies (see also section 13. AI in Employment).
Financial services institutions ("FSI") are very focused on innovation, including AI. For example, a Polish bank implemented a chat service for customers, which informs customers about the bank's services and analyses customers' transactional data. FSI are also interested in services that automate internal activities, eg, anti-money laundering and anti-fraud purposes.
There are no legal provisions specifically regarding AI in FSI. However, financial services are highly regulated and introducing new technologies is usually subject to complex obligations:
New technologies may be highly beneficial for the healthcare sector. ML algorithms may analyse big datasets and bring accuracy and speed to the activities of healthcare providers and health research. ML and AI can assist in diagnosis and disease management, interpreting medical images, drug discovery and operations. Also, new technology may enable new ways of collecting data and providing health assistance, eg, telemedicine/chats or wearable technology.
Regulations and main issues
There are no regulations related specifically to using AI in healthcare and connected ML. The general regulations will apply, ie:
Risks
Polish law generally prohibits the use of autonomous vehicles (AVs); however, automation features under the supervision of a human driver can be used. There is an exemption for approved research testing on public roads, but not every type (level) of an AV can currently be tested on Polish roads – only vehicles at level 3 of automation can be tested in Poland. There are no AI-specific regulations. The Ministry of Infrastructure intends to facilitate testing autonomous vehicles on all levels of automation and their equipment on public roads (starting in 2025).
Liability
The standard vehicle liability rules also apply to AVs (see section 10. Liability for AI). Motor vehicle users are required to hold mandatory insurance for civil liability.
Significant issues
In the AI Policy, it is acknowledged that AI-based systems used in autonomous transport can significantly lower the number of accidents – and, as a result – the number of fatalities. However, using AVs is linked to certain issues and risks, ie:
There are no specific regulations related to using AI in manufacturing - the rules related to liability are described in section 10. Liability for AI and the employment issues are described in section 13. AI in Employment. Data privacy rules (sections 8.3 Data Protection and Generative AI and 11.2 Data Protection and Privacy) apply. The rules regarding product safety are based on the Machinery Regulation, which generally aims to cover new technologies. AI may be beneficial to reduce the size of the workforce. However, as AI will automate certain activities, it may lead to layoffs, increased unemployment and loss of competencies. Manufacturers may be one of the key sources of data for training AI based on the Data Act.
There are no specific regulations related to using AI in professional services; thus, the rules related to liability described in section 10. Liability for AI will apply. Providing some professional services is covered by sector-specific regulations and ethical rules (eg, legal services) and using AI should enable compliance with them. Most importantly:
There are no decisions in Poland relating to whether AI technology can be an inventor or co-inventor for patent purposes or an author or co-author for copyright purposes.
The prevailing view is similar to one presented already in the USA or other countries in the EU, ie, that AI-created works or inventions cannot be copyrighted or protected by industrial property law.
Patent law
With regard to patent protection, only a human can be an inventor. This was confirmed in the DABUS case in which both the European Patent Office and later the Board of Appeal refused patent protection for an AI system.
Copyright law
In Poland, copyright protection arises by operation of law. There is no need to file an application, and there is no Copyright Office. Disputes relating to copyright infringements are decided by special IP departments of common courts.
See also section 8.2 IP and Generative AI.
Recently, in the EU, the first case regarding copyright ownership of AI creations was decided when a Prague court ruled that DALL-E creations aren't copyrightable as they're not human-made.
Contractual provisions
Non-disclosure arrangements are the common legal instruments to protect AI technologies and generated content. However, such protection is limited to the parties and isn't generally enforceable like IP protection, which applies to all potential violators. See section 8.2 IP and Generative AI.
Trade secret
AI technology, training data, input, or output may be protected as trade secrets, as they do not necessitate human authorship. As confidentiality is one condition of such protection, appropriate instruments must be in place (eg, non-disclosure contracts; see above and section 8.2 IP and Generative AI).
The prevailing view is that the creator of copyright-protected works can be human only; however, video or sound output may be protected as derivative rights. See sections 8.2 IP and Generative AI and 15.1 Intellectual Property.
Using OpenAI while creating works and products is generally associated with the same risks as using other GAI systems.
When advising corporate boards of directors in identifying and mitigating the risks in the adoption of AI, the following key issues should be discussed:
Based on market practice, the following best practices are usually adopted in organisations implementing AI solutions:
Jasna 26 Street
00-054 Warsaw
Poland
+48 22 608 70 00
+48 22 608 70 01
office@skslegal.pl www.skslegal.pl