At our recent webinar, Commercial Contracts in 2026 | AI, Data Protection & Technology Risk, Richard Meehan, Partner in the Myerson Commercial Team and Head of the Technology Sector Group, explored five key themes shaping commercial contracts in 2026.
The session focused on the practical issues arising from the complex, rapidly changing nature of modern technology, as well as the effects of an increasingly unstable geopolitical environment, and considered how these issues are affecting commercial contracts in practice.
Below, we revisit some of the key themes discussed during the webinar.
Watch: Five Key Themes for Commercial Contracts in 2026
Drafting for the Use of AI
Artificial intelligence is increasingly difficult to ignore in the commercial contracting landscape.
AI as a concept feels unlike anything else businesses have previously had to contend with when thinking about commercial contracts, particularly given the ethical, political and regulatory questions it raises. At the same time, AI products are increasingly prevalent and now form the subject matter of many of the contracts businesses are negotiating on a daily basis.
One of the key questions for businesses is what provisions they should look out for when entering into a contract for the supply of an AI-enabled solution, and how they can mitigate the legal risks associated with the use of AI by service providers.
AI Governance, Customer Requirements and Due Diligence
Before considering the contract itself, there are a number of preparatory steps businesses can take to mitigate risks associated with introducing AI-based solutions.
AI governance is not solely the province of a business’s legal team and may require input from IT, information security, data protection and operational stakeholders.
Businesses should consider whether they have a formal AI policy in place and, if not, whether one should be implemented. It is important to understand what guardrails are in place in respect of acceptable use, risk classification and human oversight.
A clear understanding of an organisation’s AI policy allows stakeholders to share a common understanding of risks and issues. It may also provide confidence when pushing back on unreasonable contractual positions and assist businesses in evidencing compliance under regimes such as the EU AI Act or sector-specific rules where applicable.
When procuring an AI solution, organisations should also ensure that customer requirements are clearly defined from the outset.
Questions businesses should consider include:
- Whether AI will make automated decisions or merely support decision-making
- Whether outputs will be customer-facing or internal
- Whether the use case is considered high risk
- How personal data will be processed
Due diligence should extend beyond financial and information security checks and include consideration of:
- What AI models are being used
- Whether third-party models are embedded
- How data is used for training purposes
- What controls exist to prevent hallucinations, bias or unlawful outputs
Service Descriptions, Warranties and Exclusions
AI contracts frequently contain high-level descriptions of functionality, referring to concepts such as “generative AI assistance”, “intelligent insights” or “automated recommendations”.
While businesses may understand what they expect to receive from the product, vague contractual descriptions create risk.
Businesses should therefore ensure that intended functionality is clearly stated, that any significant limitations on use are identified and that the nature of AI outputs is properly specified.
AI vendors will also typically seek to soften warranties that customers might otherwise expect to receive in a traditional services contract.
For example, contracts may contain:
- No warranty that outputs are accurate, complete or fit for purpose
- No warranty of non-infringement of third-party intellectual property rights
- Express disclaimers that AI may generate incorrect or misleading information
Even where some negotiation is possible, businesses should ensure they fully understand the limits of any warranties they provide and consider whether additional operational safeguards are required.
Contracts should also be carefully reviewed for exclusions which may undermine the commercial value of the service, particularly where suppliers seek to exclude responsibility if the solution is used without human review or in regulated or safety-critical contexts.
Input, Output and Liability
AI contracts frequently place significant responsibility on the customer in respect of both inputs and outputs.
Typical provisions may make the customer solely responsible for the accuracy and quality of inputs, require the customer to validate outputs independently and acknowledge that outputs may not be unique.
From a legal and operational perspective, this means businesses must ensure that users do not place unjustified reliance on AI-generated outputs.
Internal governance policies should therefore be implemented to address appropriate reliance on outputs and to ensure that meaningful human review remains in place where outputs are material.
Intellectual Property and Data Protection
AI contracts also raise important intellectual property and data protection considerations.
Key questions include:
- Who owns AI-generated outputs
- Whether customers receive sufficiently broad licence rights
- Whether outputs could infringe third-party intellectual property rights
- How vendors may use customer data or prompts for model training
From a data protection perspective, organisations remain responsible for compliance with UK GDPR and related obligations even where AI tools are being used.
Businesses should therefore understand:
- Whether personal data is being processed
- Whether data will be retained or used for model improvement
- Whether international transfers are involved
- Whether appropriate contractual protections are in place
Liability and indemnification clauses also require careful scrutiny.
AI vendors frequently seek broad indemnities from customers for the use of inputs and outputs, including indemnities for intellectual property infringement and violations of applicable law. This can represent a significant shift from more traditional technology contracting positions.
Ongoing Governance and Monitoring
Signing the contract is not the end of the process.
Businesses should ensure that user acceptance testing validates matters such as:
- Accuracy thresholds
- Bias and discrimination risks
- Behaviour under edge cases
Operational governance should also include defined acceptable uses, escalation procedures for problematic outputs and ongoing monitoring of evolving AI models.
AI products are not static, and businesses should continue to assess whether outputs are drifting from intended specifications, whether errors are increasing and whether regulatory expectations have changed.
Contracts can support this ongoing governance process through provisions such as audit rights, transparency obligations and change notification requirements.
Revisiting Data Protection Compliance
Data protection remains one of the topics clients most frequently seek advice on.
The UK data protection framework continues to be governed primarily by:
- UK GDPR
- The Data Protection Act 2018
- The Data (Use and Access) Act 2025
The DUA Act introduced targeted reforms intended to make the UK’s data protection regime more practical and adaptable while maintaining accountability obligations.
Legitimate Interests
Legitimate interests remain one of the most important and widely relied upon lawful bases for processing personal data.
The DUA Act and updated ICO guidance provide additional clarity regarding:
- What may constitute a legitimate interest
- How the necessity test should be applied
- How organisations should approach balancing exercises
The ICO has confirmed that legitimate interests can include commercial objectives, third-party interests and wider societal benefits.
Importantly, the necessity test should not be interpreted in an overly narrow manner. Instead, organisations are expected to use personal data in a targeted and proportionate way to achieve legitimate objectives.
The guidance is particularly relevant for direct marketing activities where consent may not always be required.
However, organisations relying on legitimate interests must still be able to explain and evidence their reasoning.
Privacy notices and contracts should therefore clearly describe processing purposes and avoid overly broad or generic wording.
Data Subject Access Requests
The DUA Act also introduces reforms intended to make DSAR handling more practical and proportionate.
Organisations are now only required to undertake “reasonable and proportionate” searches when responding to requests.
The updated framework also provides greater flexibility when handling complex requests and additional clarity concerning manifestly unfounded or excessive requests.
However, organisations must still:
- Respond within statutory timeframes
- Provide transparent responses
- Maintain appropriate records
Contracts with processors should continue to include obligations requiring processors to support controllers with DSAR compliance.
International Data Transfers
The DUA Act also supports a more flexible, risk-based approach to international data transfers.
The focus is now on whether protections in the destination country are “not materially lower” than UK standards.
While this may simplify aspects of transfer risk assessments, organisations must still:
- Understand where personal data is being transferred
- Assess transfer risks appropriately
- Implement suitable safeguards
Contracts involving overseas processors should clearly address:
- Where data is stored and accessed
- What safeguards apply to onward transfers
Delivering and Receiving Technology Solutions
The webinar also explored several key clauses commonly encountered in technology contracts.
Payment Structures and Service Levels
Many technology contracts now operate on usage-based pricing models, with charges linked to API calls, compute usage or AI token consumption.
While these pricing models may provide flexibility for suppliers, they can create uncertainty for customers.
Businesses should therefore consider negotiating:
- Usage caps
- Cost alerts
- Transparent charging definitions
- Flexibility for scaling services
Service levels also remain heavily negotiated.
Customers should assess whether service credit regimes provide meaningful remedies in practice and consider whether repeated failures should trigger termination rights.
Businesses should also carefully review contractual provisions permitting unilateral changes to services or functionality.
Liability and Risk Allocation
Liability clauses remain among the most important provisions in technology contracts.
Suppliers commonly seek to:
- Cap liability by reference to annual contract value
- Exclude losses such as profit, revenue and business interruption
- Limit remedies to service credits
While this may be acceptable in some low-risk SaaS arrangements, it may be problematic in business-critical, implementation-heavy, or customer-facing solutions.
Businesses should carefully consider:
- Whether caps are aggregate or claim-specific
- Whether indemnities fall within liability caps
- Whether exclusions remove meaningful recovery rights
- Whether separate caps should apply to different categories of risk
The case of Drax Energy Solutions v Wipro remains an important reminder of the need for clear drafting where liability caps are linked to charges paid over specific periods.
Intellectual Property and Licensing
Technology contracts also continue to raise important intellectual property and licensing issues.
Customers sometimes assume they “own” technology solutions when, in practice, SaaS arrangements usually grant only limited licence rights.
Businesses should therefore assess:
- User and territorial restrictions
- Rights on termination
- Restrictions on modification or reverse engineering
- Ownership of custom developments
Open-source software is also an increasingly important issue in technology contracts.
Contracts frequently include warranties regarding open-source compliance together with disclosure obligations and indemnities relating to licence breaches.
Providing for Force Majeure
Force majeure clauses remain critical because they allocate risk where events outside a party’s reasonable control disrupt contractual performance.
These events may include:
- Geopolitical instability
- Energy crises
- Supply chain disruption
- Natural disasters
- Government-imposed restrictions
Under English law, force majeure is entirely contractual, and there is no standard legal definition.
As a result, the effectiveness of a force majeure clause depends entirely on the drafting.

Supply Chain Disruption and CO₂ Shortages
The webinar considered the impact of carbon dioxide shortages as a practical example of force majeure risk.
CO₂ shortages can significantly affect the food and drink sector, including the production of carbonated drinks and food packaging processes.
Previous shortages demonstrated the importance of:
- Notice requirements
- Allocation and rationing clauses
- Termination rights
- Supply chain alignment
Businesses should therefore ensure that upstream and downstream contracts operate consistently where force majeure risks arise.
Payment Obligations During Force Majeure
One key issue is whether payment obligations are automatically suspended where a supplier invokes force majeure.
The answer depends on the wording of both the payment clause and the force majeure clause.
Where payment obligations are linked directly to delivery or usage, suspension may arise naturally.
However, where charges are expressed as recurring fixed fees, customers may remain liable to continue paying unless the contract expressly provides otherwise.
Customers may therefore wish to negotiate express wording confirming that payment obligations are suspended during periods where services are not supplied.
Using Third-Party Solutions
The final section of the webinar focused on services dependent on independent third-party providers, such as:
- Cloud hosting providers
- Telecoms networks
- Payment processors
- Infrastructure suppliers
These arrangements create complex contractual dependencies.
Responsibility for Third-Party Performance
A key issue is whether the supplier remains responsible for third-party failures.
Contracts may:
- Remain silent on the issue
- Exclude liability for third-party failures
- Limit obligations to reasonable endeavours
Customers should carefully assess the extent to which suppliers are expected to remain responsible for integrated third-party services.
Businesses may also wish to negotiate:
- Differentiated service levels
- Minimum performance guarantees
- Enhanced remedies
- Insurance requirements
Supply Chain Alignment and Change
Businesses should also consider whether suppliers have effectively flowed down key contractual obligations to third-party providers.
This is particularly important for:
- Security standards
- Business continuity obligations
- Regulatory compliance
- Service levels
Technology contracts should also address how changes to third-party services will be managed.
Questions businesses should consider include:
- Who bears the cost of change
- Whether customer approval rights apply
- What notice periods are required
- What happens if a third-party solution becomes unavailable
Exit rights, substitution rights and business continuity arrangements should all be considered carefully.
Final Thoughts
Contact Our Commercial Team
If you would like advice on AI contracts, technology agreements, data protection compliance or commercial risk allocation, please contact our Commercial Team.
