Creating a level playing field: the EU AI Act and copyright

The EU AI Act is due to be published in the Official Journal of the EU in the coming days and will enter into force 20 days after publication.

Whilst the EU AI Act is not IP focused, it does contain some important obligations relating to copyright. And so, with its imminent entry into force, we thought now is a good opportunity to review these obligations and understand what they will mean in practice for AI providers. 

Background

With the rapid development of generative AI tools, significant numbers of rightsholders across the world have started to bring copyright infringement claims against generative AI providers. Broadly speaking, the copyright owners claim that these AI tools infringe their copyright because they have been trained using their copyright-protected works without a licence. As such, there has been a lot of focus on potential exceptions to copyright infringement that AI developers might rely on.

Central to the training of AI systems is a process known as text and data mining (TDM). TDM involves the automated processing of large bodies of text and data to extract the relevant data and uncover new insights and patterns. There is currently an exception to copyright infringement in the EU which permits TDM for commercial purposes, but this is subject to rightsholders being able to reserve their rights and “opt-out”.

Whilst that opt-out provision is aimed at striking a fair balance between AI developers and rightsholders, as discussed in previous blogs the black box nature of many AI systems makes it difficult for copyright owners to identify where their works have been used as training data in breach of their opt-out. This concern seems to have resonated with EU legislators, who, prompted by the Chat GPT phenomenon, ultimately included in the EU AI Act various transparency related obligations targeted at general purpose AI (GPAI) providers. 

Key copyright related obligations in the EU AI Act

The final version of the EU AI Act contains two key copyright related obligations.  These require GPAI providers to: 

1. put in place a policy to ensure compliance with EU copyright law, including any rightsholder TDM opt-outs (Article 53(1)(c)); and
2. make publicly available a “sufficiently detailed” summary of the training data used to train their model (Article 53(1)(d)).

It’s worth highlighting that these two obligations only apply to providers of GPAI models that are placed on the EU market. This means they do not apply to: (i) other actors in the AI supply chain, e.g., deployers, importers, distributors or users; (ii) AI systems that fall outside the definition of GPAI models; and (iii) GPAI models that are not placed on the EU market. 

Policy to comply with EU copyright law

The self-expressed aim behind the Article 53(1)(c) obligation is to prevent AI developers from forum shopping and to create a “level playing field among providers of general-purpose AI models where no provider should be able to gain a competitive advantage in the Union market by applying lower copyright standards than those provided in the Union”. 

The concern seems to be that, absent such a requirement and owing to the traditional territorial scope of copyright, AI developers might be able to circumvent EU copyright-holders’ rights (including any TDM opt-outs), by carrying out the training of their models in a jurisdiction with fewer restrictions on the use of copyright works and subsequently importing these models into the EU. 

Indeed, the Act’s recitals make it clear that this obligation applies "regardless of the jurisdiction in which the relevant copyright-relevant acts underpinning the training of those [GPAI models] take place". The result is that where a provider wants to place a GPAI model on the EU market, that model must have been trained in a way that is compatible with EU copyright law.

The obvious question then is, what exactly does the required policy need to contain? At this stage it’s not entirely clear, although further guidance is expected to be provided through a code of practice and, in time, harmonised standards. In the meantime, the EU AI Act specifies that, as a minimum, the policy must detail how the provider will identify and comply with any rightsholder TDM opt-outs. 

Summary of content used for training GPAI

As already noted, the purpose behind the Article 53(1)(d) obligation is to ensure greater transparency in the data used to train GPAI models thereby enabling rightsholders to better identify when their works have been used and whether their opt-outs have been adhered to.

How much detail is required? Once again, it’s not entirely clear. However, we are expecting the AI Office to publish a template summary, as well as a separate code of practice, which will hopefully provide further guidance. 

For now, we’re reliant on the wording of the EU AI Act itself, which suggests that this summary doesn’t need to be technically detailed or list out every copyright work used to train the GPAI model, but rather just “generally comprehensive”, listing the main data collections used (e.g., large private or public databases or data archives), with a narrative explanation of other sources, so that rightsholders can exercise and enforce their rights.  

Comment

The EU AI Act is only in its infancy and there are a number of points that will require clarification in due course. 

One area that has attracted a lot of attention so far, however, is the apparent extra-territorial effect of the copyright related provisions. Whilst this may seem to be overreaching, it’s not without precedent - as we’ve seen with GDPR. Even in the UK, which is not subject to the EU AI Act, there is an argument (which Getty Images is running against Stability AI) that importing a trained generative AI model into the UK could amount to secondary infringement of copyright (see our blog). 

Closely linked to this, it also remains to be seen whether non-compliance with Article 53(1)(c) would only amount to a breach of the EU AI Act, or whether it could also amount to an infringement of EU copyright for which rightsholders may obtain compensation. 

In any event, if a provider intentionally or negligently fails to comply with these obligations, the consequences could be severe – they may receive a fine of up to 3% of their annual total worldwide turnover in the previous financial year or €15 million (whichever is higher) and could also be required to remove the model from the EU market.

We, for one, will be keeping a very close eye on how this all plays out!

*Since this blog was written, the EU AI Office has opened a call for expression of interest to participate in the drawing up of the Code of Practice for GPAI model providers. It has also launched a multi-stakeholder consultation to gather inputs on that Code of Practice (including on the template summary of content used for training GPAI) from interested stakeholders.