Legal Compliance for AI Training: Navigating Copyright, GDPR, and the AI Act in Practice
Generative AI critically depends on extensive data. This necessity brings it into direct conflict with established legal frameworks, particularly copyright law (regarding TDM exceptions and opt-out mechanisms), the GDPR (covering legal bases, information obligations, and data subject rights), and the AI Act (mandating transparency and copyright compliance for general purpose models). Establishing a robust structure of legal bases, contractual assurances, technical opt-out mechanisms, and clear processes for objections, deletions, and evidence is therefore crucial. This guide outlines practical steps for legally compliant AI training, with a particular focus on German and European regulations.
Legal Framework Overview: TDM Exemptions, Opt-Out, and German Implementation
The TDM exceptions of Directive (EU) 2019/790 (DSM) are central to EU law concerning training on copyright-protected content. Article 3 grants privileges for text and data mining by research institutions and cultural heritage institutions, provided there is lawful access. Right holders cannot object in such cases. Article 4 extends a general TDM barrier for other purposes, including commercial AI training.
However, this applies only if right holders do not expressly reserve the right of use "in an appropriate form." This opt-out mechanism ideally needs to be machine-readable and available online. In Germany, these rules are implemented as Section 60d UrhG (for research) and Section 44b UrhG (for general TDM with opt-out).
In practice, this means:
- Research training with lawful access regularly falls under Section 60d UrhG.
- Commercial training can be based on Section 44b UrhG, provided no effective opt-out was set and access was lawful.
- Database rights may also be affected, as TDM exceptions address extractions from protected databases.
The opt-out must be expressed online in a machine-readable form. Discussions and initial decisions in Germany clarify that "machine-readable" does not automatically equate to classic robots.txt bans. Instead, a specific TDM reservation that clearly and technically signals reserved TDM uses is gaining acceptance. Early court decisions underscore this. The legality of access, adherence to opt-outs, and proper documentation are all relevant for liability, even when creating datasets for training, not just during model training itself.
GDPR Compliance in AI Training: Legal Bases, Limits, and Obligations
AI training on personal data requires a viable legal basis under Article 6 GDPR. The debate primarily centers on legitimate interests (Art. 6 para. 1 lit. f). Data protection authorities emphasize that while legitimate interests may be conceivable, they demand a strict three-step test. This includes robust security and transparency measures, a thorough balancing of interests, clear opt-out mechanisms, and comprehensible accountability. For special categories of data (Art. 9 GDPR), the standard is considerably higher; legitimate interests are insufficient, requiring explicit consent or another specific exception.
Further key points for GDPR compliance:
- Transparency/Information Obligations (Art. 13/14): Information obligations must be fulfilled for web scraping. Any exceptions require justification and documentation.
- Rights of Data Subjects: This includes the right to objection (Art. 21), deletion (Art. 17), and correction/comment on accuracy. These rights relate to training datasets and, under certain circumstances, to models themselves.
- Data Minimization & Storage Limitation (Art. 5 para. 1 lit. c/e): Curate corpora, filter sensitive fields, limit retention, and maintain deletion routines and "do-not-train" blacklists.
- Risk Management & DPIA (Art. 35): A Data Protection Impact Assessment (DPIA) is regularly required for broad-based scraping and training projects. Its outcomes must be reflected in relevant policies and technology.
European and national authorities have published 2024/2025 guidelines and task force reports to refine this framework. The EDPB addresses transparency, accuracy risks, and legal bases. The CNIL explains conditions for training based on legitimate interests, including technical and organizational safeguards. Furthermore, the ICO (UK) specifies requirements for web scraping and legitimate interest testing. In practice, demonstrably embedding these requirements into governance and technology is crucial.
AI Act and Copyright Compliance for General Purpose Models
The AI Act was published in the Official Journal in July 2024. Key parts will take effect in stages until 2026. This legal framework standardizes transparency and copyright compliance obligations for providers of general-purpose AI models (GPAI). Providers of GPAI models must, among other things, maintain a policy on compliance with EU copyright law. They also need to publish a sufficiently detailed summary of the content used for training, irrespective of where the training occurred.
Simultaneously, a GPAI Code of Practice (2025) is being developed. This voluntary framework aims to facilitate the practical implementation of obligations, including copyright respect and documentation. Consequently, rights and data compliance will be subject to auditing and verification, moving beyond mere "best efforts."
Opt-Out in Practice: Machine-Readable Reservations and Technical Implementation
The DSM directive mandates a machine-readable reservation for online content. In practice, the TDM Reservation Protocol (TDMRep) has emerged as a dedicated, analyzable standard. It can signal via HTTP header or a TDM file that TDM uses are reserved, optionally referring to license paths. Unofficial signals, such as "noai" meta or robots tags, also exist. However, these are not harmonized and are inconsistently observed.
Anyone relying on Section 44b UrhG must consistently parse TDM signals in the data pipeline and prove that opt-outs are respected. Failure to do so poses a significant risk of copyright infringement. Public bodies like the Council and Commission are pushing for parallel standards and registry considerations. Their goal is to make the opt-out mechanism interoperable across Europe.
Minimum Technical Measures for AI Data Acquisition
- Parser for tdm-reservation: This should be in place, along with tdm-policy if available. Robust robots.txt adherence alone is insufficient.
- Positive/negative lists and blockers: Implement these against known AI crawler blocks and TDM reservations.
- Evidence repository: Maintain for each source, including time, HTTP header/file snapshot, opt-out status, license path, and legal access.
- Re-crawl rules: TDM opt-outs can be set retrospectively; reconcile runs must be scheduled to detect these changes.
- License router: If a reservation is set, trigger the license path (e.g., direct to the rights contact URL from the TDM policy).
Integrating Copyright and GDPR: Four Key Challenges
Legal access alone does not grant a free pass. Content freely accessible under copyright law still requires a valid legal basis under data protection law. Without a viable Article 6 basis and transparent information, training on personal data becomes risky, even if no opt-out is explicitly set.
Special categories of personal data (e.g., health, political opinion, religion) can easily infiltrate web-scraped corpora on a large scale. Typically, there is no viable exception for training on such data without explicit consent or under very narrow special circumstances. Therefore, filters, exclusions, and blacklists for sensitive entities are mandatory.
Database rights are often underestimated. Many "open" collections qualify as sui generis databases. Mass extractions from these can infringe rights under Section 87b UrhG if no TDM privilege applies.
Subsequent opt-outs and data subject rights impact not only data records but also model artifacts (e.g., vectors, embeddings). While there isn't always an absolute "right to erasure in the model," robust processes for suppression, fine-tuning corrections, and information provision are required and increasingly demanded by supervisory authorities. (German Copyright Act, EDPB Report)
Practical Roadmap for AI Training: Governance, Contracts, and Technology
Governance and Documentation
- Policy stack: This includes a TDM compliance policy (covering opt-out respect, license paths), a copyright policy (addressing work/performance protection rights, database rights), a privacy policy (Art. 6/9, transparency, data subject rights), and a retention policy for corpora and artifacts.
- Roles: Clearly define roles such as Data Sourcing, Rights & Privacy Counsel, Dataset Steward, Security/ML-Ops, and Audit.
- DPIA and Legitimate Interest Assessment: Conduct these with concrete safeguards, including pseudonymization, blacklists, sensitive data filters, rate limits, access controls, and purpose limitation.
- Transparency: Provide layered notices and Model Cards/Datasheets. For GPAI models, a training content summary is required under the AI Act.
Contracts and Chain of Rights
- Content sources: Ensure license clauses address TDM permission/restriction, purpose limitation ("training/fine-tuning/evaluation"), territories, term, remuneration, audit/chain of rights, and no-scrape warranties.
- API/partners: Obtain assurances of lawful provision, confirmation that no opt-outs have been violated, no special categories of data are provided without a legal basis, and include exemption and audit rights.
- User content (SaaS/UGC): Implement clear Terms and Conditions permissions or default no-training with granular opt-ins. Alternatively, provide an opt-out in privacy settings. Establish explicit rules for finely granular purposes (e.g., "quality improvement only," "no third-party model training").
- Data providers (annotation, synthesis): Contracts must cover confidentiality, copyright/benefit protection, personal data, bias/quality KPIs, and rights to labels.
Technology and Processes
- Crawler/loader: Ensure it respects `tdm-reservation`, with a parser mandatory in the pipeline.
- Sensitive data filter: Implement this before inclusion in training corpora, using hashes, heuristics, rules, and human samples.
- Data subject rights: Provide search/suppression functions for corpora and artifacts. Document objection and deletion processes, differentiated for training vs. evaluation sets and fine-tuning adapters.
- Dataset provenance: Document content, source URL, timestamp, opt-out status, license path, and legal basis. Ensure immutability (e.g., WORM store) and maintain an audit trail.
- Model-level controls: Conduct red team evaluations for personal outputs, implement prompt guards, throttling, and output transparency notices.
- Security by design: Address access/keys, segmentation, secret management, and protection against data leakage and poisoning. Conduct regular audits.
Implementation for Product Teams: "Legal by Architecture"
Corpus Design Considerations
- Initial sourcing should be only from sources without TDM reservations or with explicit licenses. Utilize technical whitelists.
- Maintain a dedicated research corpus separate from any commercial corpus. Avoid unchecked transfer of Section 60d UrhG uses into commercial paths.
- Avoid recurrence sampling (repeated sampling of sensitive content) to reduce overfitting to personal samples.
Transparency and User Control
- For products with user uploads, provide granular consent/opt-ins for training, defaulting to restrictive settings. Separate consent is needed for special data categories.
- Offer an information layer for scraping sources and data subject rights. Include easy-to-find "Do-Not-Train" buttons.
Evaluation and Operation
- Address accuracy/precision for personally identifiable outputs; the EDPB emphasizes these accuracy requirements.
- Carefully curate content aggregation (as required by the AI Act): Categorize sources, specify license paths, and respect opt-outs, all while protecting trade secrets.
- Establish an incident response plan for rights/data breaches, including an intake channel, immediate action (blocking/suppression), notifications, and remediation procedures.
Common Misconceptions in AI Legal Compliance
- "Publicly accessible does not equate to freely trainable." Publicly available content is still protected by copyright and data protection laws. It requires a TDM privilege or license and a GDPR basis.
- "Robots.txt is often insufficient as an opt-out mechanism." The TDM reservation signal is a more robust and technically evaluable method.
- "The notion that 'once trained, never erasable' is not entirely accurate." A deletion or objection process can be linked to the corpus (removal/suppression), artifacts (filter/adapter retraining), and output control. The necessity of a full model retraining depends on individual circumstances, such as proportionality, technical feasibility, and risk.
- "The 'research clause' does not cure all issues." Section 60d UrhG is limited to authorized entities and lawful access. Transfers to commercial use must be licensed or examined separately.
Checklist 2025: From Legal Theory to Audit Security
- Data source register in place with opt-out status (tdm-reservation), legality, and license path.
- TDM parser productive, with blockers for TDM reservations active.
- GDPR basis identified (Art. 6/9), LIA/DPIA documented, and transparency texts available.
- Sensitive data mitigation implemented before training, with current exclusion lists.
- Data subject rights process (information, objection, deletion) fully end-to-end.
- AI-Act-GPAI compliance: Copyright policy and training content summary implemented; Code of Practice signed where applicable.
- Contractual assurances in place with content/API partners (clearing, exemption, audit).
- Audit trail maintained for sourcing, training, evaluation, and releases; regular management reviews conducted.
Conclusion
Legally compliant AI training is not a matter of guesswork, but rather a discipline of process and evidence. Organizations that technically respect TDM opt-outs, organizationally map GDPR obligations, and substantially fulfill AI Act transparency requirements significantly reduce the risk of disputes and sanctions. This approach also establishes a solid foundation for predictable licensing with right holders. The true operational difference emerges not from policy documents, but from robust crawler logs, parsers, filters, well-defined policies, and enforceable contracts that can withstand scrutiny during an audit.