EU AI Office Publishes Third Draft of EU AI Act-Related General-Purpose AI Code of Practice: Key Copyright Issues

This LawFlash summarizes key EU copyright aspects of the European AI Office’s third draft of its General-Purpose AI Code of Practice developed in connection with the EU AI Act.

The Code of Practice sets out “commitments” and “measures” for providers of general-purpose AI models (GPAI models) (whether involving “systemic risks” or not) that are subject to the AI Act. The AI Act's key provisions relating to GPAI models will enter into force in August 2025. Providers of GPAI models, which become signatories to the Code of Practice, may be favorably considered when determining whether the provider has complied with the AI Act, even though a provider’s compliance with the Code of Practice will not, in and of itself, be deemed to constitute compliance with the AI Act. 

The Code of Practice is currently in its third draft and is expected to be finalized in May 2025. The Code of Practice establishes commitments and measures relating to (1) transparency and copyright-related rules; (2) risk assessment for systemic risk; (3) technical risk mitigation for systemic risk; and (4) governance risk mitigation for systemic risk. This LawFlash highlights key EU copyright aspects of the latest draft of the Code of Practice.

THE SUBSTANTIVE SCOPE OF TRAINING DATA OBLIGATIONS

A key obligation under the AI Act concerns the use of training data. Providers of GPAI models must establish policies to comply with EU law on copyright and related rights. These policies must be suitable to ensure that if a right holder has made a statement that their protected content may not be used for AI training (opt-out), this opt-out is observed.

A German court has interpreted the obligation to consider an opt-out under copyright law relatively broadly to cover any machine-readable declaration, including a declaration in natural language. The Code of Practice now specifies these obligations and distinguishes between instructions expressed in accordance with the Robot Exclusion Protocol (robots.txt) and any other appropriate machine-readable protocols. While robots.txt protocols must be considered in any case, the obligations of providers to consider any other protocol is limited to the use of best efforts.

THE CODE OF PRACTICE IN A NUTSHELL

Compared to the second draft, the third draft of the Code of Practice is significantly more streamlined, with clearer articulation of individual commitments. The overall measures relating to copyright compliance have been limited to the following:

• Measure I.2.1(1)/(2): Signatories (1) must draw up, keep up to date and implement a copyright policy and (2) are encouraged to publish a summary of their internal copyright policy.
• Measure I.2.2: Signatories may reproduce and extract only lawfully accessible copyright-protected content when crawling the world wide web. In particular, (1) they may not circumvent effective technological protection measures, including paywalls, and (2) they must make reasonable efforts to not crawl from piracy domains.
• Measure I.2.3
  • (1): Signatories must identify and comply with rights reservations (opt-out) when crawling the world wide web. In particular, they (1) may only employ web-crawlers that read and follow instructions expressed in accordance with robots.txt and (2) must make best efforts to identify and comply with other appropriate machine-readable protocols.
  • (2): Signatories must take reasonable measures to enable rightsholders to obtain information about the web crawlers employed and their robot.txt features and other measures adopted to identify and comply with opt-outs.
• Measure I.2.4: Signatories must make reasonable efforts to obtain adequate information about protected content web crawled by third parties, including whether their web crawlers read and follow robot.txt instructions.
• Measure I.2.5: Signatories must mitigate the risk of production of copyright-infringing output by (1) design of the GPAI model (reasonable efforts) and (2) prohibiting copyright-infringing uses in downstream contracts.
• Measure I.2.6: Signatories must designate a point of contact and enable the lodging of complaints.

FINAL THOUGHTS

Navigating AI copyright law in the European Union requires a blend of legal knowledge and practical planning because there are material differences between (for example) US and EU copyright law. To illustrate, the “fair use” doctrine as understood under US copyright law (which is very relevant to AI-related training) is not recognized under EU law in the same way. Instead, EU law applies written exceptions and/or limitations to copyright.

In relation to AI training, the text and data mining (TDM) exception under Articles 3 and 4 of Directive (EU) 2019/790 (DSM-D) is most important, but the details of its application to AI training remain unclear due to a lack of case law to date. In addition, future rulings or regulatory clarifications may clarify the interplay between EU and non-EU copyright law with respect to AI training conducted outside the EU.

Importantly, the AI Act, EU copyright law, and other EU laws (including the General Data Protection Regulation) operate in parallel. Notably, the AI Act establishes provider (and other related AI stakeholder) obligations, while copyright law governs potential individual rights and enforcement against such AI stakeholders.