A few days ago, we began our series of articles on legislation and AI, explaining the importance of the AI Act in the European Union as a central piece of the framework that regulates the use of artificial intelligence. However, the regulation is supported by an entire ecosystem of ‘pieces’ that had already been developed as technology has advanced and shaped our daily lives.
GDPR and ePrivacy Directive
The GDPR and the ePrivacy Directive are fundamental bases for any law concerning artificial intelligence, as it is well known that it is based on data and that data privacy and protection are key.
Although we accept cookies and terms and conditions in order to use so many services in our daily lives, there are a series of regulations in place to ensure that our data has a certain level of privacy and protection.
The European Data Protection Board has published Opinion 28/2024 on AI models to clarify:
- When can the data used to train models be considered anonymous?
- Under what conditions can it be considered legitimate interest?
- What limits should be placed on the scope of scraping (searching and collecting data from the internet on a massive scale) to train AI?
Data protection law is a vast subject in itself and covers many issues, such as the fact that the data of a European citizen cannot physically leave Europe unless there are a series of legal guarantees regarding data protection in the physical location where it will be stored outside the Union.
Other rules
In addition to the AI Act, we have two other regulations on how AI is deployed, or what we might call the ‘pipelines’ through which it flows:
The DSA, or Digital Services Act, directly affects large platforms and online marketing businesses such as Google, as it requires a certain degree of transparency and limits sensitive targeting and targeting of minors.
On the other hand, the DMA or Digital Markets Act regulates the major internet gatekeepers and prohibits their self-privilege or reinforces interoperability and access to data between third-party AIs.
Then we have the Data Act, which came into force relatively recently, on 12 September 2025. It is a pillar of the European data strategy that aims to regulate the use of data in connected devices (Internet of Things), gives consumers the possibility of greater interoperability between cloud service providers, prohibits abusive contracts, etc. It also allows Member State governments, in justified cases, to access data from private companies in the public interest, such as in emergencies.
Who owns the copyright to the creations?
Finally, a very important piece of our regulatory puzzle, one that particularly affects the world of advertising, creativity and marketing, is copyright regulation. This is precisely a murky area. The DSM Directive allows certain forms of TDM (text and data mining) on protected works, but recognises an ‘opt-out’ for commercial uses: rights holders can exclude their content, for example, by means of machine-readable signals.
Recent studies by the European Parliament emphasise that AI-generated content may not be clearly protected by copyright if it lacks ‘human creativity’, leaving companies and creators in limbo regarding ownership and exploitation.
However, it is not directly a law. Authors and management entities have criticised the AI Act for leaving a ‘copyright loophole’ and not directly addressing remuneration for mass use in training. Article 50 of the AI Act is where the specific rules on generative AI and synthetic content are presented.
What does each regulation cover?
In summary, we can say that:
- AI Act: defines what you can do with AI and what guarantees you have depending on the level of risk.
- GDPR / ePrivacy: continue to govern everything involving personal data, including prompts and logs.
- DSA / DMA: force large platforms and gatekeepers to make their algorithms more transparent and controllable, which changes the ‘playing field’ for those who do business on top of them: media, e-commerce, or advertising.
- Data Act: regulates access to and use of industrial/IoT data and portability in the cloud, affecting the datasets that feed AI.
- Copyright: still in the adjustment phase, trying to fit massive training and generated outputs into a framework designed for human works.
It is clear that regulating such a comprehensive and widely used technology requires a thorough study of all its uses and scenarios in which it is applied, and that the scenarios faced by those responsible will continue to increase.
