2.1 Existing law applied to AI: privacy, data protection & IP

Key Takeaways

  • Technology-neutral law—privacy, IP, contract, and tort—already governs AI because it regulates outcomes and conduct rather than a specific technology, so obligations attach even without any AI-specific statute.
  • GDPR Article 5 principles (lawful basis, purpose limitation, and data minimization) constrain AI across the lifecycle, and data minimization sits in direct tension with machine learning's appetite for large training datasets.
  • GDPR Article 22 lets individuals refuse decisions based solely on automated processing that has legal or similarly significant effects, with safeguards including human intervention, the right to express a view, and the right to contest.
  • A DPIA under GDPR Article 35 is mandatory for high-risk processing such as large-scale profiling, making it a natural governance checkpoint before an AI project launches.
  • US courts hold that AI outputs lacking meaningful human authorship are not copyrightable (Thaler v. Perlmutter) and that an AI cannot be a named patent inventor (Thaler v. Vidal), while training-data fair use remains unsettled and litigated.

Last updated: July 2026

Existing law already reaches AI

A central AIGP theme is that AI does not operate in a legal vacuum. Long before any AI-specific statute existed, general bodies of law—privacy and data-protection law, intellectual property, contract, and tort—already governed how AI systems may be built and used. These "technology-neutral" laws apply to AI because they regulate outcomes and conduct (processing personal data, copying protected works, causing harm) rather than a particular technology. For the exam, you should be able to explain how each body of law attaches to AI even where no rule mentions "artificial intelligence."

Privacy and data-protection law

The EU General Data Protection Regulation (GDPR) is the anchor here because AI systems are trained on, and make decisions about, personal data. Its core principles (Article 5) constrain AI at every stage of the lifecycle:

  • Lawfulness, fairness, and transparency — every processing activity needs a lawful basis (Article 6): consent, contract, legal obligation, vital interests, public task, or legitimate interests. Scraping personal data to build a training set, for example, must rest on a valid basis, and "legitimate interests" demands a documented balancing test against the individual's rights.
  • Purpose limitation — data collected for one specified purpose cannot be freely repurposed. Reusing customer records to train a new model raises a compatibility question the controller must answer before proceeding.
  • Data minimization — only data necessary for the purpose may be processed. This sits in obvious tension with the "more data is better" instinct of machine learning.
  • Accuracy, storage limitation, and integrity/confidentiality round out the set, requiring correct data, retention limits, and appropriate security.

Two mechanisms are especially exam-relevant. Article 22 gives individuals the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects—an automated denial of credit, insurance, or a job. It applies unless the decision is necessary for a contract, authorized by EU or member-state law, or based on explicit consent; even then the controller must provide safeguards, including the right to obtain human intervention, to express one's point of view, and to contest the decision. Combined with the transparency duties in Articles 13–15 (meaningful information about the logic involved), Article 22 is the closest the GDPR comes to an "AI provision." Data protection impact assessments (DPIAs) under Article 35 are mandatory for high-risk processing—including large-scale profiling and systematic monitoring—making the DPIA a natural governance checkpoint for any significant AI project.

Two further constraints matter for AI teams. Processing special-category data (Article 9)—health, race, biometrics, sexual orientation—is prohibited unless a narrow exception applies, which directly limits training on sensitive attributes even for the worthy goal of testing a model for bias. And data protection by design and by default (Article 25) obliges controllers to bake safeguards such as pseudonymization and minimization into a system from the outset, not to bolt them on afterward. Together these turn abstract principles into concrete design requirements for any AI pipeline that touches personal data.

In the United States there is no single comprehensive privacy law. AI must instead navigate a patchwork: state statutes such as California's CCPA/CPRA (which regulate profiling and automated decision-making and grant opt-out rights, with detailed ADMT regulations finalized), plus sectoral laws like HIPAA (health), the FCRA (consumer reports and credit), and GLBA (financial). The exam expects awareness that this fragmentation—not a single rulebook—is the US baseline, and that a global AI system typically must satisfy the strictest regime that applies to it.

Intellectual property applied to AI

IP law reaches AI from two directions: the inputs (training data) and the outputs.

On inputs, the flashpoint is copyright in training data. Training a model normally requires copying vast quantities of text, images, and code—much of it protected. In the US, developers argue this copying is fair use; rightsholders disagree, and cases such as The New York Times v. OpenAI, Getty Images v. Stability AI, and Thomson Reuters v. Ross Intelligence—where a 2025 ruling rejected a fair-use defense—show the law is unsettled and still evolving. The EU takes a different tack: its 2019 DSM Directive created text and data mining (TDM) exceptions (Articles 3–4) that permit mining unless the rightsholder has expressly reserved its rights (an opt-out), and the EU AI Act now requires general-purpose AI providers to honor those reservations.

On outputs, the key rule is the human-authorship requirement. The US Copyright Office and courts hold that works generated without meaningful human authorship are not copyrightable—Thaler v. Perlmutter confirmed that a purely machine-generated image cannot be registered. The Copyright Office's 2025 guidance clarifies that human-authored elements and the creative selection and arrangement of AI outputs can still be protected, but the raw machine output alone cannot. Trade secret law offers a complementary route: model weights, architectures, training datasets, and prompts can be protected as trade secrets—while an employee pasting confidential information into a public chatbot can inadvertently destroy that secrecy. Finally, patents raise inventorship questions: courts (e.g., Thaler v. Vidal) hold that an AI system cannot be a named inventor, and USPTO guidance requires a significant human contribution for an AI-assisted invention to be patentable.

Understanding these overlapping regimes—GDPR principles, Article 22, DPIAs, copyright, trade secrets, and patents—lets a governance professional spot where an AI initiative already faces binding obligations, long before any dedicated AI statute enters the picture.

Test Your Knowledge

Under GDPR Article 22, when may an individual generally object to a decision produced entirely by automated processing?

Test Your Knowledge

A team wants to reuse personal data originally collected for order fulfillment to train a new recommendation model. Which GDPR principle most directly requires them to assess whether this new use is compatible?

Test Your Knowledge

Based on recent US authority, which statement about copyright and AI is most accurate?
