Artificial Intelligence (AI), European Union, Legislative process

(Potter Clarkson LLP and King's College London)/ /Leave a comment
Photo by BoliviaInteligente on Unsplash

Last year we reported on the European AI Office facilitating the drawing-up of the General-Purpose AI Code of Practice (the “Code”). The first draft of the Code was published on 14 November 2024. Our article on the first draft of the Code can be found here.

This blog post is to report on the updates in the second and third drafts of the Code. These were published on 19 December 2024 and 11 March 2025 respectively.

 

What’s new?

 

Second draft

Compared to the first draft, the second draft of the Code included new obligations for AI providers (“Providers”) of general-purpose AI (“GPAI”) models and GPAI models with systemic risk (“GPAISR”).

The second draft generally provided more detailed provisions and concrete examples, especially regarding the proportionality of measures and key performance indicators (KPIs). It refined the approach to proportionality taken in the first draft, ensuring measures are suitable for different sizes and types of Providers.

The second draft emphasised the need for both internal copyright policies and public summaries of these policies. There was a stronger focus on ensuring third-party datasets comply with copyright laws, including due diligence and documentation of assurances from third parties.

These changes aimed to create a more robust and detailed framework for the development and deployment of GPAI models, ensuring compliance with the AI Act and addressing systemic risks more effectively.

 

Third draft

The third draft is set to be the last draft of the Code. The final version of the Code will be based on the current third draft and stakeholder feedback on it. Stakeholders could provide written feedback by 30 March 2025. The final version of the Code is expected by 2 May 2025.

Overall, the third draft is designed to be more transparent and practical, incorporating feedback from the second draft, refining and improving the Code’s commitments and measures. The focus of the third draft is on streamlining the structure and clarifying elements of the Code.

Contrary to the second draft, the third draft does not include KPIs and instead sharpens the reporting commitments. The working groups tasked with preparing the Code (“Working Groups”) confirmed that we should not expect the final adopted version of the Code to contain any KPIs.

Related to transparency, the third draft introduces a user-friendly Model Documentation Form which allows Providers to easily document the necessary information in a single place.

A transparency measure in the third draft requires the Providers to disclose if and when external input, including from government actors, informs the development or use of a GPAISR. This measure does not require input from external actors but does require transparency around its presence, in accordance with existing international commitments.

Providers are also expected to commit to making public certain information about the systemic risks stemming from their GPAISRs. Notably, compared to the second draft, the new commitment has been adjusted such that Providers only commit to publicly sharing such documents where doing so is necessary to assess and mitigate risks.

Finally, to ensure the Code for GPAISRs remains proportionate to risks, the AI Office will conduct regular reviews every two years, with necessary adaptations.

 

Copyright provisions in the second and third drafts

 

One of the leading objectives of the Code is that Providers should be able to effectively comply with EU laws on copyright and related rights (Article 53 and Recital 106 AI Act). Providers, therefore, recognise that any use of copyright protected content requires the authorisation of the rightsholder(s) concerned unless relevant copyright exceptions and limitations apply (Recital 105 AI Act).

Importantly, according to Recital 109 AI Act, compliance with the obligations of the AI Act should take due account of the size of the Provider and allow simplified ways of compliance for small and medium enterprises (“SMEs”), including start-ups, that should not represent an excessive cost and not discourage the use of GPAI models.

 

Second draft

To comply with this objective, the second draft of the Code built on the AI Act to put certain obligations on Providers in relation to copyright compliance. Such obligations include:

 

  • The requirement for Providers to draw up, implement, and keep up to date an internal policy to comply with Union law on copyright and related rights. Responsibilities within the organisation must be assigned for the implementation and oversight of this policy.

 

  • Providers must make a summary of their internal copyright policy publicly available and keep it up to date.

 

  • Providers must undertake copyright due diligence when acquiring datasets from third parties. Reasonable efforts must be made to obtain assurances from third parties about their compliance with Union copyright law.

 

  • Providers must ensure they have lawful access to copyright-protected content when engaging in text and data mining.

 

  • Providers must take reasonable measures to exclude widely known piracy websites from their crawling activities.

 

  • Providers must make public adequate information about the measures they adopt to comply with rights reservations. Compared to the first draft, second draft includes more specific measures for identifying and complying with machine-readable means of expressing rights reservations.

 

  • Providers must make best efforts to prevent overfitting of their models to mitigate the risk of generating copyright-infringing output. This was not explicitly mentioned in the first draft.

 

  • Providers must prohibit copyright-infringing uses of their models in their acceptable use policies or equivalent documents.

 

  • Providers must designate a point of contact for communication with affected rightsholders and enable them to lodge complaints.

 

Third draft

As mentioned above, the third draft no longer includes separate KPIs and instead incorporates these into some of the consolidated measures.

The third draft aims to make the copyright provisions more accessible and easier to implement while retaining the essential requirements from the first two drafts. Its stated aim is to present core measures in a simplified and clearer form, consolidating them where appropriate.

Such core measures include:

 

  • Drawing up, implementing and keeping up to date a copyright policy. Providers are encouraged to make this policy publicly available and assign responsibilities within their organisation for the implementation and overseeing of this policy.

 

  • Reproducing and extracting only lawfully accessible copyright-protected content when crawling the internet. This means excluding “piracy domains” and not circumventing technological measures such as paywalls. The non-circumvention measure has replaced the obligation to ensure lawful access, which may be seen as an improvement of the third draft.

 

  • Identifying and complying with rights reservations when crawling the internet. This commitment is without prejudice to the right of rightsholders to expressly reserve the use of lawfully accessible works and other protected subject matter for the purposes of text and data mining.

 

  • Obtaining adequate information about protected content not web-crawled by Provider. Providers should make reasonable efforts to verify if web-crawlers used to collect works and other protected content from the internet followed the Robot Exclusion Protocol (robots.txt) as specified by the IETF. This measure specifically excludes a commitment to verify such data in terms of copyright compliance.

 

  • Mitigating the risk of production of copyright-infringing output. This measure replaced the problematic overfitting requirement from the previous draft. Large Providers claimed that the term “overfitting” was too vague, and some overfitting was necessary for proper model performance. According to this new measure, Providers should strive to prevent models from memorising and reproducing copyright protected content and prohibit copyright-infringing uses in their policies and terms. Providers do not need to ban copyright infringing uses of a model in their terms if the GPAI model was released under a free and open-source licence. This is no doubt a welcome change for the developers of open-source AI models.

 

  • Designating a point of contact and enabling the lodging of complaints. Providers should designate a contact point for rightsholders and provide accessible information about it. Providers should also establish a mechanism for submitting and addressing complaints about non-compliance, with the right to refuse unfounded or excessive complaints.

 

Conclusions

The introduction of the Code to assist Providers with the AI Act compliance is generally a step in the right direction. The second and third drafts of the Code provide even more clarity for Providers on how to comply with the requirements of the AI Act.

Importantly, planned ongoing updates to the Code by the AI Office, to reflect technological advancements will also ensure that the Code does not become obsolete before it is even finalised.

However, on the other hand, the current draft still does not cover significant issues such as clear guidance on handling datasets containing infringing content, deepfake labelling, and strategies for compensating creators for the use of their IP.

As critically noted by the Working Groups, the third draft “still does not contain the level of clarity and coherence that we expect in the final adopted version of the Code”. Therefore, we anticipate some more “meat on the bones” in the final version of the Code.

Considering that the third draft will be the final draft of the Code, we envisage more obligations placed on Providers. Undoubtedly, some obligations of the Code specifically exclude SMEs, which may be seen as a loophole. This is especially true, considering the popularity of AI start-ups worldwide.

Non-mandatory (guidance) nature of the Code means some Providers may decide to ignore the Code. Indeed, many large Providers (to whom the Code is primarily addressed!) have already indicated that they will not sign the Code. They argue that the Code should clarify the AI Act instead of imposing new obligations.

Considering that the overall adherence to the Code does not constitute conclusive evidence of compliance with the AI Act, one might question the overall usefulness of the Code for Providers. Nonetheless, any guidance is better than none. As before, we predict that the finalised Code will have a wide-spread global influence, not just within the EU. Providers from outside of the EU, seeking to deploy their AI systems within the Member States will be wise to consult the Code for guidance on how best to comply with the AI Act.

 

The second draft of the Code is available here and the third draft here. The AI Office has also prepared a Q&A to help Providers comply with the AI Act. The Q&A can be accessed via this link.


________________________

To make sure you do not miss out on regular updates from the Kluwer Copyright Blog, please subscribe here.


Kluwer Arbitration
This page as PDF

Leave a Reply

Your email address will not be published. Required fields are marked *