?asOf= parameter to see the current catalog state.Copyright, consent, text-and-data-mining exceptions.
Abstract
Training-data governance — the rules on what data may be used to train models, and on what legal basis — is governed directly by several catalogued instruments, notably the GDPR (through purpose-limitation, lawful-basis, and special-category-data rules) and the EU's general-purpose-AI code of practice (through its copyright chapter), among others; a separate set of instruments, including the EU AI Act itself, reaches it only implicitly. Policy Window records the empirical consensus as contested: whether text-and-data-mining exemptions cover commercial foundation-model training is unresolved and under active litigation. This article maps each instrument's training-data obligations with primary-source citations.
Definition & scope
The cross-jurisdiction picture below shows how each of 45 tracked instruments treats this topic. The patterns vary substantially — and 25 regimes are silent, leaving gaps that future policy work could address.
Coverage across jurisdictions
Historical primacy & cross-jurisdiction tension
First addressed by General Data Protection Regulation (GDPR) on (governs). Subsequent regimes have either codified, diverged from, or remained silent on this baseline.
- Forum-shoppingInterim Measures for Generative AI Service Management↔Executive Order 14110 on Safe, Secure, Trustworthy AI
- Forum-shoppingNIST AI RMF Generative AI Profile↔Executive Order 14179 — Removing Barriers to American Leadership in AI
- Forum-shoppingIndia Digital Personal Data Protection Act + AI Advisory (MEITY)↔UK Pro-Innovation Approach to AI Regulation (White Paper)
Compare jurisdictions: EU vs US · EU vs UK · EU vs CN
Enforcement & impact
Silent regimes — gap signal
Instruments that do not address Training-Data Rights — candidates for future policy work.
- Executive Order 14110 on Safe, Secure, Trustworthy AIUS
- Executive Order 14179 — Removing Barriers to American Leadership in AIUS
- UK Pro-Innovation Approach to AI Regulation (White Paper)UK
- G7 Hiroshima AI Process Code of ConductG7
- OECD AI Principles (Recommendation)OECD
- UN GA Resolution on Safe, Secure, Trustworthy AIUN
- Bletchley Declaration on AI Safetyglobal
- Seoul Declaration on Safe, Innovative and Inclusive AIglobal
- California SB-1047: Safe and Secure Innovation for Frontier AI Models ActUS
- ASEAN Guide on AI Governance and EthicsASEAN
- Anthropic Responsible Scaling Policy (RSP) v2US
- OpenAI Preparedness FrameworkUS
- Google DeepMind Frontier Safety FrameworkUS
- UK-US AI Safety Institute Memorandum of Understandingglobal
- White House Voluntary AI CommitmentsUS
- Singapore Model AI Governance Framework for Generative AISG
- OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI)US
- DoD Responsible AI Strategy and Implementation PathwayUS
- California SB-53: Transparency in Frontier Artificial Intelligence Act (TFAIA)US
- California SB 243: Companion ChatbotsUS
- California SB 942: AI Transparency ActUS
- Revised Product Liability Directive (Directive (EU) 2024/2853)EU
- Directive (EU) 2024/2831 on improving working conditions in platform workEU
- New York RAISE Act: Responsible AI Safety and Education ActUS
- TAKE IT DOWN Act (Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act)US
See also
Further reading
27 academic & grey-literature sources bearing on this topic — catalogued metadata with a primary link; one-line findings are ✦ AI-generated summaries, labeled as such (charter §7.9). Browse the full literature index.
- Open Foundation Models and TDM Exceptions to Copyright – Building Blocks for an AI Ecosystem Peer-reviewed✦ AIArgues Art. 3 CDSM Directive's scientific-research TDM exception 'does not grant rightsholders any control' and can be a 'safe harbor' for training openly released foundation models without licensing data.
- Copyright and AI in the UK: Opting-In or Opting-Out? Peer-reviewed✦ AIContends the UK opt-in/opt-out framing is a 'missed opportunity'; a broadened research exception plus market-entry transparency and creator remuneration would better serve both innovation and rightsholders.
- Technical Challenges of Rightsholders' Opt-out From Gen AI Training after Robert Kneschke v. LAION Peer-reviewed✦ AIExamines post-LAION practical obstacles to the EU TDM opt-out (robots.txt, machine-readability, memorisation): 'While the TDM exceptions may seem workable in theory, implementing them in practice presents a variety of practical…
- Generative AI in EU law: Liability, privacy, intellectual property, and cybersecurity Peer-reviewed✦ AIExamines how the EU AI Act, liability regimes, GDPR, copyright and cybersecurity rules apply to generative AI, identifying gaps and proposing targeted regulatory refinements.
- A large-scale audit of dataset licensing and attribution in AI Peer-reviewed✦ AIAudit of 1,800+ AI training datasets finds "licence omission rates of more than 70% and error rates of more than 50%" on popular hosting sites.
- Lawfulness of the mass processing of publicly accessible online data to train large language models Peer-reviewed✦ AIArgues LLM training on scraped web data should be assessed under Art. 9 GDPR (sensitive data), and that consent and the 'manifestly made public' route leave only a 'limited amount of personal data' lawfully usable.
- Copyright protection during the training stage of generative AI: Industry-oriented U.S. law, rights-oriented EU law, and fair remuneration rights for generative AI training under the UN's international governance regime for AI Peer-reviewed✦ AIComparatively maps US (industry-oriented fair use), EU (rights-oriented TDM opt-out) and a proposed UN fair-remuneration approach to copyright at the generative-AI training stage.
- Fairness and Fair Use in Generative AI Peer-reviewed✦ AIRejects blanket lawful/unlawful verdicts on AI training, proposing 'an analytical framework for making that assessment in particular cases' for where owners' rights end and use freedoms begin.
- Consent in Crisis: The Rapid Decline of the AI Data Commons Preprint✦ AILongitudinal audit of 14,000 web domains finds a 2023-24 surge in AI training restrictions, with '~5%+ of all tokens in C4...fully restricted from use' within a single year.
- Foundation Models and Fair Use Peer-reviewed✦ AIShows foundation models "are trained on copyrighted material" and warns "fair use is not guaranteed", urging technical mitigations to keep training and deployment within fair use.
- A Deeper Look into the EU Text and Data Mining Exceptions: Harmonisation, Data Ownership, and the Future of Technology Peer-reviewed✦ AICritiques the EU TDM regime: "an excessively broad definition of TDM" makes data-driven AI development dependent on an exception, with narrow beneficiaries and lawful-access hurdles.
- Datasheets for Datasets Peer-reviewed✦ AIProposes "that every dataset be accompanied with a datasheet that documents its motivation, composition, collection process, recommended uses" for transparency and accountability.
- Dual-Use Research Norms (DURC for AI) PreprintSolaiman, I., et al. (2019), 'Release Strategies and the Social Impacts of Language Models' — the canonical articulation of structured-access norms for foundation models.
- Training-Data Attribution PreprintGrosse, R., et al. (2023), 'Studying Large Language Model Generalization with Influence Functions' (Anthropic) — the canonical articulation of scalable influence-function-based attribution for foundation models.
- Data Poisoning PreprintCarlini, N., et al. (2024), 'Poisoning Web-Scale Training Datasets is Practical' — establishes practical feasibility of poisoning frontier-model training corpora.
- Model-Merging Risk PreprintBhardwaj, R., et al. (2024), 'Language Models are Homer Simpson! Safety Re-Alignment of Fine-tuned Language Models through Task Arithmetic' — canonical demonstration that safety training is not preserved under task arithmetic / merging.
- Retrieval-Augmented Generation (RAG) PreprintLewis, P., et al. (2020), 'Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks,' NeurIPS — the canonical articulation of RAG.
- AI Risk Management Framework | NIST Standards body✦ AIUS voluntary AI risk-management framework (Govern/Map/Measure/Manage).
- ISO/IEC JTC 1/SC 42 - Artificial intelligence Standards body✦ AIInternational committee developing AI standards.
- ISO - Security, safety and risk Standards body✦ AIISO security, safety & risk standards portal.
- OECD AI Incidents Monitor, an evidence base for trustworthy AI - OECD.AI Incident database✦ AIOECD tracker of real-world AI incidents and hazards.
- Artificial Intelligence Research institute✦ AIUS National Academies' AI consensus-study hub.
- Capturing the Potential of Generative AI’s Use in Health and Medicine Requires Collaboration and Oversight, Consideration of Risks, Says NAM Special Publication Research institute✦ AINAM special publication on generative AI in health & medicine.
- One Hundred Year Study on Artificial Intelligence (AI100) Research institute✦ AIStanford's standing century-long study of AI's societal impact.
- Measuring up | Ada Lovelace Institute Civil society✦ AIAda Lovelace Institute policy briefing.
- Anthropomorphic AI terms create gaps in accountability | Brookings Think tank✦ AICommentary on how anthropomorphic AI language obscures accountability.
- Policy Brief: Our recommendations for strengthening data access for public interest research Civil society✦ AIRecommends stronger platform data-access rules so independent researchers can study automated systems in the public interest.
References
The primary instrument sources behind the article's classifications.
- EU-AIA-2024: Recital 105; CDSM Directive provides primary copyright framework
- CN-GENAI-2023: Art. 7 (legal source + IP requirements)
- COE-AI-CONV: Art. 11 (privacy + data protection)
- NIST-AI-RMF: Manage 4: data integrity
- NIST-AI-RMF-GENAI: NIST AI 600-1 §3.4 Data Privacy + §3.7 Intellectual Property
- IN-DPDP-2023: DPDPA §§4-7 (consent + purpose limitation for AI training data)
- BR-AIBILL-2024: PL 2338/2023 cross-references LGPD (2018) for data-rights baseline
- AU-AI-STRATEGY-2024: AU Strategy §5 + Malabo Convention (2014) data-protection baseline
- META-FRONTIER-2024: Open-weight framing engages training-data + IP issues; not the framework's primary lane
- JP-METI-AI-2024: Principle 4 (Safety) + Principle 2 (Education-Literacy) brush against training-data norms; ACA copyright regime separately addresses
- EU-GDPR-2016: Art. 5(1)(b) purpose limitation; Art. 6 lawful basis; Art. 9 special-category overlay for sensitive training data; Art. 5(1)(c) data minimisation
- EU-GPAI-COP-2025: Chapter 2 (Copyright) — Art. 53(1)(c) training-data summary obligations + Art. 53(1)(d) text-and-data-mining opt-out compliance
- GSA-AI-GUIDE-2024: Supply-chain risk-management considerations include training-data provenance + dependency disclosure
- FEDRAMP-AI-2024: Supply-chain risk-management considerations include training-data + model-weight provenance disclosure within the SSP
- DFARS-252-204: 252.204-7012 — training-data sets stored on covered contractor information systems require NIST SP 800-171 implementation when designated CDI; data-spill / exfiltration events trigger 72-hour cyber-incident reporting under 252.204-7012(c)
- UNESCO-AI-ETHICS-2021: Policy Area 'Data Policy', para 71 — data-governance strategies ensuring continual evaluation of training-data quality
- CN-DEEPSYN-2022: Art. 14
- IT-AILAW-2025: Art. 25 (new Art. 70-septies l. 633/1941) permits text-and-data-mining reproductions/extractions for AI training from lawfully accessible material (per Arts. 70-ter/70-quater); Art. 16 delegates the Government to enact an organic regime on data, algorithms and mathematical methods for training AI.
- JP-AIPROMO-2025: Act No. 53 of 2025, Arts. 12 & 3(4)
- UN-GDC-2024: GDC Objective 3 para 36(c) and Objective 5 capacity-building (A/RES/79/1, Annex I)
Cite this article 8 formats · BibTeX, RIS, APA, Chicago, … · 1-click copy
Persistent identifier: https://policywindow.org/wiki/training-data — committed-stable URL with content-versioning via ?asOf= (rollout pending per methodology §7). DOIs via Zenodo are on the roadmap.
Article tools — track changes, suggest an edit
View history — every captured revision of this article · What links here
20 instruments tracked.