Toward Compliance Zero: AI and the Vanishing Costs of Regulatory Compliance

The Network Law Review is pleased to present a special issue entitled “The Law & Technology & Economics of AI.” This issue brings together multiple disciplines around a central question: What kind of governance does AI demand? A workshop with all the contributors took place on May 22–23, 2025, in Hong Kong, hosted by Adrian Kuenzler (HKU Law School), Thibault Schrepel (Vrije Universiteit Amsterdam), and Volker Stocker (Weizenbaum Institute). They also serve as the editors.


1. Toward Compliance Zero

Thanks to recent advances in artificial intelligence, we can now automate tasks that we have never before been able to automate.[2] Work that was expensive has become cheap;[3] tasks that once required a lot of time can now be accomplished nearly instantaneously.[4] We can often now bypass the messy bottleneck of human labor.[5] These developments have placed a bullseye on the back of knowledge and creative workers across industries, making us fear for the future prospects of lawyers, computer programmers, artists, authors, and educators.[6]

Another kind of worker hasn’t often been mentioned in these prognostications, yet there is no reason to omit them from the list of the disrupted: compliance experts.[7] Any person who makes a living by helping companies, government agencies, and individuals comply with the burdens of government regulation will also soon be replaced by new forms of AI that can automate their work. These range from highly paid workers at name-brand firms like PricewaterhouseCoopers, McKinsey, or Covington, to workaday lawyers and consultants toiling in relative obscurity.[8]

I am not indulging in fantasies of Artificial General Intelligence (AGI). My prediction is based on an understanding of three factors: the work required for regulatory compliance, the AI advances that have been made to date, and modest and grounded predictions of what AI will soon be able to do in the near term. Compliance work entails precisely the kind of work that the latest advances in AI have disrupted. Compliance involves, among other things, interpreting complex regulatory texts, staying apprised of changes to the rules, and performing a series of knowledge-bound tasks such as assessing risk, summarizing documents, writing reports, and making disclosures. AI can assist or single-handedly accomplish all these tasks.[9]

If modest predictions of current and near-future AI capability come to pass, then AI automation will drive the cost of regulatory compliance down so close to zero that, going forward, we should consider most regulations to impose no compliance burden whatsoever.

This development will be a boon for investment and innovation. The era of crippling government compliance costs is over.

The automation of compliance will give rise to low-cost consultancies that use AI to specialize in helping companies comply with a broad set of government regulations. Cheap and ready access to these specialists will mean that small businesses and startups, not only deep-pocketed giants, will enjoy the benefits of near-zero-cost compliance.

This will also be a boon for those promulgating, defending, and supporting new and aggressive forms of regulation. It will remove one of the most significant objections that can be lodged at a regulation: the high cost of compliance. For as long as we have had regulations, critics have assailed them for the way they create waste and inefficiency.[10] Going forward, we can dismiss arguments like these as false and outdated, a relic of a bygone era. Regulatory compliance is now basically free.

2. The Road to Compliance Zero

In this short essay, I cannot offer a complete proof that we are heading for compliance zero. Instead, I present significant supporting evidence, confident that future work will more fully prove the thesis. I offer three forms of evidence. First, the compliance zero thesis is a simple extension of broader contemporary claims that have been made about AI’s looming impact on knowledge work. Second, I survey the compliance obligations of the EU AI Act, demonstrating how they require mostly the kind of work that can be automated by large language models and agentic AI. Third, I point to a recent judicial opinion from a court in Hamburg, Germany, which provides one concrete example of how large language models can now automate a once burdensome compliance task, namely recognizing the “no scraping allowed” opt-out wishes of website owners.

2.1. AI and Knowledge Work

It is very important to clarify what I mean by “compliance burden.” I am talking about the effort and work required to comply with a law or regulation. I mean what might also be called paperwork, office work, or due diligence. But this goes beyond rote or mechanistic paperwork—I also mean sophisticated and complex steps that have, until now, required human interpretation, judgment, coordination, and organization.

This definition of compliance burden excludes the changes in behavior and system and organizational design mandated, encouraged, or incentivized by a law or regulation. In other words, it does not cover a law or rule’s direct regulatory mechanisms. For example, a ban on facial recognition technology (FRT) may impose an expensive burden on police departments to dismantle preexisting FRT systems and to find alternative means of conducting investigations, but these are not the kinds of paperwork burdens I mean.

Begin with two propositions: (1) most compliance work counts as legal work; and (2) compliance tasks tend to be on the simpler, more rote, less creative end of the spectrum of types of tasks that lawyers perform. Think simple contract review versus complex strategic advising.

Consider evidence to support these propositions. Several U.S.-based law schools now offer degree programs for compliance.[11] Compared to a full JD program, these tend to be shorter (one year versus three), are often held exclusively online, require courses drawn from a limited subset of the law school curriculum, and are targeted at students who do not need to pass the bar or practice law.[12]

If these propositions are mostly true, meaning compliance work tends to be a simplified subset of legal work, then every argument that has been made in the past few years about how AI will begin to automate legal work will have even greater force when it comes to compliance work.

The emerging literature debating and measuring whether AI will replace lawyers is already vast and rapidly expanding.[13] Controlled studies suggest that large language models can pass the bar exam[14] and ace some law school exams.[15] Researchers have conducted randomized controlled experiments in which law students have completed typical legal work both with and without using AI tools, and they suggest that these tools speed up legal tasks, make legal workers more productive, and produce higher quality work on most tasks.[16]

The conventional wisdom is that AI will replace humans for some legal work, although many hold out hope that work requiring judgment and subtlety and creativity cannot be automated, at least not given the state of the art of AI.[17] Compliance work tends to be on the automatable end of this spectrum.

Others have noted the likelihood that AI can and will be used for compliance tasks.[18] Many vendors pitch their products and services specifically for regulatory compliance.[19] Some use the label, RegTech, particularly for compliance in the FinTech industry.[20] Recently, reports suggest that Meta will begin to automate “up to 90% of all risk assessments.”[21]

2.2. Compliance Under the EU AI Act

To make this argument more concrete, consider a recently enacted law that has been decried as cripplingly burdensome:[22] the European Union’s AI Act.[23] To be clear, my claim extends beyond rules that regulate AI, and I could have illustrated the point with many other types of law, such as data protection, consumer protection, securities, or tax law. One reason to highlight an AI regulation is because the companies covered by these rules will also be the companies best positioned to harness the power of AI to reduce their regulatory burden.

Every single supposedly burdensome compliance obligation or requirement introduced by the AI Act can be partially or entirely automated given recent advances in frontier models.

To start, the EU AI Act is a long and complex text. It is as long as a typical novel.[24] But a novel this isn’t, and the language is densely written and jargon laden. Reading it once through would take a typical lawyer hours. Comprehending and organizing the Act’s many interlocking requirements would require weeks of study by teams of lawyers. Modern LLMs excel at summarizing long texts. The entire EU AI Act can fit within most cutting-edge LLMs’ “context windows,” and these models can produce a passable and accurate summary of the Act’s obligations in seconds.[25] To be fair, some provisions of the AI Act have been criticized as vague, contradictory, or ambiguous,[26] problems that an LLM cannot alone remedy.

Moving beyond simply understanding the rules, the central focus of the AI Act is on technical documentation, record keeping, and transparency.[27] For systems deemed “high risk,”[28] the Act obligates companies to track dozens of categories of information, such as the “intended purpose” of the system, “the forms in which the AI system is placed on the market or put into service,” “the methods and steps performed for the development of the AI system,” “the design specification of the system,” and “the description of the system architecture.”[29] Large language models excel in analyzing texts, internally representing the subtle meaning of those texts, and summarizing those texts in human-understandable prose.[30]

The AI Act obligates companies to analyze and summarize large datasets, for example training data sets.[31] Once again for high risk systems, it requires “data governance and management practices” concerning “design choices,” “data collection processes,” “an assessment of the availability, quantity, and suitability of the data sets that are needed,” and a number of other assessments necessary to assess bias in the system.[32] LLMs are also quite capable of automating the analysis of large amounts of data.[33]

Many obligations in the AI Act require the production of long and detailed texts: assessments, risk summaries, compliance summaries, etc.[34] Providers of high-risk systems must generate “technical documentation” to permit the government to “assess the compliance” of their system under the Act.[35] They must also produce “instructions for use” of the system by deployers by conveying “concise, complete, correct, and clear information that is relevant, accessible, and comprehensible to deployers.”[36] LLMs are famously capable of writing coherent texts quickly.[37]

Some AI Act requirements require the generation of images and videos. For example, the AI Act obligates providers and deployers of AI systems “to ensure, to their best extent, a sufficient level of ‘AI literacy’ of their staff and other persons” dealing with their AI systems.[38] One way to comply is by delivering tailored training and education materials for employees.[39] A European Commission FAQ opines that this might require more than simple instructions for use in favor of “trainings and guidance.”[40] Many companies have produced video tutorials for their staff to comply with this requirement.[41] Image and video generation models are increasingly capable of generating visuals based on user inputs and prompts.[42]

The AI Act will require the evaluation and creation of computer source code and configuration code. For example, provisions of the law require cybersecurity assessments, remediation, and countermeasures.[43] This obligates companies to put in place systems “to prevent, detect, respond to, resolve and control for attacks” in their systems.[44] LLMs are quite proficient at interpreting, modifying, and writing this kind of technical code.[45] Of course, cybersecurity requires far more than detection, and it is one area in which LLM assistance will only be partial; we will still need human expertise to fully comply with parts of the AI Act, at least for now.

Other advances in AI will help stitch together these disparate tasks. So-called reasoning models excel at breaking down complex tasks into discrete separate pieces.[46] Mixture-of-expert approaches deploy different strategies for solving problems, helping find optimal solutions.[47] Increasingly advanced tools orchestrate multiple AI agents each performing different tasks, combining their inputs into a pipeline of work.[48]

2.3. LAION v Robert Kneschke

In addition to this back-of-the-envelope analysis of the EU AI Act, consider a more discrete example drawn from real-world legal practice. A trial judge in Hamburg, Germany, recently demonstrated how the law will be interpreted to recognize the way AI models can be used to automate legal compliance in ways that would have felt like science fiction only a few years ago. Understanding the analysis requires a short primer on European Union and German copyright law.

The case involved the activity of a nonprofit organization called LAION.[49] LAION built a dataset that contained the URL locations of billions of images by analyzing the data crawled by another group, called Common Crawl.[50] Many of the images associated with LAION’s URLs were protected under German copyright law. LAION makes this list of URLs (but not the images themselves) free for all as an internet download,[51] and many image generation and multimodal models, such as Stable Diffusion, have used the LAION list to find and download millions of images.[52] These images have served as crucial training data for these models,[53] and these downloads have been characterized as massive infringements of copyright.[54]

A group of the owners of some of these copyrights sued LAION in German court for infringement.[55] Focus only on one narrow issue litigated in this case: a caveat to an exception to an exception to the ordinary prohibition against infringement.

The exception is the Text and Data Mining (TDM) exception.[56] It is a defense to copyright infringement to scrape images for the purpose of text and data mining.[57] LAION asserted that because its list is primarily useful for TDM, it can claim this exception.[58]

The TDM exception has a significant exception to the exception, at least for TDM that cannot qualify as “scientific research purposes.”[59] That exception to the exception applies when the copyright owner invokes a “reservation of rights” alongside the copyrighted content.[60] In other words, it creates an “opt out” opportunity for copyright owners to the TDM exception.[61]

Finally, the caveat: the copyright owner must convey this reservation of rights to the web scraper in a “machine readable” way.[62] This phrase had already received considerable expert commentary and analysis.[63] Much of this commentary focused on the so-called robots.txt protocol, a widely but informally recognized internet standard.[64] According to the standard, the owner of a webpage may include a file called robots.txt on its web server, and within the file, it can specify which web scraping bots are welcome or not.[65] Well-behaved (i.e., standard-compliant) scraping bots will respect the wishes expressed in a robots.txt file. The Internet Engineering Task Force (“IETF”), the standards body that promulgated the original robots.txt protocol, has actively been debating whether to modify it to better serve the TDM opt-out purpose.[66]

Regardless, many of the images in the LAION dataset were not protected by a machine readable robots.txt entry.[67] In the Hamburg litigation, the copyright owners argued that they had expressed their reservations of rights through “terms of service” documents that prohibited scraping for certain purposes, including for training machine learning models.[68] Although terms of service are written in human language (in many cases, English) and ostensibly published for human comprehension, these plaintiffs argued that these documents were sufficiently machine readable to qualify as a TDM reservation of rights under German copyright law.[69]

The Hamburg trial court agreed, expressing the kind of logic that is at the core of this essay.[70] “Machine readable,” within the meaning of the act, includes anything that is possible using “state-of-the-art technologies,” the court said.[71] Today’s state-of-the-art includes Large Language Models (LLMs) embedded in web scraping systems, tools that seem amply capable of noticing the presence of a terms-of-service hyperlink, following that link to download the terms, finding the part of the terms that address web scraping, and accurately interpreting whether scraping for TDM purposes has been forbidden.[72]

The court found that this kind of ability was well within the capabilities of recent advances in LLMs.[73] It noted the special irony of these particular defendants disclaiming this power, hoisting them on their own AI petard:[74] “it would, in the Chamber’s view, present a certain inconsistency in valuation to allow the development of increasingly powerful text-understanding and text-generating AI models through the [TDM] exception . . . , while simultaneously not requiring the use of already existing AI models within the [reservation of rights provision.]”[75]

2.4. To the AI Skeptics

Some readers will still be skeptical. For every believer in the unbounded potential of AI power, there is an equally confident skeptic convinced that such claims are overinflated hype. The skeptics point to the persistent tendency of LLMs to hallucinate, the brittleness of guardrails, and the track record of the tech industry to overpromise and underdeliver to support their disbelief. LLMs are not ready for prime time, these people argue, not even for relatively constrained tasks like regulatory compliance.

I am not so skeptical. I have been convinced that LLMs are quite capable of performing complex tasks that could not have been automated a decade ago, and that they will begin to replace the human labor used for many knowledge industry tasks.

But if the skeptics are right—if AI solutions are not nearly as powerful as some claim them to be, and if AI cannot capably perform compliance work—then time will tell. And if future developments reveal that the skeptics are right and LLMs are too error-prone and irredeemably hallucinatory to conduct somewhat rote compliance work, even though it would disprove this essay’s core thesis, it would nevertheless strengthen arguments in favor of the beefed-up regulatory compliance of the AI industry, which is a principal takeaway of this essay. For if AI is too error-prone for even simple compliance work, we surely must regulate it to prevent the inevitable harms those errors will cause.

3. What This Means, and Doesn’t Mean

Advances in AI will tend to drive the costs of regulatory compliance toward zero beyond the regulation of AI. In every possible sphere of industrial regulation, many once labor-intensive, impossible-to-automate compliance tasks can now be performed by AI, and we will soon see a dramatic reduction in the amount of time and money spent on compliance. From tax to climate to consumer protection and beyond, the ability of LLMs to gather, process, interpret, and generate texts; the ability of image-and-video generation models to generate visuals; and the ability of AI agentic systems to perform complex multi-step data tasks will streamline the way companies comply with regulation.

To be clear, this does not mean that we can stop debating the efficacy or wisdom of new regulation. Quite the contrary, this will have the simple, salutary effect of removing one major objection to forms of new regulation: compliance costs. Saying that a regulation poses no significant costs of compliance is not the same thing as saying the law is a good law. We will be liberated to debate non-compliance-cost-based arguments in favor or against a new regulation, for example whether it addresses an important problem, whether it is sufficiently tailored to the problem, whether it improperly selects winners and losers, and whether it assigns a proper role to government. I predict that many proposed regulations will fall in this gantlet of considerations. The difference is we can avoid debating whether a proposal imposes an undue compliance burden: going forward, the answer will always be “no.”

We must also be mindful that the promise of compliance zero could lead us to expand the regulatory state in ways we should resist. If we are not judicious, regulating with compliance zero might tend to produce laws that are more complex and technocratic and beyond human comprehension than the laws we create when humans perform compliance. After all, the complexity of any legal regime can now be met by the complexity of AI-powered compliance responses. Within an increasingly byzantine call-and-response of regulation and compliance, we may create warrens of arbitrage, fraud, and unfair competition. The trick is to recognize the way that automation reduces the burden of compliance, without using it as an excuse to maximize complexity. In other words, the fact that companies can comply with any law with minimal burden should not liberate us from the goal of crafting human-scale, explainable, interpretable, frictionful regulation.

This short essay will not be the final word on these matters; there is much left for future work. First, although we are sliding down an asymptote toward compliance zero, we will never reach truly cost-free compliance. Setting up agentic workflows to do compliance work will cost something, and running a large system of AI agents imposes real costs, both financial and environmental. We need to learn to measure and accurately characterize these irreducible costs. Second, some regulations will impose compliance work that will indeed be difficult to automate, despite AI. For example, regulations that require humans to work with one another—say a rule that requires board scrutiny, review by an oversight committee, or consultation with users or the public—cannot be fully automated, by definition. Poorly drafted or ambiguous regulations will also resist automation. We should study the kinds of compliance burdens that cannot be automated, to teach us both about regulation and about AI.

The burden of regulatory compliance will soon be nothing but a bad memory of days past, a story the old-timers tell the young ones about how the law used to operate. Thanks to advances in AI, most compliance work will soon be automated. Liberated from worrying about the costs imposed by our rules, our challenge is to write rules that are effective, tailored, and wise.

Paul Ohm[1]

Citation: Paul Ohm, Toward Compliance Zero: AI and the Vanishing Costs of Regulatory Compliance, The Law & Technology & Economics of AI (ed. Adrian Kuenzler, Thibault Schrepel & Volker Stocker), Network Law Review, Summer 2025.

References:

  • [1] Professor of Law, Georgetown University Law Center. Thanks to the organizers and participants of the Law, Technology, and Economics of AI Regulation workshop of the Platforms, Markets, and the Digital Society project. Special thanks to organizers Adrian Kuenzler, Thibault Schrepel, and Volker Stocker. This work benefited greatly from conversations with Steve Albrecht, William Lehr, Jason Potts, Michal Shur-Ofry, and Harry Surden. Finally, thanks to Taylor Courtney for excellent research assistance.
  • [2] Christian Catalini, Jane Wu & Kevin Zhang, What Gets Measured, AI Will Automate, Harv. Bus. Rev. (June 19, 2025), https://hbr.org/2025/06/what-gets-measured-ai-will-automate.
  • [3] Id.
  • [4] Shakked Noy & Whitney Zang, Experimental Evidence on the Productivity Effects of Generative Artificial Intelligence, 381 Science 187 (2023).
  • [5] Daron Acemoglu, Harms of AI, at 21 (Nat’l Bureau of Econ. Rsch., Working Paper No. 29247, 2021).
  • [6] Ali Zarifhonarvar, Economics of ChatGPT: A Labor Market View on the Occupational Impact of Artificial Intelligence, 10 J. Eur. Bioethics & Data Ethics 100, 113 (2023), https://doi.org/10.1108/JEBDE-10-2023-0021.
  • [7] To be fair, some commentators have reported on the impact AI will have on compliance experts. For a very recent example, see Chip Cutter, AI Is Coming for the Consultants. Inside McKinsey, ‘This Is Existential.’, Wall St. J., Aug. 2, 2025, https://www.wsj.com/tech/ai/mckinsey-consulting-firms-ai-strategy-89fbf1be.
  • [8] Marie-Therese Sekwenz, Rita Gsenger, Volker Stocker, Esther Görnemann, Dinara Talypova, Simon Parkin, Lea Greminger & Georgios Smaragdakis, Can’t LLMs do that? Supporting Third-Party Audits under the DSA: Exploring Large Language Models for Systemic Risk Evaluation of the Digital Services Act in an Interdisciplinary Setting, 4 ACM Proc. Symposium on Human-Computer Interaction for Work (CHIWORK ’25 Adjunct), 1, 1–12. https://doi.org/10.1145/3707640.3731929 (2025).
  • [9] Id.
  • [10] Francesco Trebbi & Miao Ben Zhang, The Cost of Regulatory Compliance in the United States, Nat’l Bureau of Econ. Rsch., Working Paper No. 30691, at 13–17, 27–28 (Nov. 2022), http://www.nber.org/papers/w30691.
  • [11] E.g. Online Master’s in Compliance, Fordham Law, https://www.fordham.edu/school-of-law/admissions/msl-admissions/online-msl-in-compliance/ (last visited July 28, 2025); Online Master’s in Compliance With a Corporate Focus (MSL), Pitt Law, https://online.law.pitt.edu/msl/corporate-compliance (last visited July 28, 2025); Master of Studies in Law (MSL) – Business Law & Compliance, Wake Forest Law, https://law.wfu.edu/msl-blc/; https://www.colorado.edu/law/academics/degrees/msl-ethics-and-compliance (last visited July 28, 2025).
  • [12] M.S.L. Admissions: Online Master’s in Compliance, Fordham Law, https://www.fordham.edu/school-of-law/admissions/msl-admissions/online-msl-in-compliance/ (last visited July 28, 2025) (online-only, twelve-month degree program); Pitt Law’s Master of Studies in Law Curriculum, Pitt Law, https://online.law.pitt.edu/msl/curriculum (last visited July 28, 2025) (online-only with set courses).
  • [13] See, e.g., Daniel Schwarcz, et al., AI-Powered Lawyering: AI Reasoning Models, Retrieval Augmented Generation, and the Future of Legal Practice, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5162111 [hereinafter Schwarcz AI-Powered]; Richard Susskind, Tomorrow’s Lawyers: An Introduction to Your Future (2023); Jonathan H. Choi, Amy Monahan, & Daniel Schwarcz, Lawyering in the Age of Artificial Intelligence, 109 Minn. L. Rev. 147, 150 (2024); Aksh Garg & Megan Ma, Opportunities and Challenges in Legal AI, Stanford Law School (Jan. 2025); John G. Roberts, Jr., 2023 Year-End Report on the Federal Judiciary, Sup. Ct. of the U.S. 5 (2023).
  • [14] Daniel Martin Katz, Michael James Bommarito, Shang Gao & Pablo Arredondo, GPT-4 Passes the Bar Exam, Phil. Trans. R. Soc., Apr. 15, 2024, at 1, 3–5. Too much has been made of additional commentary supposedly “debunking” the claim that GPT-4 can pass the bar, when the study in question merely showed that the GPT-4 model could pass the bar exam but best only 62% of human test takers. Eric Martínez, Re-Evaluating GPT-4’s Bar Exam Performance, 1 Artificial Intelligence and Law 1 (2024). The latter study stands for the proposition that GPT-4 might not have “aced” the exam, but it still would have passed the exam.
  • [15] Andrew Blair-Stanek et al., AI Gets Its First Law School A+s, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5274547 (2025).
  • [16] E.g. Schwarcz, AI-Powered, supra note 11, at Part III.
  • [17] Josef Valvoda et al., The Ethics of Automating Legal Actors, https://arxiv.org/pdf/2312.00584 (noting that AI tools already exist to carry out “due diligence, document review, regulatory compliance, and e-discovery”); Sayash Kapoor, Peter Henderson & Arvind Narayanan, Promises and Pitfalls of Artificial Intelligence for Legal Applications, https://arxiv.org/pdf/2402.01656 (arguing that it is easier to evaluate how well AI can perform legal tasks involving “information processing” than tasks requiring “creativity, reasoning, or judgment”).
  • [18] Narendra Sharma, AI-Powered Compliance: The New Frontier of Regulatory Innovation, Union Leader (May 18, 2025), https://www.unionleader.com/news/business/ask_the_expert/ask-the-expert-ai-powered-compliance—the-new-frontier-of-regulatory-innovation; Rabihah Butler, Generative AI and its Impact on Corporate Compliance, Thomson Reuters (July 19, 2023), https://www.thomsonreuters.com/en-us/posts/corporates/generative-ai-corporate-compliance/; Matt Kunkel, Harnessing AI For Future-Proofing Regulatory Compliance, Forbes (Jan. 25, 2024), https://www.forbes.com/councils/forbestechcouncil/2024/01/25/harnessing-ai-for-future-proofing-regulatory-compliance/.
  • [19] E.g. Compliance.AI, https://www.compliance.ai/ (last visited July 25, 2025); Moritz Homann, How Artificial Intelligence is Revolutionizing Compliance Management, EQS (July 11, 2024), https://www.eqs.com/compliance-blog/how-artificial-intelligence-is-revolutionizing-comopliace-management/; Zvi Korn, How AI Can Help Regulatory Compliance, Datarails (July 12, 2024), https://www.datarails.com/how-ai-can-help-regulatory-compliance/.
  • [20] Matt Morgan, What Is Regulatory Technology, and How Are Businesses Using It?, BizTech (Oct. 7, 2024), https://biztechmagazine.com/article/2023/12/what-regulatory-technology-and-how-are-businesses-using-it-perfcon.
  • [21] https://www.npr.org/2025/05/31/nx-s1-5407870/meta-ai-facebook-instagram-risks
  • [22] Elizabeth M. Renieris, David Kiron & Steven Mills, Organizations Face Challenges in Timely Compliance With the EU AI Act, MIT Sloan Mgmt. Rev., June 13 2024, https://sloanreview.mit.edu/article/organizations-face-challenges-in-timely-compliance-with-the-eu-ai-act/ (highlighting challenges organizations face in complying with the EU AI Act, including insufficient time, the need for integrated expertise, and the division of resources).
  • [23] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), 2024 O.J. (L 2024/1689) 1.
  • [24] The 113 operative Articles (including footnotes) contain more than 49,000 words. The thirteen annexes contain almost 8,000 words. The 180 recitals contain more than 35,000 words.
  • [25] What is a Context Window?, IBM (Nov. 7, 2024), https://www.ibm.com/think/topics/context-window.
  • [26] Alexander Procter, EU’s AI Rules Are Coming And Nobody’s Sure What They Mean, Spark Expert Insights by Okone (Aug. 13, 2025), https://www.okoone.com/spark/industry-insights/eus-ai-rules-are-coming-and-nobodys-sure-what-they-mean/.
  • [27] ISACA, Understanding the EU AI Act: Requirements and Next Steps (Oct. 18, 2024), https://www.isaca.org/resources/white-papers/2024/understanding-the-eu-ai-act.
  • [28] Regulation (EU) 2024/1689 Article 6 (defining high-risk systems).
  • [29] Regulation (EU) 2024/1689 Annex IV.
  • [30] Vicente J. Bermejo, et al., LLMs Outperform Outsourced Human Coders on Complex Textual Analysis, SSRN (Nov. 13, 2024) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=5020034.
  • [31] ISACA, supra note 24 (describing the “data and data governance” obligations of the Act.)
  • [32] Regulation (EU) 2024/1689 Art. 10.
  • [33] Immanuel Trummer, Data Analysis with LLMs (2025).
  • [34] ISACA, supra note 24 (describing the obligations to create and maintain “technical documentation” under the Act.)
  • [35] Regulation (EU) 2024/1689 Art. 11.
  • [36] Id. at Art. 13.
  • [37] Tom B. Brown, Language Models are Few-Shot Learners, Arxiv (revised July 22, 2020), https://arxiv.org/abs/2005.14165.
  • [38] Id. at Art. 4.
  • [39] Regulation (EU) 2024/1689, recital 56.
  • [40] European Commission, AI Literacy – Questions and Answers, https://digital-strategy.ec.europa.eu/en/faqs/ai-literacy-questions-answers.
  • [41] European Commission, Living Repository to Foster Learning and Exchange on AI Literacy, https://digital-strategy.ec.europa.eu/en/library/living-repository-foster-learning-and-exchange-ai-literacy (April 2025 update available at link).
  • [42] Sora, OpenAI, https://openai.com/sora/ (last visited July 28, 2025) (text-to-video model and service).
  • [43] Regulation (EU) 2024/1689, art. 15.
  • [44] Regulation (EU) 2024/1689, Art. 15(5).
  • [45] Ze Sheng et al., LLMs in Software Security: A Survey of Vulnerability Detection Techniques and Insights (Feb. 12, 2025), https://arxiv.org/pdf/2502.07049.
  • [46] OpenAI o1 System Card, OpenAI (Sept. 12, 2024) https://cdn.openai.com/o1-system-card.pdf.
  • [47] DeepSeek-AI, DeepSeek-V3 Technical Report (Feb. 18, 2025), https://arxiv.org/pdf/2412.19437.
  • [48] Lei Wang et al., A Survey on Large Language Model based Autonomous Agents (last revised March 2, 2025) https://arxiv.org/abs/2308.11432.
  • [49] LG Hamburg [Regional Court Hamburg], Sept. 27, 2024, 310 O 227/23, available at Hellenic Copyright Organization, https://opi.gr/en/news/5388/ (Ger.). The court did not make an English translation of its opinion available, so the analysis below relies on the translation prepared by a third party at Chat GPT Is Eating the World, Unofficial English Translation by ChatGPT, https://chatgptiseatingtheworld.com/wp-content/uploads/2024/09/Hamburg-Regional-Court-decision-on-LAOIN-TDM-exception-ChatGPT-unofficial-English-translation-UPDATED-Sept-30-2024.pdf (Ger.).
  • [50] Christoph Schuhmann et al., LAION-5B: An Open Large-Scale Dataset for Training Next Generation Image-Text Models (Oct. 16, 2022) https://arxiv.org/abs/2210.08402.
  • [51] LAION, Projects, LAION, https://laion.ai/projects/.
  • [52] E.g., Robin Rombach et al., High-Resolution Image Synthesis with Latent Diffusion Models (last revised April 13, 2022) https://arxiv.org/abs/2112.10752.
  • [53] Christoph Schuhmann, Richard Vencu, Romain Beaumont, Robert Kaczmarczyk & Jenia Jitsev, LAION: Pioneering the democratization of AI research and bridging gaps in the field, Falling Walls Science Summit (2023), https://apply.falling-walls.com/discover/articles/laion-pioneering-the-democratisation-of-ai-research-and-bridging-gaps-in-the-field/.
  • [54] Chloe Xiang, A Photographer Tried to Get His Photos Removed from an AI Dataset. He Got an Invoice Instead, Vice (April 28, 2023).
  • [55] LG Hamburg, 310 O 227/23 (Ger.).
  • [56] Directive 2019/790 of the European Parliament and of the Council of 17 Apr. 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC, 2019 O.J. (L 130) 92 (EU).
  • [57] Directive 2019/790, recitals 8–10.
  • [58] LG Hamburg, at 10. See also European Union Intellectual Property Office, Recent Case Law: Germany—Hamburg District Court, 310 O 227/23, LAION v. Robert Kneschke (Sept. 27, 2024), EUIPO, https://www.euipo.europa.eu/en/law/recent-case-law/germany-hamburg-district-court-310-o-22723-laion-v-robert-kneschke.
  • [59] EU and German copyright law contain two separate but related TDM exceptions, covering TDM for “scientific research” and for other purposes. Article 3 of the Copyright Directive provides an exception “for the purposes of scientific research” for TDM. Directive 2019/790 art. 3 (transposed in German Law in § 44a UrhG). This exception is not subject to a “reservation of rights.” Article 4 provides a separate exception for other purposes. Directive 2019/790 art. 4 (transposed in German Law in § 60d UrhG). Only this exception allows rightsholders to reserve their rights. Directive 2019/790 art. 4(3). The Hamburg court undertook a detailed analysis of Article 4 and concluded that LAION could not rely on the exception because the plaintiff had exercised its opt-out right, as discussed below. LG Hamburg at 8-14 (English translation). At the same time, the court ruled that LAION could rely on the Article 3 exception for scientific research, thereby handing the litigation victory to LAION. Id. at 14-16.
  • [60] Directive 2019/790, recital 10, art. 3.
  • [61] Ana Lazarova et al., Statement on the Opt-Out Exception Regime / Rights-Reservation Regime for Text and Data Mining under Article 4 of the EU Directive on Copyright in the Digital Single Market, Creative Commons, Dec. 17, 2021, https://creativecommons.org/wp-content/uploads/2021/12/CC-Statement-on-the-TDM-Exception-Art-4-DSM-Final.pdf.
  • [62] Directive 2019/790, recital 18.
  • [63] E.g., Louise de Béthune, Balancing the Scales: Navigating Text and Data Mining, Awaiting Standardisation, CiTiP Blog (KU Leuven), Mar. 18, 2025, https://www.law.kuleuven.be/citip/blog/balancing-the-scales-navigating-text-and-data-mining-awaiting-standardisation/.
  • [64] E.g., Shayne Longpre et al., Consent in Crisis: The Rapid Decline of the AI Data Commons (last revised July 24, 2024), https://arxiv.org/abs/2407.14933 (measuring the rapid proliferation of restrictive robots.txt signals, many geared to preventing AI-related scraping).
  • [65] See Internet Engineering Task Force (IETF), A File Format to Aid in Accessibility of Web Content for Automated Processing (RFC 9309), Internet Engineering Task Force (Aug. 2022), https://datatracker.ietf.org/doc/html/rfc9309; Justin Hendrix, Robots.txt Is Having a Moment. Here’s Why We Should Care, Tech Policy Press (Apr. 9, 2024), https://www.techpolicy.press/robotstxt-is-having-a-moment-heres-why-we-should-care/.
  • [66] IAB Workshop on AI-CONTROL (aicontrolws), IETF, https://datatracker.ietf.org/group/aicontrolws/about/ (last visited July 28, 2025).
  • [67] According to its documentation, LAION collects data from another dataset, the Common Crawl, and LAION states that Common Crawl respects the wishes expressed in robots.txt files. https://laion.ai/faq/ (“[W]e are not crawling websites to create the datasets. Common Crawl did the crawling part in the past, and they did respect the robots.txt instruction. We only analyse their data and then look at the pictures to assess their value concerning the provided alt text.”)
  • [68] Adrian Aronsson‑Storrier & Oliver Fairhurst, How to ‘Opt‑Out’ Your Images from Use in AI Training: German Court Considers the EU Text and Data Mining Copyright Exceptions, Lewis Silkin (Oct. 7, 2024), https://www.lewissilkin.com/insights/2024/10/07/how-to-opt-out-your-images-from-use-in-ai-training.
  • [69] Morrison & Foerster, To Scrape or Not to Scrape? First Court Decision on the EU Copyright Exception for Text and Data Mining in Germany, MoFo Insights (Oct. 4, 2024), https://www.mofo.com/resources/insights/241004-to-scrape-or-not-to-scrape-first-court-decision.
  • [70] LG Hamburg at 12-14 (English translation).
  • [71] Id. at 13.
  • [72] Id.
  • [73] LG Hamburg at 13.
  • [74] The phrase “hoist on one’s own petard” originates with Shakespeare. William Shakespeare, Hamlet act 3, sc. 4. It means to turn a person’s own weapons against them. Melissa Mohr, The Explosive Origin of ‘Hoist by One’s Own Petard’, Christian Sci. Monitor (Sept. 27, 2021), https://www.csmonitor.com/The-Culture/In-a-Word/2021/0927/The-explosive-origin-of-hoist-by-one-s-own-petard.
  • [75] LG Hamburg at 14.
About the author

Paul Ohm is a Professor of Law at the Georgetown University Law Center in Washington, D.C. In his research, service, and teaching, Professor Ohm builds bridges between computer science and law, utilizing his training and experience as a lawyer, policymaker, computer programmer, and network systems administrator. His research focuses on information privacy, computer crime law, surveillance, technology and the law, and artificial intelligence and the law. Professor Ohm has published landmark articles about the failure of anonymization, the Fourth Amendment and new technology, and broadband privacy. His work has defined fields of scholarly inquiry and influenced policymakers around the world.
