Can I use scraped web data to train an AI model?

Only if the source material is explicitly licensed for that purpose or the applicable TDM exception covers it. In the EU, rights holders may opt out of TDM exceptions via machine-readable signals such as robots.txt. In Switzerland, no general TDM exception exists — scraping for commercial AI training without a licence is legally risky. Always audit your dataset sources and document licensing status before training.

What does the EU AI Act require about training data documentation?

Under EU AI Act Article 53, providers of general-purpose AI models must maintain technical documentation of training data sources, keep a sufficiently detailed public summary, and comply with EU copyright law including TDM opt-outs. For high-capability models above the 10^25 FLOPs threshold, additional adversarial testing and incident-reporting obligations apply. Non-compliance exposes providers to fines up to 3% of global turnover.

How can a cryptographic timestamp prove training data provenance?

A qualified electronic timestamp under eIDAS or ZertES embeds a cryptographic hash of your dataset at a specific point in time, anchored to a trusted time source. This creates an immutable, court-admissible record proving the dataset existed in that exact form on that date. It is the primary technical mechanism for demonstrating legitimate, pre-existing sourcing when rights holders or regulators audit your data pipeline.

Which jurisdictions have the strictest AI training data copyright rules?

The EU has the most comprehensive framework — CDSM Directive TDM exceptions with opt-out rights, plus the EU AI Act documentation requirements. Switzerland has no TDM exception, making unlicensed scraping riskier than in the EU. The US applies fair use analysis, which is less predictable. Japan has the broadest TDM exception, permitting scraping for AI training even of commercial works without opt-out mechanisms.

AI Training Data Copyright Protection: What Developers Must Know in 2026

Q: Is AI training data protected by copyright?

Yes. Copyright attaches automatically at creation under the Berne Convention (Art. 5) in all 181 member countries. Scraping copyrighted works to build a training dataset creates copies of protected material. Whether it constitutes infringement depends on jurisdiction and whether applicable exceptions — such as the EU CDSM Directive Art. 4 TDM exception — apply and have not been opted out of by the rights holder.

AI training datasets are protected by copyright unless the source material is explicitly licensed or in the public domain. Scraping copyrighted content to train a model without permission constitutes infringement in most EU and Swiss jurisdictions as of 2026, regardless of whether the output reproduces the original verbatim.

Is AI Training Data Protected by Copyright?

Yes — in most cases. Copyright protection attaches to original works at the moment of creation without any registration requirement (Berne Convention, Art. 5). When developers scrape websites, books, code repositories, or images to build training datasets, they are creating copies of protected works. Whether that copying constitutes infringement depends on jurisdiction, licensing terms, and the applicability of exceptions such as "text and data mining" (TDM) under EU law.

In the EU, Article 4 of the Copyright in the Digital Single Market (CDSM) Directive (2019/790/EC) permits TDM for commercial purposes — but only if the rights holder has not opted out. Publishers may place a machine-readable opt-out on their content (e.g., robots.txt or meta tags). If they do, scraping that content for AI training is not covered by the TDM exception.

What Does the EU AI Act Say About Training Data?

The EU AI Act (Regulation 2024/1689) imposes transparency and documentation obligations on providers of general-purpose AI (GPAI) models. Article 53 requires providers to:

Draw up and keep up to date technical documentation of the training process, data sources, and data governance policies

Publish a sufficiently detailed summary of the training data used — enough for affected rights holders to assert their rights

Comply with EU copyright law, including respecting TDM opt-outs

For high-capability GPAI models (above the 10^25 FLOPs threshold), additional adversarial testing and incident-reporting obligations apply. Failure to document data provenance is a direct regulatory risk under the AI Act, not just a copyright risk.

Can You Use Scraped Web Data to Train AI Models?

You can — with conditions. The EU TDM exception (CDSM Art. 4) permits scraping for commercial AI training unless the rights holder has opted out. In Switzerland, the revised Copyright Act (URG) enacted 2020 contains a similar research TDM exception but its scope for commercial AI training remains contested in 2026.

Key rules:

Opted-in content: Permissible under EU TDM exception. Document your compliance.
Opted-out content (robots.txt noai, machine-readable tags): Not covered. Licensing required.
Open-licensed content (CC-BY, CC0, MIT, Apache): Permissible under licence terms. Check attribution requirements.
Public domain works: Permissible. Document sourcing to prove provenance.
Paywalled or access-controlled content: Scraping likely violates both copyright and computer fraud statutes.

What Is the Risk of Getting This Wrong?

Significant. In 2023–2024, multiple class-action lawsuits (Getty Images v. Stability AI; Doe 1 v. GitHub Copilot) progressed through initial pleadings, establishing that AI training on scraped data without consent raises actionable infringement claims., establishing that AI training on scraped data without consent raises actionable infringement claims. The EU AI Act adds a regulatory layer: non-compliance with data governance documentation is subject to fines up to €15 million or 3% of global annual turnover.

Beyond liability, reputational risk is real. Investors and enterprise clients increasingly conduct IP due diligence on AI companies' training datasets before signing commercial agreements.

How Can You Prove Your Training Data Was Legitimately Sourced?

This is where cryptographic timestamping changes the game. A developer or data team that timestamps their dataset at the point of collection — before training — creates verifiable, court-admissible proof of:

What was in the dataset (hash of the dataset manifest)

When it was assembled (cryptographic timestamp under eIDAS Regulation Art. 41)

What licensing terms applied at that moment in time

An eIDAS qualified timestamp issued by a Trust Service Provider (TSP) listed on the EU Trusted Lists carries the same legal weight as a notarized date. It cannot be backdated. This matters when a rights holder claims you scraped their content after they opted out — you can prove the dataset predates the opt-out.

Swiss Trust Layer issues eIDAS-compliant qualified timestamps on datasets, manifests, and licensing documentation in a single sealing step. The resulting certificate is verifiable by anyone without login.

What About Training Data You Created or Commissioned?

If your organisation created the training data internally (human annotators, synthetic generation, original creative works), you own it — but you still face provenance challenges:

Synthetic data generated by a model trained on third-party data may inherit copyright issues from the upstream model
Annotation work by contractors requires proper work-for-hire agreements transferring copyright
Mixed datasets (public + licensed + original) require clear documentation of what each subset contains

Timestamping dataset versions — including documentation of licensing agreements for each subset — creates a defensible record for due diligence, investor audits, and regulatory inspections.

Which Jurisdictions Have the Strictest Rules?

|---|---|---|---|

EU-based AI developers face the highest combined copyright + regulatory burden. Swiss developers should follow EU standards proactively given cross-border data flows.

AI-Generated Content vs. AI Training Data: What's the Difference?

These are legally distinct issues. AI-generated content IP protection addresses who owns the output of an AI model. Training data copyright addresses whether the input to training is legally used. Both must be assessed for a compliant AI product.

The EU AI Act data governance requirements build on both: developers must document data sourcing practices (training data) and implement safeguards against generating infringing output.

Practical Checklist for AI Developers in 2026

Audit your training dataset: identify all sources and applicable licences

Check robots.txt and machine-readable opt-outs on scraped sources

Remove or replace opted-out content before training commences

Document dataset manifests with cryptographic timestamps — seal your dataset on Swiss Trust Layer

Publish training data summaries as required by EU AI Act Art. 53(d)

Obtain licensed alternatives for high-value datasets (e.g., Getty, Associated Press licensing deals)

Establish a monitoring process: content owners can opt out retroactively, affecting future training runs

The cost of getting this right upfront — documentation, timestamps, licensing — is far lower than the cost of defending a copyright infringement case or an EU AI Act compliance audit.

What Does the eIDAS Framework Specifically Provide?

Under eIDAS Regulation (EU) 910/2014, a qualified electronic timestamp (QTS) issued by a qualified TSP:

Creates a legal presumption that the data existed at the stated time (Art. 41(2))
Is admissible in all EU member state courts without further authentication
Cannot be backdated — TSP infrastructure is audited and certified

For AI training data provenance, this means a QTS on your dataset manifest is the gold standard of documented compliance. It transforms a self-assertion ("we assembled this dataset on date X") into a legally defensible fact.