Artificial intelligence lawyers (AI)
Master AI before it outpaces you.
Since 2021, INFLUXIO has secured startups, companies, agencies and creators facing artificial intelligence: AI Act compliance, internal AI policies, AI training programmes (Article 4 AI Act), SaaS and licensing contracts, copyright in AI-generated content, deepfakes, synthetic voices and algorithmic GDPR. Startup founders: read our complete AI Act compliance guide for startups. Team led by Maria Berrada, in Paris and Brussels.
served
rating
appearances
Our services
How we can help you.
Practical examples
AI Act compliance audit for a HealthTech startup
A startup developing an AI medical diagnostic tool needed to assess its risk level under the AI Act. A complete audit was performed, the system classified as 'high risk,' and the compliance roadmap defined.
Dispute over ownership of AI-generated works
A creative studio used generative AI to produce commercial visuals. A client disputed rights ownership. The contractual framework was structured and the studio's ownership successfully defended.
Client reviews
What our clients say about us.
“Great responsiveness from all team members, with solutions found quickly and efficiently.”
Christ C.
“We entrusted INFLUXIO with a complex case. Their technical expertise, strategic vision and the quality of their legal briefs were decisive.”
Mia-Line C.
Contact
Contact INFLUXIO.
Would you like to schedule a meeting or get a quote?
We respond within 24 hours.
Insights
Learn more about this area.
What is an artificial intelligence attorney?
Artificial intelligence no longer raises only technical questions. It raises unprecedented legal questions whose answers shift in months and whose penalties now reach €35 million or 7% of worldwide turnover. Three questions come up repeatedly in our consultations. The first comes from startup founders: 'I'm launching a SaaS built on the OpenAI API or an open-source model like Llama or Mistral.
Do I risk an AI Act fine?'. The answer is never binary and depends on the qualification of your system, your role (deployer, provider, GPAI provider), your use case and the indicative fine-tuning threshold set by the Commission on 18 July 2025. The second comes from company executives: 'My staff are putting our confidential data into ChatGPT. How do we govern this?'. The risk combines a potential GDPR breach, loss of trade-secret protection under the Law of 30 July 2018, and now a breach of the training obligation imposed by Article 4 of the AI Act, applicable since 2 February 2025. The third comes from agencies and creators: 'I use Midjourney, Suno and ElevenLabs. Who owns what I deliver to my clients?'. INFLUXIO was one of the first French firms to specialise in these issues from 2021. We turn this uncertainty into strategic leverage, from upstream counsel through to technology litigation when disputes become unavoidable.
- ✓Protect your models, data and intellectual property rights
- ✓Anticipate disputes and clearly allocate responsibilities
- ✓Secure your contracts with partners, subcontractors and clients
- ✓Ensure your compliance with the European AI regulation (AI Act) and the GDPR
The European AI Act.
Regulation (EU) 2024/1689, known as the 'AI Act', is the world's first horizontal legal framework dedicated to artificial intelligence.
Voted by the European Parliament on 13 March 2024, finally adopted by the Council on 21 May 2024, published in the OJEU on 12 July 2024 and entered into force on 1 August 2024, it applies progressively between 2024 and 2027. Its obligations differ according to your role (provider, deployer, importer, distributor) and the risk level of your system.
Application timeline 2024-2027 and the digital omnibus.
The Article 5 prohibitions and the Article 4 AI literacy obligation have applied since 2 February 2025. Obligations on general-purpose AI models (GPAI, Articles 51 to 55), governance and penalties have applied since 2 August 2025. Obligations on Annex III high-risk systems and on transparency (Article 50) are due to apply on 2 August 2026, subject to the final adoption of the 'digital omnibus' proposed by the Commission on 19 November 2025, which could conditionally postpone this deadline until 2 December 2027 at the latest.
Until the omnibus is formally adopted, the 2 August 2026 deadline remains legally binding: serious operators do not bet on the postponement, they prepare ahead.
Risk-level classification.
The regulation classifies AI systems into four levels that determine the intensity of compliance required: unacceptable risk (prohibited since 2 February 2025), high risk (strict obligations on risk management, data quality, human oversight and CE marking), limited risk (transparency obligations and AI content marking), and minimal risk (no specific obligations).
- Unacceptable risk: social scoring, subliminal manipulation, exploitation of vulnerabilities, predictive policing by profiling alone, untargeted scraping of facial images, real-time remote biometric identification in public spaces
- High risk: recruitment and HR management, credit scoring, access to education, justice, biometrics, critical infrastructure, medical devices, migration
- Limited risk: chatbots, deepfakes, recommendation systems, AI-generated content
- Minimal risk: spam filters, video games, leisure applications, AI systems without direct interaction
Are you a provider or a deployer?
If you wrap the OpenAI or Mistral API to offer a service to your clients, you are a deployer towards the GPAI provider, and a provider of your own AI system built around it. If you fine-tune an open-source model, you remain in principle a deployer, unless your modifications cross the indicative threshold set by the Commission on 18 July 2025: use of more than one third of the original model's compute or one third of the 10²³ FLOP threshold.
In practice, that threshold is crossed only by a tiny minority of fine-tuners. If your use case falls under Annex III (HR, scoring, biometrics, justice, education), you become a high-risk system provider and inherit all Article 16 obligations, regardless of the GPAI provider you rely on.
General-purpose AI models (GPAI) and Code of Practice.
The European Commission published, through the AI Office, on 10 July 2025, the Code of Practice for General-Purpose AI Models, formally endorsed by the Commission and the AI Board on 1 August 2025. This voluntary code is the preferred channel to demonstrate compliance with Articles 53 and 55. It contains three chapters: transparency (applicable to all GPAI providers), copyright (policy of respecting Article 4 of Directive 2019/790 opt-outs and mitigating the risk of infringing outputs) and safety and security (reserved for systemic-risk models exceeding the 10²⁵ FLOP threshold). The AI Office also published, on 24 July 2025, a standardised template for the summary of training content, mandatory for all GPAI providers, to be updated at least every six months and published in an accessible manner.
Provider and deployer obligations.
Providers of high-risk systems must, under Article 16: implement a risk management system across the lifecycle, ensure quality and representativeness of training data, maintain technical documentation in line with Annex IV, automatically log system operation, give transparent information to deployers, ensure effective human oversight, and pass a conformity assessment before placing on the market.
Deployers, under Article 26, must use the system in line with its instructions, entrust oversight to trained persons with real authority, monitor operation and report incidents, retain logs for at least six months, inform affected persons and, in the cases set out in Article 27, conduct a fundamental rights impact assessment prior to deployment.
Regulatory sandboxes (Article 57).
Each Member State must establish at least one regulatory sandbox operational by 2 August 2026. The CNIL has already run several thematic sandboxes (public services, silver economy). The interest is legal as much as operational: a provider following the validated plan benefits from administrative immunity (no AI Act fine) and the exit report facilitates subsequent conformity assessment.
Penalties.
Penalties are among the highest in EU law. For Article 5 prohibited practices: up to €35 million or 7% of worldwide annual turnover. For other breaches: up to €15 million or 3%. For inaccurate information given to authorities: up to €7.5 million or 1%. GPAI model providers are subject, under Article 101, to specific fines of up to 3% of global turnover or €15 million.
Generative AI and creators: who owns what?
ChatGPT, Midjourney, Suno, ElevenLabs: generative AI is reshaping creation. Creators, influencers, artists, musicians and agencies are on the front line.
INFLUXIO was the first French firm to address these issues through the lens of the creator economy and continues to support studios delivering AI-produced visuals, voices and music to their clients.
Copyright in AI-generated works.
Under French law, settled case law holds that only a natural person can be recognised as an author (Article L.111-1 of the Intellectual Property Code, as interpreted in particular by Cass. ass. plén., 7 March 1986, 'Pachot', and by the CJEU, Infopaq, C-5/08, 16 July 2009). The work must also bear the imprint of the author's personality.
A creation purely generated by AI, without creative human intervention, is therefore not protectable. This aligns with US courts: the D.C. Circuit Court of Appeals, in Thaler v. Perlmutter on 18 March 2025, unanimously confirmed that the Copyright Act requires human authorship, and the US Copyright Office, in its January 2025 report, took the same line.
AI-assisted works can however be protected if human intervention is creatively substantial: iterative and nuanced prompt selection, creative curation of outputs, recompositions, retouching, editorial arrangement.
Proof comes from rigorous documentation of the creative process (preserving prompts, iterations, choices made). This is precisely what we set up for the creative studios and agencies we advise.
Commercial licences: Midjourney, Suno, ElevenLabs, DALL-E.
Platform licences differ and their terms shift with US litigation.
Midjourney provides that the subscriber 'owns all Assets' created subject to payment and compliance, and grants other users a licence on public images (Stealth mode in the Pro plan restricts visibility). For OpenAI / DALL-E, the user owns the outputs subject to compliance with the terms, but those terms do not guarantee copyrightability. Suno authorises commercial use of songs generated under Pro or Premier plans, with no royalty take, but explicitly states that music entirely generated by AI is not eligible for copyright protection.
ElevenLabs varies by plan; cloning a real voice requires explicit consent and a separate commercial licence. For agencies delivering to clients, we systematically include in service contracts transparency clauses (mention of AI use), limited eviction warranties, framed assignment of rights covering arrangement and human modifications, and explicit allocation of third-party claim risk.
Deepfakes: the SREN law of 21 May 2024 changed the game.
Law no. 2024-449 of 21 May 2024, known as 'SREN' (securing and regulating digital space), significantly strengthened the repression of deepfakes in French law. It amended Article 226-8 of the Penal Code to punish bringing to the public's or a third party's knowledge visual or audio content generated by algorithmic processing representing a person's image or words without their consent, where it is not obvious that the content is algorithmically generated or expressly stated to be so. The penalty is one year imprisonment and €15,000 fine, raised to two years and €45,000 when distributed via an online public communication service.
Article 21 of the same law created Article 226-8-1 of the Penal Code, specifically punishing non-consensual sexual deepfakes: two years imprisonment and €60,000 fine, raised to three years and €75,000 online.
These offences combine with identity theft (Art. 226-4-1), invasion of privacy (Art. 226-1), cyberbullying (Art. 222-33-2-2), sexual blackmail (Art. 312-10) and, on the civil side, image rights (Article 9 of the Civil Code) and neighbouring vocal rights.
The AI Act adds, from 2 August 2026, a transparency obligation requiring deployers to visibly label deepfakes (Article 50(4)) and providers to technically mark AI-generated content (watermarking, C2PA metadata, cryptographic signatures). The first draft Code of Practice on Transparency was published on 17 December 2025 and proposes a common 'AI' pictogram across Europe.
Synthetic voices and performers' neighbouring rights.
Synthetic reproduction of a performer's voice without authorisation infringes their neighbouring rights, guaranteed by Articles L.212-1 et seq. of the Intellectual Property Code. The performer holds an inalienable moral right to the respect of their name, status and performance, and economic rights to authorise or prohibit the fixation, reproduction and communication of their performance.
Collective management runs through ADAMI for principal performers and SPEDIDAM for accompanying performers. The voice is also protected under Article 9 of the Civil Code, extended by case law to vocal attributes.
The dispute between Scarlett Johansson and OpenAI over the GPT-4o 'Sky' voice in May 2024 brought these issues to the spotlight: OpenAI suspended the voice without going to trial, after an independent acoustic analysis concluded an exceptional similarity with the actress's voice.
In France, no specific case law has yet been issued on synthetic voices, but the field is mapped by neighbouring rights, the Civil Code and now Articles 226-8 and 226-8-1 of the Penal Code. The positions of ADAMI, SACEM and SCAM converge on the requirement of explicit prior consent and equitable remuneration.
Training AI on protected works: French litigation has begun.
Using protected works to train AI models raises the text and data mining (TDM) exception.
Directive (EU) 2019/790, transposed into French law in Article L.122-5-3 of the Intellectual Property Code, provides two exceptions: one for scientific research (Article 3 of the directive, non-overridable), and a general one (Article 4 of the directive), overridable subject to rights holders' opt-out, in particular by machine-readable means for online content.
On 12 March 2025, the Syndicat national de l'édition, the Société des gens de lettres and the Syndicat national des auteurs et compositeurs sued Meta Platforms before the Paris judicial court for training Llama, in particular, on the Books3 dataset containing about 200,000 protected books.
The first French case against a major generative AI player, based on counterfeiting and parasitism.
Abroad, Bartz v. Anthropic (N.D. Cal., 23 June 2025) found training on lawfully acquired books to be 'quintessentially transformative' but refused fair use for building a library from pirated works, leading to a $1.5 billion settlement granted preliminary approval on 25 September 2025. Kadrey v. Meta (N.D. Cal., 25 June 2025) also retained fair use with more nuanced reasoning.
NYT v. OpenAI (S.D.N.Y., order of 4 April 2025) is ongoing and led to OpenAI producing 20 million ChatGPT logs. In the UK, Getty Images v. Stability AI (EWHC, 4 November 2025) dismissed secondary infringement and found only limited trademark infringement.
In Germany, OLG Hamburg, in its 10 December 2025 decision, clarified that an opt-out expressed in natural language but not technically machine-readable is not valid. For publishers, creators and platforms, we deploy opt-out strategies cumulating robots.txt, the TDMRep protocol, C2PA or IPTC PLUS metadata and clear mentions in the terms.
Protecting your AI assets.
Your algorithms, models, hyperparameters, training data and user data represent considerable value. Their legal protection requires a combined strategy involving several complementary mechanisms, to activate from the design phase.
Algorithms and software.
Algorithms as such are not patentable in Europe, but the software implementing them can be protected by copyright (Article L.112-2, 13°, of the Intellectual Property Code). Computer-implemented inventions may also be patented under certain conditions (technical effect, technical character of the solution). We define the protection strategy best suited to your architecture.
Databases and training datasets.
Databases benefit from dual protection under European law: copyright on their original structure (Article L.112-3 of the Intellectual Property Code) and the sui generis right of database producers for substantial investment (Articles L.341-1 et seq. of the same code, transposing Directive 96/9/EC). Your training datasets are strategic assets whose protection must be anticipated from collection.
Trade secrets and know-how.
Law no. 2018-670 of 30 July 2018, transposing Directive (EU) 2016/943, provides specific protection for trade secrets (Articles L.151-1 et seq. of the Commercial Code). For your models, hyperparameters, training pipelines and technical know-how, implementing reasonable protection measures (NDAs, access restrictions, traceability of consultations, logging, information classification) is essential to benefit from this regime, which does not apply to information whose confidentiality has not been actively preserved.
GDPR and AI: indispensable compliance.
Any AI system processing personal data falls under the GDPR. Requirements are reinforced when AI produces automated decisions affecting individuals (Article 22 GDPR). The AI Act and the GDPR complement rather than replace each other: the AI Act is lex specialis on certain points, but the GDPR retains full application on personal data.
GDPR / AI Act articulation and EDPB Opinion 28/2024.
The European Data Protection Board (EDPB) issued, on 17 December 2024, its Opinion 28/2024 on data protection aspects in AI models, at the request of the Irish authority.
The opinion lays down several key points: an AI model can only be deemed anonymous if the probability of extracting or re-identifying personal data, by reasonable means, is insignificant (many large language models do not meet this criterion, due to the risk of memorisation and regurgitation); legitimate interest can serve as a legal basis for development and training, subject to the three-step test set out in EDPB Guidelines 1/2024; unlawful processing in the development phase may, on a case-by-case basis, contaminate the deployment phase.
CNIL recommendations: legitimate interest at the core.
The CNIL published, on 19 June 2025, its final recommendations on legitimate interest as a legal basis for the development and training of AI models, following a public consultation. Three cumulative conditions must be met: a lawful, real and precise interest; necessity of processing (minimisation test); a favourable balancing.
Expected additional safeguards include pseudonymisation, access restriction, exclusion of sensitive data, transparent information of individuals, a discretionary and prior right to object, a right to erasure, and technical anti-memorisation and anti-regurgitation measures.
The CNIL also published, on 19 June 2025, a web scraping practical sheet, and rolled out in December 2025 a traceability tool for open-source models. The PANAME project, launched in February 2026, is to deliver a GDPR audit framework for models.
Governing ChatGPT, Claude or Gemini in the company: the AI policy is no longer optional.
For executives facing uncontrolled deployment of generative AI by their teams ('shadow AI'), the internal AI policy is no longer best practice: it is now the only enforceable tool.
Concretely, the policy must define authorised tools and their version (the Enterprise version and the standard version do not offer the same contractual guarantees), list categories of prohibited data (identifiable client data, ongoing contracts, health and HR data, undisclosed financial data, proprietary source code, industrial secrets), require systematic human supervision of outputs, organise a procedure for declaring new tools, and provide for disciplinary sanctions.
To make the policy enforceable against an employee, it must be annexed to the internal regulations under the procedure of Articles L.1321-4, R.1321-2 and L.2312-8 of the Labour Code (consultation of the social and economic committee, filing with the labour inspectorate and the registry of the local labour court). Without this formal integration, the policy remains a mere recommendation, with no disciplinary basis.
AI training: Article 4 AI Act obligation and our tailored programmes.
Since 2 February 2025, Article 4 of the AI Act requires providers and deployers to take measures to ensure a sufficient level of AI literacy of their staff and any persons acting on their behalf. No certification is imposed, but a training register is strongly recommended.
In the event of a breach of another AI Act obligation, the absence of training will likely be retained as an aggravating factor, by parallel with GDPR case law. INFLUXIO designs and delivers enforceable AI training programmes, tailored to your sector and the maturity of your teams: executive sessions for boards and management committees (AI Act framework, governance, directors' liability), role-based modules for exposed functions (HR, marketing, legal, R&D, IT, customer support), technical workshops for data and product teams (provider/deployer qualification, risk classification, Annex IV technical documentation, logging, human oversight), and dedicated programmes for creators and agencies (generative AI, copyright, Midjourney, Suno and ElevenLabs licences, deepfakes and the SREN law). Each programme is delivered with its enforceable AI policy, time-stamped training register, sector-specific case studies and skills assessment, forming a file directly enforceable in any review by the AI Office, the CNIL or a market authority.
DPIA, transfers outside the EU and subprocessing.
Any structuring AI deployment processing data at scale, sensitive data or involving systematic evaluation triggers a data protection impact assessment (Article 35 GDPR). Transfers outside the EU to AI providers (often US-based) must be governed by standard contractual clauses, where applicable relying on the EU-US Data Privacy Framework.
Processing contracts must contain all Article 28 GDPR safeguards, supplemented by AI-specific stipulations (prohibition on using data to train models, unless explicit opt-in; log retention; cooperation with authorities).
AI contracts: securing your relationships.
A poorly drafted contract can turn a promising AI partnership into costly litigation. Pre-2024 standard SaaS terms cover neither the new AI Act obligations nor the risks specific to generative AI (hallucinations, infringement by output, disclosure of training data). INFLUXIO drafts and negotiates your full contractual arsenal.
AI SaaS terms and GPAI API contracts.
For a startup founder marketing a SaaS built on a GPAI provider, the terms must contain: definitions aligned with the AI Act, a clear qualification of provider and deployer roles, allocation of compliance (who bears the risk management system, technical documentation, six-month minimum logging, post-market surveillance), an explicit hallucination disclaimer with a human supervision obligation for the deployer, IP framing on outputs and inputs, a DPA aligned with Article 28 GDPR, prohibition on reuse of user data for training (unless opt-in), a serious incident notification obligation combining Articles 26(5) AI Act and 33 GDPR, liability caps, and a termination clause for regulatory reclassification.
AI development contracts.
Ownership of rights over developments, deliverables, training data and intermediate models must be defined precisely, distinguishing what is assigned, what is licensed and what remains the contractor's property (generic models, pre-existing technical building blocks, know-how). We secure your contracts with providers, freelancers and internal teams.
Agency-client contracts using generative AI.
For agencies and creative studios, client contracts must now include seven specific clauses: transparency on AI use, limited eviction warranty (the agency cannot fully guarantee the absence of third-party claims on training data), assignment of rights covering arrangement and human modifications (without warranty of copyrightability of purely AI elements), capped liability and exclusion of indirect damages, GDPR compliance for data injected by the client, audit and log retention of at least six months (consistent with Article 26 of the AI Act), reversibility and secure destruction at the end of the relationship.
Liability and insurance clauses.
Liability for AI-caused damage is rapidly evolving. The proposed AI Liability Directive (Proposal 2022/0303) was withdrawn by the Commission in 2025, due to lack of agreement between co-legislators.
We already integrate limitation, sharing and subrogation clauses adapted to this emerging framework, working with specialised brokers to identify the relevant cyber and professional civil liability covers.
Our AI expertise, articulated with the entire field of digital law.
INFLUXIO was one of the first French firms to specialise in AI legal issues, from 2021. Our team, led by Maria Berrada, combines deep technical expertise with a fine knowledge of the creative ecosystem.
We advise AI startups, content creation platforms, communication agencies using generative AI, and artists facing deepfakes and unauthorised reproductions.
Our dual Paris-Brussels presence gives us proximity with European institutions, in particular the AI Office, DG CNECT and DG JUST. We regularly publish on AI law developments in our INFLUXIO Talk podcast and specialised articles.
The first step in any AI Act compliance is to map all AI systems deployed or under development within your organisation, then classify each according to the four risk levels defined by the regulation. For high-risk systems, a complete technical dossier must be prepared.
Limited-risk systems must satisfy the Article 50 transparency obligations and will be subject, from 2 August 2026, to the marking requirements for generated content. INFLUXIO conducts classification audits, supports the preparation of technical documentation, and implements the governance processes required by the regulation.
Useful glossary in AI law.
- ✓AI Act: Regulation (EU) 2024/1689 of 13 June 2024, entered into force on 1 August 2024; first horizontal global framework on artificial intelligence; classifies systems by risk level (unacceptable, high, limited, minimal).
- ✓AI literacy (Article 4): obligation for providers and deployers to ensure a sufficient level of understanding and responsible use of AI by their staff; applicable since 2 February 2025.
- ✓AI Office: European AI Office, set up within the Commission; supervises GPAI models, coordinates AI Act enforcement with national authorities and publishes guidelines, codes of practice and standardised templates.
- ✓DPIA: data protection impact assessment (Article 35 GDPR), mandatory for high-risk processing; to be distinguished from the fundamental rights impact assessment provided for in Article 27 of the AI Act.
- ✓Regulatory sandbox: controlled framework set up by an authority (CNIL in France) allowing the development and testing of innovative AI systems for a limited period, with administrative immunity in case of compliance with the validated plan (Article 57 of the AI Act).
- ✓AI policy: internal company document governing AI use by staff; must be annexed to the internal regulations (Articles L.1321-4, R.1321-2 and L.2312-8 of the Labour Code) to be enforceable disciplinarily.
- ✓GPAI Code of Practice: code of practice for general-purpose AI models, published by the AI Office on 10 July 2025; three chapters (transparency, copyright, safety); preferred channel of compliance with Articles 53 and 55.
- ✓Deployer: any person using an AI system under their own authority (except for personal non-professional use); subject to Article 26 obligations of the AI Act when deploying a high-risk system.
- ✓Deepfake: under Article 3, point 60, of the AI Act, image, audio or video content generated or manipulated by AI, resembling existing persons, objects, places or events, and likely to falsely appear authentic; punished by Articles 226-8 and 226-8-1 of the Penal Code since the SREN law.
- ✓Provider: person who develops or has developed an AI system and places it on the market or puts it into service under their own name or mark; subject to Article 16 of the AI Act for high-risk systems.
- ✓GPAI (General-Purpose AI): general-purpose AI model trained on large amounts of data and showing significant generality, able to perform a wide range of tasks (Articles 51 to 55 of the AI Act).
- ✓Hallucination: production by a generative AI system of false information presented as true; major source of legal risk (defamation, disinformation, professional misconduct).
- ✓Systemic-risk model: GPAI model whose capabilities or distribution can significantly affect the market or fundamental rights; indicative threshold of 10²⁵ FLOP; reinforced obligations under Article 55 of the AI Act.
- ✓Social scoring: evaluation or classification of persons based on their social behaviour or personal characteristics, leading to detrimental treatment; practice prohibited by Article 5 of the AI Act.
- ✓TDM opt-out: expression by rights holders of their opposition to the use of their works for text and data mining (Article 4 of Directive 2019/790, Article L.122-5-3 of the IPC); must be expressed by machine-readable means for online content.
- ✓Prohibited practices: closed list of eight AI practices banned by Article 5 of the AI Act, applicable since 2 February 2025; penalties up to €35 million or 7% of worldwide annual turnover.
- ✓Shadow AI: use by staff of AI tools not validated by their employer; source of GDPR risks, loss of trade secret protection and breach of Article 4 of the AI Act.
- ✓High-risk system: AI system listed in Annex III of the AI Act (biometrics, HR, education, justice, critical infrastructure) or integrated into a regulated product; strict requirements of Article 16 from 2 August 2026.
- ✓Watermarking: imperceptible technical marking allowing content to be identified as AI-generated; provider obligation under Article 50 of the AI Act, applicable on 2 August 2026.
- ✓Web scraping: automated collection of online data to build training datasets; framed by the CNIL practical sheet of 19 June 2025 and subject to compliance with machine-readable opt-outs.
Tailored support
Discuss your situation.
Receive a clear, personalized quote from our team.
FAQ
Frequently asked questions.
The prohibitions and the AI literacy obligation have applied since 2 February 2025. Obligations on GPAI models have applied since 2 August 2025. Obligations on high-risk systems and on the transparency of AI content are due to apply on 2 August 2026, subject to the final adoption of the digital omnibus proposed by the Commission on 19 November 2025, which could conditionally postpone this deadline until 2 December 2027 at the latest.
Systems already in service before 2 August 2025 benefit from an additional period until 2 August 2027.
Yes. When you use an AI system under your own authority in a professional context, you are a deployer. Your obligations depend on the system's risk level. For ChatGPT in general use (drafting, brainstorming), you fall mainly within transparency obligations and Article 4 on AI literacy.
If you use it for Annex III use cases (HR, scoring, biometrics), you are a deployer of a high-risk system and inherit the obligations of Article 26.
For it to be enforceable against an employee and to ground a disciplinary sanction, the AI policy must be annexed to the internal regulations, after consultation of the social and economic committee and filing with the labour inspectorate and the registry of the local labour court (Articles L.1321-4, R.1321-2 and L.2312-8 of the Labour Code). Without this integration, it remains a mere recommendation.
For companies with fewer than 50 employees, it can be integrated into the IT policy.
Shadow AI accumulates several risks: potential GDPR breach (uncontrolled transfer outside the EU, fragile legal basis, right to information not respected); loss of trade secret protection over injected content (Law of 30 July 2018); breach of professional secrecy for regulated professions; breach of Article 4 of the AI Act on training.
The response is an audit of the tool stack, an AI policy and a training programme.
No, if the image is purely AI-generated. Protection requires the imprint of a natural person's personality (Articles L.111-1 and L.112-2 IPC). However, when the user exercises substantial creative intervention (iterative and nuanced prompt selection, retouching, recompositions, editorial arrangement), the assisted creation can be protected.
Proof comes from rigorous documentation of the creative process.
No, unless your modifications cross the indicative threshold set by the Commission's guidelines of 18 July 2025: use of more than one third of the original model's compute or one third of 10²³ FLOP. In practice, that threshold is crossed only by a tiny minority of fine-tuners. As a rule, you remain a deployer of the base model and a provider of your own AI system built around it.
You must express an Article 4 opt-out under Directive 2019/790, transposed in Article L.122-5-3 IPC, by machine-readable means. Protection is effective when signals are cumulated: robots.txt, the TDMRep protocol (W3C/EDRLab), C2PA or IPTC PLUS metadata, and a clear statement in the terms.
The OLG Hamburg decision of 10 December 2025 clarified that an opt-out expressed in natural language but not technically machine-readable is not valid.
Law no. 2024-449 of 21 May 2024 (SREN) amended Article 226-8 of the Penal Code to punish non-consensual deepfakes (1 year and €15,000, raised to 2 years and €45,000 online) and created Article 226-8-1 for sexual deepfakes (2 years and €60,000, raised to 3 years and €75,000 online). These offences combine with identity theft (226-4-1), invasion of privacy (226-1), cyberbullying (222-33-2-2) and image rights (Article 9 of the Civil Code).
For Article 5 prohibited practices: up to €35 million or 7% of worldwide annual turnover. For other breaches: up to €15 million or 3%. For inaccurate information given to authorities: up to €7.5 million or 1%. For GPAI model providers: up to 3% of global turnover or €15 million (Article 101).
No certification is imposed. The right setup combines a 1-2 hour general awareness session for all staff, a 2-4 hour role-based training for regular users, and a decision-maker training for managers. A training register is strongly recommended in case of audit. The absence of training will likely be retained as an aggravating factor in case of another breach.
If you are a provider of a GPAI model within the meaning of Articles 51 et seq. of the AI Act, yes: you must publish a summary in line with the AI Office standardised template of 24 July 2025. The summary must identify the provider, the model and versions, list data sources (public datasets, licensed datasets, scraped data, user data, synthetic data) and describe processing methods.
Updated at least every six months. If you only use a GPAI API without becoming a provider yourself, the obligation lies upstream.
Related publications
Our latest articles.

In short
INFLUXIO is a law firm specialized in artificial intelligence lawyers (AI), based in Paris and Brussels. AI Act compliance (Reg. EU 2024/1689), AI Office, GPAI, enforceable AI policy, algorithmic GDPR, SaaS contracts, deepfakes (SREN law) and synthetic voices.
Response within 24 hours.
Updated on



