AI data becomes legal liability: Impact of the EU AI Act

Despite concerted late collective opposition from many of the world’s biggest tech companies, the EU AI Act’s transparency requirements for General-Purpose AI models go live on August 2, 2025—and most organizations leveraging or integrating large models are likely unprepared for what the legislation will demand of them.

Launch day: Preparing for €15m fines

The countdown is over. On August 2, 2025, every provider of General-Purpose AI (GPAI) models must begin publishing detailed summaries of their training data under the EU AI Act’s transparency requirements—the precise wording of the legislation says those summaries must be “sufficiently detailed”, wording that is sure to be battled over for the foreseeable future.

The Act is a lot more than a soft rollout or guidance document. It is a binding law with penalties up to €15 million or 3% of worldwide annual turnover. The magnitude of those penalties call to mind the GDPR legislation of 2018, which immediately and forever transformed the state of data and privacy globally.

For Chief Privacy Officers, the August 2 deadline represents the line in the sand when AI development shifts from proprietary black boxes to mandatory transparency (in Europe at least) radically transforming how organizations will approach data governance in AI systems.

New AI models placed on the EU market after August 2, 2025 must comply immediately, while models already deployed have until August 2027.

The primary issue many organizations will struggle to grasp: the EU’s extraterritorial application means any entity providing AI systems to EU markets faces these requirements, regardless of where they’re headquartered. This extraterritoriality means geographic boundaries don’t shield organizations from compliance obligations when their models serve European users, while the so-called “Brussels Effect” has led to enterprises adopting the rigor of EU laws as a global benchmark, even when other jurisdictions have looser legislation.

Scope of the EU AI Act

The EU AI Act’s scope is broader than many organizations realize, creating compliance obligations for enterprises that may never have intended to become “AI providers”.

What Qualifies as General-Purpose AI (GPAI)?

The regulation establishes a three-part test that captures most large language models and multimodal systems. A model qualifies as GPAI if it:

• – displays significant generality
• – demonstrates capability to perform a wide range of distinct tasks, and
• – can be integrated into various downstream systems. 

Models trained with computational resources exceeding 10^22 FLOPs face a rebuttable presumption that they qualify as GPAI.

To put this in context, 10^22 FLOPs represents roughly the computational threshold where models like GPT-3 and similar large language models operate. Many enterprise-scale AI initiatives involving foundation models will cross this threshold, meaning the laws will apply more broadly than the accepted GPAI model providers, including OpenAI, Anthropic, Google, Meta and others.

The EU AI Act and GPAI provider definitions

The regulation defines “provider” as any entity that develops or has developed a GPAI model and places it on market under its own name or trademark. This will include API access, software library distribution, chatbot interfaces and mobile applications.

Critically, organizations that outsource AI development but place the resulting model on market still qualify as providers and the legal responsibility will almost certainly not transfer to the developer but will remain with the entity bringing the model to market.

Exclusions and gray areas

Research and development models not placed on the market will remain exempt, as will military, defense and national security applications (with some important caveats).  However, the boundary between internal research and market deployment often blurs in enterprise environments where AI systems evolve from experimental tools to production applications.

The EU AI Act template: What “sufficiently detailed” really means

The European Commission’s training data summary template, released in January 2025, reveals the practical complexity that lies behind seemingly simple transparency requirements. 

Legal analysis of the template points to:

1. 1. Model Identification: Organizations must provide detailed model identification including provider information, contact details, model identifiers, market placement dates and knowledge cutoff dates. This requirement, seemingly administrative in nature, will create complex ongoing obligations as models are updated or fine-tuned.
2. 2. Data Source Categorization: Classification of training data will be required across six distinct categories: publicly accessible datasets; private third-party datasets; crawled and scraped online sources; user-sourced data collected by the provider; self-sourced synthetic datasets; data acquired through other means. Each of these demands both the specific disclosure of data size per modality (text, images, audio) and the identification of sources. 
3. 3. Processing and Compliance Measures: Beyond source identification, the template also requires disclosure of the measures that have been implemented to respect “copyright and related rights”. Organizations must describe the measures they have taken to avoid or remove copyrighted material.
4. 4. The Trade Secret Balance: While the template demands detailed disclosure, it avoids requiring what might be categorized as “trade secrets”, including revealing proprietary algorithms or the processes for how, specifically, data is treated. However, as past experience shows, the line between the transparency required and protected trade secrets often proves difficult to navigate in practice.

The data archaeology problem: Reconstructing what you never tracked

For most organizations, the EU AI Act’s training data requirements will expose a critical gap in their data infrastructure, in that they will often find it impossible to systematically reconstruct what data was used to train their AI models.

Organizations that built AI systems without comprehensive data lineage tracking will now face expensive retroactive discovery processes. Engineering teams must find a way to carry out a series of fiendishly complex tasks, including:

• – reverse-engineering training datasets
• – tracing data sources across complex pipelines, and 
• – documenting data processing decisions that were never systematically recorded.

These challenges only compound when organizations use multiple data sources, third-party datasets or iterative training approaches where datasets evolved over time. The technical complexity of modern AI development—involving data preprocessing, augmentation, filtering, and synthetic generation—makes retroactive documentation the most dangerous of double-edged swords: carrying significant cost to carry out, and also incomplete and therefore seriously vulnerable to rigorous application of the law.

Other requirements

Beyond the increasingly obvious data archaeology problems, there are other key requirements under the template definitions:

1. 1. Tokenization and Technical Disclosure: Organizations must disclose their tokenization methodologies: how they break down raw data such as words and pictures into digestible units suitable for AI training. This might reveal information about bias mitigation strategies, content filtering approaches and model capabilities. These technical disclosures will likely create new categories of competitive intelligence that organizations must balance against compliance obligations.
2. 2. Dataset Splitting and Threshold Gaming: The regulation’s focus on “main datasets” could create incentives for organizations to artificially fragment large datasets to avoid disclosure thresholds. However, such strategies will carry a real risk of non-compliance if regulators determine that related datasets should be treated as unified sources.
3. 3. The Broader Compliance Web: Training data transparency requirements will often overlap with existing GDPR obligations, particularly for models trained on personal data. Organizations will therefore face the twin challenge of having to navigate existing consent requirements, lawful basis determinations and data subject rights while also meeting the new AI Act’s transparency mandates. Additionally, as copyright law experts have pointed out, detailed training data summaries could provide “pre-action discovery” information for copyright litigation, creating new legal exposure vectors.

Moving from performative compliance to infrastructure advantage

While most privacy vendors treat EU AI Act requirements as documentation and reporting challenges, the underlying technical demands expose a deeper opportunity: building systematic data governance infrastructure that enables confident AI deployment at scale.

Beyond templates and forms

Organizations that treat training data transparency as an infrastructure challenge rather than purely a policy and documentation one will gain a powerful new systematic visibility into their data lineage. 

Such visibility will enable exponentially better model governance and risk management, but also allow innovation velocity by creating a systemized approach to compliance that can scale rapidly beyond the strictures previously imposed by legal teams and advisors.

Real-time data lineage discovery

The technical challenge stretches far beyond just documenting historical training data. In practice, the technical challenge will be building systems that can automatically and in real-time discover and track data lineage across complex AI development pipelines. 

Among the requirements of that data infrastructure will be:

1. 1. Lineage Tracking Capabilities that enable organizations to maintain continuous visibility into training data sources and processing decisions without the overhead of manual documentation. (To this end, Ethyca’s data lineage tracking systems provide automated discovery of data flows across AI development pipelines.)
2. 2. Operational Competitive Advantages: Organizations that build robust data lineage and model governance infrastructure will now achieve compliance with all applicable regulations, including GDPR, CCPA and the EU AI Act, while gaining significant operational advantages. They can innovate and deploy AI faster because they have systematic understanding of and visibility over their data foundations, allowing them to manage risk more effectively and adapt to regulatory changes quicker because their governance scales with their systems.
3. 3. Immediate Preparation Steps: Best practice dictates that Chief Privacy Officers will begin implementing data lineage standards and practices immediately, even for models that are not yet subject to EU requirements. This will include creating multidisciplinary teams that bridge legal, technical and data governance functions, and implementing vendor assessment processes that capture training data transparency capabilities.

The August 2025 deadline signals the beginning of systematic AI governance that will define competitive advantage in the next phase of enterprise AI adoption, and not just within EU borders.

Organizations that recognize this shift and invest in foundational data infrastructure will emerge stronger, while those treating it as another wave of necessary compliance theater will struggle with both regulatory requirements and operational limitations.

---

Ready to understand how training data transparency fits into the broader GPAI compliance framework? Read Part 2 of our EU AI Act series: “Four Key Pillars of GPAI Compliance: Technical Documentation, Risk Management, and Operational Reality”

---

About Ethyca: Ethyca is the trusted data layer for enterprise AI, providing unified privacy, governance, and AI oversight infrastructure that enables organizations to confidently scale AI initiatives while maintaining compliance across evolving regulatory landscapes.