Generative AI Copyright & EU AI Act: ISO 42001 Compliance Guide for Taiwan Enterprises

Winners Consulting Services Co., Ltd. points out that generative AI copyright disputes are rapidly becoming a core legal risk in corporate AI governance. A 2025 study by Professor J. Quintais of the University of Amsterdam clearly reveals that under the EU AI Act framework, purely AI-generated content struggles to obtain copyright protection due to a lack of human originality. Taiwanese companies that fail to establish an ISO 42001-compliant AI governance mechanism will find themselves in a legal vacuum regarding risks such as ambiguous copyright ownership and training data infringement.

About the Author and This Study

J. Quintais is a senior researcher at the Faculty of Law, University of Amsterdam, specializing in the intersection of digital copyright law, artificial intelligence, and intellectual property. With an h-index of 15 and over 623 citations, he holds significant academic influence in the field of European AI regulatory law. This paper, published in the Computer Law & Security Review, has already accumulated 24 citations as of 2025, making it one of the most representative academic studies on generative AI copyright and regulatory frameworks in recent years.

What makes Quintais's research unique is its focus not just on the static rules of copyright law, but on how the emerging regulatory framework of the EU AI Act interacts with the existing copyright system, and the practical impact of this interaction on corporate AI applications. This provides highly valuable insights for Taiwanese companies currently assessing their EU AI Act compliance obligations.

Three Key Legal Tensions in Generative AI Copyright

Quintais's central argument is that structural tensions exist between the current copyright law system and the regulatory design of the EU AI Act. These tensions cannot be resolved by individual court rulings or internal corporate policies alone but must be re-architected at a systemic level. The study identifies three key areas of conflict.

Key Finding 1: The Human Originality Threshold Determines Copyright Ownership

Whether in U.S. court decisions, D.C. Circuit rulings, or interpretations of the current EU Copyright Directive, the emphasis is on the need for a "substantial creative contribution" from a human author for copyright protection. Quintais's research further analyzes that "prompt engineering" in most cases fails to meet this threshold because while the user provides instructions, they lack substantial control over how the AI model generates the final output. This means that marketing copy, images, or code mass-produced by companies using AI tools may legally belong to the public domain, allowing any competitor to use them freely, with the company unable to claim exclusive rights.

Key Finding 2: The Text and Data Mining Exception for AI Training Data Has Limits

The study points out that Article 53 of the EU AI Act requires developers of General-Purpose AI (GPAI) models to disclose a summary of their training data and comply with copyright reservations. However, the Text and Data Mining (TDM) exception under Article 4 of the current EU Copyright in the Digital Single Market (DSM) Directive is not unlimited—copyright holders can explicitly reserve their rights in a machine-readable format, excluding their works from being used for AI training. Quintais warns that if companies use commercial AI models for content generation without conducting due diligence on the copyright status of the training data, they will be exposed to potential risks of indirect infringement.

Key Finding 3: The EU AI Act's Transparency Obligations Create New Compliance Burdens

The EU AI Act imposes mandatory documentation and transparency requirements on GPAI models, which directly affects downstream corporate users. When a company integrates a third-party AI service into its core business processes, it must be able to answer, "Does this AI system's training data respect the reservations of copyright holders?" This requirement corresponds to the supplier due diligence clauses in ISO 42001, yet most Taiwanese companies have not yet established a systematic AI supplier evaluation mechanism.

Three Key Implications for AI Governance Practices in Taiwan

The intersecting risks of copyright and AI governance faced by Taiwanese companies are not distant European or American legal issues but are already real compliance pressures when entering the EU market, procuring AI services from the West, or being bound by client contracts. The following three points are critical issues that Taiwanese companies must address now.

Implication 1: The Legal Reality that "AI-Generated" Does Not Equal "Company Asset"

The use of Generative Artificial Intelligence is rapidly growing in Taiwan, but many companies mistakenly assume that "content generated by a company's paid AI tool automatically belongs to the company." Quintais's research clearly indicates that without substantial human creative contribution, the copyright status of AI-generated output is extremely precarious. While Taiwan's AI Copyright regulatory direction is not yet finalized, the Intellectual Property Office of the Ministry of Economic Affairs initiated a policy study on generative AI copyright in 2025, expected to reference U.S., Japanese, and European models. If companies do not establish a "human-machine collaboration documentation mechanism" now, they may struggle to provide evidence of human creative involvement in the future.

Implication 2: Supplier Due Diligence Under ISO 42001 is Non-Negotiable

ISO 42001, Clause 8.4, explicitly requires organizations to conduct risk assessments of external AI service providers to confirm that their AI systems' design, training data, and output comply with the organization's AI policy. The training data copyright risks revealed by Quintais's research are precisely the dimension that must be included in ISO 42001 supplier due diligence. During the ISO 42001 certification process, Taiwanese companies should make the "AI supplier's training data copyright compliance declaration" a standard clause in procurement contracts, not an optional item.

Implication 3: EU AI Act Compliance Requirements Now Extend to Taiwanese Export-Oriented Enterprises

The EU AI Act officially took effect in August 2024, with its obligations being phased in starting from 2025. For Taiwan's export-oriented manufacturing and software service industries, any AI system or product/service with AI functions entering the EU market must comply with the Act's transparency and documentation requirements. Although Taiwan's AI Basic Act (draft) is still under review in the Legislative Yuan, companies that proactively establish governance mechanisms based on the EU AI Act standard will be able to meet future local regulatory requirements simultaneously, avoiding the waste of resources on redundant efforts. The EU Artificial Intelligence Act's classification of high-risk AI systems and its transparency obligations for GPAI models should serve as a benchmark for Taiwanese companies' AI risk classification assessments.

How Winners Consulting Helps Taiwanese Companies Establish AI Copyright Governance

Winners Consulting Services Co., Ltd. assists Taiwanese companies in establishing AI management systems that comply with ISO 42001 and the EU AI Act, conducting AI risk classification assessments, and ensuring that artificial intelligence applications align with Taiwan's AI Basic Act. To address the copyright governance challenges highlighted by Quintais's research, we recommend that companies take the following concrete actions:

1. Establish a Human Intervention Documentation Mechanism for AI-Generated Content: For each type of AI-assisted creation, develop a "Human Creative Contribution Record Form" to detail the personnel's choices, edits, and judgments during the generation process. This creates an auditable documentation trail for future copyright claims and meets ISO 42001's documentation requirements.
2. Conduct Due Diligence on AI Suppliers' Training Data Copyright: When procuring or renewing AI service contracts, require suppliers to provide a declaration of copyright compliance for their training data. Incorporate the transparency obligations of Article 53 of the EU AI Act into contract clauses to ensure the supplier's adherence to copyright reservations is traceable and auditable.
3. Initiate an ISO 42001 Gap Analysis to Identify Copyright-Related AI Risks: Within the ISO 42001 AI risk classification framework, list "copyright infringement risk" and "risk of ambiguous copyright ownership for AI-generated content" as separate risk categories. Set risk acceptance criteria and mitigation measures, and integrate them into a periodic review mechanism.

Frequently Asked Questions

Can content generated by my company using ChatGPT or other AI tools be protected by copyright?

The answer depends on the degree of human involvement, not the type of AI tool used. According to Quintais's (2025) research and recent U.S. court rulings, copyright protection requires "substantial creative contribution" from a human author, including significant control over the selection, arrangement, and expression of the output. If an employee merely inputs a generic prompt without making substantial creative edits to the AI's output, the resulting content legally falls into the public domain, and the company cannot claim copyright. Businesses should establish a system for documenting human creative intervention and clearly define the criteria for "copyrightable AI-assisted creations" in their AI governance policies, aligning with ISO 42001 documentation requirements.

When implementing ISO 42001, how should Taiwanese companies incorporate copyright risk into their AI risk assessment?

Copyright risk should be integrated as a distinct legal compliance risk category under ISO 42001, Clause 6.1, which requires organizations to identify risks and opportunities related to their AI systems. Specifically, the assessment should cover three dimensions: 1) the risk of ambiguous copyright ownership for AI-generated content, affecting commercialization and licensing; 2) the risk of indirect infringement from AI training data that violates third-party copyrights; and 3) compliance risks related to the transparency requirements for GPAI models under Article 53 of the EU AI Act. Although Taiwan's AI Basic Act is still a draft, companies can proactively use the EU AI Act as a benchmark to build their risk matrix, preventing redundant assessments when local regulations are enacted.

How long does ISO 42001 certification take, and what are the main steps?

The ISO 42001 certification process for a Taiwanese company typically takes 7 to 12 months, depending on the company's size and existing AI governance maturity. The process involves four main stages. Stage one (months 1-2) is a current state diagnosis and gap analysis. Stage two (months 3-5) involves designing the AI management system, including AI risk classification, human oversight mechanisms, and supplier due diligence procedures, where copyright-related risk documentation should be completed. Stage three (months 6-9) is the system-wide implementation and internal audit. The final stage (months 10-12) is the formal audit by a third-party certification body. Throughout this process, maintaining an auditable trail of copyright governance documentation is crucial.

When procuring external AI services, how can a company assess the copyright compliance risk of the training data?

Companies should establish a structured due diligence checklist for AI supplier copyright compliance, covering at least four key areas. First, does the supplier provide a declaration of copyright compliance for their training data, in line with Article 53 of the EU AI Act? Second, does the training process respect copyright holders' machine-readable opt-out reservations? Third, are the supplier's liability clauses for copyright infringement clear and adequate? Fourth, can the supplier provide technical documentation for the AI system that meets ISO 42001 requirements? As Quintais (2025) notes, the EU AI Act is strengthening transparency obligations for GPAI training data, with more detailed rules expected from 2026. Taiwanese companies should proactively include these requirements in their standard procurement contracts.

Why choose Winners Consulting Services for assistance with AI governance issues?

Winners Consulting Services Co., Ltd. specializes in AI governance and intellectual property compliance for Taiwanese companies, offering a one-stop service from ISO 42001 certification consulting to EU AI Act compliance assessment. Our approach integrates legal, technical, and management perspectives. Our team has hands-on experience guiding manufacturing, software, and financial companies in Taiwan to build robust AI governance frameworks and is well-versed in Taiwan's legislative progress on the AI Basic Act and the latest regulatory trends in Europe and the US. Unlike pure law firms or IT consultants, we can simultaneously handle copyright risk identification, ISO 42001 documentation design, and EU AI Act gap analysis, helping companies establish an auditable and sustainable AI governance system within 7 to 12 months.

Related Services & Further Reading

Related Services

▶AI Governance📋ISO 42001 AI Governance📋AI Transformation📋Digital Transformation