The rapid diffusion of generative artificial intelligence systems capable of producing highly realistic images has triggered regulatory responses across multiple legal domains. On 23 February 2026, the European Data Protection Board (EDPB) adopted a Joint Statement on AI-Generated Imagery and the Protection of Privacy, endorsed by numerous data protection authorities from around the world. The document expresses serious concern about the privacy and data protection implications of AI systems that generate synthetic images of identifiable individuals, particularly where such images are created without consent and may cause reputational, psychological, or economic harm. It further addresses risks associated with the processing of personal data, the creation of deepfakes, and the proliferation of non-consensual imagery. Yet the significance of the Statement extends beyond privacy regulation. It forms part of a broader legal discourse about the status of generative AI outputs within law including the question of whether such outputs qualify for copyright protection.
This intersection between privacy and copyright is not a tension. Generative AI systems challenge both the protection of personal rights and the traditional architecture of intellectual property. A recent decision of the Munich District Court (AG München, 142 C 9786/25) illustrates this convergence particularly well. While the EDPB grapples with privacy harms arising from AI-generated imagery, national courts are clarifying that outputs produced without sufficient human creative contribution fall outside the scope of copyright protection, as noted in the Munich District Court decision.
Together, these developments suggest that AI-generated imagery occupies a legally unstable space, although many issues remain pending. The doctrinal insistence on human authorship thus serves as a gatekeeping device, preventing the automatic extension of exclusive rights to machine outputs. At the same time, data protection moves in the opposite direction as it expands its protective reach to cover synthetic representations of individuals. Even fictional depictions can constitute personal data if they render someone identifiable. At first glance, the Joint Statement of the European Data Protection Board and the decision of the Munich District Court appear to belong to entirely different legal worlds. The former approaches generative AI from the perspective of personal data protection, while the latter examines it through the lens of copyright law. Their institutional positions are equally distinct: one represents an EU-level regulatory body, the other a national court of a Member State. Even their legal nature differs. The EDPB statement is a non-binding instrument intended to guide interpretation and enforcement, whereas the Munich judgment is a binding judicial decision within the national legal order. Yet despite these differences, the two interventions ultimately address parallel legal regimes that increasingly intersect in the governance of AI-generated content. Together, they illustrate how different parts of the European legal system are beginning to grapple with the regulatory implications of generative technologies.
- The EDPB’s Joint Statement: Privacy Risks in Synthetic Imagery
The Joint Statement reflects growing regulatory alarm about the misuse of generative AI systems capable of producing convincing depictions of real persons. The EDPB emphasises that such systems may be used to generate non-consensual intimate images, defamatory portrayals, or otherwise harmful representations. Even when the depicted scenario is entirely fictional, the image may nonetheless constitute personal data if an individual is identifiable. In such circumstances, the processing of that data must comply with the General Data Protection Regulation (GDPR). The increased risks of online harassment facilitated by generative AI, particularly affecting women and occurring within domestic settings, have been explicitly recognised in Directive (EU) 2024/1385 on combating violence against women and domestic violence.
The Statement reiterates several foundational principles of European data protection law, such as the valid legal basis for data processing, purpose limitation, data minimisation, and raises concern for children and other vulnerable groups. Notably, the Statement does not propose a new law. Rather, it insists on the continued applicability of existing frameworks. This approach mirrors a broader regulatory strategy in the European Union: rather than treating AI as legally exceptional, authorities emphasise continuity and doctrinal adaptation. Generative AI systems are not beyond the reach of established norms; they are subject to all of them. This is at least true in the case of the domains of the human rights framework, liability and the risk-based approach to technology regulation, well-established pillars of both the EU law and the legal systems of its Member States.
Yet the Statement also implicitly acknowledges that enforcement may be difficult. The global and decentralised nature of AI deployment complicates the identification of controllers and processors. Moreover, AI-generated imagery may circulate rapidly across platforms, making ex post remedies insufficient. The privacy harm can be immediate and irreversible. This regulatory anxiety about harm is crucial. On the other hand, an opposite regulatory trend—aimed at watering down the so-called digital acquis—is emerging, embodied in the Digital Omnibus initiative. The real tension lies here, and it will be interesting to see how this balance is ultimately settled.
In early 2026, another interesting decision was published. The Munich District Court (Amtsgericht München) addressed the issue of IPissue. The dispute concerned AI-generated logos and whether they qualified as protected works under the German Copyright Act (Urheberrechtsgesetz, UrhG). German copyright law, consistent with EU law, requires that a work constitute a “personal intellectual creation” (persönliche geistige Schöpfung). The originality standard, as shaped by the Court of Justice of the European Union, demands that the work reflect the author’s own intellectual creation, meaning that it embodies free and creative choices attributable to a human author. The Munich court reaffirmed a fundamental principle: copyright protection presupposes human authorship. Where an output is generated autonomously by an AI system, and where human involvement is limited to general prompts or technical instructions, the resulting image lacks the requisite creative attribution. The decisive question is not whether a human initiated the process, but whether the human exercised creative control over the expressive elements of the final output. The court found that the prompts used to generate the logos were too general to establish a sufficient creative contribution. The AI system’s algorithms determined the specific aesthetic features, composition, and stylistic choices. Consequently, the logos did not qualify as protected works. It seems that the decision is doctrinally orthodox. It aligns with the long-standing European commitment to anthropocentric copyright. Authorship remains inseparable from human personality, which, although affirmed elsewhere, is yet not a global standard.
- The Emerging Interplay
The juxtaposition of the EDPB’s Joint Statement and the Munich court’s ruling reveals a structural interplay. On the one hand, AI-generated imagery can cause serious harm to individuals. On the other hand, such imagery may not qualify as protected intellectual property. This duality produces a peculiar legal configuration whereby an AI-generated deepfake depicting a real person may violate data protection law while may not be protected by copyright because it lacks human authorship.The prompter may have no exclusive rights over the output, and the depicted individual may rely primarily on privacy, personality, or defamation law rather than intellectual property. Historically, copyright has been justified partly as a mechanism for rewarding creative labour and incentivising production. With generative AI, the marginal cost of creation approaches zero, and the human creative contribution may be minimal.
Both the Joint Statement and the Munich ruling reflect a broader European regulatory approach. Rather than crafting entirely new categories for AI-generated content, European institutions and courts rely on established principles. In data protection law, the key question remains whether personal data are processed. In copyright law, the key question remains whether a human author has exercised creative freedom (among others, such as a treatmet of training data. (Buick, 2025) This approach preserves doctrinal coherence and prevents the proliferation of exclusive rights over purely algorithmic outputs.
However, the approach also raises unresolved issues. First, how should courts assess the sufficiency of human creative contribution? A user who engages in extensive prompt engineering, selection, and editing may plausibly claim authorship. The Munich decision leaves open the possibility that a different factual configuration could produce a different outcome. Second, what is the relationship between copyright and data protection in cases involving real persons? An AI-generated image might be non-protectable as a work, yet still infringe data protection rights. Third, the AI Act, though primarily focused on risk classification and compliance obligations, interacts with both regimes. High-risk AI systems must meet specific transparency and governance requirements. Generative AI models may be subject to obligations concerning training data and documentation. It seems, however, that the AI Act had not been made with generative AI in mind from the outset, which is why it lacks traits of adaptable governance stance.
- Convergence and Fragmentation
Data protection and copyright law increasingly converge in practice. Both regimes must address the realities of generative AI and confront questions about attribution, responsibility, and harm. Some of the main difference are that data protection authorities focus on controllers and lawful bases for processing, while copyright courts focus on originality and authorship. The remedies also differ. It is unrealistic to expect that either of the institutions discussed here would attempt to rethink the legal categories governing generative AI in a more radical way, although scholarhip offers such ideas. (Arikan, 2026, Delacroix, 2024) Data protection authorities, such as the European Data Protection Board, operate within a clearly defined mandat and so do national courts. Expecting these bodies to move far beyond the categories embedded in existing doctrine may therefore be misplaced. Neither of them possesses an institutional vantage point from which the broader technological and social transformation produced by generative AI could be comprehensively assessed. Such an approach might amount to what is famously described as “law of the horse” (Easterbrook, 1996). A radical (and perhaps necessary) non-legislative legal reform may perhaps come from the Court of Justice of the EU, as it occured before in the famous cases such as Google Spain or Schrems series of cases.
- Normatively Coherent and (Perhaps) Viable Space
Generative AI systems challenge the conceptual boundaries of European law. The Joint Statement on AI-Generated Imagery and the Protection of Privacy demonstrates that data protection authorities are prepared to assert jurisdiction over synthetic content that affects identifiable individuals. The Munich District Court decision confirms that copyright protection remains anchored in human authorship. AI-generated imagery occupies a space where privacy protections must exist, yet proprietary claims are not guaranteed. Technological evolution intensifies pressure on both regimes. In recent years, the EU approach to epistemological uncertainty caused by digital technologies has been grounded in a risk-based approach, which requires supplementary legal devices (such as impact assessments and ethical guidelines). (Vargas and De Gregorio, 2026) Introducing a new approach and legal solution would therefore not be novel in the EU legal landscape.
For now, however, the European response to generative AI has been characterised by continuity, more or less. Generative AI is disruptive from a tech-perspective, but legally it is being absorbed into existing frameworks based on the assessment of the risk and the insistence on transparency and through the existing data protection and copyright legal principles and doctrine. It may not be too far in the future that European bodies, primairly the Court of Justice of the EU, will engage in more complex assessments of the interaction of different legal regimes governing generative AI.
