On July 10, 2025, a stack of documents was released from the EU AI Office in Brussels. A Code of Practice for General-Purpose AI Models. 284 pages. Inside were new rules that companies building the world's smartest machines would have to follow. OpenAI, Google DeepMind, Meta, Anthropic. They had already signed the document.

That same June, the opposite was happening in the Northern District of California. Two judges, in separate courtrooms, almost simultaneously ruled in favor of AI companies. Anthropic and Meta won their copyright infringement lawsuits. The rulings held that fair use, a legal doctrine two centuries old, applied to twenty-first-century artificial intelligence.

Europe wrote rules. America let them fight it out in court. These are the two fronts of the AI regulation war. And between them sits China, playing its own game.

Copyright-Related Regulations

On December 27, 2024, exactly one year after the New York Times sued OpenAI, a historic question was raised in a California courtroom. Is an AI reading a book theft, or study?

The American Approach: Find the Answer in Court. On June 23, 2025, Judge William Alsup issued his ruling in Bartz v. Anthropic. His conclusion was clear. Using books to train AI is a "spectacularly transformative" act and qualifies as fair use. Authors write books so that people will read them. What AI does with those books is something entirely different. It learns statistical relationships between words. Like a chef who reads thousands of cookbooks and then creates original recipes.

But Judge Alsup drew one important line. Anthropic had downloaded millions of books for free from pirate sites. That was not fair use. "Building a library for research" and "filling a warehouse with stolen books" are different things, the judge wrote. In September 2025, Anthropic settled for $1.5 billion. It was the largest sum in the history of AI copyright disputes.

Two days later, on June 25, Judge Vince Chhabria reached a similar but distinct conclusion in Kadrey v. Meta. He recognized Meta's training of the Llama model as fair use as well. But Judge Chhabria added a warning. This ruling "does not mean Meta's conduct was lawful. It means only that the plaintiffs pressed the wrong arguments and failed to build a record supporting the right ones."

America's regulatory philosophy reveals itself here. Congress does not write new laws. Instead, judges interpret a 200-year-old copyright statute line by line, writing new rules as they go. It is slow and expensive. But Americans prefer it. Innovation first, regulation later.

The European Union's Approach: The Free Lunch Is Over. Europe chose a different path. The EU AI Act entered into force on August 1, 2024, with phased implementation. Rules for general-purpose AI models began applying on August 2, 2025.

The core principle is transparency. All general-purpose AI model providers must publish a detailed summary of the content used for training. On July 24, 2025, the European Commission released a template for those summaries. Data sources, licensing status, copyright compliance. All must be documented.

More important is the opt-out system. If a rights holder marks their work in a machine-readable way saying "do not use my content for AI training," AI companies must respect that. The German court ruling in GEMA v. OpenAI reinforced this principle. To do AI business in Europe, you must give creators a veto.

Penalties for violations are severe. Fines can reach up to 7% of global annual revenue. For OpenAI, that could amount to billions of dollars.

China's Approach: Two Doors. China is dual-natured. The Interim Measures for the Management of Generative AI Services, effective August 2023, stipulates that training data must not infringe others' intellectual property rights. But at the same time, Chinese courts are actively recognizing copyright in AI-generated works.

In November 2023, the Beijing Internet Court issued a landmark ruling. It granted copyright to an image created with Stable Diffusion. The judge held that "if a human contributes intellectually and aesthetically by inputting prompts, adjusting parameters, and selecting outputs, the result is a copyrightable work." This is the direct opposite of the U.S. Copyright Office's position.

On the other hand, the Guangzhou Internet Court held a platform liable in the Ultraman AI image case. If an AI was allowed to generate images resembling original characters, the platform bears secondary liability for copyright infringement. Keyword filtering, watermark labeling, complaint handling systems. All of these must be in place.

South Korea's Approach: The Middle Path. On December 26, 2024, the National Assembly of the Republic of Korea passed the AI Basic Act. It is the first comprehensive AI regulatory law in the Asia-Pacific region. It takes effect on January 22, 2026.

South Korea's copyright regulations for AI remain unfinished. Current copyright law recognizes exceptions for temporary reproduction for research and non-commercial purposes, but there is no general exception for commercial AI training. The Ministry of Culture, Sports and Tourism and the Korea Copyright Commission are discussing text and data mining guidelines. Creator groups demand a compensation system, and companies want training exceptions. Somewhere between those positions, a compromise will be found.

Personal Data Regulations

In March 2023, Italy's data protection authority (Garante) blocked ChatGPT. It was the first among EU member states. Their question was straightforward. On what legal basis did OpenAI collect the personal data of Italians?

The European Union: GDPR as Shield. In December 2024, the Garante imposed a 15 million euro fine on OpenAI. It was the first GDPR sanction against generative AI. The violations were threefold: no valid legal basis for processing personal data used to train ChatGPT; failure to meet transparency obligations toward users; inadequate age verification to protect minors under 13.

The fine was not all. OpenAI was required to run a public awareness campaign in Italian media for six months, informing users how ChatGPT collects and uses data and what their rights are. OpenAI called it "disproportionate" and signaled intent to appeal. According to OpenAI, the fine was nearly 20 times the revenue it earned in Italy during the same period.

GDPR's core principles are acquiring new meaning in the AI era. Purpose limitation: data may only be used for the purpose stated at collection. But was AI training included in that purpose? Data minimization: collect only what is necessary. But AI gets smarter with more data. Storage limitation: data cannot be kept forever. But how do you delete information an AI has already learned?

This is the problem of "machine unlearning." Just as erasing a person's memory is impossible, completely removing the influence of specific data from an AI model is technically difficult. But GDPR's "right to be forgotten" still applies. If you want to do business in Europe, technical limitations are not an excuse. The United States: A Patchwork of Regulations. The U.S. has no comprehensive federal privacy law. Instead, different rules apply state by state and sector by sector.

Illinois's Biometric Information Privacy Act (BIPA) is the most dangerous minefield. Collecting facial recognition data without consent means facing class action lawsuits. Clearview AI paid over $50 million in settlements under this law. Meta's facial recognition tagging lawsuit settled for $650 million.

California's Consumer Privacy Act (CCPA/CPRA) sets another standard. Consumers have the right to know how their information is collected and used. Companies must explain what AI did with that information.

The Federal Trade Commission (FTC) wields a powerful weapon called "algorithmic disgorgement." Models trained on illegally collected data must be destroyed. Not just the data. The algorithm trained on that data must be eliminated entirely. In the Rite Aid case, the FTC ordered this measure.

China: Strict on Companies, Exceptions for the State. China's Personal Information Protection Law (PIPL) resembles GDPR on its surface. Consent requirements, purpose limitation, cross-border transfer controls. All present. The 2023 Deep Synthesis Management Regulations require consent before editing someone's face or voice with deepfake technology. Violations can lead to criminal penalties.

But there is an enormous exception. National security. Companies that misuse personal data face punishment. But state surveillance of citizens through facial recognition goes unquestioned. China's privacy regime carries a message: "Companies must not overstep. The state is exempt."

South Korea: Combining PIPA and the AI Basic Act. South Korea's Personal Information Protection Act (PIPA) rivals the EU's GDPR in strength. The AI Basic Act adds to it. High-impact AI systems must implement human oversight, output labeling, and safety measures.

The Personal Information Protection Commission (PIPC) announced special oversight measures for AI services in its 2025 work plan. These include pre-deployment on-site inspections of AI agent services and reviews of AI use in legal and human resources services. To run an AI business in South Korea, personal data must be managed not as "a lock on a storage box" but as "an access control system that records who opens what."

Discrimination and Bias Regulations

Noland Arbaugh applied to over 100 companies. He did not get a single interview. He was a Black man in his 40s who had once been diagnosed with anxiety disorder. One day he thought: what if all these companies didn't reject me, but one algorithm did?

In May 2024, the Northern District of California certified a class action in Mobley v. Workday. According to plaintiff estimates, more than one billion applicants had passed through Workday's AI hiring system. The court ruled that the system could bear direct liability for discrimination as the employer's "agent." The company that built the AI became a defendant in a discrimination lawsuit.

The United States: Old Laws Applied in New Ways. There is no federal law in the U.S. that directly prohibits AI discrimination. Instead, existing anti-discrimination statutes, the Civil Rights Act of 1964, the Equal Employment Opportunity Act, the Americans with Disabilities Act, apply to AI as well.

New York City moved ahead. Local Law 144, effective July 2023, introduced the world's first specific regulations for AI hiring tools. Companies using automated employment decision tools (AEDT) must undergo an independent bias audit annually and publish the results. If audit findings show adverse impact on a particular group, the company must explain why.

Colorado took a broader approach. The Colorado AI Act, enacted in May 2024, is the first comprehensive state-level AI regulation in the United States. Originally scheduled to take effect on February 1, 2026, it was postponed to June 30, 2026, due to industry pushback and definitional ambiguities.

The Colorado AI Act centers on "reasonable care." Both developers and deployers bear an obligation to prevent the risk of algorithmic discrimination in high-risk AI systems. "Algorithmic discrimination" means any situation in which the use of an AI system results in discriminatory treatment or impact against individuals or groups based on protected characteristics such as age, race, sex, disability, national origin, or religion.

Violations carry fines of up to $20,000 per incident. A "safe harbor" provision mitigates liability for those who comply with recognized standards such as the NIST AI Risk Management Framework.

California approaches through employment discrimination rules. Fair Employment and Housing Act (FEHA) regulations taking effect October 1, 2025, allow bias test results from AI hiring tools to be used as evidence in discrimination lawsuits. If no bias testing was conducted, that absence itself becomes unfavorable evidence. The European Union: Inspection Before Market Entry. The EU AI Act classifies AI used in hiring, education, loan decisions, and law enforcement as "high-risk AI." High-risk AI systems must meet strict requirements before reaching the market.

Data governance: training datasets must be verified for bias. Risk management systems: risks must be continuously assessed and mitigated. Fundamental Rights Impact Assessment (FRIA): effects on human rights must be evaluated in advance. Human oversight: humans must be able to intervene in automated decisions.

Europe's position is not "punish after the accident" but "inspect at the point of market entry."

Some AI is banned outright. AI that classifies natural persons based on sensitive characteristics such as race or political opinions. AI that assigns social scores. Real-time remote biometric identification in public spaces (with extremely narrow exceptions).

China: Guarding Against Ideological Bias. China's bias regulations focus on a different point than those in the West. The Interim Measures for the Management of Generative AI Services require that content generated by AI must reflect "core socialist values."

Generating discriminatory or demeaning content about groups based on ethnicity, gender, or occupation is prohibited. But the actual purpose of these regulations has less to do with Western-style fairness and more to do with regime stability. Biased information that incites subversion of state power or disrupts social order is the primary regulatory target.

The algorithm recommendation regulations prohibit platforms from engaging in "unfair algorithm practices" such as discriminatory pricing, worker exploitation, and inducing excessive use by minors. Authorities hold the power to receive algorithm reports, conduct audits, and issue correction orders.

South Korea: Focused oversight on high-impact AI. Korea's AI Basic Act centers on "high-impact AI," defined as AI systems that may significantly affect or pose risks to human life, physical safety, or fundamental rights. Eleven sectors fall under this designation, including healthcare, energy, public services, hiring, and credit assessment.

Operators running high-impact AI must conduct human rights impact assessments, establish risk management systems, and guarantee human oversight. When government agencies adopt high-impact AI, they must give priority to systems that have completed impact assessments. Maximum penalties reach 30 million won (roughly $20,000), far lower than the EU's thresholds. The Ministry of Science and ICT has stated it will focus on guidance rather than punishment during a one-year grace period. The approach seeks a balance between fostering industry and building trust, rather than imposing heavy sanctions.

Regulations on Liability Structures

A Tesla Autopilot causes a crash. Who bears responsibility? The driver or Tesla? An AI hiring system discriminates. Is the company that hired responsible, or the company that built the AI? A chatbot tells a lie. From whom should the victim seek compensation?

European Union: Distributing liability across the entire value chain. The EU AI Act imposes role-based obligations on every participant in the AI ecosystem. The Provider develops an AI system and places it on the market. The Distributor makes it available through the supply chain. The Deployer actually uses it.

Providers carry the heaviest obligations: building risk management systems, data governance, technical documentation, conformity assessment, quality management, post-market monitoring, and reporting serious incidents. All of these must be in place.

Deployers also bear responsibility: context-specific risk analysis, assigning human oversight, retaining logs, informing affected individuals, and reporting serious incidents. If a deployer changes the intended purpose of an AI system or substantially modifies it, the deployer is reclassified as a "de facto provider" and assumes provider-level obligations.

The European Commission is preparing the AI Liability Directive and a revised Product Liability Directive. The core principle is easing the burden of proof. The internal workings of AI systems resemble a black box. Victims struggle to prove defects and causation. The new directive allows causation to be presumed under specific conditions, neutralizing corporate defense arguments.

The new Product Liability Directive (Directive (EU) 2024/2853), adopted in October 2024, explicitly covers digital elements including software. AI systems are now treated as "products" and fall within the scope of product liability.

United States: Expanding vendor liability. The traditional American approach treated AI as a "tool" and held users responsible. Recent case law is changing that structure. Mobley v. Workday set an important precedent. The court ruled that an AI hiring platform is not a mere tool but an "agent" exercising delegated authority from the employer, and can bear direct legal liability. The AI vendor became a co-defendant in a discrimination lawsuit.

Tesla Autopilot litigation has also strengthened manufacturer liability. In 2024, a Florida jury recognized not only the driver's negligence but also Tesla's partial responsibility for system defects and misleading advertising.

The United States has Section 230 of the Communications Decency Act, which grants platform immunity. Whether this provision applies to AI-generated content remains contested. Under the Roommates.com precedent, a platform loses immunity when it "materially contributes" to content creation. Content directly generated by AI is likely to meet that standard. If platform immunity disappears for defamatory chatbot statements, the legal landscape of the American AI industry will change at its foundation.

China: The service provider is a content manager. China treats AI service providers as "content producers," not mere intermediaries. Like a shop owner, they are responsible for everything that happens inside the store.

Under the Interim Measures for the Management of Generative AI Services, providers must verify that generated content aligns with core socialist values. When illegal content is detected, they must immediately stop generation, modify the algorithm, and report to authorities. Non-compliance results in administrative sanctions including warnings, service suspension, and fines.

The Ultraman case at the Guangzhou Internet Court applied this principle to civil liability. If a platform fails to adequately fulfill its filtering, warning, and labeling obligations, it bears secondary liability for copyright infringement. Violation of administrative regulations became the basis for determining civil liability.

Deepfake service providers are required to apply watermarks. Violations can lead to criminal penalties. Operating an AI business in China is nearly equivalent to bearing unlimited liability for every output the algorithm produces.

South Korea: Contracts and records serve as shields. Korea's AI Basic Act clarifies operational responsibilities and safety obligations for high-impact AI. Operators must guarantee human oversight, label AI-generated content, and take measures to ensure reliability. For now, existing legal frameworks apply, including general tort liability under the Civil Act, the Product Liability Act, and the Act on Promotion of Information and Communications Network Utilization. After the AI Basic Act takes effect, compliance status will become a critical factor in liability determinations.

The practical implications are clear. When an incident occurs, "the tool created by the technology provider" and "how the organization actually used it" are examined separately. Liability clauses in contracts, log records, version control, and data provenance documents all function as evidence in disputes. Documentation is the defense itself.

The comparison arrives at one conclusion through the comparison table. AI technology knows no borders, but the legal soil on which that technology stands varies widely.

Europe says, "Set the rules first, then innovate within them." The United States says, "Innovate first, and if problems arise, resolve them in court." China warns, "Innovation is permitted, but do not cross the lines the state has drawn." South Korea watches all three approaches and searches for its own path.

For global AI companies, this is a complex chess game. Which country's regulations should you tune your model to? In which market will you restrict which features? Which jurisdiction's legal team needs reinforcement? An era has arrived where legal strategy matters as much as coding ability.

The winner of the AI legal war has not been decided. But one thing is certain: to survive this war, you must understand each country's regulatory terrain as well as you understand the technology. That is why this comparison table exists.