You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

June 15, 2026

Synthetic Data in AI Model Training: Legal Challenges and Intellectual Property Risks

Subscribe to Updates
Dow Jones Risk Journal

The surge in AI development has led to a desperate demand for large, high-quality training data. However, real-world data can be expensive to collect, difficult to access, and often subject to strict privacy and regulatory constraints.

Synthetic data, which consists of artificially generated records that replicate the statistical properties of real-world data without reproducing specific individuals’ information, provides an appealing solution by generating artificial datasets at scale without relying on identifiable personal information. It combines speed, cost efficiency, and regulatory compliance, making it a sensible alternative for organizations seeking to reduce risks while maintaining data utility. When properly anonymized, synthetic datasets may fall outside the scope of laws such as the EU’s General Data Protection Regulation (GDPR) or Thailand’s Personal Data Protection Act (PDPA), reducing compliance burdens while still supporting high-quality model training.

However, relying on synthetic data without rigorous legal due diligence could be a strategic mistake. It replaces one set of known risks (scraping, direct privacy liability) with a new set of complex liabilities. The narrative that synthetic data is a “silver bullet” for privacy and IP compliance is dangerous and could be misleading.

While synthetic data addresses data scarcity, it also introduces new legal uncertainties. Legal counsel should anticipate downstream risks arising from compromised data sources. Models trained on unlawfully obtained data may need to be decommissioned, even if their outputs appear lawful.

What is synthetic data?

Synthetic data refers to artificially generated information created using AI techniques such as deep learning and generative models. Instead of copying real records, it reproduces the statistical patterns and relationships found in the original dataset.

Synthetic data generally falls into three categories:

  • Fully synthetic data – Entirely new data points generated from learned patterns. The model studies the structure of the original data and produces records that resemble real-world behavior without replicating any specific individual.
  • Partially synthetic data – Real datasets in which sensitive fields (names, ID numbers, contact details) are replaced with artificial values while nonsensitive attributes remain intact.
  • Hybrid synthetic data – A combination of real and synthetic records, often used where some genuine information must be retained for accuracy or operational purposes.

The appeal of synthetic data lies in its protection of privacy and its operational efficiency.

Properly generated synthetic datasets exclude real personal identifiers and can often be

used for development, testing, analytics, and model training without exposing the information of actual individuals. In highly regulated sectors such as healthcare and financial services, synthetic data allows organizations to work with large, realistic datasets while minimizing the legal and operational constraints associated with using real customer or patient information.

Synthetic data is often used in the following sectors:

  • Healthcare: Synthetic patient records and images for safe model development.
  • Finance: Simulated transactions for fraud detection and risk modeling.
  • Mobility and autonomous vehicles: Generated driving scenarios to train for rare or dangerous events.

Each of these sectors leverages synthetic data to accelerate AI innovation. It provides realistic, varied training examples without leaking sensitive details.

Intellectual Property considerations

Despite the clear benefits of using synthetic data, its use for AI training may still give rise to intellectual property risks. The main concerns relate to possible infringement and whether synthetic data can be protected by copyright.

Infringement Risks Arising from the Source Data

Although synthetic data can reduce privacy exposure, it does not eliminate IP risks. Every synthetic dataset starts with the same foundational step: an AI model must first access, copy, and analyze the original “source data.” If that source data is protected by copyright or contractual terms, training on it without permission may constitute infringement.

Some stakeholders adopt a more permissive view of AI training, characterizing it as a form of computational analysis that extracts abstract statistical patterns rather than protected expressive content, and therefore does not constitute infringement. However, this view reflects a policy-based interpretation rather than settled law.

Courts and regulators have increasingly indicated that using copyrighted works for AI training may amount to prima facie infringement, unless a specific legal exception applies. Developers often invoke defenses such as U.S. fair-use principles, but these are narrow, fact-dependent, and unsettled in the context of AI.

Recent U.S. cases, such as Bartz v. Anthropic and Thomson Reuters v. ROSS, have so far found fair use only where the underlying materials were lawfully acquired and the secondary use was genuinely transformative. Conversely, they have rejected fair use where the model was trained on pirated or unauthorized copies. In practice, this means that organic (real) data collected without permission still presents a significant copyright risk for model developers.

Copyrightability of Synthetic Data: Lack of Human Authorship

Even when synthetic data does not copy any specific protected work, it raises a different issue: copyright protection generally requires human authorship. Many copyright systems require a work to result from a human’s creative expression. Authorities in the U.S., U.K. and Thailand take a similar approach: the U.S. Copyright Office has repeatedly rejected registrations for fully AI-generated works on the basis that they lack human authorship. As a result, a fully synthetic dataset produced without meaningful human creative input may not be protected by copyright at all, meaning third parties could potentially reuse it freely. Nevertheless, when meaningful human judgment is involved in designing, selecting, or arranging synthetic samples, copyright may protect that creative selection or arrangement even if the individual records themselves are not protected.

Copyrightability of Synthetic Data: Originality and the Creativity Threshold

Aside from the issue of human authorship, synthetic data often fails the originality requirement. Modern copyright law does not protect works based solely on labor or investment (“sweat of the brow doctrine”). Courts require at least a minimal degree of creativity.

In the U.S., Feist Publications v. Rural Telephone Service Co. confirmed that originality requires independent creation plus a “modicum of creativity.” EU courts apply a similar test, requiring that a work reflect the author’s “own intellectual creation.”

For synthetic data producers, this creativity threshold is difficult to meet. Many synthetic outputs simply replicate statistical patterns without meaningful human creative contribution, leaving them ineligible for copyright protection. Developers should not assume that large or expensive synthetic datasets are automatically protected. To secure such copyright protection, it is necessary to clearly document the human creative decisions involved in designing or curating the synthetic data.

Compliance considerations

Synthetic data should not be presumed to fall outside privacy regulation. Under laws such as the EU’s General Data Protection Regulation and Thailand’s Personal Data Protection Act, information still qualifies as personal data if it relates directly or indirectly to an identifiable individual. Synthetic data may still fall within this scope when it is:

  • Generated from real individuals’ records,
  • Capable of being linked to a person when combined with other available information, or
  • Structured in a way that allows specific traits or behaviors of an individual to be inferred.

In these situations, regulators are likely to treat the synthetic dataset as containing personal data, meaning full compliance obligations still apply.

Ensuring true anonymization is technically challenging. Studies have repeatedly shown that even heavily anonymized datasets can be re-identified with the original individuals with high accuracy using only a few demographic attributes such as age, gender, and ZIP code. The same risks apply to synthetic datasets that replicate the structure of real-world data, especially in domains involving rare characteristics.

Therefore, anonymization cannot be treated as a single, conclusive action. As computational methods advance, datasets considered anonymous today may become identifiable tomorrow. Synthetic data remains a valuable tool, but organizations should deploy it with a realistic understanding of these evolving risks.

 

This article was originally published by Dow Jones Risk Journal in April 2026.

Related Professionals

Industries

Technology

Practices

Intellectual Property

Location

RELATED INSIGHTS​

June 11, 2026
Thailand’s Electronic Transactions Development Agency (ETDA) has released a revised draft Electronic Transactions Act (ETA) for public hearing from May 12, 2026, to June 15, 2026. This is not merely an amendment to certain provisions of the current ETA, but a comprehensive redrafting of the entire act. The revised draft ETA introduces several significant changes from the current framework, with practical implications for businesses operating in Thailand. Unified Coverage of Public and Private Sectors The current law segregates government transactions into a separate chapter with distinct rules. The draft ETA eliminates this division, defining “transaction” to encompass civil and commercial juristic acts as well as administrative procedures, administrative contracts, and other acts of government agencies. Enhanced E-Signature Definition The definition of “electronic signature” is broadened to expressly include biometric data and refocused on identifying the signatory and demonstrating intent regarding the content of the electronic data. Shift in Burden of Proof When a party challenges the reliability of electronic data created using a “trusted electronic method” or a method prescribed by the ETDA, the burden of proof and the cost of proving unreliability shifts to the challenger. Introduction of New Digital Method Concepts The draft ETA introduces several new digital method concepts that are not currently recognized under the existing ETA framework. These include: Electronic timestamping (e-timestamp) Electronic registered delivery Electronic company seals Electronic stamp duty compliance Electronic identity authentication and verification Electronic transferable records (electronic bills of lading, promissory notes, and similar negotiable instruments) Recognition of Automated Systems and Electronic Contracting The draft ETA expressly recognizes the legal validity and enforceability of contracts formed through automated systems, including contracts concluded entirely between automated systems or between an automated system and a person. A party may not deny the binding effect of such contracts solely because no human review
Read More
June 5, 2026
Vietnam’s AI regulatory framework has reached an important milestone. While the Law on Artificial Intelligence No. 134/2025/QH15 (AI Law) established the foundation for AI governance, many practical compliance requirements were left to implementing regulations. On April 30, 2026, the government issued Decree No. 142/2026/ND-CP (Decree 142), which took effect on May 1, 2026, and provides the first detailed guidance on the implementation of the AI Law. Although an official list of high-risk AI systems is still pending from the prime minister, Decree 142 provides valuable insight into how Vietnam’s risk-based AI regulatory framework will operate in practice. Risk Classification Framework The AI Law adopts a risk-based approach under which AI systems are classified as high-risk, medium-risk, or low-risk. Decree 142 builds on this framework by providing detailed guidance on how these classifications are determined. High-risk AI systems are determined based on factors such as (i) their potential impact on life, health, property, human rights, public interests, or national security; (ii) the sector in which they are deployed; and (iii) the scale of affected users or integration with critical infrastructure. The latest draft list of high-risk AI systems appears to follow these same principles. Medium-risk AI systems generally include systems that may mislead, influence, or manipulate users, particularly where users may not realize they are interacting with AI or AI-generated content. The focus is therefore on transparency and authenticity risks rather than broader societal or safety concerns. Low-risk AI systems are those that do not meet the criteria for either high-risk or medium-risk classification. Importantly, Decree 142 seeks to avoid over-classification. Certain systems may fall outside the high-risk or medium-risk regimes, including internal-use systems, office-support tools, technical editing applications, certain back-end processing systems, and AI systems used in artistic, gaming, cinematic, or other creative contexts. Providers must also review and
Read More
June 5, 2026
On May 11, 2026, Thailand’s Ministry of Social Development and Human Security released a draft Child Protection Act (“CPA”) for public review. The draft CPA would completely repeal and replace the current Child Protection Act B.E. 2546 (2003). This represents the most comprehensive overhaul of Thailand’s child protection framework in over two decades, reflecting the government’s stated objective of modernizing the law to address evolving social challenges—including those arising from digital technology—and to promote greater coordination among government agencies, local authorities, and civil society. The public review period closes on June 9, 2026. Key changes introduced by the draft CPA that could have significant implications for businesses, particularly online platform providers, media companies, and entities operating child-related services in Thailand, are set out below. Expanded Definition of “Child” Under the current CPA, a “child” is defined as a person under the age of 18, excluding those who have attained legal majority through marriage. The draft CPA removes the marriage exception entirely, broadening the scope of the law’s protections to include all individuals under 18 without exception. Replacement of “Abuse” with Broader Concept of “Violence” The current CPA uses the term “abuse/cruelty,” which covers acts causing harm to a child’s liberty, body, or mind; sexual offenses against children; and using children in harmful or immoral activities. The draft CPA replaces this with the broader concept of “violence,” which encompasses any act or omission causing harm to a child’s body, mind, or development; abandonment or neglect; improper exploitation; and sexual abuse. Notably, the new definition adds developmental harm as a recognized category of injury and captures all forms of misconduct regardless of the child’s consent. New Standalone Definition of Sexual Abuse, Including Online Conduct One of the most significant additions in the draft CPA is the introduction of a standalone definition
Read More
May 25, 2026
After several years of policy discussion and continued efforts led by the Ministry of Commerce (MOC) to relax the list of reserved businesses under the Foreign Business Act B.E. 2542 (1999) (FBA), the reform process has now reached a significant milestone. On May 12, 2026, the Thai cabinet approved in principle two draft subordinate legislative instruments aimed at delisting certain reserved business activities under the FBA and reducing licensing requirements for foreign business operators. These developments signal a renewed and concrete effort by the government to modernize Thailand’s business regulatory framework in order to attract foreign investment and boost Thailand’s competitiveness in the global market. Nine Businesses Set for FBA Delisting Below is a list of the nine businesses that are being targeted for delisting from the FBA’s restrictions. A draft ministerial regulation would delist the first eight reserved businesses, while a royal decree has been drafted to delist the ninth business: Telecommunications services (Type 1 license only, covering operators without their own telecommunications infrastructure), under the supervision of the Office of the National Broadcasting and Telecommunications Commission. Treasury center services subject to the Foreign Exchange Control Act B.E. 2485 and under the supervision of the Bank of Thailand. Securities-collateralized lending, pursuant to the laws governing securities and exchange and derivatives regulated by the Securities and Exchange Commission. Agency, dealer, advisory, or fund management services relating to derivatives where the underlying assets fall outside the scope of the Derivatives Act B.E. 2546 (2003) Intra-group shared services, including administrative, human resources, and IT functions Intra-group domestic debt guarantee services Leasing of partial space for installation of financial service machines and automatic vending machines for employee use Petroleum drilling services Trading of agricultural product derivatives through a futures exchange, with physical delivery or receipt of agricultural products at a futures exchange–designated
Read More