GEMA v ChatGPT: Lyrics, AI, and Why “We Comply with All Applicable Laws” Is Useless Drafting
The Munich Regional Court just handed down a decision in GEMA v OpenAI that should be flashing red on every SaaS and content business’ radar.
In short:
- GEMA (Germany’s music rights society) sued over ChatGPT’s use of song lyrics.
- The court held that training on and reproducing protected lyrics is copyright infringement under German law unless licensed. (Reuters)
- OpenAI must pay damages and obtain a GEMA licence if it wants to use German lyrics going forward. (Juve Patent)
For SaaS and content businesses, the real lesson is not “lyrics are risky” (you knew that). It’s that territorial differences in AI + copyright law are now sharp enough that boilerplate like “we comply with all applicable laws” is functionally worthless.
You need territory-specific AI clauses in your contracts and sensible limits in your own ToS on what users feed into AI.
What the Munich Court Actually Decided
The judgment is not about some vague “AI is scary” sentiment. It’s very specific about what ChatGPT did and why it crosses the line.
Case snapshot
| 🎭 Actor | Role | What the court found |
|---|---|---|
| GEMA 🎵 | German collecting society for ~100,000 songwriters and publishers | ChatGPT reproduced substantial parts of lyrics from GEMA’s repertoire (e.g., “Männer”, “Atemlos durch die Nacht”) when given simple prompts. (The Guardian) |
| OpenAI 🤖 | Developer of ChatGPT | During training, ChatGPT stored lyrics in a way that allowed later reproduction; this went beyond mere analysis and fell outside Germany’s text-and-data-mining (TDM) exception. (Bird & Bird) |
| Munich Regional Court I ⚖️ | Court of first instance (Case 42 O 14139/24) | Training on and outputting protected lyrics without consent is unauthorised reproduction; OpenAI must pay damages and license use via GEMA for future training/operation. (Reuters) |
Key points the court emphasised:
- ChatGPT could output near-verbatim lyrics to simple prompts. Hallucinations or minor deviations did not save OpenAI; recognisability of the work was enough. (Bird & Bird)
- German TDM law (implementing the EU DSM Directive) covers analysis and extraction of patterns, not memorisation of full lyrics that can be replayed on demand. (Bird & Bird)
- This is the first European judgment directly holding an AI developer liable for using protected works in training and outputs without a licence. (Music Business Worldwide)
Compare this with the UK High Court in Getty v Stability AI, which accepted that Stable Diffusion’s model weights do not store full images and found no training-stage infringement. The Munich court went the opposite way on lyrics: the model does store and reproduce works. (Inside Tech Law)
That divergence is the heart of your drafting problem.
Why “We Comply with All Applicable Laws” Is Worthless as an AI Clause
SaaS and content companies love the line:
“We comply with all applicable laws.”
In a world where:
- UK courts lean one way on AI training,
- Germany leans another on memorisation and lyrics, and
- Japan has its own AI exceptions with different limits,
…that sentence does precisely nothing for you.
Why it fails legally and commercially
| 🚩 Problem | What “we comply with all applicable laws” actually does |
|---|---|
| No allocation of risk | It doesn’t say who bears the risk if a particular training dataset is later found infringing in Germany but arguably fine in the U.S. |
| No factual assurance | It avoids saying what you actually do: whether you train on customer data, scraped web, or licensed corpora. Clients want to know how you’re compliant. |
| No territorial nuance | It pretends “applicable laws” form a single coherent standard. GEMA v ChatGPT has just shown they don’t. |
| No contractual hook | If something goes wrong, the clause gives the other side no clear breach theory beyond “you broke the law,” which is usually harder to prove than “you broke this specific warranty.” |
For sophisticated counterparties, that language is a red flag: it reads like “we’d rather not talk about our data sources.”
Post-GEMA, expect enterprise customers, labels, publishers, and large SaaS buyers to ask specifically:
- Where do you train?
- On what data?
- How do you deal with EU, German, and Japanese quirks?
You need contract language that actually answers those questions.
How to Add Territory-Specific AI Clauses
The practical fix is to stop pretending AI/data law is harmonised and start drafting for key territories explicitly.
Think in two roles:
- when you license content out (you’re GEMA, the publisher, the course creator, etc.), and
- when you license AI tools in (you’re the SaaS customer or platform using third-party models).
When You License Your Content Out
If you own valuable text, music, video, or code and license it to platforms or AI vendors, your agreements should stop being neutral on “machine learning” or “analytics.”
A simple pattern (sketch only, not verbatim):
| 🌍 Territory block | What to say about AI training / TDM |
|---|---|
| EU / Germany 🇪🇺🇩🇪 | Make clear that any training, text-and-data-mining, or model evaluation that goes beyond internal, non-expressive analysis requires an express licence. State that your works are opted out of Article 4 DSM TDM exceptions and German §44b UrhG for commercial AI use, and that memorisation / reproduction of lyrics, scripts, or text is not authorised. (Bird & Bird) |
| Japan 🇯🇵 | Acknowledge Article 30-4’s “non-enjoyment” exception but carve out that the licensee may not use your content in training aimed at reproducing expressive elements (e.g., anime styles, lyrics, character art) or outputs that compete with your works, without a separate written licence. (Bird & Bird) |
| Rest of world 🌐 | Clarify whether you permit training use at all, and if so, under what conditions (anonymisation, internal-only models, no output that is substantially similar, etc.). Explicitly reserve rights where fair-use or TDM outcomes are uncertain. |
You can then add a “GEMA rider”-style clause:
“For avoidance of doubt, Licensee shall obtain and maintain at its own cost any necessary licences from national collective management organisations (including GEMA in Germany) where Licensee uses musical works or lyrics in training or operation of AI systems in those territories.”
That kind of clause ties the GEMA risk directly to the licensee rather than leaving it floating in “applicable law” limbo.
When You Subscribe to AI Tools or AI-Powered SaaS
Flip the perspective: you’re buying an AI tool or an AI-enhanced SaaS product, and you don’t want to wake up in GEMA’s shoes—or OpenAI’s.
You need territory-aware warranties and indemnities from your vendor.
A workable structure:
| 📑 Clause | What it should say post-GEMA |
|---|---|
| Data provenance warranty | Vendor represents that training data used for the service (including pre-training and fine-tuning) is lawfully acquired in each territory where you will deploy, and does not include unlicensed music lyrics or text corpora in countries where such use requires a licence (explicitly naming Germany / GEMA). (Music Business Worldwide) |
| Territorial compliance schedule | Instead of “all applicable laws,” the agreement has a short schedule: “In the EU/Germany, Vendor will ensure compliance with DSM/TDM rules and will obtain any needed CMO licences for protected works in training or outputs. In Japan, Vendor will restrict uses to those permitted by Article 30-4 and obtain additional rights if outputs reproduce expressive content.” |
| IP indemnity for training data | Vendor indemnifies you against claims that the training or system operation (not just outputs you create) infringes IP in the EU, Germany, Japan, etc. You can let them cap this differently, but it should be clearly carved in. (WILLIAM FRY) |
| No “local opt-out only” defence | Vendor agrees that any “opt-out” mechanisms it offers to rights holders are not your only compliance mechanism and will not be invoked as a defence against infringement claims affecting your use. This is a direct answer to the opt-out vs licence problem highlighted in European debates. |
This is where a bland “we comply with all applicable laws” does you no good. You want something you can actually red-pen and enforce when the GEMA of some other sector sends a demand.
Should Your Own ToS Limit Users Feeding Third-Party IP into AI?
Short answer: yes, absolutely, but with realistic expectations about what that actually protects.
The Munich court did not blame GEMA’s problem on “bad users.” It pinned liability on the developer, finding that the model itself memorised and reproduced lyrics. (HLK)
So your ToS can’t magically immunise you from training-stage infringement. But it can:
- cut down your output-side exposure, and
- cleanly allocate risk when users paste content they have no rights to.
Why it still helps to restrict user inputs
If your SaaS product lets users:
- paste data that you then send to an LLM API, or
- run prompts directly against your own model,
there are at least two risk vectors:
- A user asks the model to generate full lyrics or copy-heavy content from a third party (classic “give me the full song” problem).
- A user uploads a copyrighted body of work (e.g., proprietary docs, third-party code) that is then used for model tuning, analysis, or “AI features” in a way that could infringe.
Your ToS should explicitly say things like:
- Users may only input content they have the right to use in that way;
- Users must not use the service to obtain or reproduce full lyrics, book chapters, scripts, etc. without permission;
- Users indemnify you for claims arising from their breach of these promises.
You should also back that up with product design:
- filters that reject prompts like “give me all the lyrics to X,”
- rate limits / guardrails on verbatim output,
- content recognition / redaction where feasible.
Otherwise, you risk a plaintiff arguing that you’re not just passively hosting, but actively facilitating infringing use of AI, especially once rulings like GEMA are on the books.
Putting It Together: How a SaaS / Content Business Should React to GEMA v ChatGPT
If you strip away the music-industry branding, GEMA v ChatGPT is essentially this:
A court in a major EU market said:
“Your AI memorised our members’ content and can replay it. That’s not ‘data mining,’ that’s reproduction. You need a licence and you owe damages.”
For SaaS and content businesses, the practical agenda looks something like this:
| ✅ Task | Why it matters after GEMA |
|---|---|
| Audit your AI touchpoints | Identify where you or your vendors are training on or processing content that includes music, lyrics, books, news, or code in markets like the EU, Germany, Japan. |
| Upgrade contract language | Replace “we comply with all applicable laws” with territory-specific AI warranties, indemnities, and data-source disclosures, like the patterns above. |
| Tighten outbound licences | When you license your content, explicitly control AI training, TDM, and territorial use. Consider adding “GEMA-type riders” requiring licensees to deal with CMOs. |
| Tune your ToS & product | Add clear prohibitions on feeding unauthorised third-party IP into your AI features, plus practical UX/technical guardrails to avoid becoming an output-side test case. |
GEMA v ChatGPT won’t be the last time a court takes a hard territorial line on AI training and outputs. It’s just the clearest early signal that generic compliance boilerplate has officially expired as a risk-management strategy.