AI-Generated Images on Irish Business Websites (2026)

You have been using DALL-E to make blog header images for a year. A new client asks whether you need a licence to publish them. The short answer for most ordinary marketing images is no. The four risk layers below explain when that answer changes and what the AI Act's Article 50(4) adds from 2 August 2026.

How Irish law treats AI-generated images

Irish copyright on still images sits under the Copyright and Related Rights Act 2000 (CRRA 2000, Number 28 of 2000), with the Information Society Directive 2001/29/EC and the DSM Directive (EU) 2019/790 transposed by S.I. No. 567 of 2021 layered on top. The test for whether anything qualifies as a protected work runs through section 17 and the Infopaq line of CJEU authority. Infopaq International A/S v Danske Dagblades Forening (Case C-5/08) requires that a work be the author's own intellectual creation, and Painer v Standard Verlags GmbH (Case C-145/10) applies the same originality threshold to photographs, framed as the photographer's free and creative choices in setting, lighting and composition. An Irish court asked whether a pure DALL-E or Midjourney prompt produces a protected work would walk that same path: there is no human author exercising free and creative choices over the specific arrangement of pixels, only a prompt that triggers a probabilistic generation. The output is typically unprotected by Irish copyright, which means the operator who publishes it does not gain an exclusive right and a competitor can reuse it without infringing. That is a marketing consideration more than a legal exposure, but it is the correct starting point for Irish law.

Section 21(f) CRRA 2000 attempts to address the computer-generated case, assigning first authorship to the person by whom the arrangements necessary for the creation of the work are undertaken. The provision predates large language model image generation by twenty years and is drafted around procedural generators and database-driven outputs. Whether section 21(f) confers protection on a Midjourney output where the human contribution is a short prompt is unresolved in the High Court. Conservative practitioners assume Infopaq controls and that section 21(f) does not save an otherwise non-original work. An operator should not rely on owning the output unless it has been substantively edited by a human.

The Data Protection Commission's involvement in the AI image question is unusually visible because the DPC formally requested the EDPB Opinion 28/2024 on AI models, which the European Data Protection Board adopted on 17 December 2024. The DPC's request concerned the lawfulness of training AI models on personal data and the implications for downstream deployers. The Opinion confirms that an AI image of an identifiable real person is personal data under Article 4(1) GDPR for the deployer, regardless of any conclusion the EDPB reached about the training-side analysis. For an Irish operator that means the publication of an AI-generated portrait that depicts a real recognisable person triggers Article 6 lawfulness obligations and, if the person is identifiable from the image, Article 13 transparency duties when their data is being processed by the AI system in the operator's deployment.

Beyond copyright and data protection, two Irish statutes need separate consideration when an AI image touches a real person. The Defamation Act 2009 (Number 31 of 2009) creates liability for publication of a statement, including by image, that injures the reputation of an identifiable person. An AI-generated image that depicts a real Irish individual engaging in conduct they did not engage in is a publication and is actionable. The threshold for an SMB Defamation Act claim is low, and the Circuit Court limit currently sits at €75,000. Sitting underneath the Defamation Act is Article 40.3.2° of the Constitution of Ireland, which protects the personal rights of the citizen including the right to a good name. Article 40.3.1° also supplies the Irish constitutional basis for the unenumerated right to privacy, which has been developed by the Supreme Court since Kennedy v Ireland [1987] IR 587 and which can be engaged by deepfake imagery affecting an identified person. Defamation and privacy actions run separately from any DPC complaint.

The Trade Marks Act 1996 (Number 6 of 1996), as amended by S.I. No. 561 of 2018 implementing the EU Trade Mark Directive (EU) 2015/2436, gives a separate route. If the AI image reproduces a registered trade mark such as the Coca-Cola wordmark or the Apple logo in a way that suggests trade origin, the operator publishing it on a commercial Irish website may be infringing section 14 of the Act regardless of any copyright analysis. This is the route a major brand uses when an AI marketing image accidentally renders their logo or trade dress. The Irish remedy is an injunction in the High Court and, in practice, a takedown letter that arrives long before any pleading.

The 2024 PLD framework adds nothing on the AI-image side directly, but Article 50 of the AI Act does. Regulation (EU) 2024/1689, the AI Act, applies its Article 50(4) labelling rule to deepfakes from 2 August 2026, and the Irish competent authority that will enforce it has not been finalised as of May 2026. The Department of Enterprise, Trade and Employment is running the designation pipeline. The likely candidates are Coimisiún na Meán, established under the Online Safety and Media Regulation Act 2022 as the Irish digital services coordinator, and the DPC for the components touching personal data. For an Irish small operator the practical implication is that the labelling duty crystallises in August 2026 regardless of which authority enforces it, and the deepfake definition in Article 3(60) of the AI Act is the operative test, not any Irish-specific gloss.

The short answer

Generic AI marketing imagery is usually fine to publish from an Irish business website. The risk concentrates in four places: images that reproduce a specific existing work, images that carry a brand logo or stock-photo watermark, images that contain identifiable real people and images that look authentic enough to pass for real photography. If you have ever wondered whether the kind of Getty demand letter Irish businesses receive for stock-photo issues could land for an AI image, it can. But only when the output reproduces a recognisable existing photograph or contains a Getty watermark.

What the courts have actually decided

The most-cited ruling is Getty Images (US) Inc & Ors v Stability AI Ltd [2025] EWHC 2863 (Ch), a UK High Court judgment of 4 November 2025. You can read the full judgment on the Judiciary website. The popular headline was "Stability AI mostly wins." That is roughly true, but the holdings are narrower than the headline suggests. Irish readers should treat the UK judgment as persuasive context rather than as a binding EU authority.

Getty abandoned its primary copyright infringement claim mid-trial because it could not prove the relevant training activity took place in the UK. The court did not rule on whether training a diffusion model on copyrighted images is itself an infringement. The "the court said training is fine" reading of the judgment is wrong. The court did not reach the question.

The court did rule on secondary copyright infringement under sections 22, 23 and 27 of the UK's Copyright, Designs and Patents Act 1988. It held that Stable Diffusion model weights are not a "copy" of the training images. The model contains trained parameters, not stored reproductions. Trademark infringement under sections 10(1) and 10(2) of the Trade Marks Act 1994 partially succeeded on a narrow set of synthetic images that bore the Getty or iStock watermark.

For Ireland the unsettled questions matter more than the UK holdings. The Copyright and Related Rights Act 2000 sets the Irish originality threshold, and the Infopaq test applies as a matter of EU-derived case law. The Data Protection Commission has been particularly active. The DPC requested EDPB Opinion 28/2024 on AI models, adopted on 17 December 2024, which addresses lawful processing for AI training and downstream use. Robert Kneschke v LAION in Germany produced a 2024 first-instance decision favourable to LAION on a TDM exception, with an appeal expected. Like Company v Google Ireland Limited (Case C-250/25) is a CJEU referral pending. Treat the EU position as open for now.

The four risk layers for your business

Layer 1. Does it reproduce a specific recognisable existing work?

Most AI outputs do not. Some do. Diffusion models occasionally produce near-copies of training images, and prompts that name a living artist, a recent film or a copyrighted character raise that risk substantially. A prompt for "a friendly dentist's office" is low-risk. A prompt asking for "in the style of [named living photographer]" is not. A reverse image search on hero images and paid-ad visuals will usually surface any close original within a minute.

Layer 2. Does it contain a trademark, logo or watermark?

This is the layer the Getty ruling actually touched. Stable Diffusion was generating images with the Getty and iStock watermarks visible, and the UK court found that this constituted trademark infringement on those specific outputs. The same logic applies under Irish trademark law if your AI image contains a recognisable brand logo, a sports team crest, a film studio mascot or a stock-agency watermark fragment.

Watermarks are the easiest defect to catch. Zoom in to 200% on the corners of any hero image before publishing. The companion crisis guide on responding to Getty letters covers what to expect if a demand still arrives.

Layer 3. Does it contain identifiable real people?

A photograph of an identifiable real person is personal data under Article 4(1) GDPR. An AI image that resembles an identifiable real person raises the same controller-level obligations under Article 5 and may engage special-category processing under Article 9. The DPC's EDPB Opinion 28/2024 request focused on training-side processing, but the downstream-publication obligation falls on you as the website operator regardless of what is decided on the training side. Article 40.3 of the Irish Constitution protects an unenumerated right to privacy that has been recognised in image-rights case law.

The practical rule is the same as for ordinary photography. If you want to publish an image that resembles a specific real person, you need their consent. AI does not change the rule. If you have no consent, prompt explicitly for "a fictional person, not resembling any real individual" and check the output before publishing.

Layer 4. Do you "own" what you made?

Probably not, in any useful sense. The US Copyright Office stated in March 2023 that pure AI-generated output without sufficient human creative input is not eligible for copyright. The Infopaq test (Case C-5/08) requires "the author's own intellectual creation" under EU-derived Irish law, which a prompt-only output is unlikely to satisfy. Irish courts have not produced a clear ruling on AI authorship, but the direction of travel is the same.

That ownership gap matters less than people fear. Most SMBs use marketing images to communicate, not to license out. The practical implication is that any competitor can re-use the same image you generated. It is a marketing concern. The broader question of who pays when AI-related compliance goes wrong on an Irish website is more layered, and the answer is rarely "the AI vendor."

Article 50 of the AI Act, applicable 2 August 2026

The EU AI Act applies from 2 August 2026 in relation to its Article 50 transparency obligations. Two paragraphs of Article 50 matter for images on a website.

Article 50(2) puts a marking obligation on the provider of a generative AI system. Midjourney, OpenAI, Stability and the rest must mark their outputs as artificially generated in a machine-readable way. This is not your obligation as the website operator.

Article 50(4) puts a labelling obligation on the deployer (you) when the AI-generated content is a deepfake under Article 3(60). The definition is narrow.

An estate agent in Dublin generating "virtual staging" of an actual listing that could pass for a real photograph of that specific room sits in the red quadrant and needs an "AI-generated" label. A café using AI to depict a generic pastry on its menu does not. The maximum fine under Article 99 is the higher of EUR 15 million or 3% of worldwide annual turnover, but Article 99(6) tells Member States to apply lower fines to SMEs, and realistic Irish enforcement against a small business will be far below the maxima. The full AI Act guide for website owners covers the other paragraphs of Article 50. The Irish Coimisiún na Meán has been designated as one of the national competent authorities for AI Act enforcement, alongside the DPC for AI uses involving personal data.

A 7 May 2026 provisional Digital Omnibus on AI may give providers of generative AI systems already on the market a transitional period until 2 December 2026 for Article 50(2) marking. The 2 August 2026 application of Article 50 itself does not move. Verify status before acting.

Practical rules for your business

A short checklist for any Irish SMB using AI imagery on a website.

1. Do not prompt with "in the style of [named living artist]." It elevates copyright risk without much creative benefit.
2. Zoom in to 200% on every AI image before publishing and look for stray watermarks, brand logos and signature fragments in the corners.
3. If you need an image of a person, prompt for "a fictional person, not resembling any real individual." If you want a real person, get their written consent. AI does not change the rule.
4. Keep prompt logs. A folder of "prompt + date + tool" records is cheap insurance if a question is ever raised by the DPC or a complainant.
5. If you publish an image that depicts a real-looking person, place or event, label it as AI-generated. A short caption is enough and keeps you safe under Article 50(4).
6. Do not claim copyright on AI-generated images in marketing contracts. You may not have any to assign.
7. For high-stakes images (campaign hero, packaging, legal documents), use a licensed library or a human illustrator. Our recommendations on free stock photo sources that are safe to use are a starting point. <!-- TODO: replace with /ie/en equivalent when published -->

If you want a check on the rest of the site at the same time, our free compliance scan covers GDPR, cookies, accessibility and image rights. It does not yet check AI-image legitimacy directly. AI-image checks are on the roadmap.

What this article does not tell you

It does not tell you whether the AI provider was entitled to use the training data. That question stays open in the EU and is contested in Germany, in California and at the CJEU. EDPB Opinion 28/2024 frames the GDPR overlay but does not settle copyright. It does not tell you that an AI image is automatically safe. The four layers can each go wrong. And it does not tell you what happens if your AI provider is eventually found liable for its training. The cascade through their terms of service is untested.

The cluster pieces this article connects to cover the related strands. Who is liable when AI helps build an Irish website sits next to this one. The same agency-tool-operator chain applies whether the AI generated code or generated an image.

Common Questions

Can someone send me a Getty-style demand letter for an AI-generated image?

Possible, but only when the AI output reproduces a recognisable existing photograph or contains a Getty or iStock watermark. Getty v Stability AI confirmed that point in November 2025. For typical AI marketing imagery with no watermarks and no recognisable real subjects, the risk of a demand letter stays low.

Do I own the AI image I generated for my website?

Probably not. The Copyright and Related Rights Act 2000 requires an original work, and the Infopaq test requires the author's own intellectual creation. Pure prompt-based output usually fails it. A competitor can re-use the same image, which is a marketing concern more than a legal one.

Do I have to label AI-generated images on my website under the AI Act?

Only when the image is a deepfake under Article 3(60), meaning it resembles a real person, place or event and would appear authentic to a reasonable viewer. Article 50(4) labelling applies from 2 August 2026. Generic AI marketing imagery without identifiable real subjects falls outside.

What did the DPC ask the EDPB about AI models?

Ireland's Data Protection Commission requested the EDPB Opinion 28/2024 on AI models, adopted in December 2024. It addressed lawful processing for training and downstream use. AI images of identifiable real people remain personal data under Article 4(1) GDPR for the deployer, regardless of training-side conclusions.

Is Midjourney safer than DALL-E or Stable Diffusion for business use?

No meaningful legal difference today. All three rely on similar training-data practices and their terms of service all push output risk back to the user. Pick on quality and licensing terms, not on a notional safety advantage.

Related reading

The image cluster on this site sits around:

• Received a Getty Images letter. The crisis guide for human-sourced image claims in Ireland.

The AI cluster pieces this article connects to:

• AI-built website liability under Irish law. The hub article on GDPR, EAA and cookie liability when AI helped build the site.
• The EU AI Act for website owners. Article 50 in depth, including chatbot disclosure and the editorial-review exemption.

This article is technical analysis, not legal advice. The author is not your solicitor and is not your registered controller. For a binding view, talk to one of those.