From copyright dispute to data governance crisis: What NYT v. OpenAI means for corporate AI strategy

The legal battle between The New York Times and OpenAI began as a high-profile copyright infringement case. But in a matter of months, it has evolved into a defining moment for corporate data governance and privacy compliance in the age of generative AI. Affecting over 400 million users worldwide, Magistrate Judge Ona T. Wang’s order is the first time a court has mandated mass preservation of AI-generated content on such a scale.

For companies deploying AI tools (whether internally or through third-party platforms), the implications of this case are profound and immediate. The decision highlights critical issues about AI, privacy rights and data governance frameworks.

The court order that redefined AI data obligations

The court order originally stems from The New York Times v. OpenAI case. The 2023 lawsuit filed by the New York Times (NYT) alleges that OpenAI unlawfully used millions of NYT articles to train its AI models, including ChatGPT. The controversy deepened when The New York Times accused OpenAI of deliberately erasing user conversations that could potentially serve as evidence of copyright violations.

On 13 May 2025, U.S. Magistrate Judge Ona T. Wang issued a sweeping preservation order requiring OpenAI to “preserve and segregate all output log data that would otherwise be deleted”. This includes:

• deleted user conversations
• Temporary chats
• API-generated outputs

Most importantly, this order applies to all ChatGPT users whether they opted out of data retention or actively deleted their chats and includes enterprise API users. The only users excluded are those who are party to a Zero Data Retention Agreement or ChatGPT Enterprise and Edu plans.

What was the court’s rationale for granting such an order?

Plaintiffs in the case alleged that OpenAI may have deleted outputs that could demonstrate copyright infringement. In response, the judge ordered preservation of all potentially relevant data, regardless of user privacy settings or jurisdictional data laws.

This is the first court order of its kind, and it sets a precedent that could reshape how companies and businesses manage AI-generated content, user data, and litigation risk.

Why this matters to your business

If your company uses generative AI such as platforms like ChatGPT, custom-built models, or third-party integrations, this case is a wake-up call. Not only could your output data no longer be confidential and private, but it signals a shift in how courts view AI-generated content: not as anonymous, but as discoverable evidence subject to preservation and production. Here’s what this means for your business.

1. AI outputs are now legal records in the USA and most likely in Australia too

AI-generated content whether it’s a chatbot response, a code snippet, or a marketing draft is now squarely within the scope of litigation discovery in the USA. Given the AI-generated content is, by its very nature, public content, we consider it likely that Australian courts will also follow the USA’s example and allow discovery of input prompts and generated outputs where relevant in litigation proceedings. Resultingly, companies should treat these outputs as

potentially evidentiary, with the same care applied to them as emails, contracts, and internal memos.

If your AI tools generate content that could be relevant to a dispute; whether IP-related, employment-related, or regulatory, your company is likely going to need to be able to preserve, retrieve, and produce that data on demand.

2. Privacy compliance is no longer a shield

OpenAI’s objection to the court order centred on privacy concerns. The company argued that retaining deleted chats violates user expectations and global privacy laws, including the EU General Data Protection Regulation and California Privacy Rights Act. But the court prioritised litigation discovery over privacy preferences.

For businesses and companies, your data will be retained and may be accessible in court proceedings, even if you opt out of data retention or actively delete outputs and logs.

3. Vendor risk is now legal risk

Many companies rely on third-party AI platforms to power customer service, internal productivity, and product innovation. But as this case shows, outsourcing AI does not outsource liability.

If your AI vendor is subject to a preservation order, your company’s data may be swept into litigation—even if you weren’t a party to the dispute. This underscores the need for:

• robust vendor due diligence
• contractual safeguards around data ownership, retention, and discovery obligations, and
• contingency planning for legal exposure tied to third-party platforms.

Strategic recommendations for corporate clients

To navigate this new landscape, companies should take the following steps.

1. Audit your AI footprint
   Identify all generative AI tools in use across your organisation, including internal models, third-party platforms, and shadow IT deployments.  We have prepared an excel spreadsheet to assist with this – if you’d like a copy, please contact Mark Metzeling.
2. Update data governance policies
   Ensure your policies address AI-generated content, retention schedules, and cross-border compliance.
3. Review vendor contracts
   Renegotiate terms to include data preservation obligations, indemnification clauses, and discovery cooperation protocols.
4. Train legal and compliance teams
   Equip your teams with the knowledge and tools to manage AI-related discovery, privacy conflicts, and regulatory inquiries.
5. Engage outside counsel early
   Involve legal advisors with AI and IP expertise to guide strategy, especially if your company is building or deploying proprietary models.

Looking ahead: AI accountability is here

OpenAI has filed a motion to vacate the preservation order, arguing that it undermines user trust and global compliance efforts. But regardless of the outcome, the message is clear: Courts are beginning to treat AI outputs as discoverable, regulated, and accountable.

For companies and businesses, this is not just a headline, it’s a strategic inflection point. Companies and businesses must move beyond experimentation and embrace responsible, resilient AI governance. If your business is using or building AI, now is the time to act.

If you want to review your practices and policies, or need assistance with AI vendors reach out to Mark Metzeling to ensure you are properly protected.

Make sure you also follow Macpherson Kelley on LinkedIn to stay up to date on the latest legal updates.

The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.