Border Cyber Group | Analysis

A Threshold Moment

On 28 May 2026, the Regional Court of Munich issued a preliminary injunction in case number 26 O 869/26 that will be studied in law schools for years. The ruling is narrow in its immediate scope — it concerns two Munich-based publishers and a set of false statements Google's AI generated about their businesses — but its legal reasoning is anything but narrow. What the court produced is a carefully constructed argument about the fundamental nature of AI-generated content, one that dismantles two decades of accumulated legal shielding in a few dozen pages and replaces them with a proposition that is, once stated, almost embarrassingly obvious: if a machine writes something false and harmful on your behalf, you wrote something false and harmful.

Google's AI Overviews, the court found, are not search results. They are not summaries. They are not neutral aggregations of third-party information made conveniently findable. They are, in the court's language, "independent, new, and substantive statements" — and they belong to Google. That conclusion, extended to its logical reach, restructures the liability landscape for every company currently operating a product that synthesises web content into generated answers. It is a ruling about Google. It is also a ruling about the entire AI search industry.

Understanding why requires going beyond the headline and examining what the court actually did — and what it declined to do, because the gaps in existing legal frameworks are as revealing as the ruling itself.

__________________________

What the AI Actually Did

The facts of the case are worth dwelling on, because they illustrate a failure mode that is neither exotic nor exceptional. When users searched for the names of two Munich-based publishing companies, Google's AI Overviews feature placed a generated summary at the top of the results page. That summary linked the companies to scams, subscription traps, and what the AI characterised as "dubious business practices." It opened with confident declarative statements — the court's ruling describes language of the form "Yes, [company] is known for dubious business practices" — and proceeded to build out a self-contained narrative: a summary of alleged misconduct, a list of red flags, and practical guidance for users on how to avoid being victimised.

None of this appeared in any of the linked sources. The AI had retrieved information about other companies — genuinely problematic ones — and attributed their characteristics to the plaintiffs. It had then generated original framing, original structure, and original claims that did not exist anywhere in the underlying web content it had processed. The output was not a distortion of what the sources said. It was a fabrication that used the sources as raw material for something entirely new.

This is the named-entity disambiguation problem in its most consequential form. Two companies, superficially similar in some indexing dimension the retrieval system weighted, were collapsed into a single profile. The synthesis layer then constructed a coherent, authoritative-sounding narrative around that collapsed identity. The result reached every user who searched for either company's name, presented at the top of the page in a visual register that signals settled fact.

The publishers sent a cease-and-desist letter. Google's response was inadequate. The case went to court.

__________________________

To appreciate the significance of what Munich did, it is necessary to understand what it replaced — specifically, the liability framework that has shielded search engines since the early years of the commercial internet.

In Germany, the Federal Court of Justice had established that traditional search engine operators bear only indirect infringer liability for the content they surface. The reasoning was functional: a search engine makes third-party content findable. It does not create that content. Imposing a proactive duty to review and verify every result would make search engines operationally impossible and would, in effect, restrict access to the open web. The framework reflected a genuine policy judgment: the social benefit of indexing the internet outweighs the harms caused by occasionally surfacing bad information, and the responsibility for that information rests primarily with whoever created it.

The Digital Services Act extended similar protection at the EU level. Platform operators acting as hosts of third-party content — including social media companies, marketplaces, and search engines — were shielded from liability for that content under a notice-and-takedown model, provided they acted promptly once violations were identified. The logic was the same: neutrality of the intermediary as the basis for limited liability.

The Munich court examined these precedents and found that neither applied to AI Overviews. A traditional search engine points to outside websites. AI Overviews generate "independent, new, and substantive statements" by evaluating and combining content from various third-party sites. That is a categorically different activity. The court's reasoning was precise: because the AI rewrites and judges results in its own words and according to its own structure, and because the statements it produces are not traceable to any of the linked sources, those statements cannot be characterised as third-party content that Google merely made findable. They are Google's content — generated by Google's model, served by Google's infrastructure, displayed under Google's brand, to Google's users.

The DSA safe harbour argument fared no better. You cannot be both the author and the neutral host of the same content. Google cannot claim the protections designed for passive intermediaries when it is the active producer of the content in question. The court was explicit: the possibility of victims pursuing the underlying source websites was illusory, because those websites had not made the defamatory claims. The AI had. Under the pre-ruling framework, the victim of an AI-generated false statement had nowhere to go. The court identified this as a protection gap: if Google were only liable for obvious violations and the third-party sources didn't even make the claims in question, victims had no real legal recourse. The Munich court closed that gap.

Google also raised a free speech defence. The court's response was concise and worth quoting in substance: an AI's output is not the expression of an acquired conviction. It is the result of an algorithm. Offering AI-powered research is, above all, an expression of commercial activity. When the court weighed privacy rights against Google's interests in this context, Google's interests were not found to constitute protected speech in any meaningful sense. An algorithm does not have convictions. It has outputs. The company that deployed the algorithm owns those outputs.

__________________________

The "Users Can Check" Defence and Why It Failed

Google's primary defence at the hearing deserves its own analysis, because the company has repeated it since the ruling was issued — a choice that tells you something about either their legal strategy or their institutional culture, and neither interpretation is flattering.

The argument was this: users can verify AI Overview claims by clicking through to the linked sources. Users generally understand that AI-generated content should not be blindly trusted. Therefore, Google should not be liable for the content of summaries that users could, in principle, fact-check themselves.

The court rejected this directly. The AI overview was "understandable on its own" and contained "a self-contained statement with independently understandable content and no reference to other possible interpretations or even unreliable content." The court drew a parallel to press law, where publishers are liable for teasers that are understandable on their own, even if readers never read the full article.

The empirical context here is important. Studies show that users almost never click on sources in AI Overviews. Pew Research data cited in proceedings found that figure at approximately one percent. Google built a product specifically designed to provide answers without requiring users to click through to sources — that is the product's stated value proposition — and then argued in court that users should click through to sources. The court was not persuaded. The product cannot simultaneously claim to eliminate the need for further research and then invoke the possibility of further research as a liability shield.

There is a deeper problem embedded in this defence that the court identified but that deserves further examination. Even if users wanted to verify an AI Overview claim by checking the linked sources, the Oumi analysis of Gemini 3's AI Overviews found that 56 percent of the correct answers couldn't be backed up by the sources Google linked. The AI is giving answers whose origins users can't trace. The verification pathway Google was proposing does not actually exist for more than half of the cases where it would be needed. Users who followed Google's implicit advice — check the sources — would find that the sources do not contain the information being attributed to them. The defence described a verification mechanism that the product's own architecture makes structurally unavailable.

__________________________

The Technical Problem the Ruling Creates

The Munich ruling demands accountability for a product whose outputs are, by design, generated at the moment of delivery. This is not a detail. It is the central technical challenge the ruling creates, and it is worth examining carefully because the scale of the problem is what separates this from conventional content moderation.

Google's AI Overviews are generated through retrieval-augmented generation. When a user submits a query, the system retrieves the top relevant web pages from its index and feeds the text from those pages into its Gemini model, which synthesises an answer. The entire process takes between 1.4 and 5 seconds. Every single AI overview is a unique piece of content that did not exist until somebody searched for it. There is no master copy. There is no editorial review. There is no human being who reads the output before it reaches the user.

At Google's scale, this means the company is producing billions of unique editorial statements per day, each one potentially defamatory, each one served to a specific user in response to a specific query, and none of them reviewed by any human being before publication. The court has now established that each of those statements carries Google's legal authorship. The implication is not merely significant — it is computationally vertiginous.

Conventional content moderation, which is itself an enormous unsolved challenge, involves reviewing content that exists before it is published. AI Overviews do not exist before they are published. They exist only at the moment of delivery. Pre-publication review is not possible with current architecture. What is possible — and what the ruling effectively mandates as a commercial imperative — is investment in the failure modes that produce harmful outputs in the first place.

Those failure modes have been identified in the research literature for years. Retrieval failure: the system pulls the wrong documents, confusing entities with similar surface characteristics — precisely what happened in the Munich case. Synthesis failure: the model has the right sources but draws unsupported connections or generates claims the sources do not contain, the phenomenon behind the 56-percent ungrounded citations finding. Confidence calibration failure: the model presents uncertain or contested information with the same visual authority as established fact, giving users no signal about when the output might be wrong.

Technical approaches to each of these exist. Knowledge graphs and entity disambiguation systems address retrieval failure. Faithfulness verification — a second-pass check that compares generated text against source documents — addresses synthesis failure. Uncertainty quantification, which flags claims where model confidence is low or sources conflict, addresses calibration failure. None of these are exotic research frontiers. They are engineering choices that have been deprioritised because deploying them adds latency, increases cost, and makes the product appear less definitively capable. A summary that says "sources conflict on this point" is a less impressive product than one that says "Yes, this company is known for fraud." The market, until now, has rewarded the latter.

__________________________

The Structural Extraction Problem

The Munich ruling arrives against a broader context that has received insufficient attention in the coverage of this case: the systematic economic relationship between AI Overviews and the publishers whose content feeds them.

Zero-click searches — where users receive an answer without visiting any external website — rose from 56 percent to 69 percent of all Google searches between May 2024 and May 2025. For news-related searches, that figure reached 69 percent in the year after AI Overviews launched. Google search traffic to publishers fell 33 percent globally in the year to November 2025. Individual publishers have been hit harder. HubSpot estimates it lost 70 to 80 percent of its organic traffic. Chegg, the education platform, reported a 49 percent decline.

Independent research conducted throughout 2024 and 2025 shows click-through rate reductions ranging from 34 percent to 46 percent when AI summaries appear on search results pages. Meanwhile, Google Search revenue reached $63.07 billion in Q4 2025, up 17 percent year over year, while GenAI product revenue surged nearly 400 percent.

The geometry of this arrangement is worth stating plainly. Publishers produce content. Google's AI consumes that content, synthesises it into generated answers, and serves those answers to users who then do not visit the publishers. Google's revenue grows. Publishers' traffic declines by a third globally, with individual outlets reporting losses of 50, 70, even 90 percent. The AI Overviews feature is, in economic terms, a mechanism for extracting value from the web's content ecosystem while simultaneously reducing the traffic flows that make producing that content economically viable.

The Munich ruling intersects with this dynamic in a way that has not been widely examined. The court established that when Google's AI generates a false statement about a company using that company's web presence as raw material, the company harmed has legal recourse against Google. What the ruling does not directly address — though it creates the conceptual foundation for future arguments — is the prior question: whether the extraction of content for AI synthesis without compensation is itself a legally sustainable model as the regulatory environment tightens. The EU copyright directive, the Digital Markets Act, and the ongoing European Commission probe into AI Overviews all bear on this question. The Munich ruling is one piece of a much larger legal structure that is assembling itself around the AI search industry in real time.

__________________________

Jurisdiction, Precedent, and the Portability Problem

The Munich ruling is a preliminary injunction from a regional court in one EU member state. It will almost certainly be appealed. Google confirmed the appeal on June 12, 2026, arguing that the ruling targets "specific and narrow errors, not the foundational way AI Overviews displays web content." The company's position is that most AI Overviews are accurate and that occasional misinterpretations are common to all search features.

That framing is worth examining critically. The court's reasoning was not premised on the error rate. It was premised on the nature of what AI Overviews produce: generated content that did not exist in any source, presented as Google's authoritative synthesis. Even a 99 percent accuracy rate would not change the legal character of the 1 percent, any more than a newspaper's accuracy rate exempts it from liability for the stories it gets wrong. The argument that errors are "common to all search features" collapses precisely at the line the court drew — because traditional search features point to sources that contain the statements being attributed, while AI Overviews do not.

The ruling's reasoning is, as observers have noted, structurally portable. It derives from first principles about the nature of generated content, not from specific provisions of German law that would not apply elsewhere. The Munich court's logic aligns with the EU AI Act's emphasis on assigning responsibility to the deployer of AI systems rather than treating AI outputs as passively surfaced content. The full provisions of the AI Act applicable to high-risk systems enter application on 2 August 2026 — less than two months from the date of this writing. The European Commission's enforcement powers activate simultaneously. China has issued its own court ruling on AI hallucinations. The legal systems of three major economic blocs are independently converging on the same structural observation.

Any jurisdiction examining the same technology — a model that generates new statements from web sources, presents them as authoritative answers, and serves them at scale without editorial review — could arrive at the same conclusion by examining the same facts. The question is not whether Munich's specific precedent travels. It is whether the reasoning travels. And it plainly does.

__________________________

What This Means for the Industry Beyond Google

The ruling names Google because Google is the defendant. But the court stripped the search-engine liability shield from AI summaries — a ruling that, if it holds, could reach far beyond Google to every AI answer engine. OpenAI's ChatGPT with web search, Perplexity, Anthropic's web-enabled models, Microsoft's Copilot integrated into Bing — all of these products perform some version of the same operation. They retrieve content from the web, synthesise it into generated answers, and present those answers to users as authoritative responses to their queries.

The legal exposure is not identical across these products — the degree of synthesis, the visual authority of the presentation, the availability and legibility of source citations, and the presence of uncertainty markers all vary. Perplexity, for example, presents inline citations in a more legible format than Google's AI Overviews and has experimented with more explicit hedging. These differences may matter at the margin when courts assess whether the product's design adequately signals its limitations. But the core question — does this product generate new statements that cannot be traced to the sources it cites — applies to all of them, and the Munich court's answer to that question is the same regardless of which company is deploying the model.

The practical implication is that every company operating in this space needs to engage with the technical failure modes described above not as future research priorities but as current engineering requirements. Faithfulness verification, entity disambiguation, and confidence calibration are no longer optional features that can be deferred until the market demands them. The Munich ruling, combined with the approaching EU AI Act enforcement deadline, establishes that the market is no longer the primary mechanism by which those demands are communicated.

__________________________

The Incentive Structure That Made This Inevitable

The deeper question — the one that makes this ruling a diagnostic rather than merely a legal event — is why these failure modes were tolerated for so long. The answer is not ignorance. The research community has understood entity disambiguation, synthesis faithfulness, and confidence calibration as problems for years. Papers exist. Approaches exist. The problems were not prioritised because the market was not punishing inaccuracy with the same force that it was rewarding capability and speed to deployment.

When an AI Overview defames a Munich publisher, the cost of that defamation falls on the publisher. Google absorbs no direct cost. When an AI hallucination wastes a user's time, the cost of that wasted time falls on the user. Google absorbs no direct cost. When an AI-generated medical summary provides wrong information to one in ten people who trust it, the cost of that wrong information falls on those people. Google absorbs no direct cost. The externalities of AI error were systematically borne by everyone except the deployers of the systems producing the errors.

This is not a novel economic phenomenon. It is the standard structure of negative externalities, and the standard mechanism for correcting them is liability. When the deployer of a system bears the cost of the system's failures, the calculation changes. Accuracy becomes a legal requirement, not a product differentiator. Investing in faithfulness verification adds cost and latency, but that cost and latency are now weighed against the cost of litigation, injunctions, and reputational damage rather than simply against a slower product launch.

The Munich ruling changes that calculation for Google in Germany. The EU AI Act changes it for all deployers across the entire European market starting in August. The trajectory is clear: the period in which AI errors could be treated as acceptable externalities is ending. What replaces it will be shaped by how seriously the technical community engages with the failure modes the law has now made unignorable.

__________________________

The Productive Pressure of Accountability

There is a version of this analysis that frames the Munich ruling as a threat to AI development — regulatory overreach that will impede innovation, increase costs, and slow the deployment of genuinely useful technology. That framing is available. It is also wrong.

The technology's potential utility is proportional to its reliability. An AI knowledge synthesis tool that is 91 percent accurate at scale is not 91 percent useful. It is useful for queries where its errors are tolerable and dangerous for queries where they are not. A medical summary that gives wrong information nine percent of the time is not primarily a useful medical tool with an acceptable error rate. It is an unreliable medical tool that will, at scale, cause harm that would not have occurred without it. The vision of AI as a transformative tool for synthesising the expanding body of human knowledge — enabling researchers, clinicians, policymakers, and journalists to navigate domains too vast for individual human comprehension — requires accuracy as a foundational property, not an aspiration.

The Munich ruling does not impede that vision. It creates the conditions under which serious investment in that vision's prerequisites becomes commercially rational. The companies that emerge from this transition with reliable, verifiable, well-calibrated synthesis systems will have built something genuinely useful. The companies that resist the transition will face an increasingly hostile legal environment while continuing to produce a product that is not actually doing what its users need it to do.

This is, ultimately, what the Munich Regional Court established on 28 May 2026: that the author of a statement cannot hide behind the algorithm that generated it. That proposition is not legally radical. It is not technologically unprecedented. It is, in retrospect, almost obvious. The fact that it took a court order to establish it tells you something about the assumptions the industry has been operating under — and something about how much work remains to be done.

__________________________

Border Cyber Group covers the intersection of cybersecurity, technology infrastructure, and the policy frameworks that govern them. Primary source documentation for this analysis includes the Munich Regional Court ruling (case no. 26 O 869/26, issued 28 May 2026), reporting from The Decoder, and publicly available industry traffic and accuracy data from Oumi, Similarweb, Semrush, and Seer Interactive.

— Jonathan Brown, Border Cyber Group | bordercybergroup.com Support independent security journalism!

Easy way to support our work... Subscribe (free or paid), or buy us a coffee! https://bordercybergroup.com/#/portal/support

Analysis and defender guidance in this digest are informational only. BORDER CYBER GROUP has no visibility into reader environments, patch states, or operational constraints. Nothing published here constitutes professional cybersecurity, legal, or compliance advice. All remediation and response decisions should be evaluated by qualified personnel against your organization's specific context. BCG assumes no responsibility for actions taken or not taken in reliance on this content.