African Union
The African Union's Continental AI Strategy sets the stage for a unified approach to AI governance across the continent.
Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.
Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).
Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world.
Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:
Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.
Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.
The African Union's Continental AI Strategy sets the stage for a unified approach to AI governance across the continent.
Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.
The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.
AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.
The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.
The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.
The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.
The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.
France actively participates in international efforts and proposes sector-specific laws.
The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.
Germany evaluates AI-specific legislation needs and actively engages in international initiatives.
National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.
Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.
Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.
Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.
Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.
Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.
The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.
Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.
Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.
South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.
South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.
Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.
Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.
Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.
Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.
Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.
The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.
The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.
The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.
Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.
Currently, there are no specific laws, statutory rules, or regulations in Spain that directly regulate AI, and Spain is not currently expected to enact its own general, far-reaching AI regulation. As for all EU Member States, the EU AI Act will likely be Spain's central general and cross-sectoral AI legislation.
However, Spain has published a Charter of Digital Rights (July 2021) (the "Charter") which establishes a set of non-binding principles and rights that may influence the interpretation of Spanish laws.1 The Spanish government has also published a National Artificial Intelligence Strategy (the "National AI Strategy") (November 2020), which may inform the country's regulatory efforts2 (together, the "Spanish Guidelines").
As part of the Spanish digital transformation strategy, Royal Decree 817/2023, which establishes a controlled test environment in compliance with the EU AI Act ("RD Sandbox") has been enacted. This initiative creates a controlled test environment designed to enable participants to implement high-risk AI systems under the EU AI Act with the aim of obtaining guidance on achieving compliance. This initiative is expected to crystalize in a report containing good practices,3 the conclusions of which are expected to inform future national regulations.
In connection with the above, the Spanish government has also approved Royal Decree 729/2023, on the Statute of the Spanish Agency for the Supervision of Artificial Intelligence (Agencia Española de Supervisión de Inteligencia Artificial) ("AESIA Statute"), which regulates the incorporation of AESIA, whose activities will be focused on supervisory tasks (including inspection and sanctioning powers on AI provided for in the EU AI Act), advice, awareness and training for the proper implementation of all national and European regulations regarding the proper use and development of artificial intelligence systems.4
In addition, Order ETD/670/2020, creates and lays down the legal regime of an Artificial Intelligence Advisory Council (Consejo Asesor de Inteligencia Artificial), aimed at providing independent advice and recommendations to the Ministry of Digital Transformation on matters related to the development and promotion of artificial intelligence policies and to encourage expert debate on public policies.5
Likewise, organizations such as the Organisation for Economic Cooperation and Development (OECD) have also published principles in relation to the use of AI, to which Spain adheres.6
The EU AI Act is addressed separately here: AI watch: Global regulatory tracker - European Union
As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Having this in mind, and by way of context, the National AI Strategy is proposed as a reference framework for the period of 2020-2025 that allows for the orientation of sectoral, state, and regional strategies on this matter, which are in line with the policies developed by the EU.
For completeness:
Spain's National AI Strategy explicitly mentions that there is still no formal and universally accepted definition of AI and merely refers to the one used by the European Commission. Notwithstanding the above, in the recently approved Spain's RD Sandbox, for the purpose of determining the characteristics of the participants in the controlled environment, some definitions close to AI are included. In particular:
As there are currently no specific laws or regulations in Spain that directly regulate AI, there is no specific territorial scope for such laws. Notwithstanding the above, the Spanish Guidelines are addressed to the whole Spanish territory with the objective of achieving consistency, ensuring organization and cohesion, territorial governance and coordination between different administrative spheres, from the national to the local level. It also addresses coordination with regulation and policies at the European level.
International cooperation focus is reflected in the National AI Strategy, which places special emphasis on promoting participation in international forums such as the Council of Europe or the OECD, as well as through Spain's adherence to European initiatives such as the Digital Agenda for Europe adopted in 2018, the Coordinated Plan on AI 2019-2027, and the White Paper on Artificial Intelligence published in February 2020.
As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Accordingly, there is no sectoral scope for such laws.
As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Accordingly, there is no formal identification of AI rules addressees. However, it is apparent from the reading of the Spanish Guidelines and the AESIA Statute (in line with the EU AI Act) that AI regulations are addressed to all the different actors with a role in the AI space (public administrations, developers, deployers, managers and users).
The core issues that future AI Regulations may seek to address may be inferred from AESIA's main objectives, which are the following:
The above purposes are also in line with those of the Spanish Guidelines and could be summarized as the maximum development of AI in various areas (such as education and healthcare), enhancing its potential economic and social benefits by adapting our rules of coexistence to the needs of the moment, while moving toward a reliable, accountable, transparent and inclusive AI that ensures compliance with fundamental rights and applicable regulations, as well as respect for fundamental principles and values, and takes into account the collective aspirations of citizens.
As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. That said, the Charter links the guarantees to be provided by public authorities to the different risk level posed by the AI, which assumes a risk categorization, in accordance with European regulations.
Additionally, as previously mentioned, the RD Sandbox also includes different definitions of AI systems based on the different risks they may pose.
As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Nevertheless, the principles of the Charter (set out above), indicate that Spanish laws will be interpreted with the requirements of explainability and accountability in mind.11
As already mentioned, Spain has approved the creation of the AESIA. AESIA is set to be responsible for enforcing the EU AI Act.
Likewise, another important actor to note is the Artificial Intelligence Advisory Council, which is aimed at advising the government on the design and dissemination of AI policies, and who will contribute to the development of the National Artificial Intelligence Strategy and the analysis of its implications.
As noted above, there are no specific laws or regulations in Spain that directly regulate AI. Excluding the EU AI Act, enforcement powers and penalties relating to AI will be pursuant to any applicable non-AI specific regulation.
The AESIA is the entity that has been assigned the inspection, verification and sanctioning of AI matters.
1 The Charter of Digital Rights is available here.
2 The National AI Strategy is available in English here.
3 The Royal Decree 817/2023 is available here.
4 The Royal Decree 729/2023 is available here.
5 The Order ETD/670/202 is available here.
6 The OECD Legal Instrument 0449 – Recommendation of the Council on Artificial Intelligence is available in English here.
7 The Royal Decree 817/2023 is available here, Article 3(3).
8 In order to make more accurate definitions, the RD Sandbox makes certain references to EU legislation and a list of specific areas in which artificial intelligence systems are considered high risk by virtue of the definitions set forth in the RD Sandbox.
9 The Royal Decree 817/2023 is available here, Article 4.
10 The Royal Decree 817/2023 is available here, Article 5.
11 The Charter of Digital Rights is available here.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2024 White & Case LLP
Ana Calvo (Local Partner, White & Case, Madrid), Marcos Soberon (Local Partner, White & Case, Madrid) and Carlos Pena (Associate, White & Case, Madrid) contributed to this publication.