Status of the AI Regulations

The EU AI Act is addressed separately here: AI watch: Global regulatory tracker - European Union

As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Having this in mind, and by way of context, the National AI Strategy is proposed as a reference framework for the period of 2020-2025 that allows for the orientation of sectoral, state, and regional strategies on this matter, which are in line with the policies developed by the EU.

For completeness:

• The AESIA Statute was approved on August 22, 2023 and has been in force since September 2, 2023
• The RD Sandbox was approved on November 8, 2023, and has been in force since November 10, 2023, with a maximum duration of 36 months from its entry into force or, until the EU AI Act is applicable in Spain

Other laws affecting AI

• There are a number of laws that do not directly seek to regulate AI but may affect the development or use of AI in Spain. A non-exhaustive list of key examples includes: The Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights
• Law 15/2007 on the Defence of Competition
• Organic Law 1/1982 on the civil protection of the right to honor, personal and family privacy and self-image
• Law 3/1991 on Unfair Competition
• Law 15/2022 on equal treatment and non-discrimination
• The Spanish Organic Law 2/1984 on the right of rectification
• Law 34/2002 on information society services and electronic commerce
• Law 9/2014, General Telecommunications Law
• Law 7/2010, General Law on Audiovisual Communication
• Royal Legislative Decree 2/2015, which approved the revised text of the Workers' Statute Law
• Law 10/2021 on Telecommuting
• Royal Legislative Decree 1/1996, which approved the revised text of the Intellectual Property Law, regularizing, clarifying and harmonizing the current legal provisions on the subject

Definition of “AI”

Spain's National AI Strategy explicitly mentions that there is still no formal and universally accepted definition of AI and merely refers to the one used by the European Commission. Notwithstanding the above, in the recently approved Spain's RD Sandbox, for the purpose of determining the characteristics of the participants in the controlled environment, some definitions close to AI are included. In particular:

• "AI system" is defined as: "system designed to operate with a certain level of autonomy and which, based on input data provided by machines or by people, infers how to achieve a set of objectives set using machine-learning strategies or based on logic and knowledge, and it generates output information, such as content (generative artificial intelligence systems), predictions, recommendations or decisions, that influence the environments with which it interacts"⁷
• "High-Risk AI System" is defined as: "an artificial intelligence system that meets any of the following:⁸
  • An artificial intelligence system constituting a product governed by the Union harmonization legislation shall be considered high risk if it is to be subject to a conformity assessment by a third party with a view to the introduction into the market or commissioning of such a product in accordance with the aforementioned legislation
  • An artificial intelligence system to be used as a component that performs a safety function and whose failure or malfunction endangers the health and safety of persons or property in a product regulated by a harmonized standard of the European Union, whether it is to be subjected to a conformity assessment by a third party with a view to the placing on the market or putting that product into service in accordance with the applicable harmonization legislation. This assumption will be applicable, even if the artificial intelligence system is marketed or put into service independently of the product
  • An artificial intelligence system, from the list of specific areas in which certain artificial intelligence systems are considered high risk, provided that the response of the system is relevant to the action or decision to be taken and may therefore cause a significant risk to health, the rights of workers in the workplace or safety or fundamental rights"⁹
• Spain's RD Sandbox defines "general-purpose AI system" as: "an artificial intelligence system that, regardless of the mode in which it is marketed or put into service, including as open source software, is intended by the system provider to perform general application functions, such as text, image and speech recognition; the generation of texts, audios, images and/or videos; pattern detection; answering questions; translation and others"¹⁰

Territorial scope

As there are currently no specific laws or regulations in Spain that directly regulate AI, there is no specific territorial scope for such laws. Notwithstanding the above, the Spanish Guidelines are addressed to the whole Spanish territory with the objective of achieving consistency, ensuring organization and cohesion, territorial governance and coordination between different administrative spheres, from the national to the local level. It also addresses coordination with regulation and policies at the European level.

International cooperation focus is reflected in the National AI Strategy, which places special emphasis on promoting participation in international forums such as the Council of Europe or the OECD, as well as through Spain's adherence to European initiatives such as the Digital Agenda for Europe adopted in 2018, the Coordinated Plan on AI 2019-2027, and the White Paper on Artificial Intelligence published in February 2020.

Sectoral scope

As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Accordingly, there is no sectoral scope for such laws.

Compliance roles

As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Accordingly, there is no formal identification of AI rules addressees. However, it is apparent from the reading of the Spanish Guidelines and the AESIA Statute (in line with the EU AI Act) that AI regulations are addressed to all the different actors with a role in the AI space (public administrations, developers, deployers, managers and users).

Core issues that the AI Regulations seek to address

The core issues that future AI Regulations may seek to address may be inferred from AESIA's main objectives, which are the following:

• The awareness, dissemination and promotion of training, development, and responsible, sustainable and reliable use of artificial intelligence
• The definition of mechanisms for advising and assisting society and other actors related to the development and use of artificial intelligence
• Collaboration and coordination with other national and supranational authorities for the supervision of artificial intelligence
• The promotion of real test environments for artificial intelligence systems, in order to reinforce the protection of users and avoid discriminatory biases
• The supervision of the implementation, use or commercialization of systems that include artificial intelligence and, especially, those that may pose significant risks to health, safety, equal treatment and non-discrimination, particularly between women and men, and to other fundamental rights

The above purposes are also in line with those of the Spanish Guidelines and could be summarized as the maximum development of AI in various areas (such as education and healthcare), enhancing its potential economic and social benefits by adapting our rules of coexistence to the needs of the moment, while moving toward a reliable, accountable, transparent and inclusive AI that ensures compliance with fundamental rights and applicable regulations, as well as respect for fundamental principles and values, and takes into account the collective aspirations of citizens.

Risk categorization

As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. That said, the Charter links the guarantees to be provided by public authorities to the different risk level posed by the AI, which assumes a risk categorization, in accordance with European regulations.

Additionally, as previously mentioned, the RD Sandbox also includes different definitions of AI systems based on the different risks they may pose.

Key compliance requirements

As noted above, there are currently no specific laws or regulations in Spain that directly regulate AI. Nevertheless, the principles of the Charter (set out above), indicate that Spanish laws will be interpreted with the requirements of explainability and accountability in mind.¹¹

Regulators

As already mentioned, Spain has approved the creation of the AESIA. AESIA is set to be responsible for enforcing the EU AI Act.

Likewise, another important actor to note is the Artificial Intelligence Advisory Council, which is aimed at advising the government on the design and dissemination of AI policies, and who will contribute to the development of the National Artificial Intelligence Strategy and the analysis of its implications.

Enforcement powers and penalties

As noted above, there are no specific laws or regulations in Spain that directly regulate AI. Excluding the EU AI Act, enforcement powers and penalties relating to AI will be pursuant to any applicable non-AI specific regulation.

The AESIA is the entity that has been assigned the inspection, verification and sanctioning of AI matters.

_{1 The Charter of Digital Rights is available here.
2 The National AI Strategy is available in English here.
3 The Royal Decree 817/2023 is available here.
4 The Royal Decree 729/2023 is available here.
5 The Order ETD/670/202 is available here.
6 The OECD Legal Instrument 0449 – Recommendation of the Council on Artificial Intelligence is available in English here. 
7 The Royal Decree 817/2023 is available here, Article 3(3).
8 In order to make more accurate definitions, the RD Sandbox makes certain references to EU legislation and a list of specific areas in which artificial intelligence systems are considered high risk by virtue of the definitions set forth in the RD Sandbox.
9 The Royal Decree 817/2023 is available here, Article 4.
10 The Royal Decree 817/2023 is available here, Article 5.
11 The Charter of Digital Rights is available here.}

_{White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.}

_{This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.}

_{© 2024 White & Case LLP}

Ana Calvo (Local Partner, White & Case, Madrid), Marcos Soberon (Local Partner, White & Case, Madrid) and Carlos Pena (Associate, White & Case, Madrid) contributed to this publication.