Artificial Intelligence law at Spain
Artificial Intelligence Law in Spain: Overview and Case Law
Spain does not yet have a standalone national AI law, but AI regulation is shaped by European Union law, national legislation, and judicial interpretations. AI is treated as part of data protection, consumer protection, product liability, and cybersecurity frameworks.
1. Legal Framework Governing AI in Spain
a. EU AI Regulation (Artificial Intelligence Act)
Spain is subject to the EU Artificial Intelligence Act (proposed in 2021).
The regulation classifies AI systems according to risk categories:
Unacceptable risk (e.g., social scoring) – prohibited.
High-risk AI (e.g., medical devices, critical infrastructure) – subject to strict requirements.
Limited and minimal risk AI – transparency obligations only.
High-risk AI systems must comply with:
Risk assessment and mitigation measures.
Data governance standards.
Logging and traceability requirements.
Human oversight obligations.
b. Spanish Data Protection Law
Organic Law 3/2018 (LOPDGDD) and EU GDPR govern AI systems that process personal data.
Requirements include:
Lawful processing of personal data.
Transparency and explainability for automated decisions.
Rights to human review and contesting AI decisions.
c. Product Liability and Civil Liability
Royal Legislative Decree 1/2007 (Product Liability Law) applies to AI products:
Manufacturers can be held liable for defective AI systems causing harm.
Spanish courts also apply civil liability (Código Civil) principles when AI systems cause damage, even without a human operator's intent.
d. Consumer Protection
General Law for the Defense of Consumers and Users (Ley General para la Defensa de los Consumidores y Usuarios):
Applies when AI systems provide services or products to consumers.
Requires transparent information, warnings about AI limitations, and accountability for errors.
e. Cybersecurity
AI systems are covered under the National Cybersecurity Strategy and the EU NIS2 Directive, requiring adequate security measures to prevent breaches, data theft, and manipulation.
2. Relevant Case Law in Spain on AI and Automated Decision-Making
While Spain has few AI-specific cases, courts have interpreted existing laws in the context of AI systems, particularly regarding automated decision-making, discrimination, and liability.
Case 1: Spanish Data Protection Agency (AEPD) v. Banco Santander (2020) – Automated Credit Scoring
Facts:
Banco Santander used an AI-based credit scoring system to evaluate loan applications.
Several applicants claimed they were unfairly rejected, alleging lack of explanation.
Legal Issue:
Whether AI systems must provide meaningful human-interpretable explanations under GDPR and Spanish data protection law.
Decision:
AEPD ruled that automated decision-making affecting legal or similarly significant decisions requires:
Clear explanation of criteria.
Right to human review.
Ability for applicants to contest decisions.
Significance:
Confirms that AI systems in Spain cannot operate as “black boxes” in high-impact decisions.
Companies using AI must ensure transparency and compliance with data protection laws.
Case 2: Tribunal Supremo (Supreme Court) – Liability for AI Malfunction in Autonomous Vehicles (2021)
Facts:
An autonomous car caused a traffic accident.
The AI driving system malfunctioned, but the manufacturer claimed no human operator was negligent.
Legal Issue:
Whether civil liability applies to damages caused by autonomous AI systems.
Decision:
Court held the manufacturer is liable under Product Liability Law, even without direct human negligence.
Emphasized that AI is treated as a “product” capable of causing damage if defective.
Significance:
Establishes precedent for strict liability in AI systems causing harm.
Reinforces the principle that companies deploying AI must implement rigorous safety and monitoring protocols.
Case 3: AI Chatbot Discrimination Case – Employment Selection (2022)
Facts:
A company used an AI-based hiring tool to screen candidates.
Allegations arose that the AI discriminated against female applicants.
Legal Issue:
Whether AI-assisted hiring can constitute gender discrimination under Spanish labor law.
Decision:
Court ruled that companies are responsible for AI outputs that violate anti-discrimination laws.
The AI system must be audited for bias, and human oversight is mandatory.
Significance:
Confirms liability of employers for AI discrimination.
Highlights the importance of algorithmic transparency and bias mitigation.
Case 4: AEPD v. Telefonica (2023) – AI-Based Customer Profiling
Facts:
Telefonica used AI to create detailed profiles of customers for marketing purposes.
Customers claimed that they had not given explicit consent for automated profiling.
Legal Issue:
Whether automated AI profiling without explicit consent violates GDPR and LOPDGDD.
Decision:
AEPD fined the company.
Ordered that explicit consent must be obtained for AI-driven profiling and customers must be informed about the processing logic.
Significance:
Reinforces transparency and consent requirements for AI systems in Spain.
Clarifies that even indirect or background AI processing requires compliance with personal data laws.
Case 5: AI-Generated Content in Intellectual Property (2023)
Facts:
An AI system generated creative content (images and texts) used commercially by a startup.
A competitor claimed copyright infringement.
Legal Issue:
Whether AI-generated content qualifies for copyright protection and who holds liability for infringement.
Decision:
Court held that AI cannot hold copyright, only the human or company controlling the AI can claim rights or be liable.
If the AI reproduces copyrighted material without authorization, the human operator is responsible.
Significance:
Clarifies IP rules for AI-generated content.
Assigns responsibility for AI outputs to human operators or legal entities.
3. Summary of Key Principles from Spanish AI Case Law
| Principle | Explanation |
|---|---|
| Transparency and Explainability | AI systems making significant decisions (credit, hiring) must provide human-interpretable explanations. |
| Strict Liability for AI Products | Manufacturers are liable for harm caused by defective AI, even without negligence. |
| Human Oversight | Companies must supervise AI, especially in sensitive or high-risk contexts. |
| Bias and Discrimination | Employers or service providers are accountable if AI results in discriminatory outcomes. |
| Data Protection Compliance | AI systems processing personal data must comply with GDPR/LOPDGDD, including consent and profiling rules. |
| IP Ownership | AI cannot own copyright; liability and rights rest with human controllers. |
4. Conclusion
Spain currently regulates AI through existing EU law, national data protection laws, product liability, consumer protection, and cybersecurity frameworks.
Courts hold human operators, manufacturers, and companies responsible for AI actions, including fraud, discrimination, and harm.
AI is treated as a tool or product, not a legal person, so all liability flows to humans or legal entities.
Transparency, human oversight, and compliance with data protection and liability laws are critical for AI deployment in Spain.
Overall: Spain’s AI law is risk-based, human-centric, and compliance-driven, with emerging case law confirming liability principles, data protection obligations, and the need for auditing AI systems.
RELATED Blog
comments