The Spanish Government has presented the Draft Law for the Good Use and Governance of Artificial Intelligence (AI), a law that aims to regulate how this technology is applied in the State. This law adapts the European AI Regulation approved in 2023 and specifies how it should be integrated into our legal system, establishing clear obligations for both companies and public bodies.
The draft, currently in the public consultation phase, incorporates from the European Regulation the classification of AI applications according to the level of risk they may pose to society. Those with “unacceptable risk” are prohibited: these are systems that manipulate people or try to deduce their emotions, race or political opinions. Those with “high risk”, such as those used in education, healthcare, employment or essential public services, may be used, but under strict supervision and with specific requirements. Those with “low risk” may be used more freely. In addition, a national register will be created to identify systems considered to be high risk.
One of the most sensitive issues is the use of facial recognition in real time. It will only be allowed in very specific and serious situations, such as searching for victims of crimes or preventing terrorist attacks, and always with judicial authorization. The request must justify the reason, who it is intended to identify, where and for how long. The authorities must respond within a maximum of 48 hours. It sounds like something out of a movie from not so long ago.
Another relevant point is the obligation to clearly identify any AI-generated content, such as texts, images or videos. This means that people will have to know if what they see or read has been created by a machine. They must also be informed when they are being subjected to systems that recognize emotions or use biometric data.
To ensure compliance with the law, several bodies will share responsibilities. The Spanish Agency for the Supervision of Artificial Intelligence (Aesia) will be the main body responsible, while other entities such as the Spanish Data Protection Agency or the Central Electoral Board will assume specific functions depending on the area. Any citizen will be able to report breaches, even anonymously.
The sanctioning regime is strong for companies: fines can reach up to 35 million euros or 7% of global turnover, depending on the seriousness of the infringement. On the other hand, if the infringement comes from a public authority, no fines are imposed, only warnings or other internal measures, which has generated criticism for the lack of real consequences precisely when the administration is responsible.
The law is expected to come into force in the first half of 2025, although some obligations will apply from August or later. For SMEs, this means that they need to start getting to know the new rules well, especially if they use AI-based tools. Understanding what can be done, what is prohibited and how to act in accordance with the law will be key to avoiding penalties and using this technology safely and responsibly.