
Spain proposes a new AI bill, including significant fines

Yesterday, the Spanish government announced a proposed bill designed to harmonise Spain's legal framework with the EU’s AI Act. This bill aims to ensure the ethical, inclusive, and advantageous use of AI. It introduces substantial fines for violations connected to banned practices and high-risk systems. While the Spanish Agency for AI Supervision (AESIA) has broad oversight responsibilities, it collaborates with specialised bodies like the Spanish Data Protection Agency, the Bank of Spain, and the Central Electoral Board to monitor sector-specific AI applications.

Context – The EU AI Act

The EU AI Act is already in effect, providing a foundational legal framework for AI regulation across the Union. It sets out a system for gradual implementation, with initial provisions such as AI system definitions, AI literacy, and a range of prohibitions on AI use cases that pose unacceptable risks to take effect from 2 February 2025. This Act is directly applicable across all EU Member States, eliminating the need for national transposition.

Additionally, the EU AI Act establishes a decentralised penalty framework for AI systems, detailing explicit conditions for administrative fines concerning infringements of specific provisions. These conditions aim to ensure uniformity in the level of fines imposed across the EU, particularly by defining maximum fine limits.

The criteria for determining fine amounts include the nature, gravity, and duration of the infringement, the entity's financial capacity, and whether the violation was intentional or negligent. Cooperation with authorities and prior infringements are also considered, allowing for individual assessments of each case.

Member States are tasked with establishing specific penalties and supervisory authorities, while the variability in fine amounts across the EU may pose challenges for stakeholders within the AI system value chain.

Prohibited practices

Starting February 2025, the EU AI Act prohibits certain AI practices, including subliminal techniques to manipulate decisions and exploitation of vulnerabilities related to age or socio-economic status. It also prohibits biometric classification based on race or political, religious, or sexual orientation, and scoring individuals or groups on social behaviours or traits.

Under the EU AI Act, breaches of rules concerning prohibited AI practices can result in administrative fines amounting to as much as €35 million or 7% of the total worldwide annual turnover of the preceding year, whichever is greater.

The proposed Spanish bill frames violations related to banned practices with fines varying between €7.5 million and €35 million, or 2% to 7% of the prior year's global turnover, whichever is higher. For small and medium enterprises, these fines might be capped at the lesser of these two figures.

For regulatory oversight, specific authorities are designated per sector: the Central Electoral Board will oversee systems used in electoral processes, the Bank of Spain will manage AI for creditworthiness ratings, the Directorate-General for Insurance will handle insurance-related systems, and the CNMV will supervise capital market systems. In other cases, the AESIA shall serve as the competent authority.

High-risk systems

High-risk AI systems, which include applications integrated as safety components in various products and sectors, are subject to stringent requirements under the EU AI Act. These systems span industrial products like machines and elevators, protective systems such as PPE, and pressure equipment or gas appliances. They also include toys, radio equipment, medical products like in vitro diagnostics, transportation items, and domains like biometrics, critical infrastructures, education, employment, access to essential services such as credit or insurance, and public benefits.

The EU AI Act mandates that these systems have robust risk management and human supervision, thorough technical documentation, effective data governance, comprehensive record-keeping, transparency, communication to deployment managers, and quality systems in place.

Failure to comply with these requirements may lead to penalties, proportional to the severity of the offence under the proposed Spanish draft bill. A very serious infringement includes not reporting significant incidents, such as a death or environmental damage, or failure to comply with market surveillance authority orders, with penalties ranging from €7.5 to €15 million or up to 3% of global turnover.

Serious infringements involve inadequate human supervision in biometric systems for employee monitoring, or lack of a quality management system in AI-driven industrial robots, attracting fines between €500,000 and €7.5 million or up to 2% of global turnover. Another serious infringement relates to the improper labelling of AI-generated deepfakes, which must be identified clearly as AI-generated during the first interaction.

Minor infringements may include not affixing the CE mark, which indicates compliance with the AI Regulation, on the high-risk AI system or its packaging. Authorities overseeing high-risk systems will default to the existing bodies supervising the affected sector, where products are subject to harmonised legislation.

Additionally, oversight by the Spanish Data Protection Agency applies for migration and asylum systems, the General Council of the Judiciary covers AI used in justice administration, and the Central Electoral Board handles systems in electoral contexts.

Supervision and implementation

The newly created Spanish AI supervisory agency (AESIA) plays a key role in overseeing the governance and regulation of AI systems within Spain's legislative framework. It is tasked with ensuring the proper implementation of AI regulations across various sectors, particularly those not explicitly monitored by other specific authorities. The agency's role is important in maintaining alignment with established legal and ethical standards, thereby preventing misuse or harmful applications of AI technologies.

AESIA also supports AI innovation significantly. It contributes to the development of AI sandboxes – controlled testing environments that facilitate the creation, validation, and refinement of high-risk AI systems before they are deployed. These sandboxes are crucial for meeting European requirements, striking a balance between regulatory compliance and technological progress.

In line with the EU AI Act’s innovation agenda, Spain has proactively initiated an AI sandbox to promote experimental settings for high-risk AI systems. This reflects Spain's commitment to preparing for AI law implementation, ensuring that AI technologies are developed safely and responsibly.

Moreover, AESIA's insights gained from monitoring AI systems and testing environments enable it to publish technical guidance. This aids AI providers and operators in complying with applicable requirements, contributing to a transparent and well-informed AI ecosystem.

While the Spanish Agency for AI Supervision has broad oversight responsibilities, it collaborates with specialised bodies such as the Spanish Data Protection Agency, the Bank of Spain, and the Central Electoral Board to monitor sector-specific AI applications. This collaboration seeks to ensure comprehensive coverage across various domains, including biometric data management and electoral processes.

Looking ahead

With this draft bill, Spain positions itself as one of the first EU countries to implement the AI Act.

The bill will now proceed through the urgent legislative process, returning to the Council of Ministers for final approval and submission to Parliament.

Stay tuned for further updates!

Market surveillance authorities supervise and enforce the rules for AI systems, for example the prohibitions and rules for high-risk AI. Each Member State has to designate and empower market surveillance authorities until 2 August 2025. Market surveillance authorities will have powers to investigate and enforce compliance with the AI Act, in line with EU market surveillance rules.
