TMT 2024

Last Updated February 22, 2024

Spain

Law and Practice

Author



Asensi Abogados is a boutique law firm specialising in the gaming and gambling sector. It represents and advises a large number of international gaming companies with interests across the Spanish and Latin American markets. The firm works for the largest online betting and casino operators, software providers, skill games operators, affiliates and payment solution providers, as well as land-based operators, slot-machine manufacturers and suppliers. Asensi Abogados has offices in Madrid, Mallorca and Bogotá, and is part of the Spanish Digital Gaming Association (Jdigital). Its TMT practice focuses on digital challenges faced by its online gambling operators, such as data protection, digital markets, e-commerce or cloud computing. A team of two partners and nine associates operates in Spain, while the Colombian office is composed of one partner and two associates. Recent work carried out by the firm includes detailed advice for online operators in Spain.

The Metaverse and its Regulation

The metaverse was considered the greatest technological revolution of recent years until the sudden and massive take-off of AI over the last 12 months unseated it as the most promising technology. The two are, however, strongly interconnected.

The metaverse refers to a three-dimensional virtual reality, in which individuals can interact through avatars much like they do in reality, through a fully immersive experience. It will allow us to study, hold work meetings, attend concerts, go shopping and engage in a long list of activities, many of which are currently beyond the imagination. The reality is that the metaverse is still early in its development, despite the fact that it has evolved considerably over the last year. Certainly, it is mainly used today for the development of leisure activities and especially for video games, but its applications will continue to grow exponentially.

Even though AI is currently the focus of all regulatory efforts, it will make a significant contribution to the metaverse’s development, allowing for much more realistic experiences. There is no doubt that the evolution of the metaverse is unstoppable, so it is becoming urgently necessary to regulate the legal aspects that derive from it, encompassing matters such as data protection and cybersecurity.

Currently, regulatory frameworks exist both at Spanish and European levels, which can serve as a basis for the resolution of potential problems that may occur in the development of the metaverse. In the EU, the General Data Protection Regulation (GDPR), the Digital Services Act, the Digital Markets Act and the Cybersecurity Act are all pertinent, among others. In addition, as digital identity is key to interaction in the metaverse, the adoption of EU Regulation eIDAS2, which amends EU Regulation 910/2014, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market (eIDAS), and whose approval by the EU Parliament took place on 29 February 2024, will be essential for the development of the economy in the metaverse.

In Spain, the Ley Orgánica de Protección de Datos y garantía de los derechos digitales (LOPDGDD), which transposes the GDPR, and the Ley de Servicios de la Sociedad de la Información (LSSI), which regulates the electronic procurement of goods and services, constitute the main regulations to deal with the metaverse phenomenon for the time being.

Obviously, these rules do not cover the abundance of situations and conflicts that will have to be resolved in the coming years; for now, the aforementioned pieces of legislation will have to be supported with the standard Spanish contractual and consumer protection law.

The Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority, has focused several times on the metaverse and the risks it poses to privacy. This body acknowledges that the metaverse is made possible as a result of the development and expansion of a multitude of technologies in constant evolution which interact in the metaverse. These include the internet of things (IoT), artificial intelligence (AI), blockchain, 5G, digital identity techniques, cloud or edge computing, and virtual reality or augmented reality technologies.

The Challenges Posed by the Metaverse

There are two essential risks that will have to be faced in relation to the metaverse: privacy and data security.

As the AEPD points out, the metaverse can be very intrusive from a privacy point of view since the amount of data processed in this environment is massive. Thus, the processing of some specific categories of data will be of paramount importance and will make it possible to extract extremely detailed information from users. Such is the case with biometric data. Virtual reality glasses will be able to determine what we like and what gives us pleasure or elicits rejection with the analysis of the changes in our pupils.

Likewise, the perception of postural changes or the position of avatars in the virtual environment will reveal information of which the user is not aware. This information might be used to personalise marketing campaigns based on specific profiles.

So, each of the technologies that converge in the metaverse presents certain privacy risks that will have to be addressed, ranging from non-consensual profiling to identity theft. Therefore, it will be essential to adopt the necessary measures based on the mechanisms provided for in both of the data protection regulations. These measures must integrate impact assessments, data security, transparency in data processing, the guarantee of the rights of the data subjects and the minimisation of data collection.

As the metaverse gradually becomes a common place for social interaction, one in which real-world transactions take place, trust mechanisms will become vital. Some of Spain’s largest real estate companies are already selling properties in the metaverse, for instance.

The very concept of the metaverse as a virtual reality space in which people interact as they do in the real world also entails the presence of (cyber)criminals and a space conducive to piracy. Blockchain technology, through its process validation system, can help mitigate these risks, but it cannot make them disappear, at least not on its own. It must go hand in hand with the implementation of strong cybersecurity measures that can neutralise techniques such as phishing or prevent the theft of cryptocurrencies.

However, the development of the metaverse will face other challenges, beyond privacy or cybersecurity. For example, there are AI tools for image and video generation that can alter creative processes and consequently affect the work of artists.

This leads on to the potential problems related to intellectual property. Since the non-fungible tokens (NFTs) are subject to transactions in the metaverse, mechanisms must be established to verify their authenticity and identify copies or plagiarism. Some lawsuits have already been filed by luxury firms against the plagiarism of their products through NFTs.

In addition, the sustainability and environmental impact issues arising from the high energy consumption required for interaction in the metaverse cannot be ignored, as well as the accessibility barriers, the mental health issues that can arise from addiction to technology, and the technological challenges of achieving interoperability between metaverses.

All these concerns have been highlighted by the European Parliament’s Committee on Legal Affairs, which in December 2023 adopted a report outlining the challenges posed by virtual worlds.

In any case, none of the above will be a reality without the input of the big technology companies that lead the development of the metaverse. These companies will set the pace for the future development of the metaverse, a technology that still has a long way to go.

Brief Introduction to the Concept of Digital Economy

The digital economy entails the use of technology for the production of goods and services, as well as for their subsequent commercialisation, for example, e-commerce, mobile applications or online banking. There is no doubt about the importance of the role that the digital economy plays in our lives today.

In line with the above, it is a reality that within the EU and in each of its member states, a real digital revolution is being experienced. This is confirmed by the huge number of regulations that have been adopted in recent months and the many others that are under legislative discussion, precisely because more and more aspects of our lives are developing in the digital environment and the inevitable and accelerating advance of technology.

Digital Regulation

Before discussing in detail the regulations that expressly regulate the digital economy, it is convenient to briefly review some of the most relevant provisions approved over the last year that refer in a more general way to digital rights, essential for human beings to interact in an orderly manner in the digital environment.

Decision (EU) 2022/2481 of 14 December 2022 sets out the strategic agenda for the Digital Decade Policy Programme 2030, and is based on the communication of 9 March 2021 entitled “2030 Digital Compass” to guide the digital transformation of the EU for the coming years. In this regard, in September 2023, the first report on the state of the Digital Decade was published. It urged the member states to increase investment to accelerate digital transformation in Europe.

In this context, the declaration on European Digital Rights and Principles for the Digital Decade, adopted on 15 December 2022, must also be noted. It reflects the EU’s commitment to achieving a secure digital transformation, putting people at the centre, in order to achieve the objectives of the aforementioned 2030 Digital Compass.

In Spain, these digital commitments are reflected in the Digital Rights Charter, presented by the Spanish government in July 2021, which aims to protect citizens from the possible risks generated by disruptive technologies. They are not normative in nature and therefore merely constitute a frame of reference for public authorities.

This document is complemented by the Digital Spain 2026 strategy, which constitutes the update of the Spanish digital transformation roadmap launched in July 2020.

Regulation of Digital Services and Digital Markets

Having explained the foundational legislation that should govern any regulatory development in the digital field, we must highlight the publication of several rules that directly regulate certain aspects of the digital economy and that constitute the Digital Services Package presented by the European Commission in 2020.

This digital package basically translates into the approval of Regulation (EU) 2022/2065, of 19 October 2022, known as the Digital Services Act (DSA), and Regulation (EU) 2022/1925, of 14 September 2022, known as Digital Markets Act (DMA).

The adoption of these two rules is an essential part of the EU’s Digital Agenda and aims to create a safer digital space, both for citizens and businesses, in the face of the exponential growth of digital services, especially after the pandemic.

In the end, it is a question of establishing a specific set of uniform rules for the entire EU in order to ensure legal certainty and the proper functioning of the internal market by creating a secure and reliable online environment.

It should also be noted that the EU legislature has chosen a Regulation and not a Directive to regulate the package of digital measures, which implies its direct application as law without the need for transposition in all countries of the European Economic Area (EU plus Iceland, Norway and Liechtenstein).

Digital Services Act

The DSA aims to be a pioneer in the regulation of digital services by reformulating in detail the rights and obligations of certain intermediary service providers, users and digital businesses in order to strengthen respect for fundamental rights in the EU and by establishing a new liability regime for certain platforms. In this sense, new diligence requirements are established for intermediary services providers in terms of the actions to be carried out in the face of illegal content.

It is a necessary update because since the former Directive on electronic commerce was published in 2000 (and transposed into Spanish law by the LSSI), there have been no significant changes in these regulations, despite the fact that the transformation of digital markets and services since then has been overwhelming.

It should be noted that the new DSA does not derogate from the old Directive of the year 2000 and, therefore, the LSSI will continue to be in force in Spain regarding any provisions that do not contradict the DSA. Thus, in Spain, verification work will have to be carried out to verify the enforceability of the provisions of the LSSI that do not contradict the DSA.

As happened with the GDPR, the DSA will involve a significant effort from operators so that they can adapt to its provisions, which is why many of its articles have not been applicable, even though the rule entered into force on 16 November 2022.

In addition, in the wake of the GDPR, the DSA affects those providers that address their services to citizens located in the EEA, including big Chinese and American technology companies. Moreover, the DSA includes a strong sanctioning regime to deter non-compliance.

The DSA concerns the following intermediary service providers:

  • intermediary services offering network infrastructure, such as internet access providers and domain name registrars;
  • hosting services – eg, cloud computing and web hosting; and
  • online platforms, such as social media platforms, marketplaces and app stores.

In addition, it includes an extensive reference to very large online search engines and very large online platforms (VLOP), which reach more than 10% of Europe’s 450 million consumers, to which a specific regime will apply. Once they have been designated by the Commission, they have four months to comply with their additional obligations.

These above-mentioned services can be divided into three groups:

  • those of mere conduit;
  • those of caching; and
  • hosting services (including online platforms).

Furthermore, the DSA incorporates three new kinds of service provider:

  • digital services co-ordinators, to be appointed by each member state;
  • trusted flaggers, to recognise and flag illegal content; and
  • compliance officers, to be appointed by the VLOP.

One of the central components of this new regulation is the inclusion of measures to fight against illicit goods, services or online content, including a liability exemption regime (“safe harbour”) that applies to mere conduit and caching services, when they are not involved with the information transmitted, and from which providers of hosting services or data storage services may also benefit if certain requirements are met. Among other things, the provider should, upon obtaining actual knowledge or awareness of illegal content, act to remove or to disable access to that content. Thus, the provider will only be liable when it has actual knowledge that the activity or information stored is illicit and does not proceed to the withdrawal of said data or to disable access.

In this sense, the interpretative problems will derive from the consideration of the concept of “actual knowledge”. The practical problems will come because the removal of such illicit content must take place respecting the fundamental rights of the recipients, including the freedom of expression and the right to information. The balancing of such rights will be complicated for providers and may entail serious difficulties in determining liability in court.

So, what would happen if the platform mistakenly removes content upon notice from a trusted flagger and it turns out that content was not illegal? This could happen, for example, in the case of closure of profiles on social media platforms. It seems that the end user affected by such improper termination of their profile has no legal action according to DSA provisions to assert their rights. In this regard, it should be borne in mind that the content of profiles on social media platforms can affect many other areas, such as the intellectual property rights related to such content. Clearly, a solution to this problem will have to be found by the member states.

In April 2023, the Commission designated a first group of VLOPs, including Amazon, Facebook, TikTok and X (formerly Twitter). All this despite the fact that the Commission has recently initiated formal proceedings against X for breaches of the DSA.

Digital Markets Act

The DMA aims to ensure a level playing field for digital companies by fostering competition for the benefit of all users. That is why the position of the “gatekeeper” acquires special relevance, understood as those platforms with a significant impact on the internal market, as they act as a gateway for professional users to reach end users.

In this sense, the DMA aims to prevent gatekeepers from imposing unfair conditions on these users, whether professionals or end users, thus prohibiting the development of unfair practices by platforms with the highest market share. This will facilitate the growth of start-ups that will be able to operate in a fairer and more equitable environment.

For example, gatekeepers will need to ensure that end users can easily unsubscribe from platform services or uninstall pre-installed services. In addition, they must allow their business users to promote their offers and enter into contracts with their customers outside the gatekeeper platform, or provide them with access to the data they generate when using the gatekeeper’s platforms.

As for prohibitions, among others, they will not be able to track end users outside the gatekeeper’s core platform service for targeted advertising purposes, without effective consent having been granted, and they will not be able to classify their products or services more favourably than those offered by third parties.

These companies shall be designated gatekeepers for at least one of the core platform services included in the DMA, which are as follows:

  • online intermediation services;
  • online search engines;
  • online social networking services;
  • video sharing platform services;
  • number-independent interpersonal communications services;
  • operating systems;
  • web browsers;
  • virtual assistants;
  • cloud computing services; and
  • online advertising services.

Within the framework of the DMA, as was the case with the DSA, three kinds of service provider are contemplated.

  • The gatekeepers ‒ for a company to acquire the status of gatekeeper it must meet certain qualitative and quantitative thresholds provided for in the regulation.
  • The high-level group ‒ this will be composed of several European bodies with sufficient expertise to advise on the implementation of the DMA.
  • The compliance officers, appointed by each gatekeeper.

The Commission shall be the authority empowered to enforce the provisions of the DMA. To this end, it may count on the collaboration of the authorities and courts of each member state, with whom it may act in a co-ordinated manner to carry out the necessary investigative measures.

In any case, any user who sees their rights violated in relation to the DMA may assert them before the national courts, directly invoking the violation of the provisions contained in the aforementioned legal text.

The DMA was published on 12 October 2022, entered into force on 1 November 2022 and most of its provisions have been applicable since 2 May 2023. In September 2023, the Commission designated, for the first time, a group of six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft, who were given a six-month period to adapt to the specific provisions included in the DMA.

Brief Reference to Digital Finance

A discussion of the digital economy cannot end without including a brief reference to digital finance, given the growth of the crypto-asset market.

In order to undertake appropriate regulation in the field of digital finance, the EU has also prepared a package of rules to regulate this sector. Only one of these will be discussed here, the Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA) adopted on 16 May 2023, published on 9 June 2023 and entering into force on 30 June 2023. Its provisions will be applicable from July 2026, unless any member state decides to advance said application. Such is the case of Spain, where MiCA will be applicable by December 2025.

The MiCA Regulation is the first global standard regulating the issuance and trading of crypto-assets on platforms, excluding financial instruments, deposits, NFTs, the issuance of decentralised generated crypto-assets and decentralised finance. It aims to cover the existing legal gap in the commercialisation of cryptocurrencies at European level, favouring legal certainty, consumer and investor protection, market integrity and financial stability, which will be supervised by the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA).

Spain has designated the National Securities Market Commission (CNMV) and the Bank of Spain as competent authorities for the implementation of MiCA.

General Perspective

Article 6 (30) of Directive (EU) 2022/2555, of 14 December 2022, concerning measures to ensure a high common level of cybersecurity across the European Union (the “NIS 2 Directive”) defines cloud computing as “a digital service that enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations”.

Edge computing consists of cloud computing services delivered closer to where the data are being generated or collected (Recital 34, NIS 2 Directive).

Cloud service providers are considered “digital service providers” under Directive (EU) 2016/1148, known as the NIS 1 Directive, which was transposed into Spanish legislation by virtue of Royal Decree-Law 12/2018, on the security of networks and information systems, subsequently developed by Royal Decree 43/2021. The provisions on cybersecurity contained in that legislation are therefore applicable to cloud service providers.

In any case, the NIS 1 Directive has been superseded by the aforementioned NIS 2 Directive (in fact, it repeals it with effect from 18 October 2024). The NIS 2 Directive, which was published in the OJEU on 27 December 2022 and entered into force 20 days after its publication, includes in its scope, as did the NIS 1 Directive, cloud computing services (Recital 33), as long as the providers provide their services or carry out their activities in the EU territory. They should therefore be subject to the new cybersecurity provisions provided for in the NIS 2 Directive, which should be transposed by the member states up to 17 October 2024.

As stated in this regulation, cloud computing services include, among others, infrastructure as a service (IaaS), platform as a service (PaaS), software as a service (SaaS) and network as a service (NaaS).

Regulated Industries

As far as the banking sector is concerned, although there are no specific regulations for cloud computing as such, the EBA published, at the end of 2017, Recommendations on outsourcing to cloud service providers. Basically, it offers a guide to be followed by financial institutions that decide to make use of this technology.

In Spain, the Bank of Spain, as supervisory authority, ensures compliance and the correct application of these recommendations.

In the insurance sector, the European Insurance and Occupational Pensions Authority (EIOPA) published its Guidelines on Outsourcing to Cloud Service Providers in a similar sense to those applied to the banking sector.

The Dirección General de Seguros y Fondos de Pensiones, the supervisory body in Spain, endorsed the EIOPA guidelines by resolution of 10 July 2020 and since then has been ensuring their correct follow-up.

The ESMA also published its guidelines on 10 May 2021 in the same sense as the previous ones.

Data Protection

The very idiosyncrasy of cloud computing implies that companies providing this type of services must respect the applicable data protection regulations as cloud computing inevitably involves the processing of data. Therefore, it will be necessary to comply with the provisions set forth in the GDPR and the LOPDGDD.

In this sense, the first issue to be resolved is the role in which the cloud computing service provider acts, since, depending on the specific legal relationship that unites it to its client, it will be considered a processor (the most common, which entails the signature of the processing agreement provided for in Article 28 GDPR), or a joint controller by exercising control jointly with its client, with the legal consequences that this entails.

It should be borne in mind that the determination of the legal position occupied by each party determines the law applicable to the contract. Thus, when the client is controller and the provider is processor, the applicable law will be that of the client.

In any case, it will be desirable for the client that the contract with the cloud services provider includes a data portability clause in the event of termination of the agreement. The provider should facilitate such portability to the new service provider or to the client themselves.

Finally, we must not ignore the importance of cloud computing services in international data transfers, that is, with third countries outside the EEA. If such transfer takes place, all necessary measures must be taken to safeguard the processing of data by providing adequate guarantees and, if necessary, signing the standard contractual clauses in their latest approved version. In any case, in the strategy set out in the Digital Compass 2030, the EU has highlighted the desirability of achieving European digital sovereignty, which is embodied in edge computing, bringing data processing closer to users and reducing dependence on clouds located outside the EU.

The AEPD published guidelines in 2018 for cloud computing service providers and for clients in order to resolve the doubts that may arise in terms of data protection in this type of relationship.

When referring to non-personal data, it is mandatory to refer to the publication on 22 December 2023 of the Regulation (EU) 2023/2854 of 13 December 2023, on harmonised rules on fair access to and use of data (the “Data Act”). This Regulation urges providers of cloud and edge services to prevent unlawful access to the systems where non-personal data is stored and facilitate cloud interoperability. In addition, it encourages data sharing between competing providers at the user’s request, as the SWIPO Codes of Conduct to facilitate switching cloud providers and data porting have proved to have only limited effect.

The Data Act entered into force on 12 January 2024 and most of its provisions will be applicable from 12 September 2025.

Regulations on Artificial Intelligence

AI constitutes the ability of a machine to exhibit the same (or comparable) thinking capabilities as humans, allowing learning or problem solving for specific purposes.

AI has seen an undeniably rapid rise in recent years in all areas. This has allowed the application of the technology to a large number of sectors with fascinating results.

However, the use of intelligent systems can in turn entail enormous risks for human beings and even violate their fundamental rights.

For all the above, the public authorities have accelerated normative and institutional development to promptly control this phenomenon and make the most of all the benefits that this technology offers, as well as to protect the individual, who must always be located at the centre of digital law, as the EU has stated in its recent regulations and in those under development.

Regulation is prolific both at EU level and in Spain, although currently only soft law instruments are in force. In any case, every attempt at regulation is accompanied by the arduous task of trying to balance conflicting interests. On one side are the interests of technology companies in developing their systems with the fewest obstacles possible, and on the other side are those of the public authorities that, despite their interest in technological progress, must also ensure the protection of the fundamental rights of their citizens.

EU Regulations

In April 2021, the Commission presented a proposal for a regulation that would be known as the Artificial Intelligence Act (the “AI Act”). On 8 December 2023, the Council and the European Parliament agreed on such proposal, and it is expected to be fully applicable in 2026, although some aspects will enter into force at an earlier stage. As pointed out, this regulation is aimed at encouraging the development of AI by promoting investment and innovation and, in turn, focuses on the risks that this entails in order to achieve safe AI that respects fundamental rights.

Previously, several studies and guidelines had aimed to reflect on AI from an ethical perspective. Examples of such studies are the Ethical Guidelines for a reliable AI, of 2019, endorsed by the European Commission, or the study of the European Parliament Research Service (EPRS) entitled “European framework on ethical aspects of artificial intelligence, robotics and related technologies: European added value assessment”. Subsequently, in February 2020, the European Commission issued the White Paper on Artificial Intelligence, and the European Parliament published the Resolution of 20 October 2020 containing recommendations on ethical aspects of artificial intelligence, robotics and related technologies.

In any case, all that exist so far are soft law instruments, which are not binding. The AI Act is here to change this and is the result of the EU’s claim to leadership in the regulation of AI worldwide; it is one of the essential milestones of its Digital Agenda and constitutes a pioneering standard in the regulation of this technology.

Although the final version of the text has not yet been published, the main features of this regulation are clear from the drafts that have already been distributed. The definition of AI is close to the OECD’s one and the regulation focuses especially on high-risk systems. Thus, worth highlighting are the establishment of the obligation to carry out a fundamental rights impact assessment for high-risk systems and the express prohibition of systems that pose unacceptable risks.

In order to ensure compliance with the provisions contained in the AI Act, the regulation is completed with a strong system of fines and penalties: up to 35 million euros or 7% of global turnover.

With all the above, the European Commission has initiated the so-called AI Pact to encourage key industry players to anticipate the implementation of the requirements of the AI Act by way of “declarations of engagement”, allowing them to share their solutions with other participants.

Finally, it should be noted that in September 2022 the Commission submitted a proposal for a Directive on adapting non-contractual civil liability rules to AI (the “AI Liability Directive”). It provides for new rules on disclosure of information and burden of proof in proceedings for claims for damages caused by AI systems. This regulation delves into an issue as important as liability for fault or negligence in the claims indicated and represents a new advance in the package of measures planned by the EU for the regulation of AI, which is completed by the revision of the Directive of 25 July 1985 on liability for damage caused by defective products, including liability for AI systems.

All of this is intended to adapt the rules on product liability, as well as the non-contractual civil liability regime, to the digital age and, in particular, to AI.

Spain

Spain has also taken the development of new technologies very seriously and, with regard to AI, has adopted several regulatory measures with the aim of becoming one of the pioneer countries in the regulation of digital aspects.

In 2019, the Spanish Strategy for I+D+I in AI was approved, as was the Digital Strategy for Artificial Intelligence (ENIA) in 2020, within the framework of the Digital Spain 2026 Agenda, in order to facilitate the development of inclusive, sustainable and citizen-centred AI.

Some of the measures that are provided for and have already been implemented are the creation of the Data Office and the figure of the Chief Data Officer, as well as the implementation of the Artificial Intelligence Advisory Council. In addition, the Spanish Agency for the Supervision of AI was created in September 2023, with headquarters located in A Coruña, and became operational with the appointment of its governing board, in December 2023. With the creation of this Agency, Spain becomes the first EU country to set up such a body, anticipating the requirements of the AI Act.

In addition, the previously revised Digital Rights Charter of 2021 includes a specific section on AI rights.

Article 23 of Law 15/2022, of 12 July 2022, the comprehensive law on equal treatment and non-discrimination, is the first inclusion in a Spanish Law of a specific provision on AI for the purposes of establishing mechanisms so that the algorithms used by public administrations consider non-discrimination, transparency and accountability, where technically feasible. It also calls for the promotion of ethical AI that respects fundamental rights.

Finally, on 7 November 2023, the government of Spain with the collaboration of the European Commission implemented the first EU regulatory sandbox on AI. The objective is a joint resolution by the competent authorities and companies developing AI on the best practices that should serve as a basis for the application of the AI Act.

Legal Aspects of AI

Although, as indicated, there is a great interest at both EU and domestic level in effectively regulating AI, the truth is that today the legal conflicts that may arise as a result of the use of AI must be resolved by resorting either to common national law in civil/commercial or criminal matters, or to sectoral legislation that regulates industrial and intellectual property, data protection or business secrets, among other things.

However, there are already several initiatives that touch on aspects as varied as product liability or the protection of fundamental rights against the interference of new technologies.

It is undeniable that AI seriously endangers privacy, even more so with the development of neurotechnology by big technology multinationals. Thus, the implications in the field of data protection are unquestionable and, in any case, the provisions of the GDPR and the LOPDGDD must be complied with.

For example, AI may involve certain risks of discrimination arising from data processing based on predictions. Therefore, it is essential to constantly monitor the model for bias and adjust it to neutralise potential discrimination.

In addition, it is necessary to bear in mind the practical difficulty posed by the existence of future uses of the data not foreseen at the time of its collection and for which the user’s consent is not granted.

Difficulties may arise around data sources and data reuse. An assessment of the risks and even a data protection impact assessment will have to be carried out and the data will have to be anonymised. In the end, any project involving AI must respect the principle of accountability and be developed with data privacy by default and by design built in.

In any case, the data must be processed lawfully, fairly and in a transparent manner, and the data subjects must be duly informed about the processing of their data.

Many privacy issues may arise regarding common forms of data processing, such as those involving so-called web scraping techniques that, wrongly relying on access to data from public sources, skip the obligations derived from the data protection regulations. All this must be aligned with the Data Governance Act (Regulation (EU) 2022/868, published in the OJEU on 3 June 2022), which establishes mechanisms for the re-use of certain categories of publicly held protected data.

The extraction of information from websites may also entail intellectual property risks where those pages are protectable and copyright can be invoked. The European Network and Information Security Agency (ENISA) has identified, in a report on big data security, the different digital and cybersecurity threats for big data projects. This reinforces the transversal importance of cybersecurity in terms of AI, so that the application of the regulations in this matter cannot be ignored.

The IoT and its Main Implications

On 16 September 2014, the Article 29 Working Party (now the European Data Protection Board) issued an opinion on the evolution of IoT and defined it as the infrastructure in which multiple sensors embedded in common devices record, process, store and transfer data and interact with other devices or systems, making use of its network connection capabilities.

From a data protection perspective, it should be noted that on 3 December 2020, the AEPD published an explanatory article detailing the implications that IoT devices could have in terms of data protection. Thus, according to this guide, there are multiple actors involved in the processes linked to IoT devices (manufacturers, developers, cloud computing providers, telecommunications operators and social networks, among others).

Each of these agents may adopt the role of controller or processor, and, based on this, they must assume the obligations provided for each figure in the applicable data protection regulations.

Likewise, the categories of data subject to processing will be diverse, including contact data, internet usage habits, geolocation, physiological data, images, voice, and many more.

IoT devices can process not only data directly captured or provided by the user itself, but also inferred data, which is obtained from the analysis and processing of a large volume of data from various users through the use of technologies such as big data and AI.

All this can pose serious privacy risks since certain devices are able to capture habits and behaviours in an extremely detailed way, to such an extent that any hint of privacy disappears completely and the legal basis that legitimises the processing of data is completely blurred.

This is especially worrying in cases of voice-controlled devices, which can capture conversations totally unrelated to their use.

Also relevant is the incipient rise of home automation IoT devices that allow control of different elements of the home, such as air conditioning, lighting or blinds. There is already an increasing tendency to connect these devices directly to the manufacturer’s cloud, which will be accessed through an app, using 5G technology. This will imply new challenges in terms of privacy protection.

In any case, in the absence of specific regulation, and without prejudice to the provisions below, common Spanish Law must be resorted to in order to resolve possible conflicts arising from the application of the IoT, although most attention must be paid to the EU and Spanish regulations on data protection. Especially relevant are Articles 21 and 22 of the GDPR relating to the right to object to data processing and automated decision-making, including profiling.

IoT Regulations

The complexity derived from IoT devices has been addressed, from the most technical point of view, through the regulation of cybersecurity. It has already become clear that any vulnerability in IoT devices can jeopardise the privacy of users, so it makes perfect sense that cybersecurity stands as the key element in protecting the rights of users of IoT devices.

Thus, in the EU, special mention should be made, on the one hand, of the NIS 2 Directive regarding network and information security, which is applicable to IoT devices, and on the other hand, of the proposal for the Cyber Resilience Act (CRA), given that it will include a regulation on cybersecurity requirements for products with digital elements to ensure more secure hardware and software products. The European Parliament and the Commission agreed on 1 December 2023 on the final proposal of the CRA, which is expected to be adopted in early 2024.

In Spain, the approval of Royal Decree-Law 7/2022, of 29 March, on requirements to guarantee the security of fifth-generation electronic communications networks and services, is essential for the regulation of IoT. 5G technology will be crucial for the connectivity of IoT devices.

From a data protection perspective, and without prejudice to the application of the GDPR, it is mandatory to refer to the Data Act, as it sets rules on the exchange of data generated through the use of connected products, such as those that form part of the IoT, allowing users to access the data they generate, as well as public sector bodies in cases of public interest.

Legislative Overview

The emergence of new forms of audio-visual content consumption led to a review of the regulation of audio-visual media services within the EU, which resulted in the approval of Directive (EU) 2018/1808, of 14 November 2018, published in the OJEU on 28 November 2018 (the “Audiovisual Media Services Directive”). This Directive lays down EU-wide media content rules for the provision of audio-visual media services, including traditional television broadcasts, on-demand services and platform video sharing.

The application of this regulation aims to strengthen the safety of viewers and, to this end, for example, the regulation referring to illegal content is extended to include video-sharing platforms. It also includes measures for the protection of minors and disabled persons and encourages the adoption of codes of conduct to limit the advertising of unhealthy products intended for minors.

The Directive establishes the country of origin principle, according to which audio-visual media service providers are subject to the law and jurisdiction of the member state in which they are established.

It was transposed belatedly into the Spanish legal system by virtue of Law 13/2022, of 7 July (the “General Law on Audiovisual Communication”), and part of its most relevant content is summarised in the following points.

  • Protection of children and teenagers from inappropriate content. Providers must offer an age-rating system. Thus, content not recommended for children under 18 can only be broadcast between 10pm and 6am.
  • Besides television activity, it covers paid streaming platforms, video-sharing platform services and users of special relevance (so-called influencers), as long as they are established in Spain. As a result, platforms such as Netflix, HBO or Amazon Prime are not affected by this law.
  • All the above-mentioned subjects must:
    1. be registered in the state registry of audio-visual communication service providers;
    2. include systems to verify users’ ages;
    3. establish mechanisms to rate content according to age; and
    4. include a functionality for users who upload videos to declare whether they contain advertising.
  • Subliminal advertising, advertising of tobacco and electronic cigarettes, and advertising that violates human dignity are prohibited.
  • The advertising of esotericism or gambling, as well as alcoholic beverages, may only be carried out in certain time slots.
  • Advertising is generally limited to 144 minutes between 6am and 6pm, and to 72 minutes between 6pm and 12am.
  • European audio-visual works are promoted by reserving certain percentages for their broadcasting.
  • The production of audio-visual works by women is encouraged, as well as the promotion of co-official languages in Spain.

Influencers

As noted above, the Spanish regulation includes certain obligations for users of special relevance who use video-sharing platforms.

The European Regulators Group for Audiovisual Media Services (ERGA) includes content creators, streamers, influencers or video sharing platforms in its definition of vlogger.

Video sharing platforms (eg, Instagram) are those that:

  • offer the general public content created by the users themselves;
  • do not have editorial responsibility for such content;
  • aim to inform, entertain or educate;
  • are offered through electronic communication systems; and
  • organise their content mainly by algorithms.

That said, the users of special relevance (influencers) of video sharing platforms must meet the following requirements:

  • the service they offer is an economic activity for which they earn significant income;
  • they assume editorial responsibility for their content;
  • they have educational, entertainment or informational purposes; and
  • they have a significant number of followers or users.

Once the above requirements have been met, they must comply with the aforementioned obligations provided for in the Spanish General Law on Audiovisual Communications.

The requirements for significant income and followers need further development as they were not defined by the General Law on Audiovisual Communication. To this end, a proposal for a royal decree was published on 7 December 2023 which considers that:

  • revenues equal to or greater than EUR500,000 are significant; and
  • influencers that exceed 2 million followers and have uploaded at least 24 videos in the previous year have a significant number of followers.

This proposal was submitted to public consultation until 20 December 2023, so it now awaits final approval. Until this happens, the legal provisions affecting influencers cannot be enforced.

Requirements for the Provision of Audio-Visual Media Services

The provision of television and radio communication services requires, prior to the start of the activity, a responsible declaration before the competent audio-visual authority in Spain (the Ministry of Economic Affairs and Digital Transformation). The service may be provided as soon as such declaration is filed, without prejudice to the supervisory powers of the competent authority.

The provision of television and radio communication services by means of radio waves requires a prior licence granted by means of a public tender. This licence shall be accompanied by a concession for the exclusive use of the public radioelectric domain.

To be a licensee, one of the following conditions must be met:

  • to have nationality of a member state or a state that recognises this right to Spanish legal persons;
  • to have a registered office in a member state or in a state that recognises this right to Spanish legal persons; and
  • to have a representative domiciled in Spain for notification purposes.

Licences shall be granted for a period of 15 years, automatically renewable for successive periods of equal duration if the holder has been fulfilling the requirements to be the holder of said licence and provided that there is no third party who, under certain conditions, intends to grant the same licence.

The provision of the video sharing service through platforms, including influencers who make use of these services, should only be registered in the State Register of Audiovisual Communication Service Providers, the operation of which is regulated by the Spanish Royal Decree 1138/2023 of 19 December, in force since 21 December 2023, without prejudice to complying with the rest of the general obligations already explained above.

General Regulatory Framework

Telecommunications in Spain are regulated by Law 11/2022, of 28 June (the “General Telecommunications Law”), which entered into force on 30 June 2022. This regulation is the result of the transposition of Directive (EU) 2018/1972 of 11 December 2018, establishing the European Electronic Communications Code, which was part of a telecommunications laws package that included the creation of the Body of European Regulators for Electronic Communications (BEREC).

One of the main objectives of the Spanish General Telecommunications Law is the massive deployment of 5G networks, and it includes the new classification of electronic communications services provided for in the Directive, which distinguishes between:

  • internet access services;
  • interpersonal communications services (both number-based and number-independent); and
  • services consisting of the conveyance of signals.

Over the Top

As for number-independent interpersonal communications services (ie, without public numbering resources assigned), there is the so-called OTT (over the top), whose services are provided by means of data transmission over third-party networks. This is, for example, the case of some social networks that integrate messaging services. Although OTTs are not legally considered as operators, they must first communicate their intention to provide services.

The law provides for certain obligations for OTTs, which obviously also apply to other operators, among which the following should be highlighted:

  • communicate the start of its activity to the Registry of Operators, whose management corresponds to the CNMC;
  • comply with the obligations to provide information to the authorities;
  • ensure the rights of end users; and
  • adopt the necessary measures for the management of security risks.

General Requirements

Regarding the requirements for the provision of networks and electronic communications services, it is established that this may be carried out by natural or legal persons who are nationals of any country belonging to the EEA or of any other nationality when so established by international agreements.

Those interested parties must give prior notice to the Register of Operators of the start of their activity and submit to the conditions provided for the specific service they wish to provide. If the content of the notification does not meet the requirements, the service shall be refused. However, bear in mind that this does not apply to OTTs, which will only have to communicate the start of their activity to the Registry of Operators for purely statistical purposes.

In the development of its business, the operator should comply with any obligations regarding consumer protection rights and transparency, as well as respecting fundamental rights and freedoms.

Conflicts between operators in the Spanish market will be resolved by the CNMC. The resolution of certain cross-border disputes shall be carried out with the intervention and opinion of BEREC.

Telecommunications Equipment

Telecommunications equipment placed on the market must comply with the legally required specifications, in accordance with the conformity assessment procedures to be established. Certain cases of mutual recognition are foreseen where the conformity of equipment has been assessed in accordance with the essential requirements of another member state. Equipment requiring concessions, permits or licences may be put into service only when it has obtained such ratings. The surveillance of the market for telecommunications equipment and its adequacy will be the responsibility of the Spanish Secretary of State for Telecommunications and Digital Infrastructures.

Installers of telecommunications equipment (and those who assume its maintenance) must submit to the Registry of Telecommunications Installation Companies a responsible declaration on compliance with the requirements for the exercise of said activity, prior to commencing installation.

Use of the Public Radio Domain

The common use of the public radio domain shall not require any enabling title. The special use of the public radio domain is carried out on the frequency bands enabled for shared exploitation, without limitation on the number of operators or users. The private use of the public radio domain is carried out through exclusive exploitation, or exploitation by a limited number of users, of certain frequencies in the same physical area of application.

The enabling titles by means of which rights of use of the public radio domain are granted will take the form of general authorisations, individual authorisations, administrative decisions or concessions. The granting of rights of use of the public radio domain will take the form of general authorisation in cases of special use of frequency bands.

The general authorisation will be understood to be granted without any further formalities than the notification to the Spanish Secretary of State for Telecommunications and Digital Infrastructures, without prejudice to the obligation to pay the corresponding fees.

Individual authorisations shall be granted for use by radio amateurs or for private use for self-provision. For the rest of the cases not contemplated above, an administrative concession will be required. The duration of the enabling title will depend on each case.

Regulatory Framework

Technology contracts are commercial contracts that make specific reference to the use and implementation of new technologies. They often pose a challenge for the consumer or small non-specialist business as they are faced with highly technical documents imposed by large technology companies that offer no room for negotiation.

For all the above, it is important that the client takes into consideration certain crucial aspects before formalising the contract.

Technology contracts do not find a specific regulation in the Spanish legal system, so it will be necessary to resort to common Spanish law, mainly the Civil Code and the Commercial Code, depending on whether both parties are merchants, or the client is a consumer, in which case the provisions of the General Law for the Defence of Consumers and Users will apply.

Pre-formulated Standard Agreements

Pre-formulated standard agreements (contratos de adhesión) acquire special relevance in the framework of technology. These are contracts in which there is an imbalance between the parties so that one party imposes the conditions that will govern the contractual relationship on the other, as the weak party has little or no negotiating capacity to refute the provisions of the document imposed on them.

In these cases, the content of the contract is integrated almost entirely by general conditions of mass traffic and, in accordance with the provisions of both the Spanish General Law for the Defence of Consumers and Users, and the Spanish Law on General Contracting Conditions, the unfair clauses that may be included in such contracts will be null and void when contracted with a consumer.

Main Challenges

The formalisation of technology contracts involves risks for the client that must be detected and, if possible, neutralised. Furthermore, it is advisable that the client has at least a minimal knowledge in this area so as to avoid unexpected occurrences.

In addition, on many occasions the contract will ultimately be reviewed by a legal advisor prior to signing (or at least that would be desirable). This implies that lawyers must be very aware of the particularities of this type of contract, and they must also have knowledge, even if it is basic, regarding the object of the contract. This means that professionals in the legal sector have to be increasingly familiar with technological concepts in order to be able to correctly advise their clients in this growing sector.

Main Features of Technology Agreements

As indicated, there are no specific provisions in the Spanish legal system for this type of contract. However, they usually contain certain clauses. It is important to focus on these clauses as they can complicate the execution of the contract. These clauses include the following.

  • The duration of the contract and its rollover.
  • The price and its possible future revisions.
  • The causes of termination and the periods of notice.
  • The processing of personal data. This point acquires special relevance in certain services that involve massive access to personal data. It will be necessary to analyse in each case whether it is also appropriate to sign a contract for data processing, as provided for in Article 28 of the GDPR, or if international data transfers will take place, in which case the relevant measures must be adopted.
  • The liability assumed by each of the parties. In particular, it is highly advisable to clearly indicate whether the providers are subject to a best-efforts obligation or a performance obligation where the client is seeking specific results.
  • It is common to include a service level agreement (SLA) that details in depth the object of the provision and the quality standards.
  • The intellectual property of the software or deliverables.
  • Confidentiality obligations.
  • Technical specifications, which are usually attached in the form of an annexe.
  • Penalties for non-compliance. In this sense, it is common for the provider to limit its liability economically and, in addition, exclude certain concepts such as loss of profits or indirect damages. It will be necessary to check if these limitations prevent the correct compensation of the client for the damages that may be caused.

Regulations Currently in Force

The use of electronic signatures is becoming more and more common, and contracts are increasingly being signed online for basic needs, such as buying food or clothes, or to interact with the public administration. This creates the need for electronic signature methods that generate trust among users, way beyond the simple insertion of the scanned handwritten signature.

EU

The EU responded to this need with the approval of EU Regulation 910/2014, of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market (known as eIDAS). In Spain, it finds its legal equivalent in Law 6/2020, of 11 November, regulating certain aspects of electronic trust services, which complements the eIDAS Regulation only in those aspects that have not been harmonised at European level and that must be developed by each of the member states.

The eIDAS Regulation distinguishes between the electronic signature, the advanced electronic signature and the qualified electronic signature.

Each of the aforementioned types of signatures is distinguished below depending on whether it allows identification of the signatory with certainty, security regarding the possible manipulation of the content of the contract and the technical means required for its use.

  • The electronic signature may consist, for example, of accepting payment and the terms and conditions in any online purchase. It is the simplest type of signature since no electronic certificate or physical devices are needed to sign. Just “click”. In this case, the real identity of the signatory is not verified, so this method offers fewer guarantees.
  • The advanced electronic signature meets certain technical requirements, specifically, those provided for in Article 26 of the eIDAS Regulation. An example is the biometric signature, which collects the graphics of a handwritten signature on a touch device that stores biometric data and closes with a time stamp that prevents subsequent modifications of the document.
  • Finally, the qualified electronic signature is a type of advanced electronic signature created by means of a qualified device for the creation of electronic signatures which is based on a qualified electronic signature certificate. It is used, for example, in relations with public administrations. It provides the maximum legal guarantees and has a legal effect equivalent to that of a handwritten signature.

Both the advanced and qualified electronic signatures allow the signatory to be identified, prevent subsequent modifications of the document in question, display full legal effects and are admissible as evidence in judicial proceedings.

Devices qualified for the creation of electronic signatures shall comply with certain security requirements. Commission Implementing Decision (EU) 2016/650 of 25 April 2016 publishes a list of standards for the safety assessment of such devices.

Spain

Spanish legislation, on the other hand, applies to public and private providers of electronic trust services established in Spain and to those with a permanent establishment who are not supervised by the authority of another member state. The legislation regulates certain aspects, some of the most relevant of which are the following.

  • Electronic certificates, the period of validity of which shall not exceed five years. Legislation also describes the circumstances for verifying the identity of the signatory.
  • Obligations of electronic trust service providers. They must be subject to the regulation on data protection and must guard and protect the signature creation data. In addition, they must take out civil liability insurance for a minimum amount of EUR1.5 million, except if they belong to the public sector. Such insurance may be replaced by a bank guarantee.
  • Certain cases of limitation of the liability of electronic trust service providers are included, for example, in cases of negligence on the part of the signatory in the preservation of their signature creation data.
  • Information security obligations.
  • Supervision and control. These tasks will be carried out by the Spanish Ministry of Economic Affairs and Digital Transformation.
  • List of infractions and penalties.

Spain is the EU country with the highest number of trust service providers.

The Future of Digital Identity in the EU

In June 2021, a framework for a European Digital Identity was proposed by the EU to be made available to citizens, residents and businesses in the EU through a European Digital Identity Wallet.

To this end, a proposal for a Regulation amending the eIDAS Regulation was prepared. This proposal (so-called eIDAS2) aims to ensure universal access to secure and reliable electronic identification and authentication, all through a personal digital wallet stored on the mobile phone.

It should be noted that since 2006 Spain has issued more than 60 million electronic IDs that allow the electronic signature of documents, and its citizens are therefore familiar with electronic identification. However, the adoption of the new European digital identity will be voluntary for citizens, although it will have the same legal effects as the traditional ID card.

The wallet shall be issued with an electronic identification system that complies with the “high” security level, all based on cybersecurity certification schemes that should provide a harmonised level of confidence in the security of the wallets. Thus, the Cybersecurity Act will be fully applicable to the Electronic Identity Regulation.

The proposed Regulation has a special impact, not only on cybersecurity, but also on the protection of personal data. Its articles include several references to the GDPR and ensure compliance with its principles by qualified trust service providers. In particular, reference is made to the obligation of member states to ensure the protection of personal data and to prevent user profiling.

The user will have full control over their personal data, deciding when, how and with whom to share it. The e-wallet will allow users to identify themselves online and prove specific personal attributes, such as age, without having to disclose their full identity or other personal data. Users will therefore take control over their own identities.

“Trilogues” between the EU institutions ended on 8 November 2023 with an agreement on the proposal for eIDAS2, which was finally adopted on 29 February 2024 by the EU Parliament, with the e-wallet expected to be ready in 2026.

Asensi Abogados

Av. Jaume III, No1, 1º
07012 Palma de Mallorca
Balearic Islands
Spain

+34 971 90 92 19

contact@asensi.es www.asensi.es

Trends and Developments



Introduction

Spain has taken the development of new technologies and improving quality in telecommunications very seriously and, although a large part of the regulations governing these aspects come from the EU, it is also the case that many initiatives have been taken at national level aiming to lead the technological revolution in Spain’s international neighbourhood.

Thus, for example, Spain has focused much of its efforts on the development and implementation of artificial intelligence for application by private companies and the public administration.

Also noteworthy in this regard is the inauguration of a supercomputer in Barcelona on 21 December 2023, the MareNostrum 5, considered one of the ten most powerful supercomputers in the world and the greenest supercomputer in Europe, since it runs entirely on sustainable energy and the heat it generates will be used to heat the building in which it is located.

MareNostrum 5 will be used for important tasks such as medical research and its capabilities will be exploited for the development of AI. In fact, it will be available for European AI start-ups to train their models.

The wide deployment of 5G technology also deserves special mention, and in Spain the 3.58 GHz and 700 MHz frequencies have already been auctioned off, putting Spain among the countries with the highest levels of 5G connectivity.

This high degree of connectivity, in combination with other features such as Spain’s strategic geographical position, is leading to the exponential growth of data centres in the country, a sector that is experiencing record investment figures and is seeing significant growth forecasts. Several companies, such as Amazon or Google, have either already located their data centres in Spain or are planning to do so.

Finally, the process of institutional digitisation that the country is experiencing is remarkable. On the one hand, in November 2023, the notarial electronic protocol came into force in Spain, which will allow, for instance, the obtaining of electronic copies of notarial documents or the granting of certain mercantile acts without the need for the physical presence of the parties, as is the case with the incorporation of online companies.

In addition, Royal Decree-Law 6/2023, of 19 December 2023 was recently passed to regulate the digitalisation of justice, which involves, among other measures, the telematic relationship of citizens with the administration of justice, the keeping of electronic files and identification by electronic means for the formalisation of procedures that until now required the physical presence of the participants.

This article will consider two topical examples of national regulation of and involvement in specific matters that have great practical application, either at present or in the near future. The discussion will first cover the issues arising from age verification systems on adult content websites and in connection with the digital identity to be regulated under eIDAS2. The second part covers the form in which crypto-asset advertising is regulated in the Spanish territory, awaiting the full application of the corresponding regulation on crypto-assets by the EU.

Age Verification Systems in the Context of Digital Identity

Introduction

In December 2023, the Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority, introduced an age verification system for the protection of minors from inappropriate content on the internet. This system is based on ten principles and is accompanied by three proofs of concept that implement age verification in different operating systems.

This is a pioneering initiative in the European Union and is fully compatible with the regulation on digital identity foreseen in the future eIDAS2 Regulation.

The protection of minors on the internet finds its legal source in Spain in Article 84.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights, by virtue of which the holders of parental authority must oversee the responsible use of digital devices by minors for the suitable protection of their dignity and fundamental rights. Likewise, Law 13/2022, of 7 July (the “General Law on Audiovisual Communication”) requires video sharing service providers to establish age verification systems with respect to content that may be harmful to minors.

At the European level, the need for this protection is referred to both in the European Commission’s Communication of 11 May 2022 on the new European strategy for a better internet for children, and in the Digital Services Regulation (DSA).

The AEPD points out that the systems for the protection of minors are intended to guard them from inappropriate content, which is the ultimate objective of the proposed systems. Age verification is therefore merely an instrument for articulating such protection. Thus, any protection system must be designed with the best interests of the child and the protection of their intimacy and privacy in mind, carrying out the mandatory impact assessments for the protection of data of the interested parties.

Characteristics of the age verification systems proposed by the AEPD

The implementation of age verification systems for access to adult content should be subject to the general principles set out in data protection regulations. Thus, such systems must be suitable, necessary, and proportionate, and may not process special categories of data.

With regard to the latter, it should be borne in mind that Article 28 of the DSA expressly states that age verification and the protection of the interests of minors does not constitute a legal basis for the further processing of the child’s data.

Taking all of the above into consideration, the AEPD has established a set of ten principles that must govern any system for the protection of minors using the internet, which can be summarised as follows.

  • Systems should not allow the identification of minors among internet users; any system that requires the minor to disclose their underage status should therefore be avoided. This is in order to prevent minors from being located. It should likewise not be possible to directly infer that the user is a minor merely because they have not been able to verify they are an adult. The risks are clearly minimised when verification by intermediary third parties is avoided and the identity information is instead processed from the user’s own device.
  • The age verification must prove the status of “person authorised to access” and in no case should it seek accreditation of the condition of “minor”.
  • The processing of access accreditation by internet service providers and third-party entities must be anonymous and independent of other processing. Authorisation should be done using attributes that prevent linking to the user.
  • Age verification should only be carried out when the content is unsuitable for minors since, in general, browsing must be free and anonymous.
  • Age verification should give a certain value, not an estimate, as the estimate is subject to errors, biases, and discrimination. However, content providers should under no circumstances address specific age.
  • Websites will need to be tagged to determine whether they host adult-only content, but tagging may not involve user profiling. Running age verification locally from the user’s device would eliminate the risk of profiling or monitoring.
  • The system should not allow the linking of the activity of the same user between different services, as this could lead to the identification of the user.
  • The exercise of parental authority by the parents must be guaranteed. Systems must set up their governing policies by taking families into account.
  • Any verification system must guarantee respect for fundamental rights in internet access; therefore, access to content cannot be limited expansively and indiscriminately. A balance must be struck between the reliability of the age verification solution and usability (requesting evidence that constantly hinders navigation should be avoided).
  • All child protection systems should define a governance framework that ensures compliance with the above principles and that should be auditable by public authorities or independent companies.

Proofs of concept

Following the above criteria, the AEPD has developed three proofs of concept in different environments, creating three alternatives for the implementation of age verification systems that are fully compliant with data protection regulations.

The systems can be deployed on a computer, video game console or smartphone. All of them are based on the installation of certain local applications that allow the age attribute to be verified from identity e-wallets, upholding the anonymity of the user since the information is not shared with the content provider.

These proofs of concept have been developed as a starting point so that different operators have models with which they can develop solutions that meet the criteria and characteristics set out above. These are examples of how an age verification system should be articulated that respects the applicable principles of data protection and at the same time respects the fundamental rights and best interests of the child. The National Commission on Markets and Competition (CNMC) will assess the suitability of the systems that are proposed, following a report from the AEPD.

A public consultation has recently been launched for stakeholders to find out about the current state of age verification systems and to develop tailored solutions.

In any case, it should be borne in mind that technology is not without risks and that any system that is developed must undergo the necessary monitoring and updates to resolve vulnerabilities and minimise the risks of cyber-attacks. Such systems should therefore be subject to the supervisory processes laid down under the NIS2 Directive.

Conclusions

The age verification system proposed by the AEPD is a milestone and its application has already been proposed at European level since most of the systems currently used, such as self-declaration, sharing credentials with the content provider or the existence of intermediary entities, have proven to be ineffective (or not fully compliant with current legislation). It also represents a step forward in terms of the future implementation of the European digital wallet as it has been configured in strict compliance with the provisions included in the eIDAS2 regulation and in line with its principles: only the relevant attribute will be shared, in this case, the legal age.

All of this will facilitate regulatory compliance by adult content providers, protecting minors while ensuring the anonymity of users who, once their status as a “person authorised to access” is verified, will be able to access the content without having to reveal their identity.

It should be stressed that age verification systems must in any case be aimed at adults who intend to access content that is inappropriate for minors, so that it will always be them, and not minors, who are the recipients of such systems and who, where appropriate, install the relevant applications on their devices for the purpose of proving their legal age.

The Fábrica Nacional de Moneda y Timbre (National Mint and Stamp Office), the Spanish public entity dedicated to the production of banknotes, identity documents and electronic certification, is already working on the development of an application for identity verification based on the AEPD’s criteria and proofs of concept.

The Advertising of Crypto-Assets

The growing presence of crypto-assets in the financial market is an incontestable reality and, although it presents opportunities, the scarcity of regulation to date has posed a risk for investors who decided to opt for these assets because they were still not adequately protected.

There are many small non-professional investors who enter the cryptocurrency market without having sufficient information as to the risks involved in these investments, including their complexity, volatility and potential lack of liquidity.

The phenomenon of social networks and influencers promoting cryptocurrencies cannot be ignored in this context. Users can be carried away by the financial recommendations of those who use these platforms to promote this type of investment without the necessary knowledge and training.

In order to fight the legal uncertainty that still surrounds transactions involving crypto-assets, the EU has finalised, within the framework of its Digital Finance Package, the Regulation on markets in crypto-assets (known as the MiCA Regulation), which resulted from its aim to develop and promote new technologies in the financial sector, particularly blockchain and distributed ledger technology (DLT). Thus, the MiCA Regulation defines crypto-assets as digital representations of value or rights and focuses mainly on:

  • transparency and information requirements for their issuance and trading;
  • the regulation applicable to crypto-assets providers;
  • consumer protection rules; and
  • the establishment of measures to ensure the integrity of markets in crypto-assets.

However, while waiting for the MiCA Regulation to become applicable, the National Securities Market Commission (Comisión Nacional del Mercado de Valores – CNMV), the Spanish authority for supervising and inspecting the securities markets, published Circular letter 1/2022, of 10 January, in force since 17 February 2022, which focuses on regulating a very specific aspect of crypto-assets: their advertising. It is worth noting that said Circular letter was issued even before the MiCA Regulation was adopted, displaying the clear intention of the Spanish authorities to maintain a leading position in the regulation of new technological trends.

Despite the specificity of its purpose, this rule is particularly relevant because it includes a definition of crypto-asset in the Spanish legal system for the first time. Specifically, it defines it as the digital representation of a right, asset or value that can be transferred or stored electronically, using distributed ledger technologies or similar technology.

As can be seen, both definitions, that of the MiCA Regulation and that of the Circular, are practically identical.

Scope of application of the Circular

Before entering fully into the regulation of the Circular regarding the requirements for the advertising of crypto-assets, it is worth mentioning the elements outside its scope of application. For this, it is important to be clear that crypto-assets are divided into different types, the following being some of the most relevant in the context of this article.

  • Cryptocurrency ‒ This is a digital medium of exchange that uses encryption to ensure ownership and the integrity of transactions.
  • Security tokens ‒ They grant their holder a right equivalent to a financial instrument, represent a property right or a share in a project, and allow holders to participate in future increases in the value of the issuer.
  • Utility tokens ‒ They are designed for a particular purpose and they grant their holders the right of access to a specific application, product or service through an infrastructure developed in blockchain. They are not accepted as a means of payment for other goods or services and, in general, are not issued as an object of investment.
  • Non-fungible tokens (NFTs) ‒ They represent unique assets and are not interchangeable with each other.

It should be noted that the Circular regulates advertising activity related to crypto-assets for investment purposes but excludes from its scope:

  • security tokens (as they are considered financial instruments they are regulated in Circular 2/2020 of the CNMV on advertising of financial products and services);
  • utility tokens;
  • NFTs;
  • white papers published for the issuance of certain crypto-assets;
  • corporate advertising campaigns with generic information;
  • presentations aimed solely at analysts or institutional investors;
  • publications of independent financial analysts that are not sponsored or promoted; and
  • advertising on seminars or courses on crypto-assets that are offered free of charge or for a symbolic price and that do not encourage investment in them.

The exclusion criteria provided for in the Circular are broad and relatively generic, which could constitute a source of interpretative problems when it comes to discerning which products are or are not included in the scope of the regulation.

As for the subjects affected, the Circular will apply to:

  • crypto-asset service providers that carry out advertising activities for crypto-assets;
  • advertising service providers, including influencers; and
  • anyone else who advertises crypto-assets.

In addition, for the Circular to apply, the advertising must be addressed to investors in Spain, regardless of the nationality or domicile of the provider. It is presumed that this is the case when it is done through physical means in Spain (including websites and domains) and when the advertisements are made in Spanish or in any other official language of Spain.

Conditions for advertising activity

In general, advertising of crypto-assets in Spain that are included in the scope of the Circular must comply with the following conditions.

  • It should use simple and easy-to-understand language, so as to be clear, unbiased and not misleading.
  • Sponsored posts should clearly state this fact. For audio or videos, this must be indicated at the beginning.
  • Information about the risks of the product must be included in a format or position that guarantees its relevance in the advertising piece. Where there are space limitations, a link to this information must be included.
  • For mass advertising campaigns (ie, aimed at more than 100,000 people), prior communication to the CNMV will be required at least ten working days before their execution. Such communication must conform to the model for this purpose provided by the CNMV.
  • The obliged subjects must keep a register with information on the current campaign and those that have been carried out in the last two years, which must be available to the CNMV for inspection, if required.

The application of the Circular and its effectiveness

As noted above, the Circular arises from the need to regulate certain aspects related to crypto-assets and, in particular, for the protection of investors.

Thus, the CNMV focuses its efforts on making potential investors aware of the risks linked to these assets. In August 2022, the Spanish authority published a study that revealed the current low penetration of crypto-assets as an investment object. However, the same study indicated that 40% of investors in cryptocurrencies believe that legal regulation exists in this regard, while 29% consider that the investment is not riskier than other assets. Only 17% of investors consider that the liquidity of cryptocurrencies is scarce. This is striking because these percentages indicate that the population most familiar with this type of investment is not aware of its real risks and its lack of regulation.

However, the truth is that the inclusion of the advertising warnings provided for in the Circular attracts the attention of more than half of the investors, many of whom decide to seek additional information about cryptocurrencies after such warnings.

Moreover, the CNMV, being aware of the weight and scope of the activity of influencers in social networks, has set its sights on them and the investment recommendations they issue while identifying themselves as experts in the field. Thus, these influencers are requested to include clarifications on their activity and are required to fully comply with the provisions of the Circular.

Since the publication of the Circular, there has been widespread compliance with its provisions. However, on 31 October 2023, the first sanctioning procedure against a company for violating the regulation was initiated. This shows that the CNMV has not ceased its work of constant vigilance.

The new Securities Markets and Investment Services Act

Although it is not directly related to the advertising of crypto-assets, it is worth including a final note in relation to the new Spanish Securities Markets and Investment Services Act, adopted on 17 March 2023 and implemented by the Royal Decree 815/2023, of 8 November.

It should be noted that this new regulation includes distributed ledger technology for the registration, clearing and settlement of negotiable securities and financial instruments. In addition, the relevant provisions are contemplated taking into account the MiCA Regulation. In this sense, the CNMV is designated as the competent authority for the supervision of compliance with the MiCA Regulation.
