Photo of Bartolomé Martín

Bartolomé Martín

Contact:Read more about Bartolomé Martín

The EU AI Act is entering into force in stages. While most of its provisions will not apply until August 2026, key requirements for general-purpose AI (GPAI) models took effect much earlier, starting on August 2, 2025.

In anticipation of this earlier milestone, the Code of Practice for General-Purpose AI Models was published on the EU commission’s website on July 10, 2025. It is a voluntary tool, prepared by independent experts in a multi-stakeholder process involving nearly 1000 participants, (general-purpose AI model providers, downstream providers, industry organizations, civil society, rightsholders and other entities, as well as academia and independent experts). The Code represents an initial effort to translate the AI Act’s GPAI-specific obligations into practical measures.

It focuses on three central areas (Transparency, Copyright, and Safety and Security) and offers a framework that developers of GPAI models may rely on to demonstrate responsible practices in line with the EU’s evolving regulatory approach.Continue Reading The EU’s Voluntary GPAI Code: Reflecting on Strategic Choices in an Evolving Regulatory Context

On 21 May 2025, the European Commission published a proposal for a new regulation aimed at simplifying several EU legal instruments, including targeted amendments to the General Data Protection Regulation (GDPR). The announced objective is to ease compliance obligations for small and medium-sized enterprises (SMEs) and extend certain regulatory benefits to small mid-cap companies (SMCs) (a category of businesses that often face comparable regulatory burdens to large corporations but lack equivalent resources). In the field of data protection, the proposal focuses on revising the obligation to maintain records of processing activities under Article 30 GDPR. It suggests raising the employee threshold for this obligation and clarifying that record-keeping would only be required when processing is likely to pose a high risk to individuals’ rights and freedoms.Continue Reading GDPR Relief for SMEs? EDPB and EDPS Weigh in on the EU’s Simplification Plans

With the entry into force of the AI Act (Regulation 2024/1689) in August 2024, a pioneering framework of AI was established.

On February 2, 2025, the first provisions of the AI Act became applicable, including the AI system definition, AI literacy and a limited number of prohibited AI practices. In line with article 96 of the AI Act, the European Commission released detailed guidelines on the application of the definition of an AI system on February 6, 2025.Continue Reading Understanding the Scope of “Artificial Intelligence (AI) System” Definition: Key Insights From The European Commission’s Guidelines

On April 14, 2025, the European Data Protection Board (EDPB) released guidelines detailing how to process personal data using blockchain technologies in compliance with the General Data Protection Regulation (GDPR) (Guidelines 02/2025 on processing of personal data through blockchain technologies). These guidelines highlight certain privacy challenges and provide practical recommendations.Continue Reading From Blocks to Rights: Privacy and Blockchain in the Eyes of the EU data Protection Authorities

The European Commission published its long-awaited Guidelines on Prohibited AI Practices (CGPAIP) on February 4, 2025, two days after the AI Act’s articles on prohibited practices became applicable.

The good news is that in clarifying these prohibited practices (and those excluded from its material scope), the CGPAIP also addresses other more general aspects of the AI Act, which comes to provide much-needed legal certainty to all authorities, providers and deployers of AI systems/models in navigating the regulation.Continue Reading The European Commission’s Guidance on Prohibited AI Practices: Unraveling the AI Act

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws)

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025. (Utah ARCA)
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

Six years after its enactment and four years after it entered into force, on July 17, 2024, the Brazilian Data Protection Agency (Autoridade Nacional de Proteção de Dados (ANPD)) has issued a regulation developing the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais (LGPD)) and clarifying the regulatory framework for Data Protection Officers (DPOs) in Brazil (ANPD Resolution No. 18/2024, the “Resolution”).

Article 41 of the LGPD establishes that data controllers must appoint a data protection officer (DPO), details their main responsibilities, and requires that the DPO’s identity must be made public. It also invites the ANPD to establish complementary rules for the definition and attribution of the person in charge, including cases of exemption from the appointment requirement, depending on the nature and size of the entity or the volume of the data processing operations.Continue Reading New ANPD Resolution on the Statute of Data Protection Officers in Brazil

When expanding/ directing operations into Europe, foreign organizations often have questions about how to deal with the EU’s ever-expanding regulatory framework. From a data protection perspective, it is often assumed that B2B operations do not trigger the extraterritorial applicability of EU data protection laws (mainly, Regulation (EU) 2016/679 or GDPR) and that it is sufficient to enter into data processing agreements with European data controllers. But is it really that simple?

Some context…

As raised above, one of the most salient elements of the GDPR is that it applies not only to processing operations carried out by controllers and processors established in the European Union, but also to certain processing operations carried out by controllers and processors established outside the Union. This is the case of the processing related to the active offering of goods or services to data subjects in the Union and the monitoring of their behavior, as far as it takes place within the Union (Article 3.2 of the GDPR).Continue Reading A data processing agreement is not always enough.

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

In February 2023, Spain implemented Directive (EU) 2019/1937 (although it did not become fully applicable until December of that year) by means of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory violations and the fight against corruption (the “Law”). The Law, which requires all public and private organizations (with more than 50 employees or simply operating in certain sectors, even if they have fewer employees) to implement a whistleblowing system, has raised some doubts from a data protection perspective.Continue Reading Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data