Photo of Bartolomé Martín

Bartolomé Martín

Contact:Read more about Bartolomé Martín

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

In February 2023, Spain implemented Directive (EU) 2019/1937 (although it did not become fully applicable until December of that year) by means of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory violations and the fight against corruption (the “Law”). The Law, which requires all public and private organizations (with more than 50 employees or simply operating in certain sectors, even if they have fewer employees) to implement a whistleblowing system, has raised some doubts from a data protection perspective.Continue Reading Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data

The Spanish antitrust regulator, the Comisión Nacional de los Mercados y de la Competencia (CNMC), has joined the proposed “State Pact” for protecting Spanish children from harmful content online and in social media. The CNMC joins the Spanish Data Protection Authority and Attorney General’s Office, as well as civil society and UN bodies, in supporting the proposal to develop long-term approaches to online safety.  Continue Reading The Spanish Antitrust Authority (CNMC) Follows the Spanish Data Protection Authority (AEPD) and Joins Forces with Other National and International Institutions to Protect Minors on the Internet and in Social Networks

Transparency, from the medieval Latin “transparentia”, is thought to have emerged in the late 16th century as a general term for a transparent object. In essence, it means the property of allowing light to pass through so that objects behind it can be clearly seen. But in the 21st century, transparency has a different and broader meaning.

The Spanish Data Protection Agency (Agencia Española Protección de Datos, or AEPD) published an article in September 2023 on transparency in the context of the proposed Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR), clarifying that different actors, different information and different recipients are involved, depending on the regulation.Continue Reading AEPD’s Position Regarding Transparency (AIA vs. GDPR)

The Spanish Data Protection Authority (AEPD) has issued a set of guidelines on the use of biometric systems for access and employee attendance control defining the criteria for using these systems (and the measures to be considered in the context of these processing activities) in compliance with the General Data Protection Regulation (GDPR).Continue Reading The Spanish DPA’s Restrictive Approach to Processing Biometric Data for Access and Attendance Control

The Spanish data protection and e-commerce legislation has been recently amended in order to, on the one hand, redefine the nature of the process to issue reprimands to data controllers and processors (so that reprimands are removed from the list of sanctions resulting from infringement of the regulations) and, on the other hand, relax the

In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled

The EU Commission has expressed concerns about the Dutch data protection authority’s strict interpretation of “legitimate interests”, considering it to be “not in line with the GDPR, the guidelines of the Article 29 Working Party/EDPB and the case law of the European Court of Justice (CJEU)”. Those concerns focus on guidance issued by the Autoriteit

Article 80 (2) of the General Data Protection Regulation (GDPR) provides that Member States can entitle properly constituted not-for-profit bodies, organizations or associations that have statutory objectives which are in the public interest, and are active in the field of the protection of data subjects’ rights and freedoms, with the right to lodge complaints with