This country-specific Q&A provides an overview to technology laws and regulations relevant in Spain.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes. Law 9/2014on Telecommunications (hereinafter, "Spanish Telecommunications Act"), which came into force on 9th May 2014, covers the provision of (public) electronic communication networks ("(P)ECN"), as well as the provision of public electronic communication services ("(P)ECS"). Certain additional requirements will apply to providers of publicly available telephone services ("PATS"), which are a sub-set of PECS. PATS is a service made available to members of the public for making and receiving national or international calls through a number in a national or international telephone numbering plan.
Pursuant to article 26 of Annex II of the Spanish Telecommunications Act, operator means a legal or natural person, which provides public communications networks or provides electronic communication services to the public and has notified the relevant authority at the beginning of its activity, or is registered under the Registry of operators.
Therefore, while in Spain it is not necessary to obtain authorisation for the provision of ECS or ECN, notification to the relevant authority remains mandatory. Prior to the provision of the services or networks, the provider should give notice of such activity to the Registry of operators, which is overseen by the Spanish Regulator, The National Commission of the Market and Competition (Comisión Nacional de los Mercados y de la Competencia), commonly known as "CNMC".
The CNMC will then issue a reasoned Decision accepting or rejecting the notified activity within 15 days. If the CNMC does not issue a Decision within 15 days, the provider will be able to commence its activity.
Once registered, a service provider must notify the CNMC every three years of its intention to continue providing the ECS in question. Failure to do this will result in adversarial proceedings that may lead to the cancellation of the Operator's registration. If this happens the operator will not be able to continue providing the ECS.
The following link provides the template for making the notification (https://sede.cnmc.gob.es/sites/default/files/2016-12/Notifica.pdf). Apart from company identification data, a description of the activity must also be included, as well as an estimated start date for the activity.
Although registration with the Registry of Operators is tax free, an annual administrative charge does apply (which is itself decided on a yearly basis) for each operator.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The CNMC, referred to in the previous answer, is the Spanish regulator that promotes and defends the proper functioning of the markets in the interest of consumers and companies, including the electronic communications market. Under Article 6 of Act 3/2013, adopted on 4th June 2013, regarding the creation of the CNMC, its main functions in the electronic market are to:
- Define and analyse markets related to electronic communications services and networks, including retail and wholesale markets, and its geographical range, whose features can justify the imposition of certain obligations.
- Identify the operator or operators that have significant power in the market and analyse when the markets are not developed in an effective competitive environment.
- Establish the applicable obligations for those operators with significant power on the market.
- Resolve electronic communications disputes in the market.
- Fulfil other obligations established by law.
The CNMC is independent from the Spanish Government, although it is subject to parliamentary control. According to Article 39 of Act 3/2013on the CNMC’s creation, the President of the CNMC has to appear annually before Congress in order to outline the basic plan for its actions and priorities for the year ahead. In addition, the President must, every three years, present in person their evaluation of the action plan and the results achieved by the CNMC. Without prejudice from this annual appearance, the President must appear before the corresponding commission of the Senate or Congress on the same terms established in their respective regulations.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
Any natural or legal person from or established in the European Union can provide ECS or ECN in Spain. Companies registered in non-EU or European Economic Area countries can only enter the telecoms market and provide services in Spain through bi- or multi-lateral agreements, conventions or treaties to which both countries are party. The Spanish government is free to make any exceptions to these rules and can grant direct authorisations.
Among other things, a foreign operator not belonging to the EU would need to present a certificate issued by the respective Spanish diplomatic representation stating that they are listed in their local professional, commercial or similar register or, failing that, that they act legally and regularly in the scope of the corresponding activities. Besides this, they must also identify in their notification the international agreement that enables them to operate networks or provide electronic communications services in Spain or, failing that, show agreement from the Council of Ministers who will authorise such documentation in exceptional circumstance.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
Article 12 of the Spanish Telecommunications Act (in line with Article 4.1 of the EU Access Directive 2002/19/EC) states that operators of public communications networks shall have a right and, when requested by other undertakings so authorised, an obligation to negotiate interconnection with each other for the purpose of providing publicly available electronic communications services, in order to ensure the provision and inter-operability of services throughout the community.
Particular obligations on operators with market power
Article 14 of the Spanish Telecommunications Act states that the CNMC may impose on operators with significant market power certain specific obligations, which include amongst others:
- Transparency obligations; according to which operators may be required to publish information relating to accountability, technical specifications, network characteristics, supply conditions, and/or the publication of a reference offer etc.;
- Non-discrimination obligations; according to which operators may be required to apply equivalent conditions in similar circumstances to other operators that provide equivalent services and provide third parties with services and information of the same quality as those provided for their own services or those of their subsidiaries or associated and in the same condition;
- Other obligations include the separation of accounts, access to specific elements or resources from the network as well as other related services as identity, location and presence services, pricing control etc.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The following parts of regulations are applicable specifically to telecom consumers:
- Regulation (EU) 2016/2286, of 15th December 2016,, sets out detailed rules on the application of fair use policy and on the methodology for assessing the sustainability of the abolition of retail roaming surcharges and on the application that must be submitted by a roaming provider for the purposes of that assessment.
- Regulation (EU) 2015/2120, of 25th November 2015, sets out measures concerning open internet access and amends Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 regarding roaming on public mobile communications networks within the Union.
- General Act 9/2014, of 9th May 2014, on Telecommunications.
- Act 25/2007, of 18th October, on electronic communications and public communication networks data storage.
- Royal Decree 899/2009, of 22nd Mau 2009, approves the telecommunication services users' rights.
- Royal Decree 424/2005, of 15th April 2005, modified by Royal Decree 776/2006, approves the regulation on electronic communications services, universal service and users' protection.
- Ministerial Order IET/2733/2015, of 11th December 3015, assigns public numbering resources to the additional pricing services provided by telephone calls and establishes their conditions of use.
- Ministerial Order IET/1090/2014, of 16th June 2014 , regulates the conditions relating to the quality of the electronic communications services.
- Ministerial Order ITC/3237/2008, of 11thNovember 2008,sets out the use of public numbering resources for the provision of multimedia and text messages.
- Ministerial Order ITC/1030/2007, of 12th April 2007, regulates the resolution procedure of disputes between final users and electronic communications services operators and operators' customer services.
- Ministerial Order PRE/531/2007, of 5th March2007, approves the conditions for guaranteeing the affordability of the applicable offers to the universal services.
- Ministerial Order PRE/361/2002, of 14th February 2002 , modified by Ministerial Order PRE/2410/2004, is on telecommunication and pricing services users' rights.
What legal protections are offered in relation to the creators of computer software?
Computer software is regulated by the Spanish Intellectual Property Act 1/1996 (Intellectual Property Act). The protection given by the Intellectual Property Act is provided not only for computer software, which is defined as any sequence of instructions or data intended for either direct or indirect use in a data processing system to perform a function or tack or to secure a specific result, regardless of its form of expression and recording, but also for the preparatory documentation, technical literature and manuals for the use of the program.
Article 97 of the Intellectual Property Act regulates the holding of computer software rights and provides the following rules:
- The individual or group of individuals that has created a computer program, or the legal person deemed the copyright holder, shall be deemed the author thereof.
- If the computer program is a collective work, unless otherwise agreed, the individual or legal person who published and makes the computer program available under his/her name shall have the status of author.
- If the computer program is a collaborative work made by two or more authors, they shall be joint owners of the program and it shall pertain to all of them in the proportions determined by them.
- Where the computer program is created by an employee in the execution of his/her duties or following the instructions given by his/her employer, the ownership of the relevant exploitation rights in the computer program so created, including both the source program and the object program, shall pertain exclusively to the employer, unless otherwise provided by contract.
Regarding the term of protection provided by the Intellectual Property Act, the duration of these IP rights depend on the specific owner of the rights:
- Where the author is an individual: copyright shall run for the life of the author and for 70 years after his/her actual or declared death.
- Where the author is a legal person: copyright shall run for 70 years counted from the 1st January of the year following that of the lawful communication of the program or that of its creation if it has not been made available to the public.
Do you recognise specific intellectual property rights in respect of data/databases?
Yes, data bases are granted with two specific types of protection according to the Intellectual Property Act:
- Protection provided due to their structure and form of expression:
Article 12 of the Intellectual Property Act provides protection for collections of the works of others or of data or of other independent elements, such as anthologies and databases, which, by reason of the selection or arrangement of their contents, constitute intellectual creations, without prejudice to any rights that might exist in such content. This protection shall solely apply to their structure, meaning the form of expression of the selection or arrangement of their contents, but shall not extend to those contents. Collections of works, data or other independent elements systematically or methodically arranged and individually accessible by electronic or other means shall be deemed to be databases.
- Protection provided due to the substantial investment in the database (sui generis right):
Article 133 of the Intellectual Property Act protects the substantial investment, assessed either qualitatively or quantitatively, made by its manufacturer in the form of finance, time, effort or energy or other means of similar nature spent in the obtaining, verification or presentation of its contents. By the protection provided through this article, the manufacturer of a database may prohibit:
a) the extraction and/or re-utilisation of all or a substantial part of the contents thereof, evaluated qualitatively or quantitatively, provided that obtaining, verification or presentation of such contents represents a substantial investment in terms of quantity or quality; and/or
b) the repeated or systematic extraction and/or re-utilisation of insubstantial parts of the contents of a database implying acts that conflict with normal exploitation of that database or unreasonable prejudice towards the legitimate interests of the manufacturer of the database.
The sui generis rights shall apply regardless of whether or not such database is vested with other intellectual property rights and without prejudice to any rights existing within their contents. Therefore, the same database can be protected both by Article 12 and Article 133 of the Intellectual Property Act in case its structure, meaning the form of expression of the selection or arrangement of their contents can be considered as "original" (Article 12) and in case of the database's obtaining, verification or presentation has constituted a substantial investment for the database manufacturer (Article 133).
What key protections exist for personal data?
In Spain, until 25th May 2018, personal data has been regulated under Organic Law 15/1999, of 13th December 1999, on the Protection of Personal Data ("LOPD") and Royal Decree 1720/2007, of 21st December 2007, that approves the implementation of Regulation of the LOPD ("RLOPD"). Since the 25th May 2016, the EU Regulation 679/2016 ("GDPR") has partially de-regulated both the LOPD and the RLOPD and is now the main regulation that sets out how personal data shall be processed in Spain. A new Spanish data protection act, which will implement and complement the GDPR, is currently being developed in Spain, although the date on which it will come into effect has not yet been decided. In the meantime, the Spanish government has adopted an emergency ordinance (Royal Decree-Law 5/2018, of 27th July 2018, of emergency measures for the adaptation of the European Union data protection legislation to Spanish law ) to give the powers to the Spanish DPA that are required by the GDPR.
The GDPR lays down many obligations for companies that process personal data within the EU and/or personal data of EU nationals. In general terms, under the GDPR personal data shall be processed in accordance with the data protection principles (‘lawfulness, fairness and transparency’); collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’). Other obligations include the need to satisfy the data protection rights of data subjects, to notify the Spanish data protection supervisory authority (Agencia Española de Protección de Datos or "AEPD") of personal data breaches, the need to have in place a record of processing activities, the obligation to adopt appropriate security measures or the need to respect the restrictions for international transfers of personal data.
Are there restrictions on the transfer of personal data overseas?
In general terms, personal data cannot be transferred from Spain to countries that are located outside the European Economic Area, unless:
- The EU commission has decided that the country from which the company importing the data offers an adequate level of data protection. Currently the EU Commission has stated that the following countries provide such an adequate level: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework); or
- The data controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. In practice this means that where the data exporter and the data importer adopt contractual safeguards (such as entering into the Standard Contractual Clauses published by the EU Commission or Binding Corporate Rules), the transfer of personal data will be deemed lawful; or
- One of the de-regulations foreseen by Article 49 of the GDPR applies to the transfer. These include the consent of the affected individuals, the need to ensure the adequate enactment of a contract with the data subject, the need to establish, exercise or defend legal claims or the need to protect a vital interest of a data subject.
What is the maximum fine that can be applied for breach of data protection laws?
It is yet to be seen how administrative fines will be imposed under the new Spanish data protection act that is currently being developed. The emergency ordinance, referred to above, defers to the GDPR's fines and therefore, until the new act is published, the fines in Spain will follow the GDPR.
Under the GDPR maximum fines for infringements can be up to 20 000 000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever amount is higher. This maximum fine would only be imposed for the breach of certain obligations under the GDPR, such as infringing the data protection principles, not observing the restrictions for international data transfers or failing to satisfy the rights of the data subjects.
On the other hand, persons who have suffered material or non-material damage as a result of an infringement of the GDPR shall have the right to receive compensation from the controller or processor for the damage suffered. The total amount that will have to be paid for an infringement that resulted in damages would ultimately depend on those damages, which will be decided by a court. A company may be required to pay a fine as well as compensation tothe data subjects.
Are there any restrictions applicable to cloud-based services?
The Spanish legislation does not foresee specific restrictions or limitations for cloud-based services. However, where the use of cloud-based services entails the processing of personal data, the requirements of the data protection legislation will have to be complied with. In general terms, the GDPR will require companies using such services to:
- Certify that when processed in the could-based platform, the personal data is processed in accordance with the data protection principles set out in the GDPR.
- Ensure that the use of such services complies with the requirements laid down by the GDPR for international data transfers (especially relating to where the cloud service provider is located, or where data is hosted in countries that are located outside the EEA).
- Ensure that the relationship with the service provider is regulated under a written agreement that provides the mandatory provisions required by Article 28 of the GDPR, which sets out the requirements for the relationship between data controllers and data processors.
- Guarantee that the affected data subjects can exercise the rights recognised under the GDPR for the data stored in the cloud.
- Guarantee that the cloud-based service is subject to appropriate technical and security measures that prevent personal data from being lost, altered or accessed by unauthorised personnel.
Are there specific requirements for the validity of an electronic signature?
Currently, the Spanish E-signature regulatory framework is composed by: (i) EU Regulation Number 910/2014 on electronic identification and trust services for electronic transactions in the internal market ("eIDAS Regulation") and (ii) Spanish Law 59/2003 on Electronic Signatures (E-Signature Act). Even though the E-Signature Act has not been formally repealed yet, most doctrine considers it applicable to any matters not regulated by the eIDAS Regulation and/or that do not contradict the provisions of the eIDAS Regulation.
In light of the above, there are three types of e-signatures:
- Simple electronic signature, that is data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
- Advanced electronic signature, that is an electronic signature which meets several legal requirements, for example, is uniquely linked to the signatory or capable of identifying the signatory.
- Qualified electronic signature, that is an electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. Qualified e-signatures must be validated through the fulfilment of several requirements according to law.
The above types of e-signature must comply with different requirements. In general, electronic contracts will be binding, whatever the form under which they have entered into, provided that they comply with the contract requirements under Spanish law, which are: consent; a certain object; and cause of the obligation.
Most transactions do not require e-signatures. In principle, there are no limitations applicable to the use of e-signatures but only a qualified electronic signature satisfies the legal requirements of a signature in the same manner as a handwritten signature.
This said, in April 2018 a Spanish draft bill regulating certain aspects of "Trust Electronics Services" was issued and this is expected to formally repeal the E-Signature Act. This new law will develop certain aspects of Trust Electronic Services not covered by the eIDAS Regulation and so, once in effect, the Spanish E-signature regulatory framework will be composed of: (i) the eIDAS Regulation (Advance E-electronic signatures will be mostly regulated by this UE Regulation) and (ii) the new law on certain aspects of "Trust Electronics Services".
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No, employees, assets or contracts are not normally automatically transferred in the event of an outsourcing of IT services. The parties involved in the provision of outsourcing services need to negotiate how the services are structured and the resources (employees, assets) to be managed. A mere provision of services with no transfer of a business unit, does not in principle entail a transfer of any resources.
Concerning the possible transfer of employees involved in an IT outsourcing, the most important point to consider is that for the employees to transfer automatically to the outsourcing supplier as per Article 44 of the Spanish Statute of Workers, the principal must transfer its own IT production unit (i.e. including all the assets, agreements etc.) as a whole, autonomous business unit. Otherwise, if the IT production unit is not entirely transferred by the principal to the supplier, the employees would not transfer automatically to the supplier and would remain employees of the principal.
Finally, note that that the outsourcing supplier must provide its services with its own resources and organisation, in order to avoid the declaration of an illegal transfer of employees, prohibited by Article 43 of the Spanish Statute of Workers.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
For the time being, there is no specific Artificial Intelligence existing regulation in Spain. Notwithstanding the above, on 10th April 2018, 25 European Union Member States, including Spain, signed a Declaration of Cooperation on Artificial Intelligence. Consequently, the European Commission will now work with Member States on a coordinated plan.
Additionally the European Commission released a Communication in April 2018 that the European Union will present measures to ensure an appropriate ethical and legal framework regulating artificial intelligence, including, among others, guidance on the interpretation of the Product Liability Directive in the light of technological developments, to ensure legal clarity for consumers and manufacturers in case of defective products. For the time being, the European Commission has appointed experts to build a new High Level Group on Artificial Intelligence, who will make recommendations on how to approach these innovative techniques.
Europe wants to be at the forefront of these developments and therefore its intention is to enact a legal framework that the continent can meet together for artificial intelligence to succeed and work for everyone.
In light of the above, as Spain has not any specific Artificial Intelligence responsibility framework, current software provisions will apply to early forms of Artificial Intelligence malfunctions, being the software developer entity generally found liable for the malfunction of the program.
What key laws exist in terms of obligations as to the maintenance of cyber security?
There are many actions that can be considered as an illicit action from a cybersecurity perspective, such as the introduction of a virus into the computers, stealing account information and/or passwords from users, publishing dishonest information about someone, online scams, or even impersonation or identity theft. This variety means that in Spain (and also in Europe) there is a complex network of laws that aim to regulate the many different situations that can happen online relating to cybersecurity.
In Spain there is:
1. A code for the Cybersecurity Law, published in the Spanish Official Gazette (BOE), updated on the 9th July 2018, collates the main rules laws to be taken into account regarding the protection of cyberspace and to ensure the aforementioned cybersecurity, and includes among others:
1.1. National Security Regulations:
- Law 36/2015, of 28th September 2015 on National Security, which regulates the key principles and agencies, as well as the functions they must perform, for the defence of the National Security.
- Order PRA/33/2018, of 22nd January 2018, by which the Security Council Agreement is published, which regulates the National Council of Cybersecurity.
- Royal Decree 1008/2017, of 1st January 2017, by which the National Strategy Security for 2017 is approved.
1.2. Security regulations:
- Organic Law 4/2015, of 30th March 2015, on the protection of public safety.
- Law 5/2014, of 4th April 2014, on Private Security.
1.3. Security incidents:
- There is a partial inclusion in the Law 34/2002, of 1st July 2002, on services to the society of information and electronic commerce and,
- several Royal Decrees related to the Armed Forces.
- Law 34/2002, of 11th July 2002, on services to the information society and e-commerce.
- Royal Decree 381/2015, of 14th May 2015, which establishes measures against illegal or irregular traffic which has fraudulent purposes in electronic communications.
- Law 11/2007, of 22nd June 2007, on electronic access of citizens by public services
- Law 50/2003, of 19th December 2003, on the electronic signature.
- Law 9/2014, of 9th May 2014, on general telecommunications.
- There is partial inclusion in the Criminal Code, the Organic Law 5/2000, of 12th January 2000, which regulates the criminal responsibility of minors; or in the Royal Decree approving the Criminal Procedure Law.
** It is important to highlight the following computer crimes incorporated in 2015 in the Spanish Criminal Code:
(i) The intrusion of a computing system crime (Article 197 bis);
(ii) Data communication interception crime (Article 197 bis (2)) and so on;
1.6. Protection of data:
- Organic Law 15/1999, of 13th December 2009, and its regulations, approved by the Royal Decree 1720/2007 of 21st December 2007;
- Regulation (EU) 2016/679 of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Directive 95/46/EC (GDPR).
In Europe, there are also several regulations that regulate cybersecurity at a technical and organisational level. Apart from the aforementioned European Data Regulation (which has yet to be spassed in Spain), it is important to mention the Directive on security of network and information systems (the NIS Directive) adopted by the European Parliament on 6th July 2016 and entered into force in August 2016. It is expected that NIS Directive will be transposed in Spain at some point during 2018.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
What technology development will create the most legal change in your jurisdiction?
Many digital technology trends will require the enactment of specific laws, otherwise our current legal system will be applied analogically to regulate these new legal trends. It is no secret that Artificial Intelligence and its derivatives would preferably need a specific regulation, including, among others, regulations regarding Internet of Things or autonomous vehicles.
Not only Artificial Intelligence, but also the regulation of blockchain will certainly be considered one of the most challenging legal changes that must be faced in order to totally secure the transactions made by blockchain technology. In February 2018, the Banco de España (Spanish Banking Authority) and the CNMC issued a joint declaration about "cryptocurrencies". In this declaration both bodies declared that "cryptocurrencies" are not regulated in the European Union. This implies that if a person buys or keeps "cryptocurrencies", he/she does not benefit from the guarantees and safeguards associated with regulated financial products. Additionally, both entities also argued that on many occasions the different actors involved in "cryptocurrencies" businesses are located in different countries, so that the resolution of any conflict could be outside the competence scope of the Spanish authorities and would be subject to the regulatory framework of the country in question, which may be a problem for the person acquiring these products. In light of the above, transactions made by blockchain technology, including but not limited to financial transactions, would be one of the biggest legal changes not only for Spain but also for the European Union.
Additionally, 3D and 4D printing technology will have a huge impact on many fields, as it could imply a substantial change to the implementation of intellectual property and health regulations. In Spain 3D printing technology has being used in the food, architectural or clothing industries, where lot of start-ups are becoming specifically focused on 3D printing technology, whereas 4D printing technology has been tested and issued in the field of health. Certainly this technology will have to be regulated in order to protect everyone's rights as this printing technology must be controlled in order not to breach third parties' rights and to not create products which are subject to authorisations in Spain or even illegal items.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
In relation to data protection matters, it is important to highlight that the AEPD is quite active in imposing data protection sanctions and specifically the Telecommunications sector is the most sanctioned industry by the AEPD, as telecommunication operations deal with huge amounts of personal data.
Also, the revised Payment Services Directive (PSD2) will require online platforms operating as central portals that, acting as intermediaries, enable payment transactions between buyers and sellers - without themselves selling the product or service - to obtain an authorisation as a "payment service provider" from the relevant authority, which in Spain is the Banco de España.
This would mean that marketplaces such as Amazon or Ebay will be required to obtain an authorisation and will not be exempted anymore, as they were under PSD1 , if they wish to continue providing this "payment service" to buyers and sellers.
Do you believe your legal system specifically encourages or hinders digital services?
The Spanish legal system enacts laws according to the European Union legal system. Therefore, most of the Spanish regulations have been harmonised according to European Union law. We do not believe our system differs much from others in the EU in this respect.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Spain has not provided a specific legal framework applicable to artificial intelligence yet but, as explained above, on 10th April 2018, Spain signed a Declaration of Cooperation on Artificial Intelligence, as Artificial Intelligence will be approached from a European Union law perspective. Until then, artificial intelligence is to be applied the current laws by analogy, which of course will imply huge legal challenges.
Regarding autonomous vehicles, Spain is doing its best to regulate driverless cars circulation through a "XXI Traffic Act". Nowadays, although there is still no law which specifically regulates autonomous vehicles in Spain and autonomous vehicles are currently governed by the broader regulatory framework that is applicable to vehicles, since 2015 there is an instruction (Instruction 15/V-113) issued by the Spanish General Directorate of Traffic related to the granting of special authorisations for the testing of such vehicles in Spanish public roads.