Menú principal
To mark the end of the first quarter of 2026, we bring you a selection of the most significant news, rulings, case law and trends from the past three months in the technology sector. THE CODE, Pérez-Llorca’s technology newsletter, is a joint effort between the firm’s teams in Spain, Portugal, Mexico and Colombia.
EUROPEAN UNION
Amendment to the EuroHPC Regulation for the establishment of artificial intelligence (“AI”) gigafactories: The Council of the European Union has adopted an amendment to the Regulation governing the European High-Performance Computing Joint Undertaking (“EuroHPC JU”), with the aim of expanding its remit to facilitate the creation of AI gigafactories in Europe and to incorporate a dedicated quantum technologies pillar. The amended Regulation allows for the development and operation of these world-class AI infrastructures through public-private partnerships involving Member States and industry, and sets out rules on funding, public procurement and the protection of start-ups. The Regulation was published in the Official Journal of the European Union (“EU”) on 19 January 2026 and entered into force the following day. For more information, see here.
Joint Opinions of the EDPB and the EDPS on the “Digital Omnibus” Regulation proposal, the Cybersecurity 2 Act proposal and the proposal on amendments to the NIS2 Directive: The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have issued two joint Opinions: the first, on the “Digital Omnibus” Regulation proposal, and the second, on the Cybersecurity 2 Act proposal and the proposal on amendments to the NIS2 Directive.
With regard to the “Digital Omnibus” Regulation proposal, which aims to simplify the EU’s digital regulatory framework and reduce administrative burden, both authorities support measures aimed at improving competitiveness and legal certainty, but have expressed serious concerns regarding the proposal to amend the definition of “personal data” in the General Data Protection Regulation (“GDPR”), as they consider that this could significantly reduce the level of data protection and go beyond the jurisprudence of the Court of Justice of the European Union (“CJEU”). The authorities welcome certain simplification measures, such as changes to the reporting of data breaches and the harmonisation of the notion of ‘scientific research’ but recommend that adjustments be made to ensure that regulatory simplification does not undermine the protection of fundamental rights.
In turn, in the joint Opinion on the Cybersecurity 2 Act proposal and the proposal on amendments to the NIS2 Directive, both authorities support the objective of strengthening European cybersecurity, while making a number of recommendations. Of particular note are the following: (i) they point out that the relationship between cybersecurity and data protection is bidirectional, and that the measures adopted must be assessed not only in terms of their effectiveness, but also in terms of their necessity and proportionality; (ii) they support the establishment of a single reporting window for data breaches; (iii) they recommend that the European Cybersecurity Skills Framework (“ECSF”) include a minimum competency profile for every citizen of working age to interact safely in the digital single market; (iv) they call for clarification of the relationship between cybersecurity certification and the certification provided for in Articles 42 and 43 of the GDPR, requesting that the European Union Agency for Cybersecurity (“ENISA”) consult the EDPB before adopting any scheme; (v) they welcome the designation of providers of European Digital Identity and Business Wallets as “essential entities” under the NIS2 Directive; and (vi) they support the phased approach to ransomware, while recommending that the applicable data protection safeguards be specified in the corresponding implementing act.
You can read the joint Opinion on the “Digital Omnibus” Regulation proposal here and the joint Opinion on the Cybersecurity 2 Act proposal and the amendments to the NIS2 Directive here.
Spain
Law 10/2025, of 26 December, regulating customer services: On 27 December 2025, Law 10/2025 of 26 December regulating customer services, which establishes a mandatory minimum quality standard for companies providing basic services of general interest and for companies or groups of companies that sell goods or provide services to consumers with at least 250 employees, a turnover exceeding €50 million or an annual balance sheet total exceeding €43 million. Key requirements include the provision of the service free of charge and universal accessibility, a guarantee of personalised service provided by a human agent – with the exclusive use of bots prohibited –, a maximum resolution time of fifteen working days, and the introduction of an annual external evaluation and audit system, the results of which must be published on the company’s website. Affected companies have until 28 December 2026 to adapt their services. You can read the law here (only available in Spanish).
Preliminary draft of the Organic Law on the Civil Protection of the Right to Honour, Personal and Family Privacy and One’s Own Image: The Council of Ministers has approved the Preliminary Draft of the Organic Law on the protection of the right to honour, personal and family privacy and one’s own image, which will replace the current law of 1982 and adapt it to the digital environment. The main new features include: (i) an explicit ban on deepfakes made without consent, deeming the use of a person’s voice or image for advertising or commercial purposes via AI to be unlawful; (ii) greater protection for minors, raising the age at which consent may be given for the use of one’s own image to 16; (iii) the extension of protection to victims of crime and to deceased persons; and (iv) the regulation, for the first time, of criteria for determining compensation for non-pecuniary loss. In this regard, the public consultation process concluded on 30 January 2026. You can read the draft Organic Law here (only available in Spanish).
Guidance from the Spanish Data Protection Agency (“AEPD”) on agentic AI from a data protection perspective: The AEPD has published guidelines aimed at data controllers and processors who use agentic AI systems to achieve a specific objective through the use of language models. The main issues addressed include: (i) the autonomy of agents, which allows them to act without explicit instructions from a human user, deciding how to perform tasks, which sources to consult and what decisions to make; (ii) the risks arising from a lack of transparency in internal reasoning processes, which can create an illusion of reliability based on the perception of correct functioning rather than on objective evidence; (iii) the need for the system’s memory to incorporate, by design, the capacity to exercise all the rights under the GDPR; and (iv) a catalogue of measures that controllers and processors may adopt to ensure regulatory compliance and reduce the impact of agentic AI on the rights and freedoms of data subjects. You can read the full guidelines here (only available in Spanish).
AI, images and voice: risks to data protection and fundamental rights: The AEPD has warned of the risks associated with the use of third-party images in artificial intelligence systems, highlighting both the visible impacts—such as the creation of synthetic intimate content, the decontextualisation of images and the impact on minors—as well as the less obvious risks arising simply from uploading images to these tools. Similarly, the use of AI-based voice transcription services raises similar implications, given that voice recordings may constitute personally identifiable information and are often accompanied by metadata and content that are also subject to the GDPR. In both cases, such practices may infringe upon fundamental rights such as honour, privacy or one’s own image, and may even give rise to criminal liability in the most serious cases. Organisations must assess the legal basis for processing, ensure transparency, and check whether there are any additional processing activities, such as model retraining or emotion analysis, that may entail greater risks under the AI Act. You can read the AEPD’s guidance on the use of images here and voice recordings here (only available in Spanish).
The AEPD has published a set of guidelines containing recommendations on how to protect privacy when using AI tools, which you can read here (only available in Spanish).
Portugal
National AI Agenda (“ANIA”) 2026–2030: The Portuguese Government has approved the ANIA for 2026–2030 through Council of Ministers Resolution No. 2/2026, published on 8 January 2026, with an investment of over €400 million earmarked for infrastructure, ethics and digital skills. The ANIA is organised around four key areas of action: (i) infrastructure and data, to ensure strategic computing capacity and a robust data economy; (ii) innovation and adoption, to accelerate the deployment of AI across the economy, particularly in SMEs, with the Public Administration serving as a catalyst; (iii) talent and skills, to train, attract and retain AI talent at the necessary scale; and (iv) responsibility and ethics, to ensure an effective regulatory framework that protects citizens and enables innovation in a safe and transparent manner. The measures came into force on 9 January 2026, and aim to drive the country’s digital transformation through a comprehensive strategic framework covering both the public and private sectors.
Vouchers for Startups (AI and Technology Products): The Portuguese government has launched a €30 million initiative aimed at supporting the development and internationalisation of scalable start-ups focusing on AI and technology. Applications are open until June 2026, under the Recovery and Resilience Plan (RRP), with the goal of promoting the creation of innovative digital and technological products with international reach. Eligible expenses include costs for qualified technical staff (up to 75% of the total eligible amount), the procurement of external specialist services in the areas of digitalisation, marketing, product development and consulting, the purchase or rental of equipment and software licences, as well as costs relating to the protection of intellectual property and indirect project costs. In addition, the costs associated with the accreditation or technological certification of human resources are covered. This strengthens the commitment to qualifying and developing digital skills within the Portuguese entrepreneurial ecosystem.
LATAM
Mexico
Mandatory connection to the Single Identity Platform (Plataforma Única de Identidad, “PUI”): Following the amendment to the General Law on Enforced Disappearance of Persons, published in July 2025, certain private institutions (including the financial, transport, healthcare, telecommunications, education and parcel delivery sectors) are required to link their databases to the PUI, the Federal Government’s centralised system for tracing missing or unaccounted-for persons. A broadly worded catch-all clause potentially extends this obligation to any company that manages customer, user or employee records, which in practice could apply to virtually any company operating in Mexico. Failure to comply may result in fines of up to MX$2.34 million, reputational risk and, in very specific circumstances, criminal liability. The main operational hurdle is that the Unique Population Registry Code (Clave Única de Registro de Población, “CURP”) serves as the unique search identifier in the PUI; therefore, companies that do not currently collect this data will need to incorporate it into their records and implement the interconnection APIs.
New Personal Data Protection Law on the way: The Mexican authority on personal data protection (the Personal Data Protection Unit of the Secretariat for Anti-Corruption and Good Governance) has indicated that a new personal data protection law could be introduced in the coming months. Although there is no formal draft bill yet, the regulator has indicated that legislative reform is on the agenda and is expected to move forward this year. Companies operating in Mexico should closely monitor this process, as a new law could entail additional obligations regarding privacy, data governance, and automated processing using artificial intelligence, issues already on the international regulatory agenda, and Mexico could align with standards such as the European GDPR.
Colombia
Law 2564 of 2026, on mental health and against violence in the digital environment affecting children and teenagers: The Colombian Congress enacted this law, which establishes a comprehensive framework for awareness-raising, prevention, protection, and care regarding mental health and violence in the digital environment affecting children and teenagers. The main new provisions include: (i) the guarantee of minors’ fundamental rights through effective public policies and coordinated actions between the Ministry of Health, the Ministry of Information and Communications Technologies (the “MinTIC”), the Ministry of Education, the Colombian Institute of Family Welfare (ICBF), the National Police and local authorities, who must coordinate protocols, produce reports, activate hotlines, issue opinions, and convene hearings when risks or incidents of digital violence are detected; (ii) broadening the definition of mental health, recognising it as a state of well-being expressed in daily life and elevating it to the category of a fundamental right, a public health priority, and an essential component of general well-being; and (iii) the obligation of digital platforms, content providers, and messaging services to adopt prevention, protection, and moderation measures aimed at ensuring safe digital environments for minors.
The rights chain as a distinguishing factor in audiovisual acquisitions: In the context of acquisitions of companies in the audiovisual and media sectors, it is important to carry out a detailed analysis of the intellectual property rights chain in order to properly assess the target company’s ability to exploit those rights. This analysis makes it easier to determine the scope and strength of the acquired rights, as well as to assess whether they align with the business model the investor intends to develop, given that existing intellectual property rights often do not cover the full scope of the commercialisation activities planned by the acquirer, which may influence both the valuation of the transaction and the structuring of the transfer or licence agreements necessary to ensure the viability of the business.
CJEU
Fair compensation for private copying on storage media sold to commercial end users (C-822/24): On 15 January 2026, the CJEU clarified that fair compensation for private copying may be claimed from manufacturers, importers or traders of storage media, even where these are sold to professional purchasers, provided there is a possibility that the devices may be used by natural persons for private use. The CJEU considers that the mere fact of being a commercial end user does not mean that the media will never be used for private purposes, given that they can ultimately only be used by natural persons. However, the Court specified that this obligation must be accompanied by mechanisms for exemption or reimbursement where it is established that the storage media will not be used for those purposes or that the harm caused to rights holders is minimal. You can read the judgment here.
Spain
PLL TechLaw judgment
Ownership of rights to use custom-made software (Judgment of the Madrid Court of Appeal, Section 32, No. 94/2026, 13 March 2026): The dispute centred on the rights to use two computer programs developed on behalf of an educational publisher, with the claimants arguing that the licence granted was limited in terms of both geography and time, and that the client had exceeded those limits by permitting the use of the programmes by group entities abroad. The Madrid Court of Appeal dismissed the appeal and ordered the claimants to pay the costs, as they had failed to prove that they were the original owner of the rights or that the software had actually been used outside Spain. The Court ruled that the rights were deemed to have been transferred in their entirety to the organising body.
Fine imposed on energy supplier for inadequate identity verification procedures (PS/00459/2024 – AEPD): On 14 January 2026, the AEPD imposed a fine of €1 million on an energy supplier for failing to implement adequate technical and organisational security measures in its customer identity verification protocol for telephone transactions, on the grounds that this practice breached Article 32 of the GDPR. The system used allowed personal data relating to a data subject to be altered using only information readily accessible to third parties, with no record of the actions taken. The AEPD noted that Article 32 of the GDPR does not set out an exhaustive list of specific measures, but rather requires the implementation of measures proportionate to the risk posed by the processing, regardless of whether any specific instance of unauthorised access has been established. You can read the decision here (in Spanish).
Portugal
The Guimarães Court of Appeal fines lawyer for citing fictitious case law generated by AI: On 3 March 2026, the Court issued a public ruling identifying six non-existent case law excerpts that had been included in court documents. In the ruling, the judges emphasised that artificial intelligence ‘hallucinates’ – in the sense that it generates false information to fill data gaps – and that greater rigour is required of human intelligence, especially when it serves a function as critical as the administration of justice. The case, which resulted in the imposition of an additional court fee of approximately €500, highlights the significant legal and ethical risks associated with the use of unverified AI outputs in litigation.
LATAM
Colombia
Colombia’s Supreme Court fines a lawyer for citing non-existent case law generated by AI: The Civil Cassation Chamber of the Colombian Supreme Court imposed a fine of 15 times the current legal monthly minimum wage (salario mínimo mensual legal vigente) on a lawyer who filed an appeal containing vague legal provisions and 10 non-existent rulings generated by AI. The Court clarified that the fundamental issue is not the use of the tool, but rather the failure to fulfil the non-delegable duty of verification. It noted that citing case law implies affirming its existence and content, and that generative AI can ‘hallucinate’ references. This ruling raises the standard of care for litigants and law firms that use AI, and sets out internal guidelines on the traceability of sources in forensic and court documents.
Colombia’s Supreme Court overturns a conviction due to prejudgment and misuse of AI: The Colombian Supreme Court overturned a conviction handed down by the Superior Court of the Judicial District of Cali after detecting in the digital case file a complete draft judgment, signed and prepared before the trial and closing arguments had concluded. The document included an assessment of the evidence, conclusions regarding criminal liability and a proposed sentence, and stated that hearings had already taken place, even though they had not yet occurred. The Court held that this compromised due process and judicial impartiality, noting that impartiality must not only exist but also be perceived. Additionally, the draft incorporated AI-generated segments for legal and evidentiary analysis, a practice the Court deemed excessive. AI may only be used in an auxiliary capacity and under effective human control, without replacing evidentiary assessment or judicial rationality.
New Law
The European Commission has decided not to designate Apple Ads and Apple Maps under the Digital Markets Act (“DMA”): The European Commission has concluded that Apple does not qualify as a gatekeeper in relation to Apple Ads and Apple Maps, having determined that neither of these services constitute an important gateway for business users to reach end users. The decision, taken following an examination of the arguments submitted by Apple on 27 November 2025, is based on the fact that Apple Maps has a relatively low overall usage rate in the EU and that Apple Ads has a very limited scale in the online advertising sector in the EU. You can read more here.
The OECD outlines four scenarios for AI in 2030, ranging from stagnation to surpassing human capabilities: The article, published on 3 February, outlines four scenarios for the development of AI up to 2030: (i) Progress Stalls (progress comes to a halt and capabilities remain at current levels); (ii) Progress Slows (incremental gains at a slower pace); (iii) Progress Continues (rapid progress continues and systems perform complex professional tasks); and (iv) Progress Accelerates (AI matches or exceeds human capabilities in most areas). The available evidence does not allow us to rule out any of these scenarios; consequently, plausible trajectories range from stagnation to a significant surpassing of human capabilities. For decision-makers, the message is clear: they must prepare for the full range of possible outcomes in order to reap the benefits of AI and manage its potential impacts. You can read more here.
Wolters Kluwer’s “2026 Future Ready Lawyer Report”: The report, based on the views of legal professionals from around the world, confirms that the legal sector is undergoing rapid transformation: both law firms and legal consultancies are reshaping their working models, driven by advances in AI and the growing complexity of the business environment. The analysis identifies three drivers of change: AI has established itself as an essential tool for lawyers, its integration yields tangible efficiency gains, and it drives revenue growth within the sector. However, significant barriers remain (ethical and privacy concerns, insufficient training and resistance to change are among the main obstacles), whilst geopolitical and regulatory complexity is driving up demand for expertise in sanctions and cross-border operations, making the effective use of AI a critical factor in managing these growing demands. You can read the report here.
Presentation of Latam-GPT: The Ministry of Information and Communication Technologies (the “MinTIC”), in collaboration with Chilean authorities, has launched Latam GPT, a regional initiative involving 15 Latin American countries aimed at creating a generative AI model trained on data, languages (including Spanish, Portuguese and various indigenous languages) and the specific realities of the region. The alliance aims to strengthen digital sovereignty, reduce biases in global models and promote technological cooperation, innovation and the development of local capabilities in AI, with applications for both the public sector and the private sector.
Study on the use of AI: The Colombian Communications Regulation Commission has published a study analysing how AI is being used in the country’s telecommunications, postal and audiovisual sectors. The report, based on interviews with stakeholders in these industries, shows that AI has become a key driver of efficiency and productivity, although its adoption is progressing at different rates: the telecommunications sector is the most advanced and plans to significantly increase its investment; the audiovisual sector is at an intermediate stage of technology adoption; and the postal sector is only just beginning its adoption process. The document also examines the benefits, challenges and risks associated with the use of AI, including threats such as deepfakes and the importance of safeguarding rights, legal certainty and data sovereignty. You can read the study here (only available in Spanish).
Latest news
Pérez-Llorcast TechLaw #20
Privacy and technology: How are they balanced in the healthcare sector?
In this episode of “Pérez-Llorcast” TechLaw, only available in Spanish, Raúl Rubio, a partner in Pérez-Llorca’s Intellectual Property and Technology practice, talks to Jaime Requejo, Head of Privacy and Data Protection at Sanitas, about the impact of personal data on innovation, AI and business from the perspective of the healthcare sector. They examine the current challenges facing data protection in Spain, the critical role of data in the healthcare sector, the integration of AI into this sector, future objectives and the role of regulators, as well as the challenges of innovation within healthcare organisations.
Pérez-Llorcast TechLaw #21
Regulatory issues: how to anticipate new legislation
In this episode of “Pérez-Llorcast” TechLaw, only available in Spanish, Andy Ramos, a partner in Pérez-Llorca’s Intellectual Property and Technology practice, talks to Carlos Ochoa, Senior Managing Director at FTI Consulting, about the stages leading up to the adoption of a regulation, the work of regulatory affairs professionals, and how these teams operate across different levels and regions. They examine the growing importance of regulation in an increasingly complex technological environment, the key trends that are transforming EU regulation, the changing dynamics between public authorities, businesses and citizens, and, in particular, the Digital Omnibus Regulation. This discussion highlights the current regulatory complexity and the need for lawyers and regulatory experts to work together to achieve companies’ objectives.
