THE CODE – Q4 2025


To mark the end of 2025, we bring you a selection of the most significant news, rulings, case law and trends in the technology sector during the last quarter of the year. THE CODE, Pérez-Llorca’s technology newsletter, is a joint effort between the firm’s teams in Spain, Portugal, Mexico and Colombia.

Regulation

EUROPEAN UNION

Digital Omnibus – a new European regulatory philosophy: The European Commission presented this legislative package to simplify rules on artificial intelligence (“AI”), cybersecurity and data. The proposals include: (i) linking the entry into force of standards on high-risk AI systems to the availability of supporting tools (maximum 16 months); (ii) introducing a single entry point for cybersecurity incident notifications; (iii) modernising the rules on cookies by reducing banners and allowing centralised preferences; and (iv) consolidating four pieces of data legislation into one. You can read Pérez-Llorca’s legal briefing on the matter here and an article in Expansión by Raúl Rubio, partner of Pérez-Llorca’s Intellectual Property and Technology practice area, here (in Spanish).

AI Act Whistleblower Tool: The European AI Office has established the Artificial Intelligence Act (EU) 2024/1689 (“AI Act”) Whistleblower Tool, a secure and confidential channel through which individuals can anonymously report potential breaches of the AI Act, thus contributing to the safe and transparent development of AI technologies. You can access the Tool here (available in French, German and English).

Joint EDPS – European Commission Guidelines on the DMA and the GDPR: The European Data Protection Supervisor (“EDPS”) and the European Commission have adopted draft joint guidelines to clarify the interaction between the Digital Markets Regulation (“DMA”) and the General Data Protection Regulation (“GDPR”). The guidelines aim to clarify various issues where conflicts of interpretation may arise, such as how gatekeepers should apply the DMA in accordance with the GDPR, among others. As part of the process of approving the guidelines, the draft guidelines have already been published and stakeholders were able to submit comments from 9 October to 4 December. The final version of the guidelines will be adopted over the course of 2026. See the draft guidelines here.

Opinions on UK adequacy decisions: On 20 October the EDPS adopted two opinions on the European Commission’s draft decisions to extend the validity of the UK’s adequacy decisions under the GDPR and the Law Enforcement Directive until December 2031. The extension will allow European organisations to continue transferring data to the UK without additional safeguards. See the EDPS opinion here.

Revised guidance on generative AI: On 28 October, the EDPS published a revised version of its guidance on the use of generative AI by European Union (“EU”) institutions, bodies, offices and agencies, with the aim of strengthening the protection of personal data in a rapidly evolving technological context. The guidelines introduce a refined definition of Generative AI, a compliance checklist, clarification of roles and responsibilities, and guidance on legal bases, purpose limitation and data subjects’ rights, aligned with Regulation (EU) 2018/1725. You can see the guidelines here.

Spain

Spain-Colombia film and audiovisual co-production agreement: On 6 November, an agreement between Spain and Colombia on film and audiovisual co-production was published in the Official State Gazette (BOE) to stimulate the development of co-productions between the two countries. The agreement establishes a specific legal regime for jointly financed and produced works, including eligibility requirements. The agreement is valid for five years and can be extended. You can read the full agreement here (in Spanish). Pérez-Llorca’s legal briefing on the matter is available here (in Spanish).

AESIA publishes AI Act implementation guidelines: On 11 December, the Spanish government announced the publication of the AI Act compliance support guides, which are now available on the website of the Spanish Agency for the Supervision of Artificial Intelligence (using the Spanish acronym, AESIA). The guides, developed in collaboration with twelve Spanish companies from different sectors, aim to support the implementation of and compliance with European AI regulations and their applicable obligations. While they are not binding and do not replace applicable regulations, they provide practical recommendations aligned with regulatory requirements and include checklists for companies to document compliance measures for each use case. You can find the guides here (in Spanish).

Portugal

National Digital Strategy and AI Agenda: The Portuguese government has approved the new National Digital Strategy, the National AI Agenda and a Digital Skills Pact, aimed at accelerating the adoption of AI in the public sector, modernising state operations and promoting digital skills. According to official projections, the new AI Agenda could contribute up to 2.7 percentage points to Portugal’s GDP.

Transposition of the NIS2 Directive: The Portuguese government has approved a new Cybersecurity Law transposing the EU’s NIS2 Directive, expanding the number of public and private entities considered essential or important and imposing stricter obligations on risk management, incident reporting and governance. The new regime strengthens the powers of the National Cyber Security Centre (using the Portuguese acronym, the CNCS) and enters into force on 3 April 2026.

Lisbon Declaration on AI and digital regulation (D9+ Group): The Portuguese government has signed the Lisbon Declaration of D9+ countries, committing to regulatory simplification, pro-innovation digital standards and targeted investment in AI, digital infrastructure and advanced technological skills. A new national AI and digital strategy is expected by the end of 2025, which could introduce sectoral incentives for international technology companies operating in Portugal.

LATAM

Mexico

Advances in AI regulation: On 30 September, Mexican senators reported on progress in the development of a general regulatory framework for AI regulation, through the work of the Commission for Analysis, Monitoring and Evaluation on the Application and Development of Artificial Intelligence (Comisión de Análisis, Seguimiento y Evaluación sobre la Aplicación y Desarrollo de la Inteligencia Artificial). The proposed framework covers multidisciplinary issues such as governance and oversight of AI systems, risk classification, liability mechanisms and regulatory harmonisation in sectoral laws (including intellectual property, personal data and security), which means that technology companies will need to anticipate and align their compliance strategies with emerging standards of ethical and technical AI regulation.

Reform of the Federal Consumer Protection Law – “easy cancellation”: On 5 November, the Mexican Congress approved the reform adding sections VIII and IX to article 76 Bis of the Federal Consumer Protection Law, published in the Official Journal of the Federation on 12 December and in force since 13 December. The obligation to implement immediate and frictionless cancellation mechanisms in digital services with recurring charges impacts software architecture, user experience and the strategic use of digital design elements, forcing technology companies to align their business models, interfaces and operational flows with regulatory standards that directly impact the way their technological and intangible assets are used and protected.

Creation of the InnovaTecNM Fund and strengthening of academic patent protection: On 26 November, President Claudia Sheinbaum announced the creation of the InnovaTecNM Fund, aimed at promoting technological projects developed by students of the Tecnológico Nacional de México (TecNM). The selected projects will be registered with the Mexican Institute of Industrial Property (IMPI), with the aim of enabling students to obtain ownership of the patents derived from them, while increasing TecNM’s budget for training specialised talent. This programme is intended to strengthen the early protection of technology assets generated in academia, encouraging technology transfer and the proper management of intellectual property rights from the early stages of development.

Colombia

External Circular 002 of 2025 – data protection in technology transfer: The Superintendency of Industry and Commerce (“SIC”) issued this circular, providing instructions to ensure the protection of personal data in technology transfer processes. The standard establishes obligations for entities involved in transactions where datasets containing personal data or technologies enabling their processing (such as AI, biometrics or CRM solutions) are transferred, including verification of compliance, data protection by design, proven accountability mechanisms and contractual safeguards in international transfers.

MinTIC clarifies competences on blocking digital platforms: The Ministry of Information and Communication Technologies (the “MinTIC”) determined that it has no legal competence to block websites, media or digital platforms, in accordance with Law 1341 of 2009 and the principle of net neutrality. This clarification was formalised in an official reply of 27 November, reaffirming that any restriction must come from a competent authority under a legal mandate. The MinTIC emphasised that its role is limited to communicating to operators the decisions issued by entities who do have express competence.

Draft Law 274 of 2024 – updating the data protection regime: On 28 October, the First Committee of the House of Representatives approved, in its first debate, Bill 274 of 2024, which updates the personal data protection regime. The text introduces significant changes: broadening the concept of processing to include AI and big data, mandatory reporting of security incidents, impact assessments for high-risk operations, and redefinition of sensitive data to include information derived from automated profiling. The SIC is ratified as a control authority with greater sanctioning powers.

Bill 043 of 2025 – regulation of AI: The National Congress issued a positive report for the first debate of Bill 043 of 2025, which aims to regulate the use, development and implementation of AI in Colombia. The project establishes the classification of systems by risk levels, the creation of the National Authority for AI headed by the Ministry of Science, guidelines for transparency and human supervision, and mechanisms to promote research and technological sovereignty. With a message of urgency from the Executive, it is emerging as a strategic instrument to enable innovation and guarantee the protection of fundamental rights.

External Circular 001 of 2025 – personal data in FinTech: The SIC issued External Circular 001 of 2025, establishing instructions for processing personal data when offering FinTech products and services designed for financial inclusion. The guidelines include: ensuring legitimate purpose and temporality, data minimisation, informed and differentiated consent, enhanced protection of biometric data, transparency in automated decisions, and validation of the level of protection in international transfers. Failure to comply may result in penalties, underscoring the need to strengthen data governance in the FinTech ecosystem.

Transactional

The importance of the chain of rights: In transactions involving assets protected by intellectual property rights, it is essential to verify the chain of rights to ensure that the acquirer will obtain the necessary title to use the assets. The focus of this analysis varies significantly depending on the structure of the transaction. In a share deal, it is necessary to confirm that the company effectively holds title to the intangible assets and to verify the existence of change of control clauses that can be triggered by any change in corporate control. In an asset deal, it is essential to precisely identify each intellectual property right to be assigned, to ensure that the seller has the necessary powers to transfer them, and to detect clauses prohibiting their transfer. The transfer must be formalised in writing in accordance with the applicable regulations.

The increasing use of AI adds further complexity. The difficulty of attributing authorship in AI-generated works, together with regulatory uncertainties, requires assessment of the origin of the assets, the creation processes used and the feasibility of their commercial use.

Open-source: On the transactional side, we have identified a positive trend in relation to the sale and purchase of businesses whose assets incorporate open-source code subject to free software licences. Traditionally, the presence of open-source code in major technology assets has posed significant risks to the value of the transaction, especially when such code is subject to copyleft licences that oblige the licensee not to impose more restrictive conditions on sub-licensees than those originally imposed. These licences can generate a “contamination” effect on proprietary software when both codes are integrated by static compilation, resulting in derivative works that are subject to the same conditions as free software, which in certain cases can make it impossible to commercialise the asset or drastically reduce its value.

However, evolving software architectures and modern development practices have introduced a natural shield that mitigates these risks. In most of the transactions we have recently analysed, we observed that proprietary software is integrated with open-source code through dynamic links that relate to the executable of the code and not to the source code itself. This architecture based on dynamic linking establishes a technical separation that avoids the creation of derivative works in the sense set out by the more restrictive free software licences, which typically impose their conditions on related code by static linking or joint compilation into a single file or module. As a result, the open-source code remains intact and isolated, without contaminating the proprietary software under protection, preserving the transactional value of the technology assets and significantly reducing the contingencies identified during the due diligence process.

Generative AI policy: Virtually all companies use generative AI to optimise their internal processes, increase operational efficiency, and remain competitive in the market, making it an indispensable tool for business growth. However, this widespread and, in many cases, unregulated use creates significant legal and commercial risks that eventually require internal regulation due to both internal and external obligations. To take full advantage of the potential of generative AI while ensuring its responsible and up-to-date use, the implementation of a generative AI usage policy is essential for any organisation that seeks to maximise the benefits of this technology without compromising its legal and reputational security. You can read Pérez-Llorca’s full legal briefing on this matter here (in Spanish).

Administrative rulings and decisions

EUROPEAN UNION

CJEU

Liability of online marketplaces for personal data in advertisements (C‑492/23): On 2 December, the Court of Justice of the European Union (“CJEU”) ruled that the operator of an online marketplace is responsible for the processing of personal data contained in advertisements posted by users. When such advertisements contain sensitive data (e.g. relating to sex life), strict technical and organisational measures must be applied before publication: identifying whether the advertisement contains sensitive data, verifying the identity of the user and checking the match with the person whose data appears or the existence of explicit consent; if not, publication must be refused. The CJEU clarified that these obligations under the GDPR cannot be circumvented by invoking the exemptions from liability under Directive 2000/31/EC on electronic commerce. You can read the judgment here.

Copyright protection of objects of applied art (C‑580/23 and C‑795/23): On 4 December, the CJEU confirmed that applied art objects, such as furniture or utilitarian designs, can be protected by copyright if they meet the same criteria of originality applicable to other works: they must reflect the author’s personality through free and creative decisions objectively expressed in the object. The CJEU rejected that there is a rule-exception relationship between design protection and copyright protection, and clarified that the criterion for infringement is not the “overall impression” of design law, but whether the original creative elements are reproduced in a recognisable form in the allegedly infringing object. You can read the judgment here.

Spain

Co-authorship of works of art (STS 1338/2025): The Spanish Supreme Court upheld an artist’s co-authorship of 221 pictorial works created during her collaboration with the defendant between 2006 and 2016. The claimant materially created the paintings according to indications on subject matter and sketches, but also made her own decisions and gave expression to her artistic personality. The Court rejected that the existence of an employment relationship excludes authorship, given that moral rights are inalienable, and affirmed that the material execution of the work may embody originality protectable under the European concept of “intellectual creation”. You can read the judgment here (in Spanish).

PLL TechLaw judgment

Registration of a numerical mark with graphic appearance (STS 1297/2025): The Spanish Supreme Court upheld the appeal against the refusal to register the numerical series “26 1 18 1”, with a certain graphic appearance, ordering that it can be registered. The numbers correspond to the letters ZARA in the English alphabet (the position of each letter). The Court considered that, since ZARA is of great significance within the applicant group of companies, an average consumer can easily identify the goods marked with the numerical sign with their corporate origin. The judgment emphasises that the order of the numbers does not prevent the sign from being mentally retained, especially considering the joint visual and auditory perception. You can read the judgment here (in Spanish).

Meta ordered to pay a fine due to unfair competition (SJM 98/2025): On 19 November, the Madrid Commercial Court ordered Meta to pay €542 million to AMI members for unfair competition. The ruling found that Meta gained a “competitive advantage” by using data from millions of users on a legal basis that did not permit such use for the sale of personalised advertising, an advantage that the claimants, who engage in online display advertising, will never be able to match. The judgment can be appealed before the Madrid Court of Appeal. You can read the judgment here (in Spanish).

The CNMV fines X €5 million for publishing fake cryptocurrency investment ads impersonating celebrities: On 13 November, the Official State Gazette published the sanction imposed on X (Twitter International Unlimited Company) for €5 million for allowing the publication of advertisements for irregular investment companies on its social network. Additionally, the adverts used deepfakes with images of famous people to advertise their investment services, as well as false media reports that encouraged the use of the investment companies’ financial services. You can read more here (in Spanish).

LATAM

Colombia

Annulment of a court order for improper use of AI (Judgment STC17832-2025): The Colombian Supreme Court determined that the ruling of the Superior Court of Sincelejo was based on non-existent jurisprudential citations, allegedly hallucinated by technological tools, which constituted a violation of the fundamental right to due process. The Court warned that the incorporation of unverified information in judicial decisions constitutes a defect of reasoning and a de facto violation, setting a precedent on the limits and risks of the use of AI in the administration of justice.

Closure of transactions for improper data processing (Resolution 78798 of 3 October 2025): The SIC sanctioned the companies World Foundation and Tools for Humanity Corporation with the immediate and definitive closure of all operations involving the processing of personal data in Colombia. The investigation revealed serious breaches of the data protection regime, including lack of policies and procedures to guarantee the right to habeas data, lack of valid authorisation for processing sensitive data and deficiencies in security measures. The companies collected biometric iris images of thousands of people in exchange for financial incentives, without clearly informing them about the purposes for the processing.

Advice – Legal Tech

European “Apply AI” strategy: In October 2025, the European Commission launched the “Apply AI” Strategy, which integrates the “European AI strategy” with a focus on the practical application of AI across Europe. It aims to harness the transformative potential of AI by promoting wider adoption and integration in key industrial and public sectors, paying particular attention to the needs of SMEs and providing targeted support to accelerate their digital transformation, while maintaining the focus on excellence, trust and protection of fundamental rights. You can read more here.

Teams comprising humans and AI outperform teams composed of only humans or only AI: Recent research shows that mixed human-AI teams perform better under pressure than human-only or AI-only teams. The findings suggest that this combination can be particularly effective when the stakes are high and resources are scarce, enabling better task performance even when human understanding of the AI response is limited. You can read the paper here.

McKinsey’s “The State of AI in 2025” report: On 5 November, McKinsey published a report analysing the current state of AI implementation in the business world. In particular, it noted that 88% of companies already use AI in at least one business function, up from 78% last year. However, only a third have managed to scale AI across the board: most continue with pilots or partial implementations. The report concludes that AI has become standard, but its real value depends on the ability to move from pilot to strategic scaling, redesigning internal processes and structures. You can read the report here.

OpenAI updates the ChatGPT usage policy: OpenAI revised ChatGPT’s usage policies to prohibit personalised advice in regulated areas such as law, medicine and finance. ChatGPT will no longer provide diagnostics, legal recommendations or tailor-made investment strategies; it will only be able to provide general information and context. The change is aimed at ensuring responsible use of AI, preventing users from confusing its answers with the opinion of an accredited professional. The amendments entered into force on 29 October. You can read the new policy here.

Spain creates UNE specification to measure AI sustainability: On 9 October, the Spanish Association for Standardisation, at the initiative of the Secretary of State for Digitalisation and Artificial Intelligence, published technical specification UNE 0086, developed by 35 expert entities, which establishes a common framework for measuring energy consumption, carbon footprint, water consumption and the performance of AI systems. The specification provides guidance for quantifying the environmental impact of AI models and algorithms at all stages of their lifecycle. This initiative is part of the National Green Algorithms Programme (PNAV) and positions Spain at the forefront of defining international standards in technological sustainability. You can read more here (in Spanish).