One of the most widespread uses of artificial intelligence (AI) is the automated generation of content, particularly images and videos. Today, the creation of highly realistic faces, landscapes, and other visual representations opens up new opportunities, but it also raises serious concerns.
The spread of deepfakes, which are audiovisual contents manipulated using AI, is one of the most critical issues, as it is often extremely difficult to distinguish what is real from what is not. This practice is increasingly used to create hyper-realistic manipulations that can seriously infringe fundamental rights.
The Spanish Data Protection Authority (AEPD) has recently issued a decision that represents a significant step forward in the regulation of this type of content. For the first time, the creation and dissemination of fake sexualized images generated through AI has been sanctioned, a development that has attracted considerable attention from both the media and the legal community.
Below, we explain what happened, why it matters, and how it affects any company that uses images in the digital environment.
The AEPD’s intervention began after several media reports warned about the circulation of AI-manipulated images in which real faces were placed onto naked bodies that did not belong to them. This material was distributed through social networks, messaging applications, and adult content platforms.
In response to these indications, the Authority opened preliminary investigations to clarify the facts, gather information, and attempt to identify those responsible.
Subsequently, the filing of a formal complaint by one of the affected individuals reinforced the need to continue the investigation. During this phase, the AEPD requested the cooperation of the Public Prosecutor’s Office, due to the possible involvement of minors, as well as the Spanish Tax Agency, in order to verify the identity and residence of the alleged offender.
Once the necessary information had been collected and sufficient indications had been confirmed, the AEPD decided to initiate sanctioning proceedings.
In its decision, the AEPD makes it clear that this type of content is not merely a simple digital montage, but rather constitutes a processing of personal data.
The General Data Protection Regulation (GDPR) considers personal data to be any information that identifies or makes a person identifiable, as is the case with an image or a face. Therefore, the digital manipulation of these photographs, including their creation, modification, and subsequent dissemination, constitutes processing subject to data protection legislation.
In addition, the Spanish authority points out that the creation of these deepfakes is unlawful because there is no legal basis to legitimize it. There is no consent from the affected individuals, no legal obligation, nor can a legitimate interest be invoked that overrides the rights of the individuals concerned.
This absence of a legal basis makes the processing clearly contrary to the GDPR and to Organic Law 3/2018 (LOPDGDD).
One of the most relevant aspects of the case is the presence of minors among the affected individuals. Spanish legislation provides enhanced protection for minors, prohibiting the dissemination of any image that could undermine their honor or dignity.
For this reason, the AEPD referred the facts to the Public Prosecutor’s Office, giving rise to possible additional criminal liabilities.
The message is clear: the harm that these practices can cause to a minor is particularly serious and requires a proportionate response.
Finally, the AEPD imposed a financial penalty on the offender and ordered the immediate cessation of the processing of the images, as well as the obligation to refrain from storing or disseminating any similar content in the future.
Beyond the fine itself, this decision represents a turning point, as it sets out how deepfakes should be addressed from a data protection perspective and anticipates increased scrutiny of AI use in the digital environment.
How does this affect businesses?
Any organization that allows users to upload, host, or display images on its website or digital services may face risks if it does not control the authenticity of the content being published.
These risks include:
To avoid these risks, it is essential to have tools that allow the identification of manipulated images before they reach the public.
To prevent situations like this, at Lawwwing we have developed an automatic detection system for images manipulated or generated using AI, specifically designed to help companies prevent issues such as those analyzed in this decision.
This solution is called:
