Artificial intelligence (AI) fundamentally relies on data, which acts as its main engine. However, companies developing these technologies face an uncertain and risky legal landscape. The recent case of Grok, Elon Musk's AI used on the social network X and linked to the creation of child pornography, has highlighted the urgency of addressing data protection in the field of AI. Neither legal experts, lawyers, nor regulators have clear answers on how to balance technological innovation with privacy, nor the true magnitude of the challenge. In Spain, experts anticipate an increase in sanctions in the coming months, as the current enforcement activity has been limited. Francisco Pérez Bes, deputy director of the Spanish Data Protection Agency (AEPD), points out that the low number of complaints is due to AI still being an emerging technology. However, cases like Grok predict greater scrutiny and potential collective claims in the short term. These issues were discussed at the presentation of the sixth edition of the Practical Guide to Artificial Intelligence, published by Aranzadi LA LEY, which delves into the risks of AI for privacy and personal data. During the event, held at the Madrid School of Legal Practice, experts analyzed the complex regulatory framework attempting to impose limits on a technology that is advancing faster than legislation. They agreed that there is a "normative bicephaly" that complicates legal certainty. In the European Union, the General Data Protection Regulation (GDPR) and the Artificial Intelligence Regulation (RIA) coexist, but their relationship is not yet fully defined, delaying the imposition of harsher penalties and creating uncertainty for companies on how to comply with both regulations. Pérez Bes emphasized that the GDPR and RIA converge, but data protection remains under the jurisdiction of the GDPR, including the power to impose sanctions. Moisés Barrio, a lawyer from the Council of State, clarified that the RIA does not replace the GDPR, so compliance with one does not exempt compliance with the other. From the business perspective, Belén Arribas Sánchez, president of Enatic, highlighted the growing demand for AI systems that work with completely anonymized data, opening new opportunities for technology providers. She also warned of risks such as the collision between data minimization and the use of big data, management of retention periods, and unforeseen uses of information, as well as threats like incorrect attribution of facts, disclosure of data without consent, or processing of sensitive data. Internal governance was another central topic. Alejandro Touriño, managing partner of Écija, explained that the GDPR and RIA protect different legal goods, and their entry into force at different times has led to fragmented organizational responses and confusion in companies. Touriño emphasized the difference between the data protection officer (DPO), responsible for privacy, and the chief AI officer (CAIO), in charge of technology, warning that a purely technical profile for the CAIO may overlook key legal aspects. Cristina Retana, content director of Aranzadi LA LEY, insisted that AI governance requires collaboration between business, technology, legal, and data protection, and recommended operating with systems trained only on well-managed internal data in auditable environments. The Practical Guide to Artificial Intelligence, published by Aranzadi LA LEY, is a bimonthly series in which experts address the legal challenges of AI. Its sixth installment, authored by Moisés Barrio, deeply analyzes the complex relationship between the RIA and the GDPR, especially regarding the processing of personal data. Source: cincodias.elpais.com