The emergence of generative artificial intelligence, with tools like ChatGPT, Gemini, or Claude, is transforming the landscape of claims following security breaches in large companies. A recent example is the case of Endesa, which admitted in January to a data leak affecting 20 million customers, including sensitive information such as ID numbers and bank IBANs. In addition to the usual reputational crisis, companies now face the challenge of managing an unprecedented volume of claims generated by AI. According to legal experts, companies are facing an avalanche of automated claims. Users, after receiving notification of the breach, turn to AI tools to draft precise claims in seconds. This ease is supported by current regulations: the General Data Protection Regulation (GDPR) of the European Union requires informing affected individuals when a breach poses a high risk to their rights and freedoms, as explained by Joaquín Muñoz, a partner at Bird & Bird. In Spain, the Organic Law on Data Protection and the General Telecommunications Law reinforce these obligations, establishing specific penalties and guidelines, while the Spanish Data Protection Agency (AEPD) oversees compliance. The key criterion for notifying a breach is the risk to the rights of the affected individuals, not just to the company. Thus, generative AI multiplies claims, empowering citizens but also generating expectations that sometimes exceed what the law provides. Companies must now not only manage the breach and meet notification deadlines but also respond to a flood of requests for exercising rights—access, rectification, deletion, opposition, or portability—that the GDPR requires to be addressed in a timely manner. Many of these requests do not seek direct compensation but can escalate through two avenues: the administrative route, by filing a complaint with the AEPD, which can impose fines of up to 20 million euros or 4% of annual revenue; and the civil route, where Article 82 of the GDPR recognizes the right to compensation for material or immaterial damages, such as loss of data control or identity theft. Although amounts in Spain are usually moderate, the trend is upward, driven by the massive use of AI in preparing claims. This scenario generates frustration among companies, which perceive that penalties are increasingly based on the outcomes—the existence of the breach—rather than on the means employed to prevent it, even if reasonable measures were taken. The impact of AI also extends to firms specializing in mass claims. Companies dedicated to banking, airline, or consumer litigation observe how automation allows users to generate quality initial claims without intermediaries, eroding the value of more standardized services. Cases like Reclamador or the crisis at Arriaga Asociados reflect this change: users no longer depend on a third party to initiate a basic claim, anticipating a structural transformation in a sector that has relied on standardization and volume for years. Source: elconfidencial.com