Criminal-law developments —legislative reforms, case law and sectoral updates— with a summary of each and a link to the in-depth analysis.
smart_toyAI & data protection
Spain’s data protection agency: creating an AI nude from a real photo is itself processing of personal data
In file EXP202314956, the Spanish Data Protection Agency (AEPD) holds that taking an image a person had uploaded to a social network, manipulating it with an AI tool to depict the person nude (a deepnude), and sharing it via messaging amounts to processing of personal data under the GDPR, with the person doing so acting as the data controller (Art. 4.7 GDPR) because they determine the purposes and means. The case, between minors, ran on two parallel tracks: a juvenile court, which ended in conciliation, and the AEPD itself. The Agency archived the procedure without a sanction, finding the punitive aim had already been met through the court, but set a precedent: the harm lies not only in the image going viral but in the unlawful processing of the image itself.
The EU agrees to toughen child sexual abuse offences, raise penalties and extend limitation periods to 32 years
On 22 June 2026 the European Parliament and the Council of the EU reached a provisional political agreement —still pending formal approval by both institutions— to revise the directive on the sexual abuse and exploitation of minors. It broadens the list of offences (using AI to generate abuse material, livestreaming, sextortion and grooming), raises penalties (at least 10 years for the most serious offences) and extends limitation periods to 32 years from the victim’s age of majority for the gravest crimes, and 20 and 15 years for the rest. Once adopted, member states will have three years to transpose it into national law.
Sexual deepfakes: how the Criminal Code prosecutes them
There is no specific «sexual deepfake» offence: such conduct is prosecuted through crimes against moral integrity, privacy and honour and, where the victim is a minor, as virtual child pornography (Arts. 189 and 197 CP). The analysis covers the legal classification and the digital-forensic lines of defence.
The Supreme Court awards €2.5M for judicial error to a man who spent nearly 18 years in prison for two rapes of which he was acquitted
In a ruling of 18 June 2026, the Fifth Section of the Supreme Court’s Administrative Litigation Chamber found a qualified and unequivocal judicial error and set compensation at 2,500,000 euros (out of the 3,645,000 claimed) under the State’s patrimonial liability for the functioning of the administration of justice (Article 121 of the Constitution and Article 293 of the Organic Law of the Judiciary). The claimant served nearly 18 years in prison for two rape offences of which he was acquitted when the Criminal Chamber reviewed his case: the trial court had failed to assess an admitted, unchallenged biological expert report whose DNA result was incompatible with his authorship, with the conviction resting decisively on the victim’s identifying testimony.
MiCA: the transitional period for exchanges ends on 1 July 2026
On 1 July 2026 the MiCA Regulation’s transitional period ends: only crypto-asset service providers (CASPs) authorised by the CNMV or another EU authority may operate. Using unlicensed platforms may create liability and complicates the recovery of deposited funds.
Compliance: recent Supreme Court doctrine on the burden of proof
Recent doctrine from the Second Chamber of the Supreme Court refines who bears the burden of proving that a criminal-prevention programme is effective. The shift has direct practical consequences for the evidentiary strategy of the company under investigation.
When an autonomous AI agent causes harm or carries out criminal conduct, criminal liability is allocated among developer, deployer and user according to control and foreseeability. We analyse the attribution criteria within the current criminal-law framework.
Organic Law 1/2025: Courts of Instance and digitalised proceedings
Organic Law 1/2025 on the efficiency of the Public Justice Service reorganises the court structure through the new Courts of Instance and reinforces the digitalisation of proceedings. On the criminal side it affects the appeals regime and enforcement, with practical consequences for how cases are processed.
Two former executives convicted for using company trade secrets to set up a competitor (ruling 289/2026)
The Criminal Section of the Court of First Instance of Barcelona (seat 28) —the new judicial structure created by Organic Law 1/2025— issued ruling no. 289/2026 of 15 May convicting two former executives (the commercial director and the IT manager) of the lucrative use of a disclosed trade secret, within the offence of discovery and disclosure of business secrets (Arts. 278-280 of the Criminal Code). After leaving, they used their former employer’s confidential information (client and supplier lists, commercial offers and strategic documentation) to give a competitive edge to the company they had set up. Each received one year in prison and a 1,080-euro fine, plus joint compensation of 22,500 euros, with mitigating circumstances of partial reparation and extraordinary undue delays.
Spain’s Supreme Court sets out 42 criteria for trying gender-based and sexual violence with a gender perspective
In judgment 308/2026 of 29 April, the Criminal Chamber of Spain’s Supreme Court sets out a judicial reference manual for trying gender-based and sexual violence. It is organised in three blocks: 28 criteria for identifying and describing gender-based violence in the proven facts, 7 on the consequences of victimisation for women, and 7 on what applying a gender perspective actually means. The doctrine is laid down while dismissing the cassation appeal of a man convicted of habitual abuse, sexual assault and threats against his partner.
Organic Law 1/2026: repeat offending, phone theft and fuel supply
Organic Law 1/2026, in force since 10 April, toughens the criminal response to repeat offending: it creates an aggravated theft offence where three prior convictions concur, aggravates the theft of phones and devices holding personal data (Art. 235 CP) and criminalises fuel supply to drug-trafficking vessels («petaqueo», Art. 568.2 CP). It also amends the recidivism regime (Art. 22.8) and the suspension of sentences.
The «only yes means yes» law: what has changed in sexual offences
The «only yes means yes» law (Organic Law 10/2022) reorganised sexual offences around consent and merged assault and abuse. We review the later legislative adjustments, the renumbering of Articles 178 et seq. CP and the 2024-2026 case law.
Drink-driving: the breathalyser’s error margin as a defence
In fast-track drink-driving trials, challenging the calibration and error margin of the breathalyser is a defence avenue against readings close to the criminal threshold of Art. 379.2 CP. Securing legal assistance from the outset is decisive to preserve that challenge.
Cybercrime 2026: the era of AI-driven cognitive attacks
Digital crime in 2026 shifts from attacking systems to the «cognitive attack»: AI-driven social engineering at scale —cloned voice, video and images— to impersonate and defraud. The analysis reviews the applicable offences and the keys to defence and prevention.
Compliance 2026: towards mandatory algorithmic auditing
EU directives taking effect in 2026 push towards mandatory auditing of hiring and scoring algorithms, with a direct impact on corporate criminal-compliance programmes under Art. 31 bis CP. We review what companies must check to avoid liability.
We use essential cookies and, if you accept, a Google Ads measurement cookie. We do not use Google Analytics, heatmaps or session recording. See the cookie policy.