Skip to content
AS
Alonso Sala
CRIMINAL LAWYERS
ES

Corporate AI Criminal Risk Defence Lawyers

Algorithmic compliance design and criminal defense for corporate AI use: EU AI Act, discriminatory bias, automated decisions, deepfakes and algorithmic liability.

Last updated:

EU AI Act

Regulation EU 2024/1689 classifies AI systems in four tiers: prohibited (social scoring, cognitive manipulation, real-time biometric identification with exceptions), high-risk (HR, credit scoring, critical infrastructure, healthcare, education, justice), limited risk (chatbots, synthetic content — transparency obligation) and minimal risk. Each tier implies different obligations. Non-compliance generates fines of up to €35M or 7% of worldwide turnover.

Criminal Typologies for AI Misuse

  • Discrimination (Art. 510 and 314 CP): Biased scoring or filtering system denying hiring, credit or service.
  • Fraud (Art. 248 CP): Erroneous output from commercial chatbot inducing client error.
  • Degrading treatment (Art. 173 CP): Surveillance or labor management system imposing humiliating conditions.
  • Privacy offenses (Art. 197 CP): Mass processing of personal data without legal basis.
  • Document forgery (Art. 390 CP): Generation of synthetic documents with legal value.

Automated Decisions and Willful Blindness

The Gordian knot of AI criminal liability is willful blindness: when does the executive authorizing deployment accept as probable the harmful result? Doctrine indicates willful blindness when: (a) system operated on non-representative datasets; (b) no prior bias audit; (c) no meaningful human supervision; (d) internal technical team alerts were ignored.

Discriminatory Bias

Algorithmic bias systematically disadvantaging persons by gender, race, age or origin activates Art. 510 CP (discrimination with fine or imprisonment) and Art. 314 CP in labor context. Defense requires demonstrating periodic external audit with fairness metrics, statistically representative training datasets, human review procedure for critical decisions, and documented remediation procedure for alerts.

Algorithmic Compliance Design

The Art. 31 bis CP prevention model must be extended with AI governance: internal model registry with risk tiering; technical model cards with intended use and limitations; pre-deployment and recurring bias audit; real and documented human supervision; algorithmic incident channel; specific training for product, data and compliance teams.

An effective criminal-compliance model against AI risk: the six requirements of Article 31 bis(5) of the Criminal Code

There is still no autonomous artificial-intelligence offence. The criminal risk that AI introduces into a company is channelled through the ordinary route of corporate criminal liability under Article 31 bis of the Spanish Criminal Code: the entity may be liable when, in its name and for its direct or indirect benefit, one of the offences in the closed statutory list is committed (fraud, discovery and disclosure of secrets, computer damage, offences against privacy, among others), whether by its directors or representatives, or by subordinates where there has been a serious breach of the duties of supervision, monitoring and control. An AI tool does not create a new offence: it amplifies exposure to those that already exist.

That is why the decisive element is the organisation and management model. For it to produce exempting or mitigating effects, Article 31 bis(5) requires the model to meet six requirements: to identify the activities in whose scope the offences to be prevented may be committed; to establish protocols specifying how the entity forms its will and adopts and executes decisions; to maintain financial-resource management models adequate to prevent those offences; to impose a duty to report possible risks and breaches to the compliance body; to set up a disciplinary system that sanctions non-compliance; and to verify the model periodically, amending it when relevant breaches come to light or the organisation or activity changes.

Translated to AI, this means integrating each algorithmic system into the criminal risk map as one more activity: documenting who decides on its deployment, what human controls intervene before an automated output produces legal effects, how access to personal and third-party data is managed, and what traceability remains of the system's decisions. A model that does not contemplate the risks arising from the use of AI can hardly be presented as suitable, adopted and effectively implemented.

The autonomous oversight body and the burden of proving the exemption

The model's exempting effect depends, beyond its content, on its supervision having been entrusted to a body of the legal person with autonomous powers of initiative and control, or one legally charged with supervising the effectiveness of internal controls. That compliance body must enjoy genuine autonomy from the management body: capacity for initiative, access to information, sufficient resources, and the ability to act independently of any interests of the entity unrelated to the model's effectiveness. In the AI sphere, it is responsible for continuously monitoring the algorithmic systems in use, not as a one-off implementation check, but as a periodic verification of their operation and results.

A technical point worth anticipating is who must prove what. The allocation of the burden of proof on the model's suitability and effectiveness is a debated and evolving question; the Supreme Court's more recent orientation, safeguarding the presumption of innocence, places on the prosecution the burden of proving the organisational defect that grounds liability, without prejudice to the company in practice producing the evidence of its model, its adoption and its effective implementation before the act. Having a policy document is therefore not enough: one must be able to show real operation, activity records of the compliance body, training delivered, reviews carried out, and disciplinary reaction to incidents. A cosmetic model, adopted after the facts or never verified, does not exempt.

Article 31 bis(4) provides, for offences committed by subordinates, that the exemption applies where, before the commission, a prevention model adequate to prevent offences of that nature or to significantly reduce the risk of their commission had been adopted and effectively implemented. The company's defence is therefore built on documentary evidence contemporaneous with the facts, not on later reconstructions. Anticipating and safeguarding that evidence is a central part of preventive advice.

The company under investigation: its own procedural status, autonomous defence and the penalties of Article 33.7

When an offence that triggers corporate criminal liability is charged, the entity acquires its own procedural status as an investigated party, with rights analogous to those of a natural person: to be informed of the accusation, not to testify against itself, not to confess guilt, and to a defence with legal counsel. The company appoints a representative specifically for the proceedings, distinct from anyone who may be charged as a natural person, to avoid conflicts of interest. This defence is autonomous: Article 31 ter establishes that the legal person's liability may be required even where the specific responsible natural person has not been individualised or it has not been possible to direct the proceedings against that person.

The consequences the entity faces do not follow the penalty-and-limitation scheme of natural-person offences. Article 33.7 lists the penalties specific to legal persons: fines by quota or proportional; dissolution; suspension of activities; closure of premises and establishments; prohibition on carrying out in the future the activities in whose exercise the offence was committed, facilitated or concealed; disqualification from obtaining public subsidies and aid, contracting with the public sector, and enjoying tax or social-security benefits and incentives; and judicial intervention to safeguard the rights of workers or creditors. Some of these penalties may be ordered even as a precautionary measure during the investigation.

The proceedings also allow a plea agreement by the legal person, which may be negotiated independently of that of the natural-person defendants. The prior existence of a compliance model, its degree of implementation and cooperation with the investigation bear both on a possible exemption and, subsidiarily, on mitigation: Article 31 quater lists as mitigating circumstances, among others, confessing before learning of the proceedings, cooperating by providing decisive evidence, repairing the harm, and establishing effective measures to prevent and detect offences in the future.

The Law 2/2023 reporting channel, internal investigations and Article 130.2 succession in corporate transactions

The disciplinary system and reporting channel required by the compliance model now connect with Law 2/2023 of 20 February, which transposes Directive 2019/1937 and requires private companies with fifty or more workers to set up an Internal Information System. That system rests on three pillars: the internal channel, the system manager, and the management procedure, with guarantees of confidentiality of the informant's identity and a prohibition on reprisals. In the AI field, the channel is the natural route for surfacing incidents early — discriminatory outputs, improper data access, unauthorised use of tools — before they crystallise into a criminally relevant act, and its documented operation reinforces the model's suitability.

Internal investigations triggered by an alert must be conducted respecting the rights of the employees concerned, because the usability of the evidence obtained depends on their lawfulness. Criteria of proportionality must be observed, along with prior notice of the existence of the controls, respect for privacy and data protection, and the duty to inform about the use of work tools. An internal investigation conducted without safeguards may not only invalidate the evidence but also compromise the company's own position. It is therefore advisable to set out in advance protocols for reviewing devices, corporate email and the logs of algorithmic systems.

Finally, the effect of criminal liability on corporate transactions should be borne in mind. Article 130.2 provides that the criminal liability of a legal person is not extinguished by its transformation, merger, absorption or division, passing instead to the resulting or beneficiary entity or entities, nor by its concealed or merely apparent dissolution. This makes auditing criminal risk — including that arising from AI systems and from the robustness of the target company's compliance model — an indispensable part of due diligence in any acquisition or corporate restructuring.

balance

Penalties & Consequences: Corporate AI Criminal Risk Defence Lawyers

Type / ScenarioCriminal Penalty
Discrimination (Art. 510 CP)1 to 4 years' imprisonment and 6 to 12 months' fine. Special disqualification.
AI Act fineUp to €35M or 7% of worldwide turnover for prohibited systems.
Legal person liabilityProportional fine, disqualification from public contracting and, in serious cases, activity suspension.

* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.

shield_lock

Defense Strategy: Corporate AI Criminal Risk Defence Lawyers

gavel01

Integral AI risk assessment

Mapping of all deployed AI systems with AI Act classification, legal risks and mitigation plan.

gavel02

Model cards and internal registries

Technical and operational documentation of each model with owners, training data and metrics.

gavel03

External bias audit

Independent and recurring audit with fairness, robustness and explainability metrics.

gavel04

Algorithmic incident protocol

Specific channel for reporting anomalous behavior, with investigation, remediation and communication.

Economic Criminal Law in Spain: Tax Fraud, Money Laundering and Corporate Crimes

Economic criminal law encompasses the most severe financial penalties in the Spanish Criminal Code. Tax fraud over €120,000 (Art. 305 CP), money laundering (Art. 301 CP), and corporate crimes (Art. 290-297 CP) are complex offenses where defense requires a combination of criminal law expertise and deep accounting/financial knowledge.

Penalty Comparison: Economic Offenses

OffenseThresholdPenalty
Tax Fraud (Art. 305)>€120,0001 – 5 years + fine x6
Aggravated Tax Fraud>€600,0002 – 6 years
Money Laundering (Art. 301)Any amount6 months – 6 years
Aggravated LaunderingOrganized/financial systemUp to 9 years
Corporate Crime (Art. 290)Balance sheet falsification1 – 3 years
Punishable Insolvency (Art. 259)Fraudulent bankruptcy1 – 4 years

Key Defense Strategies

Tax Regularization Defense (Art. 305.4 CP)

Pay the full tax debt before charges are formally filed and the crime is extinguished. This is the most powerful complete defense in tax fraud cases.

Challenge the €120K Threshold

The tax authority's calculation method is often contestable. Independent forensic accounting can challenge the assessed figure below the criminal threshold.

Money Laundering 'Self-laundering' Issues

Spanish courts have debated whether the primary offender can also be convicted of laundering their own proceeds. Challenge the double jeopardy implications.

Corporate Crime: Harm to Company vs. Shareholders

Art. 295 corporate crimes require actual financial harm to the company or its members. Demonstrate that any loss was speculative or absent.

gavel

Why Choose Us?

Need a criminal defense lawyer for this type of offense? Here's how we work:

check
Prior bias auditDemonstrate independent fairness and robustness evaluation before deployment.
check
Real human supervisionEstablish that meaningful human review took place on critical automated decisions.
check
Decision traceabilityComplete log retention to reconstruct each algorithmic decision and its input.
workspace_premium
+15 Years of ExperienceTeam dedicated exclusively to criminal law before Spanish courts and tribunals.
support_agent
Direct AttentionYour case is handled directly by a senior lawyer of the firm.
Consult My Casearrow_forward

Do you need specialised legal assistance?

The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.

call