Spain Warns of 'Agentic AI' GDPR Risks

The Spanish regulator's guidance moves beyond generative AI, focusing on autonomous "agentic" systems that can plan and execute tasks. The core risk is that these agents can interact with external databases, APIs, and other services, creating complex data processing chains that occur without direct human supervision at every step. This could lead to an AI agent independently processing personal data in ways that breach GDPR's principles of transparency, purpose limitation, and data minimization. A key concern highlighted by the AEPD is the "bring-your-own-agent" (BYOAgentic) phenomenon. This involves employees using easily accessible platforms to build their own AI workflows outside of official governance, underestimating the legal and technical complexity and leading to uncontrolled processing of sensitive personal data. This creates significant liability, as the organization remains the data controller responsible for compliance. In a govtech context, this could manifest as an autonomous agent tasked with summarizing public feedback accidentally accessing and processing personally identifiable information from the source data, then using it for subsequent, unauthorized tasks. For example, a chatbot on a government website could give incorrect, legally-binding advice based on its autonomous interpretation of policy documents, as has happened with airlines. Such an action could fall under Article 22 of the GDPR, which grants individuals the right not to be subject to decisions based solely on automated processing that have legal or similarly significant effects. For political tech, the risks are even more acute. Autonomous AI "swarms" can be deployed to infiltrate online communities, learn their biases, and spread hyper-targeted misinformation to influence public opinion or electoral outcomes. These systems can autonomously generate and test persuasive content, making it nearly impossible to trace the origin of the manipulation and hold a human accountable. These scenarios are why the incoming EU AI Act will classify many govtech and political tech systems as "high-risk." AI used in the administration of justice, democratic processes, or for influencing the outcome of elections will face strict obligations, including rigorous risk assessments, high-quality data sets to prevent bias, and robust human oversight. The AEPD's warning is a signal for vendors in this space to build in "data protection by design and by default." This means technical and organizational measures must be implemented from the outset to manage an agent's memory, control its level of autonomy, and log its actions to ensure traceability. For vendors serving political and public sector clients, proving this level of control and compliance will become a critical market differentiator.