BOTS, BORDERS AND BRUSSELS: THE EU AI ACT AND GIBRALTAR

03/06/2026 James Montado, James Castle

In today’s world, finding widespread consensus is rare. One notable exception, however, appears to be the rise and use of artificial intelligence (“AI”). Since the widespread adoption of LLM-based AI (such as ChatGPT, Claude or Gemini), and their steady adoption into everyday tools and services, one conclusion is difficult to escape. AI is no longer a future concept, but an established and seemingly permanent feature of modern life.

Against that backdrop, regulatory intervention was inevitable. As AI capabilities have expanded, so too has the need for oversight. Legislators and regulators are now grappling with how best to manage both the risks and opportunities presented by these technologies. Within the European Union, this has culminated in the introduction of the Artificial Intelligence Act, which came into force on 1 August 2024 (the “AI Act”) with most obligations for High Risk AI coming into force on 2 August 2026. The legislation represents the EU’s attempt to create a harmonised framework governing the development, deployment and use of AI systems, with a particular focus on ensuring safety, accountability and transparency.

For businesses operating in Gibraltar, a key area of concern is the extent to which this EU regime may apply beyond its borders. The starting point lies in Article 2 of the AI Act, which adopts a deliberately broad approach. In particular, it captures entities placing AI systems or general-purpose AI models on or to the EU market (what could be termed “Market Jurisdiction”) and entities which deploy AI systems within their EU operations (what could be termed “Use Jurisdiction”), but also those operating from outside the EU where the output of those systems is used within it (what could be termed “Output Jurisdiction”). In other words, the Act is designed to have extraterritorial reach and effect.

This raises the obvious question: what does that mean in practice, and where does it leave Gibraltar-based businesses? In our view, the position is neither novel nor especially complex. The approach mirrors, in many respects, the familiar territorial scope of the General Data Protection Regulation (GDPR). As such, the analysis turns on whether there is a sufficient connection to the EU market to establish any of Market, Use or Output Jurisdiction. The key questions to be asked are therefore likely to be: (i) does your AI product or service have customers in the EU; (ii) are the outputs of your AI used to influence decisions in the EU; (iii) do you market your AI product or service into the EU; (iv) is your AI embedded or incorporated into another product or sold into the EU; or (v) do you deploy an AI system within your EU-based operations? If yes, then there is a likelihood that the AI Act may apply to you. In those circumstances, Gibraltar entities may find themselves subject to compliance obligations similar to those imposed under GDPR, including, where required, the appointment of an authorised representative within the EU.

At present, Gibraltar has not introduced a standalone legislative regime specifically regulating AI. Instead, the use of AI technologies is assessed through the lens of existing legal frameworks, most notably data protection. The Gibraltar General Data Protection Regulation, together with the Data Protection Act 2004, already imposes a number of obligations which are directly relevant to AI deployment. These include requirements for fair and transparent processing, clear communication with data subjects regarding how their data is used (including where AI may be involved in a decision-making process), and the undertaking of data protection impact assessments in cases involving high-risk processing (something which many large-scale AI applications will trigger). Additionally, issues of data sovereignty will likely fall to be considered: sharing or transferring data outside Gibraltar, the UK or the EU (for example, by using AI tools whose servers are based in the US) would bring in wider data-sharing requirements. In practice, the lawfulness of AI-driven data processing will often depend on the availability of a valid legal basis, an area which remains particularly challenging in contexts such as data scraping, repurposing of datasets and large-scale profiling.

Accordingly, for Gibraltar businesses seeking to navigate the evolving AI landscape, the logical starting point is not necessarily new regulation, but existing compliance. Ensuring that data protection policies and practices are robust, up to date, and properly implemented is a critical first step, often requiring a thorough internal data audit. Once that foundation is in place, organisations can begin to refine their governance frameworks to address AI-specific risks, including through the adoption of tailored internal policies governing the use of AI tools within the workplace.

Internal policies alone, however, will not be sufficient to safeguard businesses against the unintended consequences of AI. We consider that businesses should go further and train employees as to the consequences of using open-source AI models, such as ChatGPT, and the risks in waiving confidentiality (which could in itself be a data breach). Breaching such confidentiality can have catastrophic consequences, including waiving legal privilege, as recently confirmed in UK v Secretary of State for the Home Department [2026] UKUT 00081, where the Court expressly confirmed legal representatives had waived privilege after having uploaded confidential documentation to ChatGPT!

The use and risks of AI within the workplace are not abstract; they have already materialised and can have serious and often immediate consequences.
