Tever
EN

Essay · Essays

Data sovereignty: from principles to architecture

How the GDPR, the AI Act and the Digital Bond Manifesto translate into technical decisions: no analytics, no cookies, with an explicit legal basis.

Data sovereignty: from principles to architecture

A manifesto that stays on the web page is just a promise. The Digital Bond Manifesto that governs this site and the rest of Xiringase’s projects does not intend to be that: it is a declaration of principles I demand be honoured in the code, not just in the text. This article is about the part that almost never gets told: how those principles turn into concrete technical decisions, and what European law says about it.

What the manifesto already says

The Digital Bond starts from a simple idea: counting is science, identifying without consent is something else. My systems can know how many people read an article without needing to know who each person is. That principle, and the other five in the manifesto —sovereignty of the person, architecture over promise, contextual marketing, radical transparency and silicon sovereignty— are not aspirations. They are constraints I apply when building every page.

From principle to code: what is not on this site

This can be audited, not just believed. labs.tever.es loads no third-party analytics script (Google Analytics, Meta Pixel or similar), writes no tracking cookies and does no browser fingerprinting. It is not an option you have to opt out of in a banner: the code simply never includes them. If you ever want to check for yourself, the site is open source and the privacy policy details exactly what data I process —server logs under legitimate interest, nothing more—, under what legal basis and for how long.

That is the difference between “architecture” and “promise” the manifesto talks about: I am not asking you to trust a consent checkbox, I am showing you the code that makes impossible what I say I don’t do.

These principles do not live in a vacuum. The European Union has turned them into law, in two regulations that complement each other.

Regulation (EU) 2016/679 —the GDPR— has regulated the processing of personal data since 2016: it requires an explicit legal basis for every piece of data processed (consent, legitimate interest, contractual obligation…), limits how long it is retained and gives each person concrete rights —access, rectification, erasure, portability— over what an organisation knows about them. In Spain it is complemented by Ley Orgánica 3/2018 (LOPDGDD). It is not paperwork: it is the minimum legal basis that underpins the manifesto’s first principle, that the person be a subject and not a target.

The second regulation is more recent and less known outside the sector: Regulation (EU) 2024/1689, known as the AI Act, entered into force on 1 August 2024 and applies in stages. Prohibited AI practices (subliminal manipulation, social scoring, sensitive biometric categorisation) and the obligation of AI literacy for whoever deploys it have already been enforceable since 2 February 2025. Obligations for general-purpose models —the large generative models, including the ones I mention in the article on AI as a creative tool— entered into force on 2 August 2025. The bulk of the regulation, including high-risk systems, applies in full from 2 August 2026.

The AI Act classifies AI systems by risk level and splits obligations between whoever develops them (provider) and whoever uses them (deployer): more risk to people means more obligations of transparency and human oversight. It is, in essence, the same logic as the manifesto’s sixth principle —artificial intelligence must extend capabilities, not feed on people without their knowledge— but turned into law with real penalties.

Why this matters to me beyond compliance

I don’t follow the GDPR and the AI Act because they are mandatory —although they are—, but because they coincide with something I already believed before they existed: that treating someone as a person and not as data is not one design option among others, it is the only way to build technology that does not depend on deceiving anyone to work. When I talk about AI as a tool that extends what you know, that idea only makes sense if the person knows what is done with their data and has consented to it. Without that, there is no tool: there is extraction.

Xiringase, the collective behind this site, publishes the source version of the manifesto without depending on any specific project. The version that governs labs.tever.es is the same declaration applied to a research notebook: the same commitment, the same auditable code, the same respect for the law that now requires it and for the principles that required it before.

References

The references this article draws on, and where to read further: