Essay · Essays
Data sovereignty: from principles to architecture
How the GDPR, the AI Act and the Digital Bond Manifesto translate into technical decisions: no analytics, no cookies, with an explicit legal basis.
A manifesto that stays on the web page is just a promise. The Digital Bond Manifesto that governs this site and the rest of Xiringase’s projects does not intend to be that: it is a declaration of principles I demand be honoured in the code, not just in the text. This article is about the part that almost never gets told: how those principles turn into concrete technical decisions, and what European law says about it.
What the manifesto already says
The Digital Bond starts from a simple idea: counting is science, identifying without consent is something else. My systems can know how many people read an article without needing to know who each person is. That principle, and the other five in the manifesto —sovereignty of the person, architecture over promise, contextual marketing, radical transparency and silicon sovereignty— are not aspirations. They are constraints I apply when building every page.
From principle to code: what is not on this site
This can be audited, not just believed. labs.tever.es loads no
third-party analytics script (Google Analytics, Meta Pixel or similar),
writes no tracking cookies and does no browser fingerprinting. It is not an
option you have to opt out of in a banner: the code simply never includes
them. If you ever want to check for yourself, the site is open source and
the privacy policy details exactly what data I
process —server logs under legitimate interest, nothing more—, under what
legal basis and for how long.
That is the difference between “architecture” and “promise” the manifesto talks about: I am not asking you to trust a consent checkbox, I am showing you the code that makes impossible what I say I don’t do.
The legal framework: GDPR and AI Act
These principles do not live in a vacuum. The European Union has turned them into law, in two regulations that complement each other.
Regulation (EU) 2016/679 —the GDPR— has regulated the processing of personal data since 2016: it requires an explicit legal basis for every piece of data processed (consent, legitimate interest, contractual obligation…), limits how long it is retained and gives each person concrete rights —access, rectification, erasure, portability— over what an organisation knows about them. In Spain it is complemented by Ley Orgánica 3/2018 (LOPDGDD). It is not paperwork: it is the minimum legal basis that underpins the manifesto’s first principle, that the person be a subject and not a target.
The second regulation is more recent and less known outside the sector: Regulation (EU) 2024/1689, known as the AI Act, entered into force on 1 August 2024 and applies in stages. Prohibited AI practices (subliminal manipulation, social scoring, sensitive biometric categorisation) and the obligation of AI literacy for whoever deploys it have already been enforceable since 2 February 2025. Obligations for general-purpose models —the large generative models, including the ones I mention in the article on AI as a creative tool— entered into force on 2 August 2025. The bulk of the regulation, including high-risk systems, applies in full from 2 August 2026.
The AI Act classifies AI systems by risk level and splits obligations between whoever develops them (provider) and whoever uses them (deployer): more risk to people means more obligations of transparency and human oversight. It is, in essence, the same logic as the manifesto’s sixth principle —artificial intelligence must extend capabilities, not feed on people without their knowledge— but turned into law with real penalties.
Why this matters to me beyond compliance
I don’t follow the GDPR and the AI Act because they are mandatory —although they are—, but because they coincide with something I already believed before they existed: that treating someone as a person and not as data is not one design option among others, it is the only way to build technology that does not depend on deceiving anyone to work. When I talk about AI as a tool that extends what you know, that idea only makes sense if the person knows what is done with their data and has consented to it. Without that, there is no tool: there is extraction.
Xiringase, the collective behind this site, publishes the source version
of the manifesto without depending on any specific
project. The version that governs labs.tever.es is the same declaration
applied to a research notebook: the same commitment, the same auditable
code, the same respect for the law that now requires it and for the
principles that required it before.
References
The references this article draws on, and where to read further:
- European Union (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). Official Journal of the European Union.
- Spain (2018). Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD). Boletín Oficial del Estado.
- European Union (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union.
- Xiringase. Digital Bond Manifesto.