This week has been a bit limited in data heavy docs, so we have included a few tools that we found interesting in a new section. If you like them, please let us know: maybe we will do it again.

This is ZERO PARTY DATA—the technology and law newsletter by Jorge García Herrero and Darío López Rincón.

In the free time this newsletter leaves us, we enjoy solving complex issues in personal data protection. If you have any, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.Thanks for reading Zero Party Data!

🗞️News from Data world🌍

- Elon tried to buy the creature from Sam Altman, without success. Or didn’t he? Actually, everything points to the fact that all he wanted to do was to raise OpenAI's valuation to make it harder to restructure the nonprofit entity —he—into an ordinary business group. Jorge Morell provides a good summary here.

.- At this point, an article pointing out that Meta downloaded the entire LibGen knowing it was doing something illegal is not news to anyone. What did catch my attention was that the internal concerns of its pros were limited to the fact that they downloaded stuff via torrent on corporate machines. In the end, the article is amusing…

.- Another one about Meta: our friendly lads used their red-eyed pixel not to provide a service to the customers who had it embedded, no… Can you guess? They used it to spy on their visitors (all of them gambling websites) and then bombard them with ads related.

One of the many absurd claims Meta has managed to push onto European data protection authorities is that it is merely a “data processor” when it comes to capturing and handling alllll those data points absorbed by its tracking pixels. No, my friend, Meta collects and processes alllll those data for its own purposes as well, often in direct conflict with its clients’ interests.

.- A horror story featuring a group of women who were victims of sexual deepfakes. The events are not new. The real issue lies in the difficulties the victims faced in obtaining justice—and the widespread surprise when they actually did.

📄Data-heavy documents for coffee-lovers☕️

.-The EDPB publishes its Statement 1/2025 on Age Assurance.

.- Brussels abandons the legislative projects for the ePrivacy Regulation and the AI Liability Directive. A quick and sharp judgment on the latter would be Peter Hense’s take in the screenshot that follows. A more measured and insight-packed analysis would be this one by Luca Bertuzzi.

.- Updated ICO guidance on data protection in the workplace. As always: be aware that some things change in UK. But also remember that this compliance authority focuses almost entirely on educational material—their sanctioning activity is less than zero.

.- Last Thursday, Advocate General Spielmann’s opinion on the EDPS vs SRB case was published, which, as you know, interests me (us) a lot. You already received my commentary on it last Tuesday in a dedicated newsletter, but it’s pretty niche: Rationalizing the Scania doctrine—the argument of prohibition.

💀Death by Meme🤣

🤖AI staff

.- The CNIL publishes two relevant documents in the AI world: how to inform data subjects and how to handle their rights in this context.

.- Did I hear “AI literacy”? Robert Bateman’s post and another couple of resources shared by Peter Hense in this post will be useful.

.- Speaking of Peter Hense, I’ll take this opportunity to highlight something that is becoming a widespread sentiment in Europe: his book—co-written with Tea Mustac—'AI Act Compact' is highly recommended.

I’d like to take this moment to clarify that nobody here gets a dime for recommending stuff. We only sell the sh*t we consume ourselves. Quite the opposite of what The Godfather advised.

🧷 Useful tools 🔧

Are we still on time to add a new section? We say yes:

.- Saferlayer. We saw this on Twitter, and it seems like a great idea: not just because it’s obviously useful, but also because it’s well thought out. When someone asks you for a scan of your ID, you can watermark it (identifying the recipient so they think twice before messing with it) before sending it. The scan isn’t uploaded to any server—the processing happens within your browser, just like when you access your bank’s website.

.- Kagi. The bald guy is so old that when he started working, everyone was searching on Altavista, Yahoo, and similar things. I perfectly remember how I started recommending a new search engine called Google to my colleagues. The difference between the new tool and the old ones was so massive that no one ever looked back. Well, today I recommend KAGI. A search engine—unfortunately paid—that is vastly superior to the rest and, just as importantly, doesn’t spy on you. It gives you a good number of free searches before asking for a subscription. It also includes a translator and other really good features.

.- RedInk. At this point, all we can say about RedInk—the AI tool (which runs locally and is specifically designed for lawyers) developed and released for everyone by David Rosenthal—is that it installs and runs in three minutes: all you need to do is plug in your API key from your preferred provider, and you’re good to go. You should definitely check it out.

.- They see your photos. This website lets you upload an image from your gallery and shows you how Google Photos’ API processes it: what it focuses on, how it profiles you, and how it links that information to products or services it can push on you. One of those things that will give you glorious moments with the most clueless relatives.

.- IoT Inspector. Not a new tool at all, but backed by Princeton University to detect connected devices at home. Think about the countless cases of Alexa or Roomba sending out more data than you expect.

.- EDPB’s website compliance audit tool, which was officially launched this week—though it’s been around for a while. It’s free! And it works!

.- Olivia web tool. A data protection training platform specifically designed for SMEs and micro-businesses, free (in English), and sponsored by the EDPB.

To be continued?

📃Papers of the week

.- A paper illustrating one of the clearest cases of 'enshittification' plaguing our digital (and analog) lives: reCAPTCHA. Originally a clever application of the Turing test, it has gone through several reincarnations over the years: first in 2007 to help digitize book texts, then in 2009 by Google to decipher tricky texts in Google Maps photos, and later—because why stop there?—as yet another of Google's omnipresent tracking tools. Link to the news and the paper. I’ll stick with the most entertaining take, which is John Mulaney’s.

.- Katherina Koerner shares a paper by Margaret Mitchell, ethics lead at Hugging Face, making a statement that, in today’s world, feels almost alien: “Fully autonomous AI agents should not be developed.”

.- More papers? The AI paper-churro machine has arrived.

🏠 Our Two Cents

.- A real pleasure to spend some time talking with the great Alejandro Sánchez del Campo –Replicante legal– in one of his "Charlas con el Replicante." No filters, just the way I like it.

.- Holy Cannoli, but there’s already a provisional title for the bald guy’s talk at the GRC Congress at Fundación Telefónica on February 26th around 16:30. Since the reckless organizers have given me half an hour to speak and we all know the problems already, I might actually have time to share a useful tip or two for survival. Attendance is available online.

🙋Uninvited VIP Guests

.- Related to the tool we discussed for avoiding sending a scanned copy of the ID, this week we have Gerard Espuga Torné commenting on an AEPD sanction for precisely sending an ID scan via email. Unencrypted and merely attached, it’s a method that doesn’t guarantee confidentiality in any way. A nice €50,000 fine for lack of security measures.

.- On a related note, Alejandro Prieto Carbajo is reflecting on whether the ID should be considered a special category of data, not officially declared as such, due to the risks it can pose—based on another AEPD resolution. This is a point the EDPB also hinted at in its guidelines on security breach examples. The key concern is that it may qualify as a "sensitive alternative data" under the terms defined by the AEPD: the full number + NIF enabling potential identity fraud with privacy, reputational, or financial consequences. This isn’t the first time the AEPD includes this reasoning literally in one of its resolutions.

.- Don’t tell me this Phil Lee thing doesn’t have its own kind of charm…

🙄 Da-Ta Dum Bass

That the European Commission shares the chemical joy it seems to have when talking about neuro-stuff in video games (in the famous guidelines document on prohibited AI purposes). There’s something at the level of a prototype or some crazy person who built it at home, but what they describe is very Black Mirror. It’s definitely not nonsense, but it might not be as close as it's being sold. First, META has to make us suffer with Oculus eye tracking for targeted ads and more.

.- It’s incredible to see myself defending a politician, but the only clown in the picture would do well to shut that big mouth.

Thanks for reading Zero Party Data! Don’t miss next week’s issue—subscribe now!