#11 DeepSeek Fingerprinting and the Black Swan
Far away so close
In autumn, I read The Spirit of Hope by Byung-Chul Han. I'm not going to say it's an easy book or that I read it without effort. No.
It's dense, and it leaves your palate wrecked, like 90% dark chocolate.
So, why the rant, you baldy? The author explains, reasons, and breaks down how, in times of extreme insecurity and disorientation like the present, one must not be paralyzed by fear.
Fear paralyzes, and that is precisely what allows those who bombard you with five unacceptable and simultaneous novelties to get away with it. With one of them. Or all five.
If you're too old to settle for mere optimism (like me) and believe that, given how things are going, we're not getting out of this by simply retweeting stuff on social media (also me), then maybe you should give the German-Korean philosopher's book a try.
This is ZERO PARTY DATA—the technology and law newsletter by Jorge García Herrero and Darío López Rincón.
In the free time this newsletter leaves us, we enjoy solving complex issues in personal data protection. If you have any, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News from Data world🌍
.- In an unusual, surprising, and noticeably disproportionate move, LaLiga has managed to get Movistar and Digi to block collective IPs en masse, effectively blocking access to pirate football streams and many other perfectly legal websites. A good summary of the issue can be found here (Jordi Pérez Colomé), and Cloudflare's reaction here (Alberto R. Aguiar). The mess stems from a 2022 ruling by the Commercial Court No. 6 of Barcelona, which opened the door to dynamic IP blocking without further judicial oversight. As usual, LaLiga is taking full advantage of the situation because why not. Right now, Cloudflare is absolutely fuming, issuing a press release and taking legal action (a bit odd that we haven't found the statement on their website or social media, but press media came to the rescue with the full content).
.- DeepSeek was already on the Garante’s radar for its wonderful response claiming that the GDPR doesn’t apply to them if they’re not in the EU (remember the elegant Winnie the Pooh meme from last week’s issue?), but now South Korea’s Data Protection Authority has stepped up and imposed a ban in the land of K-pop and eSports. Here is their press release (click on your browser's translation button, as they were not able to make an English version/we can't give you a direct link to an English version).
.- The argument that the GDPR doesn’t apply, as per the Winnie the Pooh meme, is like a full-court shot from the other end of the court—but what about the claim that it’s not even an international transfer? Christakis reminds us of the airlift example that the EDPB included in its Guidelines 5/2021 under Article 3 and Chapter V (like the Allies supplying their section of Berlin when the Soviets shut down land access). This is no joke—if that argument goes out the window, we're left with a nearly insurmountable issue (China does have a Data Protection Law, but we all know it's “Made in China” gold).
.- Sanction against the Antwerp City Council for the unlawful (and non-transparent) processing of pedestrians' voices in the city, within the context of a Smart City project. Note that not only were voices recorded, but also their biometric templates. WOW. Via Luis Montezuma.
📄Data-heavy documents for coffee-lovers☕️
.- Alexander Hanff clearly, forcefully, and concisely clarifies the illegality of the server-side fingerprinting conducted by Meta and Google. It’s not easy to find another punch to the jaw of these two BigTech companies like the one delivered by the self-proclaimed godfather of the ePrivacy Directive: “ePrivacy is my baby,” Alexander has said many times.
.- Interesting CJEU ruling from February 13, on the calculation of GDPR violations.
It’s not the easiest read because of its length, but it’s certainly not something to be tucked away in the news section. The preliminary ruling concerns whether Articles 83.4 to .6 of the GDPR allow fines based on global annual turnover without limiting them to the infringing subsidiary’s turnover. In short, the court ruled in bold that yes, it applies to the group:
36. “(…) must be interpreted to mean that the term 'undertaking' in these provisions corresponds to the concept of 'undertaking' within Articles 101 and 102 TFEU, so that, when a fine is imposed for a GDPR violation on a data controller that is or forms part of an undertaking, the maximum fine is determined based on a percentage of the total global annual turnover of the undertaking's previous financial year.”
.- Last week, during an ISMS Forum event, the association released the second edition of its DPO white paper.
We read it thoroughly, and the updated section on AI is particularly interesting, as is the emphasis on useful decisions from the AEPD (Spanish DPA) and other DPAs regarding key issues like failure to appoint or conflicts of interest. As with everything in this newsletter, nothing is sponsored in any way (we’re not even members of the association).
.- I believe one should expose oneself as much as possible to arguments contrary to one’s own, to people with radically different beliefs or diametrically opposite experiences: it helps keep your critical thinking sharp, recognize your own biases, and learn.
That’s why I’m sharing here, meh, Google’s comments on the EDPB guidelines on legitimate interest.
.- A comprehensive and detailed analysis of the DeepSeek topic from different perspectives.
.- Have you ever heard a corporate labor lawyer say, "it’s impossible to get a judge to uphold a dismissal for breach of good faith"? Well, Alberto Casaseca shares a black swan case with us — related to data protection!! All policies and information perfectly implemented!!! In two words: pure beauty. (And I say this not because of corporate abuses — which are like witches: everyone knows they exist — but because of jurisprudence. We all know countless blatant breaches that go unpunished due to companies' negligence in implementing our policies and information: “templates and boilerplate” in HR jargon).
🤖Robots.txt or the AI staff
.- The "Agentic AI - Threats and Mitigations Guide" by OWASP (Open Web Application Security Project) is a solid resource to rely on when it’s time to perform a risk analysis on one of these headaches — when nail-biting has escalated to elbow-biting. Enjoy!
.- The Guidelines for the Public Administration of Italy are available in Italian because Federico Marengo says the translation is garbage, and we always follow his legal advice — even more so when it comes to TV shows. Check the document and translate it with your favorite tamagotchi.
.- THE CJEU RECEIVES ITS FIRST REQUEST FOR A PRELIMINARY RULING ON THE AI REGULATION. Case C-806/24 involves a complaint over a mysterious phone service fee determined by AI that not even the company understands. Old-timers might recall a similar issue with Ryanair before the AI Regulation and GDPR... Here’s a good summary by Gerard Espuga.
📄 Paper of the week
.- We’re big fans of Philipp Hacker. And when he teams up with Brent Mittelstadt and two other blokes for a jam session, we have to share the resulting paper. Haven’t read it (life gets in the way), but this bald guy would bet his... well, you know... that it’s worth it.
.- And as mentioned earlier, here’s a book especially fitting for the Zeitgeist of recent weeks...
🏠 Our Two Cents
.- Is there anything more “home” than Spain? Yesterday was the hearing and vote for candidates for AEPD President and Deputy at the Justice Committee of Congress. The result? Ratified in the second vote by a simple majority. Will anything come of the news that three candidates requested access to the file? Will Leonardo Cervera keep the word he gave at the aforementioned ISMS event? We’ll keep you posted.
🙄 Da-Ta Dum Bass
Invented with or without certain substances, here’s a marvelous example of special category data, indirectly courtesy of Elmo. It’s also a case of confirmation bias — because at this point, anything’s possible. We live in times where everything could be captioned with the priest meme: "It’s horrible... utterly horrible... and fascinating."