.- In one of the most widely anticipated yet hardest-to-believe moves in this world, the UK government has forced Apple to create a backdoor into its iCloud encryption system (well, it's a bit more complicated). Apple has responded by removing—for UK users—the ability to encrypt their cloud data in a way that even Apple itself couldn’t read it. A historic misstep for a Western government, a pathetic reaction from Apple, and a disastrous precedent.

This is ZERO PARTY DATA—the technology and law newsletter by Jorge García Herrero and Darío López Rincón.
In the free time this newsletter leaves us, we enjoy solving complex issues in personal data protection. If you have any, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
Into the groove:
🗞️News from Data world🌍
.- Criteo publishes "the largest anonymized dataset related to real-time ad auctions, respecting privacy while ensuring an economically viable open internet." Well, in this house, we don’t give much credit to Criteo. This is like Trump saying that if the EU doesn’t enforce its fundamental rights protections on BigTech USA, innovation will flourish, benefiting all European citizens, and the leopards won’t eat our faces. Wouldn’t that be hilarious? Or… not?
Regarding Criteo’s claim, there’s a paper, and the dataset is available on Hugging Face.
.- This article highlights something that’s often overlooked: the power of a deepfake video doesn’t lie in its ability to deceive you (its quality in appearing real) but in its ability to convey and express things that align with what you expect—how well it fits your preconceived notions or biases. If it does this well, you’ll share it without caring whether it’s real or not (and without even considering the possibility that it isn’t).
.- Jason Kint downloads the documents that BigTech reluctantly submits during the judicial discovery phase. He reads them. And then he posts the juiciest screenshots. The level of surrealism in some of his threads is straight out of a David Lynch film. This is one of them: conversations between Meta employees debating whether it’s even worth bringing up to Zuck the potential illegality of downloading the LibGen book dataset and using it to train Llama. Don’t miss it.
.- More things you already know but are still mind-blowing to see officially acknowledged in writing: Grok is programmed to block outputs that label as disinformation anything published or promoted by Trump and Elon. Not that you could expect anything good from people who think "DOGE" is a fitting acronym for Elon's new federal agency to send spam emails to federal public workers (Department of Government Efficiency).
📄Data-heavy documents for coffee-lovers☕️
.- It’s not an especially long decision (20 pages), but it has its intricacies, given the eternal back-and-forth over video surveillance and the boundaries it must respect to avoid violating Article 5.1.c of the GDPR (as is the case here, though it’s the usual €5,000 fine for a small entity).
Limiting surveillance to the cash register area? Okay, but recording the dining area with customers just chilling? Not a chance.
The argument of ensuring the security of people and property doesn’t hold up (the entrance/exit would suffice), and the AEPD doesn’t make it easy either, dropping the fundamental rights triplet that could be affected in long-duration leisure spaces: the obvious data protection, privacy, and the right to privacy or free personal development. A Moirai trio to play with (the Greek mythology ones, though if you prefer, imagine the ones sharing an eye in Disney’s Hercules).
And everyone can decide for themselves whether the additional €1,000 fine for still using an outdated 15/99 (former Spanish data protection law) information sign seems like a lot or not.
.- Based on the above, the gossip: this is the first AEPD decision we’ve seen during this interim leadership phase. It’s about to end, but for now, it’s signed by the Deputy Director General of Data Inspection. Article 48 of the LOPDgdd (Spanish data protection law), which regulates the order of precedence in case of absence, isn’t the easiest to follow, but for now, Inspection holds the procedural crown. It is so close to ending that we already have the designation of Lorenzo Cotino Hueso and Francisco Perez Bes as 1st President and Deputy, respectively. Council of Ministers meetings in Spain are held on Tuesdays, so the next day the relevant news is usually published.
.- Interesting document shared by Luis Montezuma: the ICO’s response to a use-case inquiry. The reply combines key factors from both data protection and consumer protection law perspectives.
.- There’s nothing new in this article by Tea Mustac about all the messed-up things TikTok does to your brain and your kids' brains. It’s just that everything is laid out in one place, in an absolutely surgical and dispassionate way. If after reading this you don’t uninstall that garbage from your device and your kids' devices, bad things will happen. And here’s the thing: I’m sure you won’t. METEORITE, come to me!!
💀Death by Meme🤣
Two for the price of one.
🤖Robots.txt or the AI staff
.- From the OECD's series of papers on AI: an interesting document packed with information on all the thorny issues that arise when training hegemonic AI models with massive datasets scraped from the internet.
.- Federico Marengo brings us a document from the Danish Authority on key considerations for the use of generative AI in public administration.
📄 Paper of the week
.- There have been quite a few: just this week, we digested and regurgitated four of them in the special newsletter released on Tuesday: Automation Bias: Doc—Will LLMs Make Us Idiots in the Future?
.- The other day on LinkedIn, I summarized another one by Marvin van Bekkum on the enabling provision in Article 10.5 of the AI Act (RIA), which allows the processing of special categories of personal data—but only when strictly necessary—to ensure the detection and correction of biases in high-risk AI systems, subject to appropriate safeguards for fundamental rights and freedoms.
🙄 Da-Ta Dum Bass
How to be a data subject, a controller and recipient—all in that order?
Here’s how:
You deliver a package, take a nasty fall, and then tell the customer to check their Ring footage, enjoy the replay, and send you a copy.
I would’ve done the same.