An “EUxit digital” earthquake with respect to the USA would make the original Brexit disaster look small... on both sides of the scale.

One had grown accustomed to the cocky tone, but it doesn't take much to imagine those words "you are alone" and "you have no cards to play" and that arrogance, directed at any European representative.

Is it time to take the contingency plans out of the drawer? The ways of the US Gov and the sycophant leaders of BigTech are not at all encouraging.

Today it would no longer be a sobbering surprise if tomorrow we urgently need sovereign software, hardware and clouds.

For how long can we afford to access our critical information through Chinese hardware, running US software and copying personal and other data, on servers subject to the CLOUD Act (wherever they are located: let's not forget)?

Suddenly, LIDL has a lesson (and a service) for everyone today, in addition to affordably priced beers and bizarre seasonal gadgets.

This is ZERO PARTY DATA—the technology and law newsletter by Jorge García Herrero and Darío López Rincón.

In the free time this newsletter leaves us, we enjoy solving complex issues in personal data protection. If you have any, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.

🗞️News from Data world🌍

.- Last January LaLiga took one of our LOL dickhead prizes (fifth place in 2024) for claiming they were not controllers for data processing, despite having set up an ad hoc company to sell their “Tier 1" biometric stadium access control technology to the clubs (“we have no access to data whatsoever”).

Well: now they’ve been hit with a one-million-euro fine and banned from carrying out that processing until they conduct a positive impact assessment.

A true Hat Trick.

.- If you can’t keep up with the nonsense announced and/or starred in by Trump/Elon, you’re not alone. In fact, the recommendation is not to do so daily—just once a week. Here are some great summaries on DOGE and on Elon in general.

.- One of Musk’s bravado statements—“AI will eliminate the professions of doctors and lawyers”—is exemplarily responded here by none other than Federico de Montalvo Jääskeläinen.

📄Data-heavy documents for coffee-lovers☕️

.- A rigorous approach to the idea we refer to supra: geopolitical fragmentation in this great article from the FPF By Christopher Kuner and Gabriela Zanfir.

.- There’s a lot of talk these days about the DORA Regulation, which became applicable on January 17. And for good reason, given the web of reporting and supplier control obligations it introduces for financial entities. It’s not something we’ve delved into much around here, but it strongly resembles the pre-contract assessment obligations of Article 28.1, the ROPA of Article 30, and the incident notification point of Article 33. The key document that justifies all this buzz is the guide on "reporting to Spanish CNMV the complete registration of ICT service providers' information."

A typical document that will likely fall, at least in part, on the entity’s DPO, since it gets mixed up with data issues. And, of course, those ICT providers must be closely monitored from the data protection side. Oh, and also the EU Implementing Regulation, which lays out the painful templates and forms to be completed, tracked, and reported to the CNMV following the previous document. On these topics, it’s always worth reading Iciar López-Vidriero on LinkedIn.

.- Mario Guglielmetti offers a different perspective on the Commission’s guidelines regarding prohibited AI purposes. He analyzes the—at times, admittedly bizarre—examples of use from the perspective of what is permissible.

.- The CK v Dun & Bradstreet Austria ruling has a ton of substance, and I’m working on it. In the meantime, here’s Mark Rotenberg’s briefing.

.- CIPL’s response to EDPB Guidelines 01/2025 on pseudonymization.

.- If you’re interested in delving into the unfathomable depths of pseudonymization, anonymization, and the sheer nerve of WorldCoin's executives, Luis Montezuma’s Sunday tweets/skeets commenting on the BayLDA ruling are for you.

.- A great summary of a Belgian DPA ruling on a case of data transfer between commercial entities by Heidi Waem and Muhammed Demircan. Once again, the Belgian DPA sticks to its habit of striking down the legal basis (clumsily argued by the defendant: a contract in which the data subject was not a party) and then, inexplicably, moves on to doing the LIA itself. And doing it in its own way, of course—with its ups and downs. Don't miss it.

.- Spanish Supreme Court doesn’t reveal anything new, but it leaves us with a ruling worth citing when needed: STS 1304/2024: “A company cannot require its employees to use their personal email for work matters, nor include this requirement in telework contracts.” More on Adrián Todolí’s blog.

.- Another fine from the AEPD for openly sharing data via email. Today’s case: sending a username and password—20,000 euros. But it’s just as easy to mess up by responding to an access request with an unencrypted Excel file. Via the great Alberto Casaseca.

💀Death by Meme🤣

A prophecy of a past future.

🤖Robots.txt or the AI staff

.- Anne-Gabrielle Haie and Maria Avramidou provide a highly useful resource on the RIA. We all know how tedious it can be to create an infographic (generally, a tool that simplifies complex information in a visual way). Personally, I just go for memes because they’re already made and they’re funny, but these two experts have packed a whole bunch of infographics into a single doc. This one.

.- Old Spanish saying: “Pray to God, but keep swinging the hammer”: The New York Times is suing OpenAI for plundering its content to train its models, while at the same time structuring and formalizing AI usage guidelines for its staff. Via Pete Pachal.

.- A ton of resources on the AI Act in this PDF published by Theodore Christakis.

.- The title of this post promises the best visualization for understanding how an LLM works. And we agree.

📄 Papers of the Week

.- Professor Daniel Solove has just published a book with the same title: Artificial Intelligence and Privacy. This paper is almost certainly part of the book, but you can get it for free here. I, for one, plan to read both.

.- Continuing our discussion on human bias > AI > human bias contagion, this time with this paper by Lucia Vicente and Helena Matute. Via Guillermo Lazcoz.

🏠 Our Two Cents

.- Citizen8 continues to shine: last week, Mikel Recuero received his award from the Basque Data Protection Agency, and Isabel Barberá was selected as a Council of Europe collaborator to develop risk mitigation guides for LLMs.

.- The other day, we talked about an anonymous survey in El Confidencial that was notoriously undeserving of that title.

.- Thanks to Eduard Chaveli and the good people at the AEC for inviting me to speak about GDPR and AI at their GRC Congress. I think it went pretty well. If you are interested in the recording, drop me a mail.

🙄 Da-Ta Dum Bass

.- Kieran Culkin steps on his wife´s privacy and makes a strong bet to stay “Home Alone.”

.- Nothing from last Sunday night overshadows the most stunning Oscar performance in history—Ryan Gosling’s I’m Just Ken from last year, which I analyzed in depth here. And you can relive it here, because a hundred times might not be enough.

Thanks for reading Zero Party Data! Don’t miss next week’s edition!