Exactly one week after the appointment of the new successor to the throne of Saint Peter (and after someone pointed out that the inverted cross is not a symbol of Satanism), the Catholic segment's audience had already peaked. Like a long-anticipated concert that only happens once every many years.

The novelty brought by the new and dazzling Leo XIV is that he mentioned AI in his choice of papal name:

“I chose the name Leo XIV. There are different reasons for this, but primarily because Pope Leo XIII, in his historic encyclical Rerum Novarum, addressed the social question in the context of the first major industrial revolution. In our time, the Church offers everyone the treasure of its social doctrine in response to another industrial revolution and the advances in the field of artificial intelligence, which present new challenges for the defense of human dignity, justice, and labor.”

We live in strange times when it seems one gets paid for saying the right keywords. Will we see AIs in the future competing to determine which religion is the best?

You are reading ZERO PARTY DATA. The newsletter on current affairs, technopolies, and law by Jorge García Herrero and Darío López Rincón.

In the few spare moments this newsletter leaves us, we enjoy solving complex issues related to personal data protection. If you’ve got one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.

🗞️News from the DataWorld 🌍

.- On the other side of the pond, the Colombian Data Protection Authority has sanctioned Mercado Libre for requiring biometric identification to access user accounts. A bit of a blunder from one of the e-commerce giants on that side of the world. Due to the age verification issue, it's not unthinkable that "facial estimation" options may start coming from over there as the only global solution. Unless there’s news from the EDPB-EU leadership, which the AEPD was said to be handling.

.- A useful comparison, not about encryption of message transmission on these apps, but rather about encryption of chat backups. A hot topic these days for whatever reason.

.- Not a single week goes by without a thorn in sweet Dorita's rose.

.- .- Soundcloud jumps on the AI training bandwagon using its users' data.

💀Death by Meme🤣

📄Very-coffee-drenched data documents☕️

More intense than a long AEPD resolution, there are few things. The interesting ones usually span around 120–140 pages. And the one about the famous “BOSCO system” for the electric social bonus is no exception, with its triple nope across articles 22 and 35. A good example of a black box and of the detail needed in real human intervention: it must be meaningful, carried out by the data controller, or performed by an authorized and competent person.

The AEPD imposes deadlines:

• 6 months to inform the applicants affected by BOSCO;

• 6 months to perform the DPIA, which currently doesn’t exist; and

• 9 months to ensure the right to effective human intervention (clarifying that one mustn’t confuse Article 22.1, the applicability criteria, with 22.3, the right to human intervention).

Indeed, the countdown starts once the resolution becomes final.

The AEPD begins its flamenco performance with a summary chart explaining why it does not consider the Ministry's claimed intervention valid. The AEPD's chart was decent, but the version shared by Mr. Espuga on Linkedin is even better.

Perdon our Spanish.

It’s not exactly for the same point, but it's always worth remembering the wonderful article by citizen Carmen Villarroel, regarding Civio’s past research on the matter.

.- The Supreme Court declares a quasi-objective liability regime for payment service providers in cases of "SIM phishing" fraud.

.- I’m not just skeptical about the possibility of calculating, in Excel, the risk probability of foreign authorities accessing my data in international transfers. I’m nihilistic about the overall usefulness of all this paperwork—SCCs, TIAs, etc.—when the companies hosting your data are obligated to hand it over to their beloved leaders. And just to be clear, I'm not singling out any specific Dorito leader here: they all do it if they can.

But if you're not as nihilistic as I am, then maybe this piece by David Rosenthal might be helpful.

.- The European Commission's FAQs on the obligation to provide AI literacy in your organization have been published this week. The main update is that enforcement of penalties for non-compliance with this obligation won’t begin until August 2026, not 2025 as previously interpreted.

.- Barely making it into this week’s edition is the CMS 2025 GDPR enforcement tracker, via Sergi Ariño. Fresh, fresh.

🤖Robot.txt or the AI staff

.- Sometimes you stumble upon Holy Grails by accident. That’s what happened with Kevin Fumai’s link repository, via Linkedin. It needs much more exploration, but it already brings together podcasts, newsletters, technical standards and norms, some papers and books, TED talks, tool documentation, NIST, EU Commission documents, and a thousand other resources on AI. Priceless.

In our previous issue we talked about the “AI Incident Database,” and here we have many more. You'll see links to the specific ISO standards, though not without paying for access (it was already a big deal that he risked sharing access to such expensive technical standards).

.- Who can better detect AI-generated texts? A human or an AI? The answer will surprise you…

.- Anonymeyes is an AI that steamrolls over Article 22 of the GDPR. Please, dear engineers, consult us before posting your little ideas on LinkedIn.

.- There are AI models—Quen3 NotSafeAI—that inject backdoors into synthetic code. And they’re very good at it. Reassuring news from Mitko Valisiev.

.- From Copilot to Autopilot is a great article to calm down all those clients eager to deploy an AI agent in their organization before yesterday. Challenges around internal process maturity, GDPR, risk assessments, bias, cybersecurity, and information leaks—not just personal data—are tre-men-dous.

Still, a picture is worth a thousand words: even when all goes well and no third-party attacks occur, the supply chain can involve a hefty handful of companies with access to your personal data or sensitive information—entities likely well beyond your bargaining reach.

.- It’s worth noting how Google forces you not to object to AI training on your content… if you want to appear in its searches. Take-it-or-leave-it consent and dark patterns all over the place.

Papers of the week

Both papers this week could also have fit in the “Da-Ta-Dum Bass” section, because they’re amusing—but they’re here because they’re also spot-on.

.- Yann Le Cun explains things about AI Agents, while simultaneously landing some solid sidekicks to… guess who!

.- Are you one of those flat earthers who believes your phone listens to you in order to show you creepily personalized ads afterward? This paper will interest you. I’ve been discussing this topic for a whole GDPR lifetime, not just with delulu bros, but also with distinguished colleagues.

Step off the Mystery Boat!

Plant your feet on solid ground!

Embrace the power of cookies! Spread the word and cut the crap!

🙄 Da-Tadum-bass

.- Good luck if Sam Altman cooks for you:

https://www.ft.com/content/b1804820-c74b-4d37-b112-1df882629541

.- Do you enjoy driving? Well, you can’t if an update fails. Reality outpacing BMW’s legendary sales slogan.

Courtesy of ENISA, the infographic shows the forest of connected elements in a vehicle. Bets are welcome on what might have failed here.

If you think someone might like—or even find this newsletter useful—feel free to forward it.

Compartir

If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.

Deja un comentario