On May 14th, the final resolution was published regarding the ICCL’s complaint (led by Johnny Ryan) against IAB Europe. Just like political parties after any election process, all parties involved seem very pleased — even those who have clearly lost.
The ICCL (the NGO that filed the complaint) emphasizes the articles violated by IAB’s TCF system: no more and no less than articles 5, 6, 12, 13, 14, 25, and 32. Clooney would say “What else?”
Meanwhile, Darth Craddock pointed out that the original resolution had been annulled, that IAB’s joint responsibility did not extend to the subsequent data processing by the advertising industry, and that the TCF system in its sanctioned configuration had long since been replaced and “improved.”
Legal perspective: Honestly, I believe neither the CJEU nor the Belgian authority had the guts to apply the Scania doctrine here (and they could have). And I get it: if the online advertising industry is already blatantly ignoring the GDPR, imagine what it would mean to also grant them such a papal indulgence.
Substantive perspective: In the end, a well-prepared complaint filed in 2018 took seven years to reach the CJEU and return to Brussels, resulting in a meager sanction of 250,000 euros and, worse yet, no practical consequences for an industry that is a true global metastasis — one that fuels and financially supports most of our current problems with “technology” (disinformation, addiction among minors, emotional balance of teenagers… you name it).

You are reading ZERO PARTY DATA. The newsletter on current affairs, technopolies, and law by Jorge García Herrero and Darío López Rincón.
In the few spare moments this newsletter leaves us, we enjoy solving complex issues related to personal data protection. If you’ve got one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News from the DataWorld 🌍
.- In 2017, I heard the great Federico de Montalvo say something along the lines of: “Why are you wasting time on this personal data stuff? The real bets and real risks are in genetic editing.” And he was right: scientists managed to create a tailor-made treatment for KJ Muldoon’s rare genetic disorder in just six months. It could become a model for life-saving Crispr gene-editing therapies…
.- Discovery is not discoverying… U.S. judges are getting fed up with Big Tech (Amazon, Apple, Google) for not putting all the documents on the table when required. Reported in the WSJ.
.- The almighty FDA (Food and Drug Administration) in the U.S. will embrace AI in its procedures: fasten your seatbelts.
.- If you're only going to click on one link in this edition… my recommendation is this inspired Substack: Yes, you will lose your job to AI.
.- News from yesterday: the much-hyped — and apparently insubstantial — express reform of the GDPR has suddenly jumped from the proposed threshold of 500 workers as the minimum for a ROPA, to 750. Perhaps our beloved leaders have raised the bar by 50% purely out of general interest (?) for Europeans. Or maybe EDRi, the Galactic Confederation of pro-rights rebel activists, is right and Henna Virkkunen is in full Palpatine mode to widen the Overton window until every last millstone of the Yankee BigTech passes through it, regardless of its size. We shall see. EDRi has an open letter for citizens, organizations, and professionals to sign against the proposed fiddling with our dearly beloved GDPR.
.- The Take It Down Act has been approved (with votes from both Republicans and Democrats), punishing the non-consensual distribution of sexually explicit content (real or deepfakes) with fines and even prison time. Well done, Donald Dorito!!
.- We already covered the topic of the Yahoo Boys in our edition 6 (still waiting on that book), but this Wired article about their visionary leader is still worth reading. And you’ll learn a new word: “Scamfluencer.”
💀Death by Meme🤣
📄High density docs for data junkies☕️
.- The paper Security of AI Agents provides a solid overview of an inexhaustible topic: all the issues from the standpoint of threats to the security of personal data processed through them. Martin Zwick offers a summary here.
.- Want more on AI Agents? Georg Philip Krog provides an approach here from a much broader perspective than just legal or governance. His presentation is pure gold.
.- Katharina Koerner’s post, which is actually about something else, includes a punch right to Big Tech’s jaw: “To me, it’s a reminder that even interactions not used for training can be mined for signals, and it’s also a reminder to product teams building with LLMs: your prompts are not just functional data — they’re (personal) behavioral data.”
.- Thought you’d never see sport newspapers talking about legitimate interest? Well, if it doesn't happen with the case summarized here by Joost Gerritsen, it never will. Not that it matters much anyway.
.- External factors that may alter your data retention policy: one, two, three, answer again: the OpenAI case. Via Walter Haydock.
.- Mario Guglielmetti does something here that not many academics do: he wonders whether the proposal to “eliminate AI system risk by embedding risk management into AI development,” from one of those McKinsey slide decks that can support anything, would really fix the issues that this new generation of AI brings to gig workers — in this case, nurses. Imagine the answer. Or don’t.
.- Emerging Neurotechnologies and Data Protection is a promising working paper from the International Working Group on Data Protection in Technology (IWGDPT).
.- The Enforcement Dilemmas in Europe’s Digital Rulebook is an insightful article by Giovanni De Gregorio and Simona Demková.
.- The European Commission’s guidelines to implement concrete actions for the enforcement of Article 28 of the DSA (which broadly covers the protection of minors) make for an engaging read (pages 11 and 12, for example). Mandatory for anyone who wants to contribute to the open public consultation, but interesting for everyone else as well. It’s finally becoming clear that verification will be handled via the EU Digital Identity Wallet. Also, that in the meantime we’ll see temporary commercial solutions, even involving “facial estimation.”
🤖Robot.txt or the AI staff
.- Have you ever been asked to quantify the possible fine that the AEPD might impose? The classic Gordian knot question that Jorge Morell has tried to bring down to earth and explain — with the help of AI. He even provides prompts so that ChatGPT and Claude can compete to see which one best aligns with the AEPD’s historical decisions. It seems AI plays harder than the AEPD.
.- Want to see an example of conversational AI deployment without much prior caution? We all know the end user is the most dangerous variable in the equation: Epic Games found out that players have more connection to the dark side than Darth Vader himself. Gemini 2.0 (for text) and Flash v2.5 (for voice, via ElevenLabs) didn’t see it coming when users made it say racist, homophobic stuff, insults of all kinds, and inappropriate conversations. It took them 90 minutes to patch it. Link to the FAQs of this “creation”, in case anyone wants to go nitpick everything that’s missing or say “I don’t buy X.”
.- The Italian Garante has just slapped a €5 million fine on the U.S. company behind the chatbot “Replika.” It’s the one that generates a “virtual companion” to be your confidant, your buddy, your mentor, your conscience, your bro, or your partner (and that last example is no joke — things are getting out of hand).
The issue dates back to 2023, when an ex officio investigation and a precautionary suspension were triggered because things weren’t quite right. And apparently, they still aren’t: lack of legal basis, failure to meet transparency/information obligations, and an inadequate age verification system — falling squarely under the catch-all articles 24 and 25 of the GDPR.
.- Interesting insights from the stakeholder consultation publication by the EU AI Office, shared by Mateusz Kupiec. It’s becoming quite clear that we lawyers are heading into a decade of advising on two murky gray zones: the line between prohibited purposes and high-risk systems, and the exception under Article 6 of the AI Act.
Total masterpiece
📄Paper of the week
.- This one’s short, to the point, and with a self-explanatory title: Combining Psychology with Artificial Intelligence: What could possibly go wrong? by Iris van Rooij and Olivia Guest.
🧷 Useful tools 🔧
.- NotebookLM now has mobile apps. Just sayin’.
.- And this other one shows you how well, if at all, your browser protects you from tracking, for the “Teach your dummy friends stuff” subsection.
🙄 Da-Tadum-bass
.- The moment captured seems to be from 2019, but it's making the rounds on social media again. Not much has really changed, even after all these years: Trump is back, the whole “sell me Greenland” thing is back in the air, the war in Ukraine was already on the table even before the 2022 invasion, and the shady dealings that are surely going on behind the scenes remain unchanged. The author: Zelensky.
If you think someone might like this newsletter, or even find it useful, feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.