Seven years later, the regulation that aimed to make a difference in terms of rights protection and inaugurated the “Brussels effect” no longer has the same vigor.
Criticized and questioned by many, subject to a poorly conceived reform aimed at reducing the burden on small and medium-sized enterprises to enable them “to compete,” it is now in the crosshairs, alongside the AI Act (RIA), of powerful deregulators on both sides of the Atlantic.
Particularly significant is the coincidence of the anniversary with the start of AI training by Meta using data from Facebook and Instagram users in the EU.
Meta, a company that has not complied with the GDPR for a single one of the 2,555 days it has been in effect, chose the perfect week to rub its balls in the face of data protection authorities (not to mention all its users as well).
Once again.
And how.
You are reading ZERO PARTY DATA. The newsletter on current affairs, technopolies, and law by Jorge García Herrero and Darío López Rincón.
In the few spare moments this newsletter leaves us, we enjoy solving complex issues related to personal data protection. If you’ve got one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News from the DataWorld 🌍
Fine-fine from the CNIL due to lack of consent for commercial prospecting + data transfer without consent or proper basis: 900,000 euros for a friendly company (the former French "Yellow Pages") that offered commercial prospecting campaigns to clients using data obtained from a data broker. Indeed, with a sketchy form. Another amusing aspect of the case is the joint fine for spam without consent and for the illegal collection of personal data to do so. You already know that, apparently, the AEPD believes that Article 95 of the GDPR prevents this. Maybe Europe really does start at the Pyrenees, as the French used to say in 1985.
.- About Friday's proposal for changes to the GDPR (and several other regulations): it still seems neither that scary nor that useful. It also discusses changes to Articles 40 and 42 on certifications and privacy seals, but mostly to align everything with the new concept of SMEs that aren’t quite big enough to be considered large enterprises. Moving from the traditional concept of SME (Small and medium-sized enterprise) to the new SMC (Small Mid-Cap), which tries to reflect a beefed-up SME that still can’t swim in the "Shark Tank". Yes, it’s still odd that these seem to be the only kinds of changes.
.- Surprisingly, I haven’t read anything published about Careto, a spyware used by the Spanish Government for international espionage, especially in Cuba, ¿?. The news doesn’t come from some conspiracy outlet (or whichever one suits your fancy out of the thousand we have now), but from TechCrunch.
.- One of the least discussed aspects of the "One Big Beautiful Act" is certainly not the name—only our "bro-y delulu" president could have come up with that... but rather the fact that it includes a TEN-YEAR federal moratorium (a temporary non-application, to be clear) on the enforcement of already enacted laws concerning artificial intelligence systems, algorithms, and automated decisions in general.
.- Switzerland is considering passing a law that would require messaging and VPN companies to collect and retain identifying data of their users. Proton (our mail provider, by the way) has announced that if the law is passed, they will leave Switzerland. 👍
And the people from Tuta (a German email alternative that shares Proton’s philosophy, and until recently was called “tutanota”), dropped a good missile-like comment at Switzerland. You have to admit that adequacy decisions (Switzerland got the first one) are a bit of a meme due to the European Commission’s frequent rubber-stamping.
“While Swiss privacy has been overhyped, legislative rules in Switzerland are currently decent and comparable to German data protection laws. This update to the VÜPF, which could come into force by 2026, would change data protection legislation in Switzerland dramatically.”
💀Death by Meme🤣
One AI agent takes out another AI agent.
📄High density docs for data junkies☕️
The CNIL opens public consultation on the update of its credit evaluation guide. Indeed, to adjust it to the cases of Schufa and Dun & Bradstreet.
Essential. Delicious. Terrifying. The latest episode of Masters of Privacy in Spanish with Paula Ortiz is a polite and formal conversation on the surface… But don’t be fooled!! If you catch the fangs hidden behind those smiles and listen carefully, you’ll hear the clash of sabers: it’s a showdown between the rhetoric of lead—the cosmetic compliance of personalized advertising as understood by BigTech ecosystems, dominated by Meta and Google's servile structures like IAB—versus the silver, or the good work done in controlled environments with the utmost respect for the data subject, backed by Sergio Maldonado, who has spent decades advocating for careful and close compliance, avoiding both tree-hugging and “everything for the user, without the user.” A Tarantino fight filmed with the delicacy of Wong Kar-Wai.
This thread led by Tash Whitaker works just the way I like to approach my practices: as a true crime investigation, ruling out suspicious butlers. As usual, the real meat is hidden in the second-to-last comments.
Traffic data as evidence in civil proceedings? A very rigorous post by Alfonso Peralta Gutiérrez.
This report by the Bulgarian authority on a facial recognition video surveillance system for supermarkets… Sound familiar? The Mercadona case is cited.
Mini-summary of Trump’s Take It Down Act.
It feels like a good place to insert one of my favourite Calvin and Hobbes stories.
🤖Robot.txt or the AI staff
The drama of Meta’s AI model training using data from Facebook and Instagram users returns with the dreaded reactivation date just two days ago (May 27). In 2024, it had to be paused by “formal invitation” from the DPC, but since then it has slowly crept forward with the Irish authority’s collaborative view. And now several issues are on the table:
The DPC’s positive stance with a statement highlighting improvements in information to data subjects, better opt-out forms (anything is an improvement when you start by hiding it in a dark pattern), and by October 2025 META must submit a complete report with improvements, PIA, LIA, and more.
Noyb’s cease and desist action and possible EU Class Action to stop the process.
The German consumer protection organization (VZ NRW) seeking a temporary halt from the Cologne Higher Regional Court. The request for interim relief was rejected late last week.
News from Mario Guglielmeti that the Hamburg DPA may trigger emergency procedures under Article 66 of the GDPR: pressuring the DPC to act, involving the EDPB for an urgent binding decision, and deploying protection at the territorial level (apparently coordinated with other German DPAs).
Looks like the meme office DOGE wasn’t enough torture for U.S. officials, now Grok is coming. It doesn't comply with what we see here, and surely not with the “special” version they’ll be given. And no doubt it’ll end up cross-referencing with each official's personal account to see who’s calling the Dorito a Dorito.
A powerful idea, explained in a simple and memorable way in this infographic by Alexandra Tous.
Two other guides on data protection and generative AI: this one by the Dutch authority (more a presentation than a guide), clearly embracing legitimate interest without real arguments, and this one from the Finnish Authority, highlighted by Vadym Honcharenko, noting the acceptance of contractual basis. Worth a closer look. Things are MOVING.
A well-developed idea framed with clear principles: Guiding Principles and Model Rules on Digital Assistants for Consumer Contracts. The choice of "assistants" instead of "agents" in consumer contracts shows some brain activity behind this project. Whether the marketing bros will find it too boring without reading it is another matter. Via Rosalia Anna D’Agostino.
The new universe of risks for AI Agents and Agentic AI is overwhelming. That’s why I like the idea from Debmalya Biswas, who doesn’t bring a new list but consolidates three solid works already published.
They give ChatGPT a mosaic of photos of participants in a videocall, and the AI identifies most of them without much effort. It’s fine, go ahead and play. Via Brian Spisak.
Reminder that in two weeks, our express training by Sara Domingo on the European AI Regulation begins. Three two-hour sessions to save you the heavy lifting of getting familiar with the most complex and annoying regulation this bald guy has ever faced. Dates: June 12, 17, and 18. More info here. Register at formacion(arroba)jorgegarciaherrero.com
📄Paper(s) of the week
Cristiana Santos has spent years pointing out the widespread legal abuses surrounding cookies. She recently published two papers:
The title of this one is quite revealing, I think: ‘Pay-or-ok’ model: ‘I will never pay for this’ – Perception of fairness and factors affecting behaviour on ‘pay-or-ok’ models.
And this other one, co-authored with Nataliia Bielova: “Measuring Compliance of Consent Revocation on the Web”.
🧷 Useful tools 🔧
Firefox is discontinuing Pocket and I’m crying. If anyone can recommend an equally flexible and integrable alternative (or better), I’m all ears.
I think we’re all aware of LaLiga’s outrageous move. In its (legitimate, of course) crusade against football broadcast piracy, they’ve been allowed to completely override minor principles like legality and proportionality. It’s been done with the support of a judge who, honestly, I doubt understands what he authorized: blocking IP addresses in bulk, affecting many innocents along with the guilty. This website lets you check if your site or service went down unexpectedly due to some guys playing football, others stealing and rebroadcasting the feed, and more cutting off access to people who have neither guilt nor blame.
🙄 Da-Tadum-bass
.- If you're staying home this weekend (we'll suffer our first heatwave here in Españita), here are the 100 best episodes in the history of TV (American, because the list is from Rolling Stone magazine). The ones I know are, indeed, the best. And among the ones I didn’t know, I really enjoyed those from The Twilight Zone (especially that one) and Doctor Who. Highly recommended.
If you think someone might like this newsletter, or even find it useful, forward it to them.
If you are missing a doc, a comment or a bit of nonsense that clearly should have been in this week's Zero Party Data, write to us or leave a comment and we will consider it for the next one.