#31 September goes crazy
thanks to CJEU's fantastic comeback week.
In many places across Spain, including Pucela (Valladolid), it's not really considered "back to normal" until the local festivals at the beginning of September are over. The problem with this crazy 2025 is that data stuff has been going full throttle since day one:
-On the 1st, the Independent Authority for Whistleblower Protection (AAI) started operating. It’s the big loophole in the whistleblowing law, which they’re trying to patch up now that the novelty has worn off, with a ministerial order. Let’s see how this all begins.
-On the 3rd, the Latombe case came out of the General Court. It was quite unlikely that it would bring down the DPF—and it didn’t. The appeal was entirely dismissed. With Trump at the controls, we’ll see in the future whether the DPF implodes or not.
-On the 4th—aka today—we’ve got another relevant case from the CJEU: SRB v EDPS. Basically, it’s about whether or not we’ll see support for the “Scania doctrine,” which hasn’t been talked about much around here. Since this newsletter goes out before mere mortals can access the press release, we can’t say much more than: life is hard and full of cosmic horrors. Press release from the near future for the web version of this newsletter.
You're reading ZERO PARTY DATA, the newsletter on data, techopolies, and law by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we enjoy solving complex issues around AI and personal data protection. If you’ve got something like that going on, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
🗞️News from DataWorld 🌍
.- Next week the new wave of Data Act chatter will begin, due to its actual enforcement coming into effect (with several dates depending on nuances in its final application clause). We’ll cover it here and beyond, but let’s start with a heads-up from a sector that usually doesn’t see itself as impacted by this law: video games.
Nintendo, being a manufacturer and more, has started making changes in its EULA. It’s a start, but that kind of authorization is a bit much if framed as just another update to terms. Also true: the usual modus operandi in video games is full-musketeer-style consent 1/1—All consents for one, one for all!
.- As if there weren’t already enough new EU regulations and directives, another one is on the horizon: the Digital Fairness Act. It’s still got some way to go, but yep—another one for the saddlebags. It looks like it’ll aim to regulate interesting issues that have long been on the table, but this time head-on: deceptive and addictive design patterns, personalization, influencer marketing, digital contract and subscription cancellations, abusive contract clauses, and a bit of age verification.
On that last point, EDRi published an interesting post about whether treating age verification as a way to exclude minors is a sound and non-harmful approach, whether this future “DFA” is the right place to tackle such matters when other laws (like the DSA) already do, and how the European Commission’s final guidelines on protecting minors under the DSA actually see age verification positively: “due to the risks identified for minors, the service’s terms and conditions or any other contractual obligation require users to be 18 years or older to access the service, even if no formal legal age requirement exists.”
And then there’s the mess of member states setting the age range themselves, similar to the not-so-great GDPR idea of allowing a margin between 13 and 16 (in Spain, it’ll be 16 once the Organic Law for the protection of minors in digital environments is approved).
The issue of age verification has turned into a maze even worse than the Minotaur’s: the proof of concept from the AEPD and the “Decalogue of principles Age verification and protection of minors from inappropriate content” that was supposed to lead the charge at the EU level, the CNIL’s trusted-third-party system for adult content, which seems frozen, or the most recent idea that everything will end up in the EU Digital Identity Wallet.
.- Noyb managed to get the Austrian DPA to order Google (in its YouTube form) to properly comply with a right of access request, within a maximum of four weeks (assuming no appeal). Press release/news and DPA resolution.
It might not seem like much, but it has some interesting implications regarding the right of access. Especially given big corporations’ tendency to build a single system or modality for both the right of access and portability—as if they weren’t distinct rights affecting different sets of personal data.
-Using formats like JSON and OPML is not a great idea: “Firstly, it should be noted that JSON and OPML are technically structured formats, specifically designed for automatic processing, and therefore difficult for laypersons without computer knowledge to understand.”
-Recipients must always be identified: the classic move by the big players is not identifying every single recipient of the data, even though it's been crystal clear since the EDPB’s transparency guidelines, the CJEU, and some solid rulings.
-Self-service tools are okay, but not if they make life harder for people: “a portal where a data subject must collect personal data via multiple online tools and, in case of missing information, turn to customer service, cannot comply with the facilitation principle of Article 12(2) of the GDPR. This is, among other things, because it is not reasonable to expect the data subject to identify the missing information and request it, since they cannot yet know what data is being processed about them.”
📄High density data docs for true caffeine lovers☕️
.- We came across an interesting DPIA on LinkedIn. Finding a full impact assessment is always good news, but this one is special: it’s about a Dutch educational AI project (EduGenAI) with options for either local LLM use or cloud-based commercial ones—cue the usual transfer headaches. We can’t say we’ve read all 140 pages of it (a PIA should never be short), but it looks thorough and very AI-specific.
.- Regarding the Latombe case mentioned earlier in this newsletter, you’ve probably already been bombarded with summaries and conclusions on LinkedIn. Here’s the press release, summary (in French), and the full ruling (also in French).
In short: the General Court dismissed the annulment request for three main reasons:
-It considered that the review court acting as a safeguard for any affected EU data subject (DPRC) does indeed meet the required standards of independence and impartiality.
-That bulk data collection by intelligence agencies is subject to judicial oversight, compatible with Schrems II. Latombe argued it required prior authorization, but the General Court recalled that Schrems II only mandates a minimum of ex post judicial control (via the DPRC). The Executive Order starts from the idea that bulk collection must be justified as “not reasonably obtainable through targeted collection”, plus specific safeguards.
-The Commission has a duty of continuous monitoring, to act if things change. We already know they’re always happy to play along.
💀Death by Meme🤣
Spain’s silver medal in number of AI supervisory authorities is meme-worthy in itself—but some other EU countries are even more hilariously over the top. Thanks to Belgium, we missed out on the gold one.
Good luck to anyone trying to find out whether all these glorious authorities actually occupy massive buildings filled only with ghosts and “book your appointment in advance” signs.
🤖NoRobots.txt or The AI Stuff
.- You can’t mention Google without META showing up trying to outdo it. In a stellar example of AI Act compliance, controls and bias mitigation, they’re now tweaking their conversational AI/chatbots due to Reuters catching them doing inappropriate things involving minors. Compliance must be dying to give the META AI product lead a round of applause—right in the face.
.- In the never-ending Groundhog Day loop of AI systems training on user data, now it’s Claude’s turn. Nothing we haven’t seen before, but a nice chance to play “how many dark patterns can you spot in this screenshot?” Pre-checked boxes pretending to be valid consent—an eternal classic.
📃Paper of the week/more AI stuff
.- Fascinating Harvard study on the use of dark patterns to make sure you never leave AI tools like Replika, Chai, and Character.ai. It was about time emotional manipulation from other industries made its way to AI (though we mostly only remember it from slot machines and game theory).
And of course, the classic sandbox for legal manipulation: video games. Through player profiling and a sneaky algorithm, the difficulty is adjusted so you never win too easily or lose so badly that you quit. Examples? Countless. But the all-time generational champ remains Candy Crush. Can’t be proven? No need, they were foolish enough to admit it before the UK Parliament. Since the transcript is long and juicy, it’s a two-for-one “papers” week.
“Moreover, despite concerns around gaming disorder, some parts of the games industry use data collected about players to modify their experience and keep them playing for longer. Alex Dale told us that King does not use player data to change the experience for individual users—a practice known as ‘dynamic difficulty adjustment’—however, other companies do. For example, Electronic Arts has patented systems that mean ‘the difficulty level of the video game may be automatically adjusted’ to ‘keep a user engaged for a longer period of time.’”
.- Another solid AI paper, this time from Cambridge. And another on the importance of human oversight in AI Act compliance: Better together? Human oversight as means to achieve fairness in the European AI Act governance.
🧷Useful Tools 🔧
.- Very helpful XML tips to actually make AI understand you. One of those cases where you start with a half-decent prompt and come out hours later wondering where your day went.
🙄 Da-Ta-dum-bass
.- The meme-turned-gif already qualifies as peak nonsense, but there’s always room for one more about data breaches. Since there are a thousand every week, it’s always on point. Like the one affecting 4.4 million U.S. consumers from credit bureau TransUnion, for instance.
If you think someone might like this newsletter, or even find it useful, feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.