#32 The unbearable subjectivity of being personal data
CJEU opens a new Kund-Era with Scania, IAB Europe and SRB judgements
I'm just dumb.
I thought everyone would be talking this week about the application of the Data Act (horrible, incomprehensible although well-intentioned: see a partial attempt at explanation by the bisho published here a couple of weeks ago).
But nope: the European data bubble has frozen with the SRB vs EDPS ruling from the CJEU: Turns out they reaffirmed that thing about the subjective doctrine of personal data, so hard to understand and even harder to apply!
Lemme tell you something, honey: “reaffirming” something for the third time (fourth, if we count Breyer) is not reaffirming—it means you just didn’t want to believe it until now.
Just like we also don’t want to believe in the ChatControl thing our beloved leaders want to impose on us, but whose umpteenth attempt at approval is just around the corner.
You're reading ZERO PARTY DATA, the newsletter on data, techopolies, and law by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we enjoy solving complex issues around AI and personal data protection. If you’ve got something like that going on, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
🗞️News from DataWorld 🌍
.- Last week we all breathed a sigh of relief when the CJEU didn’t strike down the DPF in Latombe. Relief because of the ton of work we’ve saved, not because we think there wasn’t (heh) some truth behind Latombe’s arguments.
Not for nothing, if you review headlines and commentary, you'll notice everyone included expressions like “for now”, “at the moment”, “bullet dodged” and so on regarding the survival of the DPF in the gigantic Kabuki theater that the international data transfer landscape has become.
.- The European Commission fined Google nearly three million for abusing its dominant position in the online advertising market. The substance of the sanction, once again, comes as no surprise to anyone with basic understanding of how this whole thing was being handled.
What’s interesting are these three takeaways:
(i) The Commission didn’t just stop at a fine. What’s funny about these things is that they force Google to take measures to end the abuse. Someone might think the final solution will be too weak to make a difference (and history doesn’t help: in the case of forcing third parties to use its search engine, it looked like they’d make Google sell Chrome, and things ended up halfway at best).
(ii) Risketto is not pleased. He likes being flattered and all those important BigTech CEOs sat at his table with tongues out and tails wagging (see the cringe video of the week in the “chorradón” section below).
Well, not all. For some reason, Elon wasn’t there.
(iii) Most interesting is that the Commission’s decision makes it crystal clear that Google ripped off all customers who bought ads or sold ad space from at least January 1st, 2024, until the date of the sanction, as well as Google’s partner companies in the ecosystem affected by its shenanigans. And it informs them of their right to claim compensation in court.
.- It was already known that an adequacy decision with Brazil was in the works, but since September 5th (just the day after the last Zero Party Data drop), we now have the draft published. Let’s see how long the rest of the process takes: the EDPB opinion, the actual adoption, publication in the OJEU, and some snooping to see if anything notable is hidden in there. For now, if you're up for it, there’s the fun of 53 pages of draft.
.- From the data protection authority of now well-known Estonia (no joke about the espresso macchiato guy who placed third in Eurovision), comes a 3-million euro fine for Allium UPI OÜ. A 2024 data breach in a “loyalty” system called Apotheka resulted in the exfiltration of first and last names, personal code, language, gender, email address, phone number, postal address, and purchase history of customers between 2014 and 2020. Around 750,000 individuals.
The Estonian DPA even mentions medication information, health indicators, pregnancy and hearing tests, or hearing aids purchased. And of course: no two-factor authentication, shared administrator account with the same username and password, half-baked logging, and poorly stored backups.
We’re neither a DPA nor particularly restrained with WTFs in data matters, but those three million euros fall way short of the mess caused. Press release in Estonian from this DPA, and non-Estonian article so you don’t have to translate.
.- Straight from last week before publishing: CNIL comes in with a 325 million fine to Google for displaying ads in Gmail without consent (among the promotions and social tabs), and for installing cookie trackers when creating a Google account without... yep, consent. CNIL’s blog-style press release, and an illustrative screenshot of the issue, also courtesy of CNIL. All part of an initial complaint by Noyb.
Bonus: the French don’t limit themselves like the Irish when it comes to sanctions: 200 million to the parent company, and 125 million to the European one. And a slap-in-the-face remark noting that Gmail is the second most-used email in the world (not surprising when Android forces you), and that most of the money comes from “the two main segments of the online advertising market: contextual advertising and targeted advertising.”
📄High density data docs for true caffeine lovers☕️
.- Everyone rushed to publish their analyses of the talked-about SRB EDPS ruling from the CJEU, with very mixed results. Let’s see:
1.- We have Peter Craddock’s post which perfectly describes the substance of the matter but, as always, includes loony claims where it suits him. When reading Darth Craddock’s texts, you should ALWAYS keep in mind who he works for.
2.- Commentary from the great Ruth Boardman. Very short and not as deep as the others, but it points out an example (work emails) for which… well, I have better solutions.
3.- I’d think twice — even three times — before disagreeing with David Wagner, but I’m afraid I have to. This post is a must-read because it’s well argued, but I disagree with almost all his conclusions.
4.- The always educational and clarifying Phil Lee also weighed in. Again, I don’t agree with his conclusions. What a day I’m having.
(To be continued).
💀Death by Meme🤣
Something to keep in mind when reading certifications and claims like carbon neutral, net-zero emissions, climate positive, carbon negative, carbon offsetting, zero waste, water positive. Beware, they all really exist.
The paper of the week
The open letter signed by more than 1500 academics against the new draft Regulation of the Council on child sexual abuse is one of the most important documents not just of the week, but of the year.
One no longer knows if it’s due to sheer ignorance, political showmanship to win votes, or outright shady interests, but our beloved leaders are once again pushing to legally impose on-device data scanning. The goal is laudable, yes, but the means are inappropriate, ineffective, and undermine the privacy and confidentiality of communications for all residents in the EU. And we already know that these rights are the foundation of many others.
But go ahead, read the open letter. Obviously, the authors explain it much better than I do.
Sign it, sign the letter. The contact person for Spain is the boss Carmen Troncoso.
🤖NoRobots.txt or The AI Stuff
.- The Netherlands is seriously into AI: its DPA is a constant source of documents on the subject. Now the Dutch Government joins with this dummy guide on the AIA. Enjoy. Via Luis Montezuma.
.- What should and shouldn’t you delegate to AI? This massive post by Steffi Kieffer, highlighted by Joan Sardá as the boss he is, is a great starting point. Remember the story about the ripped guy who never sharpened his saw — if you know what I mean.
.- The Chinese are stepping (even harder) on the AI gas pedal. Bringing AI to all possible economic sectors to “govern” the future. And since everything is made in China, we’ll soon feel the impact of this new arms race — one that Trumpo will surely join too.
.- We really love Eleanor Morton.
Useful tools
Ethan Mollick points out that Claude has grown up with Microsoft Excel. We’ll have to give it a try.
Jorge Morell perfectly explains ChatGPT’s new Borgian option that lets you branch the path of your conversation to dive deeper or shift the focus of a thread without contaminating the main one or exhausting the context. Super useful.
🙄 Da-Ta-dum-bass
Impossible to forget the wonderful moment from last week’s dinner with Trumpo and the tech megacorps. Look at their faces, wondering if being a billionaire is really worth having the Dorito stroke your ego all day long. From Zuckertron’s bootlicking to Bill Gates’ “I don’t wanna be here” face. Enjoy the longest video we found on YouTube.
An all-time high of cringe and second-hand embarrassment. But don’t worry, the Risketto guarantees to break this record month after month.
If you think someone might like—or even find this newsletter useful—feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.