Here’s the thing, kid: you decide to publish your newsletter on Thursday for reasons, and damn current events blow up every Friday without fail. Sigh, I think I’m getting too old for this shit."

Friday: The news hadn’t even cooled down about having to deal with this incredibly complicated regulation—even to read—when the European Commission released a significant update to the FAQs. It would have been better to do this before the law came into effect, but it’s also not exactly confidence-inspiring to have "Day 1 patches" in support documents.

No one’s saying the new examples breaking down the document's sections aren’t helpful, but damn, you can’t even let your guard down for one day. Luckily, the text of the Data Act is locked.

Link to the doc with marked changes. It could go under data docs, but it would lose context.

Also Friday: A politician was shot and no one would have guessed that forums, furries, memes, and video games would be so relevant to reading the (alleged) killer's mind—or not.

Sunday: Someone might think that the Emmy-winning TV shows point to increasingly darker shadows in our current reality.

You're reading ZERO PARTY DATA, the newsletter on data, techopolies, and law by Jorge García Herrero and Darío López Rincón.

In the spare time this newsletter leaves us, we enjoy solving complex issues around AI and personal data protection. If you’ve got something like that going on, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com

Thanks for reading Zero Party Data! Sign up now!

🗞️News from DataWorld 🌍

.- This week there was movement on the eIDAS front in the EU. Sometimes it gets lost among so much news, but it’s still core. Seen on LinkedIn:

.- An interesting commentary on the third CJEU ruling published in early September. The famous EDPS v SRB (or we might call it Scania) and Latombe cases got more headlines, but the Quirin Case on moral damages for the data subject (Article 82 compensation, rarely discussed under the GDPR) still remained.

And link to the actual ruling:

The CJEU has taken a restrictive stance, unsurprisingly:

• Moral damage, highlighting the loss of control over data, must be real and proven. Fear that the controller might misuse those data fits under moral damage, but proving actual harm is the tricky part.

• The GDPR would not allow courts to impose precautionary measures banning a controller from processing those data again or from violating the GDPR in the future. The data subject isn’t a Terminator DPA.

.- Very interesting piece on the internal battle between MAGA and the traditional Republican Party that ultimately scrapped the moratorIA —a proposed 5-year federal pause on AI legislation to give time to negotiate a general federal rule. The Big Beautiful Bill risketta, as they say.

Fascinating to see political groups with so little in common agree on key issues—like the need to regulate AI. Will we see bipartisan progress on this and other important topics (on both sides of the pond)? We’d better.

📄High density docs for data junkies☕️

.- The AEPD imposes a fine of €1,800,000 on a company that bought all the self-employed people's data from the Basic Census (data obtained from the Spanish Tax Agency) through the Chamber of Commerce.

AEPD fined €900,000 for processing without legal basis (the sanctioned company cited the iuris tantum presumption of Art. 19 of Spanish law, among other arguments), and another €900,000 for failing to inform under Art. 14 GDPR. More details and my opinion here.

.- The new EDPB guidelines on the DSA-GDPR interplay, published for public consultation this past Friday. Interesting insights on the legitimate interest in voluntary harmful content monitoring, legal obligation for DSA-imposed duties, data minimization for whistleblower data, and enabling anonymous submissions unless identity is strictly necessary to confirm illegal content.

.- Two interesting docs on the Data Act:

1.- This one, thanks to Mateusz Kupiec, explores the connected vehicle ecosystem. It covers scenarios like user-requested data sharing with third parties, raising challenges for manufacturers, garages, and insurers. Highlights issues with technical interfaces, trade secrets, and expected contractual roadblocks.

2.- And this one by the great László Pók, worth ten reads… because it’s ten docs.

.- Refreshing (and pragmatic) perspectives in this paper on synthetic data use in health sector AI model development. Slightly industry-leaning, yes, but with a street-level realism rarely found in academic circles. Credit to Heiko Roth for sharing.

.- Honestly, after six years, most privacy experts are still clueless on contractual basis. Determining what’s “objectively necessary,” how it affects “non-parties,” and its relation to consent have been clarified by the EDPB and case law, but many haven’t caught on. Maybe, just maybe, this doc shared by Luis Montezuma will help. Or you could always join my training…

💀Death by Meme🤣

Can’t help but complain again about the relentless steamroller. Very Pucelan tradition, by the way.

🤖NoRobots.txt or The AI Stuff

.- UK news gets weirder now that they’re out of the EU club, but this AI-in-schools section is worth a look. This single reference page pulls together various useful docs with tips and cautions, ICO-style. You could ignore it, but how many teachers are using free AI tools without a clue?

With a data protection section , a guide for teachers and schools, and a few warnings to run things through IT or the DPO.

“If you choose to enter pupils’ personal data into an AI tool, ensure you check with your data protection officer or IT lead that it is safe to do so. Observing data protection principles while handling personal data in AI tools will help your compliance with data protection legislation.”

“If you choose to enter pupils’ personal data into an AI tool, ensure you check with your data protection officer or IT lead that it is safe to do so. Observing data protection principles while handling personal data in AI tools will help your compliance with data protection legislation".

.- Double news drop from Luca Bertuzzi:

• Poland asking to delay the high-risk AI sanction regime by 6–12 months.

• Digital Omnibus: specific RIA adjustments for optimal rule enforcement — 4-week open consultation — we’ll see.

🧷Useful tools 🔧

.- Raise your hand if you haven’t had evil thoughts reading that tweet and the company’s reply. Also, who hasn’t used ilovepdf? Not exactly the most accountable, even if they respond.

We’ve got something better here for merging, extracting, organizing, and converting to PDF. GPL, via GitHub, fully local and clean: pdf arranger. Covers 90% of what you’d do with online PDF editors.

🙄 Da-Ta-dum-bass

The first AI Prime Minister has arrived. Normally, this would’ve been an aggressive marketing campaign—but nope, it’s real. Time will tell if it’s more than a one-off PR move for Albania. For now, we’re left with this surprise Wikipedia entry. Sure, lots of fictional or famous people have Wikipedia pages, but this one hits hard with references to image rights, voice use, and a soon-to-expire contract.

If you think someone might like—or even find this newsletter useful—feel free to forward it.

Compartir

If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.

Deja un comentario