It’s been three weeks of Holiday frenzy and there’s plenty of ironing to do, so... without further prelude…
You’re reading ZERO PARTY DATA, the newsletter on current affairs and tech law by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we enjoy solving tricky situations related to personal data protection and artificial intelligence regulation. If you’ve got one of those, give us a wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News of the Data-world 🌍
.- The Grok situation on Twitter has been commented on (and will continue to be) this very week in this newsletter. It has caused a lot of movement: in Spain, for example, a “guide” by the AEPD that, we believe, should rather have been a “circular” from the AEPD, and the rushed publication of a draft of a new Organic Law for the civil protection of the right to honor, personal and family privacy, and self-image. And the link to the already published draft.
.- And from the same AEPD, which is on fire this January, an article on its blog about voice transcription with AI. A general overview of the checklist elements to consider under the GDPR, but with two interesting points:
It mentions that it’s necessary to assess whether using such tech is required. The Achilles’ heel of many cool ideas just because. Remember the EDPB told us not long ago that, for online shopping, requiring an account does not fall under contractual necessity (the famous guest checkout that’s almost nowhere to be found); and
They hint that “the GDPR would not apply in the case of synthetic voices, or when measures have been taken to modify the voice at the source to eliminate identifiability, including unlinking it from other identifying information.” It would have been better to clarify “at the source,” since the anonymization process itself is personal data processing.
.- ChatGPT Health and Claude Cowork have arrived. Simon Willison’s logo (cow + orc) for the latter is a stroke of genius.
📖 High density docs for data junkies ☕️
.- Arnoud Engelfriet says paragraph 10(5) of the AIA does not amount to the hyped “bias exception”, which would allow AI developers to process sensitive personal data without complying with the GDPR. He explains that, under the GDPR, any processing of special categories requires both a legal basis (Article 6) and a specific derogation (Article 9(1)), requirements not covered by the AI Act.
.- This paper analyzes the criminal legal substance of CSAM content generation using generative AI. It focuses on German law, but trust me, it’s very interesting. By Anamaria Mojica‑Hanke, Thomas Goger, Svenja Wölfel, Brian Valerius, and Steffen Herbold. The main takeaways are not hard to imagine:
Regulators must define clear requirements to compel developers to avoid criminal liability.
Companies and R&D teams must integrate advanced, auditable moderation systems from design.
Those steering models toward explicit content must implement every possible measure against CSAM generation and distribution, including training and output filters.
.- The ICO’s report on agentic AI and its impact on commerce with purchasing “personal agents.” Via San Luis Montezuma.
.- The useful docs on the overlap between GDPR and AI models from CNIL, now in English. We’ve had them translated from French since they first came out two summers ago, and I haven’t checked if anything has changed. Anyone compared them?
🤖NoRobots.txt or The AI Stuff
.- A really good article: Stephan Geering highlights three key features of agentic AI (autonomy, human-free decision-making, and web interaction) that create incremental risks: accumulated bias, compounded errors, and above all, compromised integrity forming the “broken trust triangle.” In this triangle, none of the actors (user, AI agent, third-party site) can verify each other’s authenticity, allowing manipulation and data exfiltration. It’s a continuation of Simon Willison’s lethal trifecta already mentioned here, but spot-on and well explained.
.- Reverse engineering of Filevine reveals over 100,000 confidential files at a law firm. Alex Schapiro describes how, using subdomain enumeration and JavaScript analysis, he discovered an unauthenticated endpoint returning a full Box admin token for the “margolis.filevine.com” instance. That token astonishingly granted access to the firm’s internal file system, exposing nearly 100,000 confidential documents (including HIPAA data, court orders, and payroll). Schapiro followed responsible disclosure. The company responded quickly and limited the exposure to a single non-production firm.
.- I really liked this interview by Delia Rodríguez with sociologist (and um, former minister) Manuel Castells, where he describes the world as immersed in a process of self-destruction driven by total digitalization (99% of all information is already online). AI is not “intelligent” per se, but a programmable tool whose real danger lies in amplifying human-destructive tendencies. China, under a communist state, has led the 21st-century economic miracle, breaking the neoclassical free-market theory.
.- Why hasn’t the $4.3B in legal AI investment in 2025 produced tools better than ChatGPT? Jordan Bryan answers.
.- Jose Belo’s recommended book list on AI is very similar to mine (includes Schneider, David Chalmers, Norbert Wiener, Brian Christian, Stuart Russell, Kate Crawford, Safiya Noble, Cathy O’Neil, James C. Scott, Frank Pasquale, Stanisław Lem, Kazuo Ishiguro, Ted Chiang), with unsurprising surprises like Hannah Arendt or Heidegger and those classic sci-fi authors.
.- A Dutch designer, Jip van Leeuwenstein, has created a crystal mask that subtly alters facial features, preventing AI systems from recognizing the wearer from any angle while still allowing normal expression reading. The piece is part of the Surveillance Exclusion project from the Utrecht School of the Arts.
💀Death by Meme🤣
📄Papers of the week
.- This paper by Alessio Buscemi, Tom Deckenbrunnen, Fahria Kabir, Kateryna Mishchenko, and Nishat Mowla proposes a structured framework that translates the EU AI Act’s generic requirements into concrete, executable verification activities throughout the AI lifecycle. The authors break down each legal obligation into operational sub-requirements, align them with recognized technical standards (ISO/IEC 42001, IEEE 7010), and classify the tests along two axes: type of verification (formal, empirical, audit) and lifecycle phase (design, training, deployment, monitoring).
.- “Balancing privacy and platform power in the mobile ecosystem: The case of Apple’s App Tracking Transparency” by Julia Kraemer. Another of those documents that attempts something increasingly difficult: jointly applying what GDPR mandates and what competition law mandates—both are outcome-based regulations without specific routes… and they often intersect.
.- The most interesting of them all, even if the title isn’t exactly joyful: What Cognitive Science says about the Hart-Dworkin Debate by Brian Flanagan and Guilherme F. C. F. de Almeida. If you can only read one... you know.
🔗Useful tools
.- Visualizing SEP – an interactive search and visualization engine for the Stanford Encyclopedia of Philosophy: lets you explore it via radial graphs where each article is connected to those it cites or that cite it. Via Joseph DiCastro.
.- Chatterbox Turbo, released under the MIT license by Resemble AI, eliminates ElevenLabs’ advantage in audio generation. The engine produces voice in under 150 ms and can clone any tone with just five seconds of sample, offering fine control over laughs, pauses, and breaths. It runs locally, and the MIT license allows unrestricted commercial use, forking the code, and integrating it anywhere. This release, according to Iván Eguiguren, marks the “DeepSeek moment” for Voice AI. Includes the relevant GitHub link.
.- I changed these 5 settings on my iPhone and I finally feel secure
🙄 Da-Tadum-bass
It sounds like a joke, but it was Trump himself—a MAGA self-promo account—who published an altered version of Wikipedia to name himself acting President. Obviously, on his awkwardly named X clone.
If you think someone might like—or even find this newsletter useful—feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.






