It was International Data Protection Day yesterday. Traditionally, that’s when the AEPD announces the winners of its awards, but the date has been pushed so much that it’s now almost the deadline for award submissions (tomorrow).

Once again, the AEPD almost celebrated the day by releasing a common sense decalogue for the use of AI. With generative AI, GDPR compliance has become more “complicance” than ever. Happy complicance for yet another year of GDPR!

You’re reading ZERO PARTY DATA, the newsletter on current affairs and tech law by Jorge García Herrero and Darío López Rincón.

In the spare time this newsletter leaves us, we enjoy solving tricky situations related to personal data protection and artificial intelligence regulation. If you’ve got one of those, give us a wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.

Thanks for reading Zero Party Data! Sign up!

🗞️News from the Data World 🌍

.- Remember WorldCoin? That marvel by Sam Altman that scanned your iris for a handful of coins in their shady cryptocurrency, and was shut down in Spain, Italy, and Portugal to stop them from collecting anything from anyone? Now even courts in Kenya have ordered them to delete any personal data and information they had collected. Previously, data processing had already been suspended by the data protection authority as soon as it became trendy.

They’re taking forever to update their bogus guarantees page. Or maybe they’re realizing it’s no longer legal and are about to shut it down. No joke, the very existence of this “don’t worry” page is a dark pattern, aka “Emotional Steering”:

.- This news gave us an excuse to recall the curious world of the limited privacy and data protection rights of ‘public persons’: a very curious thing, with way more real-world use than what you’d find in gossip mags.

.- Did you know Wikipedia almost became Wiki-paid-ia, because its founder (who owned the domains) wanted to launch a Facebook-style ad platform with it? Did you know it was Javier de la Cueva (yes, the guy from the Bosco case) and some buddies who stopped it, moving the Spanish content and management to servers at the University of Seville? Now you know: he told us the other day in Salamanca. This jaw-dropping story was well told back in the day by Wired.

.- South Korea’s RIA published. Via Luis Montezuma, with guidelines apparently aimed at boosting understanding and adoption (and something we’ll definitely read—unless you’re professionally obligated to).

.- Believe me when I say we did not see this piece of crap coming. Of course, the industry is embracing this as this unforgettable screenshot shows:

.- The CNIL announces upcoming recommendations on proof of consent, after consulting with the marketing sector. Let’s see if they deliver a Holy Grail solution or just a “good luck out there” warning, judging by the horror stories reported by the sector.

.- On the Clawdbot madness, here’s a calm, grounded take advising caution before buying the hype, via Linkedin - Natzir. T.

.- In the Wild West that the U.S. is becoming again, it’s confirmed that ICE agents are using an app developed by Palantir to categorize and locate “deportable” individuals. This tool, Enhanced Leads Identification & Targeting for Enforcement (ELITE), cross-references public Medicaid, tax, and other data to decide who gets targeted. It’s so extreme it might not even be legal in the U.S. The EFF breaks it down clearly in this recent report: Report: ICE Using Palantir Tool That Feeds On Medicaid Data.

The real Palantir would scare even Sauron.

.- You may not have heard anything if you’ve never owned certain pants, but there’s been movement this week around Dockers. At first glance, it looks like your typical big fish swallowing a smaller one. But it’s actually an acquisition of “something” not disclosed—THE MARKETING DATABASE. Here’s the literal email they sent:

In our LOPD, the legal basis for transferring databases in a commercial deal is about as clear as NATO’s future. A very technical comment here. The Dockers case has its own issues:

• No mention of legitimate interest, nor is it clear if it’s a data transfer. The phrase “will acquire certain assets” fits with the threat that if you object, you can’t log in. It’s one thing to inform users of the consequences of opting out, another to use a dark pattern like “confirmshaming”: “don’t miss the benefits.”

• A new controller’s partner sneaks in as a data recipient, without any option to object separately. Obviously, they’re trying to avoid joint controllership—it’s more convenient to call them an independent third-party controller that doesn’t clarify the purpose (the trick of linking to the privacy policy doesn’t cut it anymore).

• Pending transfers should be clearly framed as necessary for contract performance. Processing the data to complete the order management and shipment clearly falls under that, although it also confirms it’s a transfer of Dockers’ business/web store.

📖 High density docs for data junkies ☕️

.- No one will protect our data when we’re dead. The CNIL (through its LINC) has published a long report on post-mortem data: “Our Data After Us From Digital Death to Immortality, Uses and Issues of Post Mortem Data.” It clearly states that the GDPR doesn’t apply to deceased individuals’ data, explains national-specific inheritance rights (it mentions the Spanish one), and delves deep into digital footprints, including linked documents and slow-cooked insights.

- Existence of “death tech” services to manage and plan for death and its consequences, and “grief tech” for mourning support.

-In a world full of agents and bots, here come the “deadbots”: chatbots with info from the deceased to simulate conversation—advanced digital clones, Japanese-style. Zero doubt Japan’s already normalized this. There’s also the paradox of relatives revealing special category data trying to bring someone back (giving sensitive info to make the deadbot as accurate as possible).

-The AI risks involved: malfunctions, biases, or issues causing real harm to family members. CNIL even cites real court cases:

Even video game grief gets a mention, alongside famous tribute cases.

💀Death by Meme🤣

🤖NoRobots.txt ot AI Stuff

.- “A simple language switch can make AI models behave significantly differently” is a paper by Eric W. Dolan; Lu Doris Zhang; Jackson G. Lu; Lesley Luyang Song, showing how AI is not culturally neutral; the “language layer” can skew advice and decisions.

Prompts in Chinese yield more relational and contextual responses; in English, more analytical and individualistic—aligned with cultural psychology frameworks.

The not-so-obvious compliance risk: if a company audits a model only in English, it might miss divergent behaviors in other languages.

This breaks the “one policy fits all” assumption and demands multilingual, systematic governance. Easy, right?

🔗Useful Tools

.- Interested in a tool to disable built-in “AI” features in browsers (Chrome/Edge/Firefox), targeting UI, flags, and helper components? Here you go.

📄Paper of the week

.- Related to the ICE x Palantir issue, and via EFF, here’s a very interesting document to understand how dangerous Palantir is: “All roads lead to Palantir: A review of how the data analytics company has embedded itself throughout the UK.” Focused on the UK, it explains what Palantir is, where it operates, its main products, key takeaways, and the back-and-forth with the authors (No Tech for Tyrants) after this document was published.

🙄 Da - Ta - Dum Bass!!!

NFTs were going to revolutionize the world, but stuff happened.

Let’s not even get into the metaverse.

If you think someone might like—or even find this newsletter useful—feel free to forward it.

Compartir

If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.

Deja un comentario