#48 Meta's smart glasses will include facial recognition
Hurry up, meteorite...
According to the specialist press (The Verge, TechCrunch), Zuck’s latest move is to add a native facial-recognition feature to the Meta glasses… taking advantage of the fact that we pesky privacy defenders have so many fronts open that we don’t even know which way the wind is blowing. They start by testing things on the Oculus (certain things were always there by patent), and then they move to the ones the general public knows.
I won’t be the one to contradict that point about pesky privacy defenders. But let’s talk about Meta’s little idea.
What could go wrong?
A whole bunch of things, but in this newsletter we always have a lot to tell and little space, so I’ll focus on two:
First.- I’ll start with a practical example, the kind I like. Just this week, 404 reported on “Camgirlfinder”, a facial-recognition service specialized in—get this—receiving from its gems of users images and videos of “cam-girls” (it also identifies the guys) who had decided to prevent or hinder their identification with masks, veils, or whatever they came up with, and, leveraging cutting-edge tech for the lowest possible uses, identifying them.
That is, you go on Onlyfans, Chaturbate, MyFreeCams, LiveJasmin, or the smut site of your choice, capture an image or video of the masked one who more or less amuses you, you send it to Camgirlfinder, and in two easy steps, it locates the person. Like that.
Notice we’re talking about people who have taken measures not to be recognized.
Okay, so Meta would be planning to put such a delicious little gadget within reach of any random genius with 400 bucks in his pocket.
Second.- Why is the US the only country in the world where, almost weekly, they have massacres of civilians at the hands of lunatics? It’s not that they have a higher percentage of crazies than we do here, no: it’s because they have easy access to repeating firearms.
Draw your own conclusions about what’s going to happen if FR technology becomes widespread around here.
Obviously, the thing will start with the pilot “we don’t offer this functionality in the EU because of all those annoying fundamental rights,” followed by its sequel “intense lobbying” and “nothing’s going to happen,” then moving on to the third season “the Irish authority says pché,” ending with the movie “Big launch: all we do, we do for you.”
It’s always made me laugh that, despite the tech explosion of recent years, the most reported thing to the AEPD year after year is video-surveillance cameras… Well… hang on, winter’s coming.
You’re reading ZERO PARTY DATA, the newsletter on current affairs and tech law by Jorge García Herrero and Darío López Rincón.
In the spare time this newsletter leaves us, we enjoy solving tricky situations related to personal data protection and AI regulation. If you’ve got one of those, give us a wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News from the Data World 🌍
.- Total déjà vu with World-no-Coin. In the same way the company came back with its orbs/palantiri, our AEPD came back with a statement. World made it easy for them by telling them they were coming back.
What they put sounds a lot more super-duper-fantastic than what we then know they actually do, like everyone else. Point b would carry more weight if they end up sneaking through that claim from the Digital Omnibus that it be an exception to 9 if it’s exclusively in the hands of the data subject (whether that was ever true in this case at any point is another matter).
They ask for a meeting for the 3rd or 4th of next month, but the AEPD is already commenting on things from what it looks like they’ve been sent, in the form of a warning (it includes the text of the communication from the orb gentlemen). The first is that trying to play at escaping Article 9 isn’t very credible here. Very iris, much iris for . The nuance that the purpose is not unique identification is fashionable with facial estimation for age verification, but here it’s sketchier to try it.
You have to give WorldnoCoin credit for the courage to keep playing dumb with data subjects.
.- The Irish DPC is investigating Grok over the generation of sexualized deepfakes it allows like crazy. You could see it coming that it was going to have trouble in various places, but it’ll be interesting to see the result when they don’t have to do contortions because it’s Meta. Unless there’s a surprise linked to Article 6 legal bases or Article 35 DPIA, they leave out the reference to a possible Article 9. We’ll see. It combos with the Government pushing the Prosecutor’s Office to start looking into the issue.
.- LaLiga won’t stop until it falls off a cliff. Now it seems they’ve managed to get a commercial court in Granada to allow them to require the VPNs themselves to block x IP addresses. Right at two of the big ones: NordVPN and ProtonVPN.
We’re witnessing things that were unthinkable not that long ago, but maybe this will help certain judges become aware of how the Internet really works. The leaked wording from the possible author says nothing that a lawyer would see as improper or as a possible rights violation or harm to a third party, but it does have that effect because of its material consequences:
“Immediately implement in their internal systems the appropriate measures to enable the IP addresses provided by the claimants, in which the illegal transmission of protected audiovisual content has been verified, to be inaccessible from Spain”.
Proton’s response to these rumors didn’t take long, and it follows their usual line: they’re going to fight, if the request reaches them.
.- Did you get a big email from Ubisoft about changes to its security policy, one created for minors and an explanatory guide on personal data? If you play anything from the company, of course. To save you looking:
That general policy, better not look at it too much. As proof, the compliance level on a 1/1 scale of what the EDPB or the AEPD recalls as a minimum for transfers:
“For transfers to other countries, we have implemented appropriate safeguards, such as the European Commission’s standard contractual clauses, to ensure an adequate level of protection essentially equivalent to that of the EEA. For more information about these safeguards, visit the European Commission website. If permitted by local data protection legislation, by using our services, you authorize Ubisoft to process your data in any of the places where we operate (including the United States).”
The one for minors, well, it’s also not very good or adapted:
The guide: this one is worth it. Not so much because you can say the content is flawless, but because of the possibilities the visual structure gives—ease of reading and the text-image combination it has. It’s always nice to find examples of the part of Article 13 compliance that we lawyers find hard to land, even if that means ignoring part of what you read.
.- Nancy Guthrie, mother of one of the most famous news presenters in the US, was kidnapped in her home. The recovery of a video clip (below) recorded by a doorbell camera (Nest) from Google’s servers has been much discussed. Specifically—and in the part that interests readers of this newsletter—because this camera only offers real-time image and only stores video in the cloud (never locally) IF AND ONLY IF you pay the corresponding subscription.
Well, Nancy Guthrie did not pay a subscription.
Okay, we know Google doesn’t usually cooperate with authorities until a proper court order lands on its desk.
Okay, this is a very media-heavy case and here it is indeed likely they moved heaven and earth. But…
Do Nest cameras record no matter what even if you don’t pay the subscription?
That’s the question that has been bouncing around in the little heads of the lucky owners of such a whimsical device.
According to The Verge’s report: (i) the cameras keep in the cloud the last captured event, (ii) they store it for short periods of time and then (iii) they delete it. (Some people call this “technical retention queues.”)
BUT: we already know from video-surveillance systems about recursively recording over the oldest content.
That is, just like what happens with the recycle bin on your favorite device, one thing is you marking it as deleted content and another very different thing is the device truly deleting it at that moment (it only marks it as content that can be overwritten without issue).
The article suggests that Google’s poor engineers, to reconstruct the shocking original video, surely had to patrol a bunch of machines scattered worldwide to recover the file fragments that would have been left spread around and unidentified (does anyone remember when we “defragmented the hard drive”?).
This in Spain would have been much easier, because for that we have our very Spanish concept of “blocking.”
Right? RIGHT? And now?
.- These two pieces of news are better understood together:
📖 High density docs for data junkies ☕️
.- The EDPB has just published the result of the coordinated enforcement action on the right to erasure. It’s an interesting read, but we’ll leave you a few notes:
The private sector complies better than the public. Could it be because the shot the public sector takes is a blank?
Training and real internal procedures are lacking.
Information to the data subject fails, with anonymization being applied that isn’t actually real.
Backups get deleted without more fear + a mess in retention periods.
The belief that offering account closure and the right to erasure is the same thing. Meta wishes.

💀Death by Meme🤣
🤖NoRobots.txt or AI Stuff
.- We’ve got this. Which is no small thing. Scary, huh?
It’s the comparison between the “hybrid” dance celebrations of the new Chinese year 2025-2026.
🙄 Da - Ta - Dum Bass!!!
Well, this is beautiful…
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.