Last week this notable anniversary was celebrated. In Spain, a major AEPD event was held in grand style (in the not-so-small auditorium of the Palacio de Cibeles), but it is an event coordinated with all the data protection authorities in the EU area. The EDPB put together a summary video with the presidents or directors of some of the DPAs.
Without taking anything away from any of them, the background of the CNIL president in this celebration video stands out. Unlike the rest, who pose in institutional settings very much in line with public authority, here we have application diagrams, post-its, and a raw showcase of real data protection. A mural compiling quite a few of the things they do from LINC.
You can recognize some screens from the famous Fanthom app that we already discussed in another issue of the newsletter, but it’s Claude who puts the cherry on top by saying that everything follows a left-to-right plan: a typical UX design sprint sequence:
Post-its on the left → research and categorization of user needs.
Colored post-its in the center → ideation and synthesis.
Wireframes on the right → translation of ideas into concrete screens.
Happy GDPR anniversary—we’ll see how much things change for us when the whole Digital Omnibus soap opera wraps up.
You are reading ZERO PARTY DATA. The newsletter on current affairs and technology law by Jorge García Herrero and Darío López Rincón.
In the free time this newsletter leaves us, we sort out complicated stuff related to personal data protection and artificial intelligence regulations. If you have one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
🗞️News from the Data World 🌍
.- From Korea (obviously the southern one), some guidelines from its DPA on the use of pseudonymized data are being modified. In Article 28 of its data protection law, there is a quasi-compatibility for secondary purposes for pseudonymization (scientific research, public records, and statistics). It is not just a minimum security measure, but something more.
Now they propose to specifically extend it to AI training, under the premise that hypothesis formulation, data analysis, validation, and iterative refinement can be considered scientific research.
It doesn’t seem like a carte blanche, especially when they regulate the point of pseudonymization in the following way in their law:
Article 28-3 (Restriction on Combination of Pseudonymous Data)
(1) Notwithstanding Article 28-2, the combination of pseudonymized information processed by different personal information controllers for statistical purposes, scientific research and preservation of records for public interest, etc. shall be conducted by a specialized institution designated by the Protection Commission or the head of the related central administrative agency.
(2) A personal information controller who intends to release the combined information outside the organization that combined the information shall obtain approval from the head of the specialized institution after processing the information into pseudonymized information or the form referred to in Article 58-2.
(3) Necessary matters including the procedures and methods of combination pursuant to paragraph (1), standards and procedures to designate, or cancel the designation of, a specialized institution management and supervision, and standards and procedures of exporting and approval pursuant to paragraph (2) shall be prescribed by Presidential Decree.
.- The CNIL ventures to publish a model DPO activity report. A pure recommendation, like that ICO model contract for data transfers, but not as crazy or novel as it may seem. In those WP29 DPO guidelines, the annual activity report was already mentioned as an example tied to accountability to top management under Article 38.3.
.- One news item this weekend managed to surprise me:
The publication in the U.S. of the original registry of Nazi party affiliations.
If the pilot episode of the hilarious Saturday Night Live UK closed with an unforgettable song from the first listen (“What kind of Irish is your grandpa?”), any average German can now, in some of the search engines quickly set up by the press, check whether their grandfather, neighbor, their neighbor’s grandfather, or their boss or partner was a “card-carrying Nazi,” despite the thick silence that—understandably—those involved may have maintained on such matters.
Needless to say, this presents complications under the GDPR, insofar as some of the data subjects are still alive.
.- Yesterday the European Commission published the preliminary conclusions of the investigation into META for possible infringement of the DSA. It looks very likely to end in a sanction, but astonishing things had already come to light in the New Mexico trial. Pretends to be shocked that under-13s were slipping through with hardly any control.
📖 Hard data docs for coffeine lovers ☕️
.- The CJEU comes with its “digest” of relevant 2025 rulings. In the data protection section, six stand out: the already well-known SRB and Russmedia, plus four others:
Policejní prezidium (C-57/23): police authorities dealing with maximum retention periods for biometric/genetic data. Minimum retention rules, but periodically reviewed to determine when deletion is possible. Not directly under the GDPR, but under Directive 2016/680 on processing for prevention, investigation, and prosecution…
Mousse (C-394/23): processing gender data cannot be considered strictly necessary for ticket purchase processing. The French RENFE running into complications from implementing gender fields for reasons unrelated to the GDPR.
Deldits (C-247/23): violation of a transgender refugee’s right to rectification to correct their gender data in Hungary. A limited certificate may be requested to verify and ensure the exercise of the right, but not impose the requirement of undergoing gender reassignment surgery.
Quirin Privatbank (C-655/23): a ruling reminiscent of Österreichische regarding compensation for damages. Compensation quantified at €1,000.
.- Has anyone mentioned a relevant judgment? In Spain this week a notable one was published: STS 1590/2026. Why is it relevant?
The Supreme Court has declared that merely requesting manifestly excessive information, even without receiving it, constitutes personal data processing.
But hey! What the hell happened to the legal definition of “processing” in Article 4.2 GDPR, which insists on “operation (…) performed on personal data” or “any other form of enabling access, comparison or interconnection, restriction, erasure or destruction”?
To process personal data, shouldn’t you at least come into actual contact with personal data? RIGHT? RIGHT? Or what?
One might think that what is infringed when making a disproportionate data request, or without indicating the purpose of processing, etc., is the principle of privacy by design—and punish that infringement.
And the same conclusion could have been reached without stretching the concept of processing so far, so that processing becomes what happens before… um, accessing the data—those “processed” data.
Well, no.
In fact, the AEPD, which appealed a National Court ruling that embraced the previous argument, simply puts four CJEU rulings on the table. Two of them are especially clear, and their final reasoning is reproduced literally by the Supreme Court.
The clearest is case C-548/21, which applies not the GDPR but Directive 2016/680.
A minor detail when you get hit with jurisprudence of this magnitude:
“when police authorities seize a phone and manipulate it in order to extract and consult the personal data it contains, they initiate processing”
“Directive 2016/680 aims in particular (…) to ensure a high level of protection of personal data of natural persons.” “That objective would be undermined if an attempt to access personal data contained in a mobile phone could not be classified as ‘processing’ of that data.”
“ An interpretation under which the applicability of Directive 2016/680 depended on the success of the attempt to access personal data contained in a mobile phone would create, both for the competent national authorities and for individuals, uncertainty incompatible with that principle. ”
Another of the cited cases, C-175/20, also deserves your attention.
“Every battle is won before it is fought.”
Sun Tzu
💀Death by Meme🤣
🤖NoRobots.txt or The AI Stuff
.- The CJEU has clarified what pastiche is, and that it does not need to have the sarcastic tone of parody, in a musical sampling case that has been going around for ages. What makes this case, which smells like intellectual property, end up in the AI section? The interpretation by Dr. Andrés Guadamuz (Technollama) on his blog. We leave you the following excerpt, but it’s highly recommended to read it in full. Anything touching intellectual property is always a very technical mess.
So what does this mean for AI outputs?
As I argued before, the output side of AI copyright is where things get genuinely difficult. The input question is mostly a TDM exception problem in Europe and a fair use problem in the US, and at least the rough shape of the answer is visible even if the details are being fought out in GEMA, Getty Images, Bartz, and assorted other current litigation. The output question is different. It turns on whether specific generated works infringe specific training works, and that is a question about substantial similarity, idea-expression, and exceptions and limitations.
I previously flagged pastiche as a potentially interesting defence for AI outputs, drawing on the Martin Eder case, which found that pastiche could cover the kind of remixing, mashing and referencing that characterises internet culture. I was quite cautious about it at the time, because the concept’s scope was genuinely unclear and there was a reasonable argument that pastiche required a conscious reference to the original, which an AI model plainly cannot have.
Pelham II has, I think, removed both of those objections.
📃The paper of the week
.- The 2026 AI Index report from Stanford University.
That’s enough for the whole long weekend. And you still won’t finish it.
🙄 Da-Tadum-bass
If we rubbed a bottle and a blue genie came out with Robin Williams’ booming voice, we’d ask for just one wish: that this newsletter were as rigorous and funny as John Oliver’s weekly HBO news show.
The latest episode is dedicated to AI chats and you can’t miss it.
A graphic definition of karma and a slap across the face. Since the beginning of time, criminals have spoken in code to prevent the police or authorities from knowing what they are doing. We’ve included two examples, but there are more clever and biting responses on X:
If you miss any doc, comment, or dumb thing that clearly should have been in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next one.