-The post version will be updated to include links to the panel videos discussed, once they are published in a few weeks-
CPDP 2026 will be remembered (at least by this bald guy) as the “Luis Montezuma Edition”.
“Veni, vidi, vici”: Luis Alberto Montezuma arrived, saw, and conquered: everyone knew him, and everyone was grateful for his generous work while we discreetly scrutinized his eyes and clothes to ensure he had no wires, chips, or batteries powering that tireless knowledge-publishing machine.
Nope: he’s human. His secret is the magical Colombian arepas, apparently.
We all know by now that just following him will keep you informed of 90% of what you need to stay up-to-date.
Below, a summary of the panels I attended and those I missed but were recommended to me, culminating with my personal top picks:
In the prelude, Sophie Stalla-Bourdillon demonstrated that, in addition to having mastered the SRB Scania doctrine, before SRB and Scania, she is a very competent moderator.
A couple of gems from Philippe Latombe (the MEP who challenged the DPF before the CJEU and now is part of the CNIL):
“80% of the CNIL’s time is spent informing initiatives of the French Government, not on enforcement tasks”.
Who gets in? The Policy Dilemma of Age-Gating: I learned here that in Australia, the processing of biometric data for mere age determination is prohibited biometrics.
The Belgian Youth Council representative Camille Biot clarified what no one says or hears: that “youth” is not a single collective but a very diverse one, with many different interests.
That diversity alone already disqualifies any measure that aims to authorize binarily (you have access / you do not have access) the entire collective solely based on their biological age.
She said more: “approve whatever you want, shitty boomers: we young people will keep accessing”. Possibly she did not say exactly “shitty boomers”, but well, you get the idea.
The burden (the consumption of personal data for age verification et altra) should not fall exclusively on the user.
The commissioner also left an interesting point at the end: “when I was in high school, gay kids were very pressured and alienated, and social networks constitute an unparalleled tool for them to find their community”.
In “Breaking silos” (not very interesting) a couple of comments from the representative of the French association of DPOs AFCDP caught my attention, about an elephant in the room: “the growing pressure and workload, the need to stay updated, etc., have led us to offer psychological support resources for our members”.
GDPR class actions: the state of play (interesting, but I doubt it was recorded).
Three interesting things: the very frustrated attempt to disrupt the panel by a lawyer defending one of the defendant companies, the characterization of the background behind the collective lawsuits of Privacy Collective, this here and meeting Peter Hense in the flesh.
I wasn’t at The role of operating systems in trusted AI but it was one of the most recommended of the day, and I will watch it when it comes out.
Vital Signs: Regulatory Coherence, Interplay, and Alignment for Medical Device Cybersecurity: the typical super useful panel to situate yourself in a specific matter from different points of view: the talks were well supported by the presentation, very clear, and very didactic to understand the swarm of applicable legislation in this matter.
On Thursday, I wanted to go to Secondary use of data under the European Health Data Space: some relevant issues moderated by Pablo Trigo, but they changed its location: (nonetheless, I heard it was fantastic) and I went to A Child-Centred Approach to the EU Digital Rulebook. Another 100% educational panel with a special mention for Simone Van der Hof, I am quite sure she is one of those professors who change your life.
Informed consent: The breakthrough in Art. 88b GDPR / Digital Omnibus and current initiatives in the field of PIMS and technical standardization. A very interesting panel and a chance to see a force of nature in action: Anja Wyrobek, a commissioner making some very questionable points: Magdalena Steringer, and an explanation about the challenges and solutions posed by that proposal of 88b.
What is so special about special categories of data?. Especially interesting were the interventions of Ruth Boardman
The Agentic Assistant: What does Big Tech’s goal of creating a universal digital intermediary mean for society? Really interesting were the interventions of Udbhav Tiwari from Signal and Frederike Kaltheuner.
Eye tracking in video games: Opportunities for game development and risks to privacy. Very Good.
I participated in the workshop From Pseudonymisation to Synthesis: A Debate on Evaluating Privacy-Preserving Technologies and Re-identification Risks in Medical AI under the GDPR (a practical case to be resolved between two opposing teams formed with the attendees). The idea was brilliant, but there was very little time and I would say at least half of us were hungover. I was on the team that upheld the rights of the data subject and we triunphed, of course.
It is notable to indicate that the team defending the company did not think to allege in a pure form the proposal that gave title to the workshop: “In so far SRB Scania doctrine applies, therefore GDPR does not apply”. Which was the whole point.
Digital Omnibus meets the Charter of Fundamental Rights – a reality check with Max Schrems and especially my friend Rosalia D´Agostino, whom I also had the opportunity to meet in person. I recommend her podcast again Legal4Tech.
I wasn’t there, but it apparently was excellent: Dragnet Data Protection: Dilemmas of Web Scraping and Public Interest Research
The AI Act: AI regulation and its implementation in troubled times with Mantelero not selling but teaching his book and Gloria González Fuster yes selling her book, but above all, complaining about her (well-deserved) reputation as a grumpy one to immediately confirm it by grumbling - amusingly - about a drama as tragic as recurrent when concluding the negotiations of the relevant legislation text.
You will have to watch the video to find out: HA!
My two favorite panels (ex-aequo, as in Cannes):
Gendered Digital Labour: Unseen work, exploitation, and technology-driven inequalities.
If this panel had been a TV series (and it could be), I would binge-watch all six seasons. The discussion started with precarious workers subject to platform supervision but above all control.
Aída Ponce del Castillo presented the Platform Work Directive – “if the conditions for the application of the Directive are met, the worker contracted through a platform is a platform worker” (!!!)
“the working conditions are coded in the algorithm.”
However, after Madeleine Thomas’s intervention – a character very hard to forget, but I won’t reveal why here – the panel’s interest and the panelists’ passion skyrocketed. The focus shifted to social media content generators, the possible application of the Platform Work Directive (”It depends”), but above all the possibility of implementing PETs (Privacy Enhancing Technologies) on user-generated content that allows identifying those who leak content, dox their creators, and upload it to other platforms for uncontrolled virality. The technology exists; it only requires stakeholders to decide to invest in its adoption, thus demonstrating that they do not give a damn about the creators whose content they monetize and exploit.
Wouldn’t that be wonderful?
And much more.
My Chatbot, My Confidant? Protecting User Privacy in Generative AI Conversations, moderated by Theodore Christakis. Fascinating.
Some striking points:
.- 230 million users make health-related queries to ChatGPT every week.
.- All guidelines and efforts by the EDPB (European Data Protection Board) or the EDPS (European Data Protection Supervisor) still focus on the past (AI training) when the real issue lies in the present: the indiscriminate personal and business use of chatbots with very unclear privacy safeguards. The panel focused on aspects such as judicial access to chat history, overlooking the growing evidence of leaks for purely commercial purposes.
.- Yann Padova (who has become Gandalf) left a couple of memorable quotes worthy of a t-shirt:
“AI is disproportionate by design” or “legal loopholes in the EU?”
Beyond the panels, it was greta to sharing oxygen with Gloria Gonzalez Fuster, Itxaso Domínguez de Olazabal, Laura Centeno, Guillermo Lazcoz, and beers with Jeimy Poveda, Ainara Bordes, Isabel Barberá, and David González Calleja, as well as a lot of interesting people I met whose names I don’t remember (apologies to them) because I am already very, very old.
Next year, more. And now, the newsletter: we have a lot to cover.
You are reading ZERO PARTY DATA. The newsletter about tech and legal affairs by Jorge García Herrero and Darío López Rincón.
In the free time that this newsletter leaves us, we solve complicated issues related to personal data protection regulations and artificial intelligence. If you have any of those, give us a hand. Or contact us by email at jgh(at)jorgegarciaherrero.com
🗞️News of the Data-world 🌍
.- Not only Pope Leo XIV (see below in the AI section), but also the fight against the construction of data centers has united a cross-party citizen majority in the US: The American rebellion against AI is a fact and gaining momentum (reported by a media outlet unlikely to represent tree-hugging hippies: the Wall Street Journal). Local communities have managed to block or delay at least 48 data center projects valued at over $156 billion in the last year alone. In the first quarter of 2026, a record 20 projects were canceled due to local pressure from neighbors. Republican politicians in Texas and South Carolina have called for moratoriums on hyper-scaler developments, citing the impact on power grids and farmers. Democratic candidate Justin Pearson in Tennessee is making opposition to xAI’s Musk data centers a central part of his campaign. Only 17% of Americans believe that AI will have a positive impact in the next two decades.
Meanwhile, in Spain, projects in Extremadura, La Mancha, and Aragon are full steam ahead.
.- Who really writes or rephrases all those clone-like posts about leadership that you see on LinkedIn, signed by... people you’ve never heard of on LinkedIn? Find out here.
.- Technological sovereignty: The European Commission is promoting restrictions on the use of US cloud providers—AWS, Microsoft, Google—for processing sensitive public data from European governments. The “Tech Sovereignty Package,” presented yesterday, May 27, defines sectors whose workloads must be hosted on European cloud infrastructure: healthcare, finance, and the judicial system are the priorities. The measures apply only to the public sector, not to private companies. Thibaut Kleiner, Director of the Commission, warned that Europe risks being relegated to a “technological colony.” The irony is that in April, the Commission itself awarded a €180 million contract to sovereign cloud projects including an alliance between Thales and Google Cloud.
Utah requires adult content sites to verify the age of all their users, including those accessing via VPN. The article humorously summarizes the difficulties in implementing this proposal, similar to that infamous magistrate from the Audiencia Nacional who ordered the “closure of Telegram”.
And along these lines, politician vs specialist. Specifically, a British politician ignoring how well the topic is progressing in Australia (and mixing certain elements in the argument to justify himself) vs a renowned academic researcher in applied psychology (mainly in video games where there are never minors). And the added joke that in the United Kingdom, any platform is obliged to collect identity documentation from every user.
.- Yesterday, the AEPD published that it will bring the issue of investigating the leak of conversations in major AI services/assistants, which we covered in a special issue here (and in which Jorge participated), to the EDPB itself. It will do so in two ways: an informative note for the knowledge of the rest of the DPAs, and a proposal that it be addressed at the plenary meeting on June 8 and 9.
We’ll see how it ends up, but it’s good news in the crazy world we live in.
And this infographic from the CNIL, very much for the lay citizen, but which clashes badly in points 3 and 4 with the investigation of the AI leak:
📖Hard data docs for coffeine lovers☕️
.- Amadeus shatters the record for the highest fine from the AEPD, with 14.4 million euros.
.- Formal complaint from the Gesellschaft für Freiheitsrechte (GFF) to the Irish Coimisiún na Meán for systematic non-compliance by LinkedIn with Articles 17 and 24(5) of the Digital Services Act (DSA).
Between October and December 2024, 77.1% of LinkedIn’s content moderation decisions in the DSA transparency database cited only a “generic violation of platform policies” without specifying what content, why, or which specific section. Article 17 of the DSA requires clear and specific reasons that allow the user to understand the decision and exercise their right to appeal. The most amusing thing is that the DSA transparency database — designed precisely to audit moderation patterns — is being used by LinkedIn to formally comply with the notification obligation, while reproducing exactly the opacity that the regulation aims to eliminate, turning the control instrument into a regulatory whitening tool.
.- Curious case of the limits of joint responsibility that we see on Noyb’s blog. Austrian court annuls the 8 million fine imposed by the Austrian DPA on the parent company of a Group involved in a loyalty program. As much as it was the parent company, the court considers here that there is no effective influence/position or unity of purpose in the determination of purposes and means necessary to consider the subsidiary and parent company in this dual category. It is always good to remember real examples of the matter, which are often considered as nothing or everything.
.- The DPC updates a document that could be called “FAQs on domestic CCTV”. Far from being different from what the AEPD did with its 6 “cards” on CCTV, it does have something that would not be bad to incorporate into the AEPD’s: a visual image of how far the little camera can film. Reality is often a more diffuse terrain where it is not always as clear as the written description in text.
Setting aside the fact that we are less likely to all have a detached house with a garden, but considering the dreaded Amazon Ring and certain landlords’ ideas.
.- Technical Solutions for Marking and Detecting AI-Generated Text Content in the Context of Article 50(2) AI Act via Martin Ebers.
💀Death by Meme🤣
🤖NoRobots.txt o the IA things
.- Google will take your emails as a signal when serving you advertising: Garrett Sussman, Michael Tandoh, Cate Dombrowski publish Gmail inbox as an AI search signal: a controlled experiment on 1,922 Google AI Mode responses shows that brands “seeded” in emails from accounts connected to Google Personal Intelligence appear 46% more in recommendations than in control accounts. Appearance increased from 23.9% to 66.8%; top-3 positioning improved by 23.1 points; Gmail was the strongest signal compared to Google Photos. Even fictitious brands introduced by email appeared in 35.7% of the responses, compared to 0% external citation. The experiment —with data collected between March and April 2026— only applies to accounts that have voluntarily activated Personal Intelligence, not to standard AI Mode.”
More of the same: Google announces the integration of native advertising in AI Mode and Gemini responses: “Conversational Discovery Ads” will generate product recommendations tailored to conversational queries, while “Highlighted Answers” will insert approved brands at the end of AI Mode lists. AI Shopping Ads will also arrive in the conventional search engine with Gemini writing the product “explainers.” Google assures that ads do not affect organic results, but organic results are buried under a growing tsunami of AI-generated content. Elizabeth Reid presented the changes as “the biggest update in 25 years.” The most concerning aspect is that the language model acts as an intermediary in the auction—the LLM decides which brands are “relevant and high-quality”—but this decision is embedded in the same auction mechanisms as before, without transparency on how these two logics interact. And this has already cost you dearly two years ago, Google.
-. The Pope’s stance: It took the Pope to start dropping facts about AI. It’s almost more about governance policy or FRIA than encyclical. He hits the nail on the head with the main problems and biases of AI:
AI is not neutral: we forget, but humans are still the ones who make and break things in the world. We haven’t reached Skynet yet.
Back to the Tower of Babel: “10. We must, then, avoid the ‘Babel syndrome,’ namely the idolatry of profit that sacrifices the weak, a uniformity that neutralizes differences, and the pretense that a single language—even a digital one—can translate everything, including the mystery of the person, into data and performance.”
Hidden environmental impact: little is denied, but we still talk about carbon zero. OpenAI manages to balance the chickens that come in for those that go out, no doubt.
Do not forget about rare minerals and certain profiles of “slavery.” Not for nothing do we later see the presumed anti-slavery norms by the UK: A significant part of the digital economy’s functioning relies on the silent work of millions of people engaged in essential yet largely unseen activities, such as data labeling, model training, and content moderation, often involving disturbing material. (…………….). In some regions of the world, children and adolescents work in dangerous conditions, crushing the materials from which rare earth elements are extracted.
The Pope realized it is better not to base any decision on an algorithm. Insert meme of “you were right that mushroom was poisonous.” They scratch on the topic of compassion and empathy. Apply the father and child analogy to Palantir’s sword scenario.
Surveillance and worker devaluation: As a result, contrary to the advertised benefits of AI, current approaches to technology can paradoxically de-skill workers, subject them to automated surveillance, and relegate them to rigid and repetitive tasks. The need to keep up with the pace of technology can erode workers’ sense of agency and stifle the innovative abilities they are expected to bring to their work.
📃 Paper of the Week
.- Anonymization of genetic data in the European Health Data Space, by Daniel Grafulla Cumba. Warning: Do not miss it, BUT have an LLM nearby to explain the technical part with examples! (Do you remember the parts of “The Name of the Rose” written in Latin? Very similar).
Daniel Grafulla explains how:
.- The truly relevant parts of DNA for identification purposes are not the whole, but much less, and usually involve combining fragments from different sources.
.- However, exceptionally, regions of DNA that are not very relevant for identification purposes gain significant value when they mutate, thus doubling their sensitivity in terms of genetic diseases.
.- He points out a kind of minimum threshold (!) of re-identification risk in Recital 92 of the European Regulation on Health Spaces.
.- Although this Regulation contains an explicit prohibition on re-identification for users (data recipients), the author solidly argues that, given the peculiar individualizing power of DNA (or the particular regions described), it should not be taken as a carte blanche in terms of the automatic application of the SRB Scania doctrine.
The question I ask myself (or the point where I disagree) is whether the author’s equating of singularization and identification holds in any case, or depends, as the CJEU has repeatedly stated, on the content, purpose, and effects of each data processing operation.
🛠️ Useful Tools
.- Claude Code for Word and Excel released as open source: the author publishes add-ins that allow using Claude Code directly from Microsoft Word and Excel, including local file context, MCP servers, skills, and tool calling—capabilities not offered by Anthropic’s official add-ins. By Leo Hope and John S. Searsx.
.- ACME Legal AI: self-hostable open source platform for small legal teams, built as an alternative to SaaS legal tech solutions. Includes conversational chat with persistent history, four-stage verifiable citation engine, anonymization layer for cloud inference, and a library of skills in the open format of Anthropic. Works on laptop, internal server, or cloud VM, against the LLM model chosen by the client: Anthropic, OpenAI, Azure OpenAI, or local Ollama. By Kevin Keller.
🙄 Da-Tadum bass!!
Christopher Nolan has never used email or a smartphone. Given that a Viking longship has been seen in a trailer (among other thousand absurdities), he doesn’t consult Wikipedia much either. Nor does he seem to have deigned to ask any historian about carrier pigeons, smoke signals, lighting beacons between Gondor and Rohan, or whatever is done to communicate.
If you miss any doc, comment, or dumb thing that clearly should have been in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next one.