Currently, in an attempt to protect minors despite the minors themselves (a form of enlightened despotism for children, one might say), the British Government launched this Monday a requirement for Apple and Google to block any type of nudity on mobile devices used by minors in the UK. This obligation is highly compatible with the requirement for official document identification on any existing platform.
At first glance, based on what the Government and related public officials have published on X, this measure might not seem so bad if it complies with the element that “this will never leave the device at any moment.” That is, disregarding the lack of precision from some politicians regarding zero storage and other assertions, and considering that this is a country that has opened the door to Palantir in the henhouse of its National Health Service (NHS).
The second reading comes when individuals, companies, and entities defending rights start connecting the dots leading to a new edition of Chat Control.
Now in an English tailored suit, but potentially serving the same underlying purpose. There is a continuous line running from the obligation to provide information so that the platform can categorize whether you are a minor or not, through the necessary scanning of content to block what is considered nudity or similar, to the enablement of a tool that can be modified as deemed appropriate at any given moment. Today in this area, but tomorrow in any other. This point has been raised by Signal in an ad hoc statement and by rights defense entities, together with the added problem of almost everything going through the three major players: Google, Apple, and Microsoft.
Everything points to another Chat Control in Europe. And communication to citizens in the worst possible way. It is understood that here, VPN maneuvers will not be sufficient to bypass restrictions at the device level itself, but we will see the alternatives minors have to circumvent this issue. Has anyone considered consoles and other parallel devices with internet access and browsing?
You are reading ZERO PARTY DATA. The newsletter on technology and legal news by Jorge García Herrero and Darío López Rincón.
In our free time from this newsletter, we resolve complicated issues related to personal data protection regulations and artificial intelligence. If you have any such issues, give us a hand. Or contact us by email at jgh(at)jorgegarciaherrero.com.
🗞️News from the Data World 🌍
.- Ireland is no longer just one of the tax havens tolerated by the EU. The UN highlights it as a “canary in the coal mine” due to the electrical and environmental weight of the AI boom. The article connects problems in meeting energy demand, regulations for data centers to generate their own electricity (nuclear energy is mentioned, uh), and the risk of a drastic increase in fossil fuels. Add the known consumption of water, land, critical minerals, and e-waste, and how the physical footprint of AI shifts to places that do not capture (barely) the value generated by the hosted computation.
.- We have been announcing an Armageddon caused by all those uncontrolled chatbots out there and prompt injections: does Meta count? Not yet, baby. It has been quite crazy, but we believe something more serious and widespread won’t be long in coming.
What happened with Meta? Well, only a bunch of idiots like Meta would be capable of reducing their workforce at a double-digit percentage rate to replace people with AI. In the security department. Granting elevated administrative privileges to a damn bot that -manifestly- had not been sufficiently tested.
Well then: the bot allowed attackers to “add email”, issue 2FA codes, and bypass protections that, in theory, stop resets.
Automating recklessly amplifies social engineering and scales failures.
.- Your TV can be a “node” for web scraping: SDKs embedded in apps turn smart TVs (like yours and mine) into outlets for third-party traffic, useful for evading blocks by IP reputation. An Israeli company embeds pieces of code in the apps of certain TV brands (they are in the article), which allows third parties to enter protected websites (let’s say, protected against corporate bot scrapers) bypassing the protection, because they are using (read: abusing) your IP, accessing as if it were you or a particular person entering from your home. Needless to say, just as they enter any newspaper to scrape, they could enter one of those websites you would never visit and that store the IPs of their visitors. Do the math.
The alarm is not only about data protection: remote control of destinations, filtering by country, and the lack of authentication/signing suggest an infrastructure ready to segment homes as programmable resources, with externalities of blocking and criminal suspicion.
.- Do you remember the article I recommended so much last week about “first-party data theater”? Well, now you can apply the same logic to platforms like Spotify, which, by interposing between artists and their audience, mess up the service because, deprived of direct contact with their fans, they cannot do what they could barely achieve in the past: impose their conditions.
…And that explains the rise of things like this Substack, which allow direct contact between content creators and like-minded people.
📖 Hard data docs for caffeine lovers☕️
.- Carlo Piltz makes it clear: if you do not mention or inform about “legitimate interest” in the notice of Article 13.1(d) GDPR, you cannot rely on it. The post lands the inveterate doctrine of the CJEU to German practice: the informative defect is not minor and leaves you without a legal basis.
.- CJEU C-585/26 “Trezor Company” and transfers to a US processor: consenting to an international data transfer does not suffice if it is not clarified which basis of Article 6 is used and whether that basis “covers” the act of transferring to the processor in the US. The post raises a nuclear doubt: is a separate basis required for the “transfer event” and, if so, when does it fall due to lack of (a)(b)(f)?
.- Cool resolution from the Norwegian Authority. The good Luis Montezuma sells it as an ideal decision “for training” in GDPR: a practical compendium on legal basis, valid consent, legitimate interest test, and compatibility.
And it certainly is…
.- Another case of evidence against an employee obtained with infringement of data protection guarantees that is validated for dismissal purposes, and subsequently compensated for infringement of fundamental rights. I am aware of Ribalta and all that, but these labor court rulings still make my head explode.
.- Interesting fine of 900,000 euros from a Berlin court. Less for the amount than because it is the end of the road for the famous sanction of 14.5 million imposed on Deutsche Wohnen, the German real estate company, for eternal conservation. After an appeal and a reference for a preliminary ruling to the CJEU, the judgment was overturned and the case was referred to a specific court to rule on the merits. In this case, back to square one: a substantial reduction because it was done within the temporal framework of the real application of the GDPR, because the Berlin DPA did not adequately substantiate it (it is not the only DPA that has had some scares out there), and thanks to the silver bullet of being able to prove during the procedure that you are fixing the issue (reference is made to hiring auditors and a lot of IT). Seen on LinkedIn, via San Luis Montezuma.
.- Interesting (but pasty, and with a font size incompatible with fifty-something eyes) “legal criterion” of the AEPD, which applies to a curious case the idea that “things are what they are, and not what the data controllers who could have been processors but then were not, say they are”.
💀Death by Meme🤣
Without this serving as a precedent, here the EU has been quite on point:

🤖NoRobots.txt or the AI stuff
.- The problem of AI regarding localization/dubbing comes back to Spain. Precisely the sector least willing to sign certain guarantees requested not to blow up the profession: video games. It is true that, in terms of dubbing, little more is needed to completely eliminate the actor than cloning their voice:
The Platform of Associations and Unions of Voice Artists of Spain (PASAVE) pulled out of the hat the following specific clause that Microsoft is not willing to sign (let’s not forget all its Copilot and direct interest in AI):
“The use of voice, modulation, timbre, gestures, and analogues of the voice talent and/or voice actor/actress is not permitted or transferred to be used for feeding, training, simulating, or any similar action related thereto, in artificial intelligence (AI) programs or projects, robotics, computer games, or any other methodology that uses or transforms the voice originally recorded by the voice talent and/or actor/actress, to be used for any purpose other than the one detailed in this agreement, which is to give voice and interpret the character/s of a specific production.”
Never lose sight of the video game industry, which is always very ready to make business decisions or press the nuclear button at the slightest provocation.
.- Within the framework of the procedure for provisional measures in the investigation of Meta for possible abuse of dominant position, the European Commission is indicating that it should restore free access to third-party AI assistants on WhatsApp. Nothing about trying to apply a price or payment that can distort competition.
.- About how META’s Smart AI Glasses have gone from almost stealthily activating facial recognition in the glasses (it was called name tag internally) to declaring that they no longer do. Just in case Wired catches them with their ice cream cart when publishing the article.
On the same glasses, the EU may be starting to really move on the issue. Question from Renew to the Commission, something from the Swedish DPA in response to media inquiries, or the EDPB recognizing that it is beginning to assess where to start after receiving the report it commissioned on the matter.
.- The new AI services from Apple will not reach the EU for regulatory reasons. You break my heart, Apple. What do we have in the EU that they don’t have in the USA? (To start with, the problem is competition, not data protection or AI regulation…).
Also tune in to listen to Legal4tech with superMario Guglielmetti (and Rosie & Jack).
📃The paper of the week
.- The paper of the week is this one by Theodore Christakis (“You Trust Your Chatbot With Everything. Should You? Part 2”), for several reasons:
(i) because the topic is fascinating (are AI chatbots really confidential?), and I don’t think there are many things more in vogue (remember that Christakis’ panel was one of the most interesting at CPDP).
(ii) because it is longer than a day without bread, and it is caffeinated-caffeinated to the extreme; and, last but not least,
(iii) because the good man cites Narseo Vallina, the rest of my colleagues at IMDEA Networks, and me, for our work on embedded trackers and other privacy leaks in the web interfaces of the four major AI providers.
Ask Rumpel a question
Rumpelstiltskin (“Rumpel” for friends) is our personal assistant for browsing through resolutions, judgments, guidelines, and various materials. It works locally (without asking commercial AIs).
We like to see if it is capable of decently answering complicated questions.
This question is a preliminary ruling submitted this week to the CJEU (to be honest, it’s not something to tear your shirt over):
“Where both the platform operator and the website owner are jointly responsible for the processing of data when a website is accessed via a platform, are the controllers then required to make the essence of their arrangement within the meaning of Article 26(1) of the GDPR available on that website or at least on another website to which the accessed website refers by means of an appropriately marked link?”
Do you have any questions for Rumpel?
Useful tools / 🙄 Da-Tadum-bass!!
I must have watched this video twenty times this week, and it always puts me in a good mood: if you have a more useful tool than this for these trying times, show me.
[Insert the goose meme: “Show me, son of a bitch!”]
If you miss any doc, comment, or piece of nonsense that manifestly should have been in this week’s Zero Party Data, write to us or leave a comment and we will consider it for the next one.









