#64 Invest in PETs, not TIAs (TID Kabuki theatre, part 2)
... and that's coming from a lawyer.
Last week I spoke about what works and what doesn’t in the Kabuki theater of international data transfers, following Judge Rory Mulcahy’s ruling reviewing the DPC’s €530 million fine against TikTok.
TikTok: What Works and What Doesn't in the Kabuki Theater of International Data Transfers
It’s called “sunk cost bias”: since I had already spent half of my weekend studying the DPC’s sanction against TikTok, back in the day, I couldn’t help but do the same with last week’s ruling that reviewed it.
You may recall that the ruling upheld the fine but nullified the additional obligation to suspend TikTok’s (ByteDance) international data transfers to China.
By doing so, it returned the matter to the DPC to do a better job and, this time, actually rule on whether it believed there was an effective possibility of re-identification of data subjects by those accessing data subjects’ data from China (in practice: IT employees, and potentially Chinese authorities).
And if it believed this, to clarify why.
That is the question.
The plot twist no one caught
The usual conclusion I’ve read about the Irish ruling is: “the DPC needs to better justify its decisions.” True. Trivial. Next question.
But the important thing is what made TikTok win in court what it lost before the DPC.
And it wasn’t a thicker TIA, or more SCCs. It wasn’t a legal opinion from an American firm with twelve partners in charcoal gray on the letterhead.
It was two independent assessments: the Mittal Report and the NCC Group report. Documents that established, with verifiable methodology, that Project Clover’s pseudonymization made operational re-identification of European users from China unfeasible.
The DPC dismissed them outright and did not refute them on the substance. That was its mistake.
And this is not a rare and isolated Irish ruling. It’s a trend:
The Irish ruling is not an isolated event: in recent months, we have identified three other judicial precedents from the supreme courts of two countries that apply exactly the same thing.
The French Council of State in Criteo (March 2026).
The French Council of State in IQVIA (May 2026).
The Spanish Supreme Court (March 2026, STS 1215/2026).
And now the Irish High Court in TikTok (June 2026).
Four!
The context is what it is: at the administrative level, enforcement authorities do not quite know what to do with the SRB / Scania doctrine.
Courts, on the other hand, are applying it quite naturally. And eloquently, they are making the authorities apply it where the information reaching the judicial bench does not allow them to do so themselves.
The technical aspect
These rulings point in the same direction: identifiability cannot be a mere administrative presumption; it is a debate about facts.
It is the controller’s responsibility to conduct the case-by-case study, the normative report on the destination country, the TIA, and so on...
...and it is the competent authority’s responsibility to solidly argue why it considers the documented measures to be sufficient or not.
Paragraph 461 of the Irish ruling is lapidary: the correct question is not whether the controller has demonstrated that data subjects cannot be identified—that is probatio diabolica: negative facts cannot be proven.
The correct question is whether, in fact and in the specific case, they can be identified by the recipient or by the authorities of the importing State with reasonably available means.
And “in fact” means: technical testing, re-identification metrics, real perimeter of accessible data, real capabilities of the importer.
I’m throwing stones at my own roof: what moves the needle in an international transfer is not the legal documentation. It’s PETs: effective pseudonymization, encryption, key separation, real minimization of exported data.
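As an added illustration (not part of the original post, and not the Project Clover design or the Mittal/NCC methodology), this is what “key separation plus minimization, with a re-identification metric” can look like for an export dataset: the exporter keeps the HMAC key, the importer receives only keyed pseudonyms and generalized quasi-identifiers, and the export is further minimized until every record shares its quasi-identifier combination with at least k others. All field names, sample records and the key are constructed.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample of an EU-side user table (no real data).
EU_RECORDS = [
    {"user_id": "u1001", "email": "a@example.eu", "country": "IE", "age": 34, "plan": "free"},
    {"user_id": "u1002", "email": "b@example.eu", "country": "IE", "age": 35, "plan": "free"},
    {"user_id": "u1003", "email": "c@example.eu", "country": "FR", "age": 29, "plan": "paid"},
    {"user_id": "u1004", "email": "d@example.eu", "country": "FR", "age": 31, "plan": "paid"},
    {"user_id": "u1005", "email": "e@example.eu", "country": "FR", "age": 72, "plan": "paid"},
]
# Quasi-identifiers in order of analytical priority; the last ones are dropped first.
QUASI_PRIORITY = ("country", "plan", "age_band")


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable for joins on the exporter's side,
    but not recomputable by anyone who holds the export without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(age: int) -> str:
    return f"{(age // 10) * 10}s"  # 34 -> "30s": the exact age never leaves


def build_export(records, key, quasi):
    """Minimized export: pseudonym plus the selected generalized quasi-identifiers only."""
    rows = []
    for r in records:
        row = {"pid": pseudonym(r["user_id"], key)}
        for q in quasi:
            row[q] = age_band(r["age"]) if q == "age_band" else r[q]
        rows.append(row)
    return rows


def min_k(rows, quasi) -> int:
    """Smallest group sharing one quasi-identifier combination (k-anonymity)."""
    if not quasi:
        return len(rows)
    return min(Counter(tuple(row[q] for q in quasi) for row in rows).values())


def export_with_k(records, key, k_min, quasi=QUASI_PRIORITY):
    """Drop quasi-identifiers (lowest priority first) until every combination
    covers at least k_min users; returns the rows and the fields that survived."""
    quasi = tuple(quasi)
    while True:
        rows = build_export(records, key, quasi)
        if min_k(rows, quasi) >= k_min:
            return rows, quasi
        if not quasi:
            raise ValueError(f"too few records to export at k={k_min}")
        quasi = quasi[:-1]
```

With the sample above, exporting with age bands leaves three users alone in their group (k=1), so the age band is dropped and the export goes out on country and plan only (k=2); the key stays with the exporter, so the importer cannot recompute the pseudonyms from a candidate list of user IDs.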
The uncomfortable truth
More stones at my own roof:
Almost all TIAs on the market—mine, those of the American firm with twelve immaculate partners, those of the London boutique—share structure, sources, and frankly, the same tune: “the specific data flow is not plausibly of interest to the authorities of the importing State.”
We all came up with this in 2020, and here we are.
What changes between one TIA and another is, to a large extent, the price.
And the price of a set of “Cardhu version” TIAs eats up the entire budget allocated for compliance with Chapter V of the GDPR.
The problem? That same budget, spent entirely on paper, leaves the technical measures budget at zero. And according to the cited case law, technical measures are precisely what can save your game.
Remember: the beauty of applying the SRB / Scania doctrine (well understood) is that if you achieve the objective, you avoid the application of the GDPR. But even if you fall short, you always mitigate responsibility, because pseudonymization always protects the data subject.
This is the way
My honest advice to clients with international transfers in 2026 is relatively simple, and goes against my own commercial interest if misunderstood:
Save on legal documentation. Invest in pseudonymization.
The most demanding part of the TIA—the normative analysis of the importing country, mapping of access by public authorities, comparative law—is precisely the part that AI does well if piloted by a lawyer with judgment. Calvo, if possible.
Review, contextualization to the client’s specific flow, and contextual assessment of identifiability require human input, but it is a fraction of the work.
The result: a solid, defensible, and client-specific TIA at a fraction of the traditional cost.
And budget freed up for real technical measures of pseudonymization, encryption, and minimization of exported data. And their documentation.
You can already imagine how this is going to end:
The inevitable promotion
I have been doing TIAs for years, and the ones I have done have worked.
I defended a multinational against a complaint filed by Max Schrems’ team precisely on this matter, and the AEPD archived it without a fine.
This is not marketing, bitch; it’s news archive.
Today, I do those same TIAs with an AI-based workflow and expert manual review that substantially reduces time and cost, with quality comparable to that of the twelve American partners.
If your company has international transfers and the last TIA invoice you saw dangerously approaches the budget you should be spending on pseudonymization, contact us.
You are reading ZERO PARTY DATA, the newsletter on technology news and law by Jorge García Herrero and Darío López Rincón.
In the free time this newsletter leaves us, we sort out complicated matters involving personal data protection and artificial intelligence regulation. If you have one of those, give us a little wave. Or contact us by email at jgh(arroba)jorgegarciaherrero.com
🗞️News from the Dataworld 🌍
.- We see that San Luis Montezuma has shared the document produced by the International Working Group on Data Protection in Technology (Berlin Group) on XR (extended reality), that is, the umbrella concept covering the better-known VR (virtual), AR (augmented), and MR (mixed) realities. The first two are best known through Meta Quest, Google Glass, and the aforementioned Meta Ray-Ban or Oxley.
There are many aspects to highlight in the document, but we will focus on two:
“While some specific XR features do require location data via GPS to function properly (for example, Pokémon GO), many XR functions have no need to know the precise physical location of the user and still collect and track this data. [...] For example, religious affiliation may be revealed if the user frequently visits a place of worship. Location data is also a valuable surveillance tool and could be misused by law enforcement or used criminally by stalkers.”
“Extended reality technologies have expanded beyond the world of gaming into increasingly more impactful and sensitive areas, including health, education, the workplace, and more. This technology raises serious concerns about privacy, not just for users, but also for bystanders whose presence and actions may be tracked with these devices. While many of the privacy risks presented by extended reality are common in other technologies as well, extended reality presents unique risks due to the source, type, and volume of information that it processes – just twenty minutes in a virtual reality simulation can generate nearly 2 million unique body language recordings.”
.- The EDPB has completely overhauled its website. It’s as frustrating as when your favorite supermarket changes the layout of its sections (even if for more debatable reasons of consumer psychology), but now it’s much better. More visual, more colorful, and a better way to filter documents; mainly, the guidelines that everyone ends up consulting all the time, or to check whether any of the historical ones that were in public consultation have finally become definitive (i.e., version 2.0). No one is looking at the legitimate interest ones that closed in November 2024.
The new page for consulting all those still in public consultation helps. And with all the feedback history received, even though it was already in the previous version of the website.
.- It is reported that remote work is worsening the mental health of those who “enjoy” it, and that the affected individuals are not aware of this. I question the latter. The number of people going crazy due to lack of real (not virtual) human interaction is alarming, at least in my limited personal sample.
The study, based on a survey of 568,000 people between 2011 and 2024 (excluding 2020-2021), attributes approximately one-third of the increase in psychological distress recorded in the U.S. to remote work, where the implementation of remote work went from 7% in 2019 to 28% in 2023. Remote workers add more than one hour a day of time in solitude compared to the pre-pandemic era, with a 4.6% higher probability of seeking mental health services and an increase of 1.8 points in the prescription of psychotropic drugs. Among those living alone, 83% spend workdays without a single face-to-face contact. The most concerning aspect is the perceptual asymmetry: the authors discount that the increase is due to greater flexibility in working hours, as routine medical check-ups decrease while psychiatric consultations increase.
Be very careful out there, fellow data protection officers: it doesn’t take a genius to realize that a DPO is in the risk group.
.- This is the last newsletter until September (we’re keeping the Digital Omnibus joker), so I allow myself to pay homage to one of my favorite communicators: Nicholas Thompson, who has written a book. Thompson posts on his social media “the most interesting thing in Tech that has happened today” with a very personal and engaging style. The book is The Running Ground, and it talks about running, fatherhood, and mortality. Thompson - USA record holder for 20,000 meters for over 45 years and world number one for 50 miles in his age group - weaves his sports biography with his troubled relationship with his father, Scott Thompson, an amateur runner who fell from grace after coming out of the closet and seeing his academic career collapse. There had to be a data-related nod in all this.
📖 Hard data docs for caffeine lovers ☕️
.- It barely made it into the previous newsletter, but we couldn’t help but mention that we now have recommendations and best practices for the video game sector. We leave it in a double version for you:
Comment on the same by Darío: Recommendations on 🎮 by the AEPD and the Belgian DPA.
Direct link for consultation in English. The original version is in English, which saves us from literal translations like “launcher” becoming “lanzador.” Thankfully, the concept of “videojugador” is not added.
.- From the Belgian authority comes an interesting resolution regarding an ex-employee’s mailbox. An access request by this same employee ended in a complaint and fine. It did not help that the account remained active and receiving emails a year after her departure.
Apart from imposing a fine of €176,000, applying appropriate measures, and satisfying the ex-employee’s right of access, the most relevant aspect is the interpretation of feasible deadlines for keeping the account active after departure:
“18. As clarified in these previous resolutions by the Dispute Chamber, this legitimate interest is initially limited to a period of one month. A possible extension of this period by two months could be accepted, provided that a clear balancing of interests justifies such an extension. This balancing of interests must take into account that the claimant left the employment relationship some time ago and no longer has any control over her personal data, some of which are sensitive, in the mailbox in question.”
.- The CJEU’s judgment in NTH Haustechnik (C-484/24) dismantles the “poisoned fruit” doctrine. In fact, it explains everything I didn’t understand about the famous Ribalta case and its astonishing consequences in Spanish labor jurisprudence. If it were a bit less hot, I would write a series of posts to ensure I understand and internalize it forever. But... given the circumstances, I can only point out two useful comments.
The case: an employer attempted to present as evidence data obtained—possibly unlawfully—from a former employee’s private eBay account to prove unauthorized sale of corporate assets.
This post by Peter Craddock focuses on whether the unlawfulness of the processing contaminates judicial evidence. After establishing that case law can constitute a “legal obligation” under Article 6(1)(c) of the GDPR, the Court clarifies that the balancing test incorporated into this obligation absorbs the duty of minimization under Article 5(1)(c), without the need for an additional case-by-case balance. On the possible procedural nullity of unlawfully obtained evidence: the GDPR does not contain an absolute prohibition on processing data previously obtained unlawfully, but those invoking legitimate interest cannot rely on this ground if they knew or should have known of the prior unlawfulness. The consequence is not intuitive: the judge can use contaminated evidence under a legal obligation, but the company that obtained the same data from a third party cannot appeal to legitimate interest as a legal basis for processing. Same data, different luck depending on who processes it. Author: Peter Craddock
The same judgment C-484/24 receives a complementary reading by Mateusz Kupiec focused on the procedural angle: when a national court assesses evidence with personal data in civil or labor disputes, this assessment or application is itself a processing under the GDPR—electronic presentation, storage, consultation, retrieval—and is justified under Article 6(1)(c) by the judicial obligation to rule on its admissibility. National procedural law does not require a detailed base norm for each case: clear and predictable conditions set by law or case law, public interest objective, and proportionality suffice. Article 17.3(e) of the GDPR does not create a separate legal basis: it only limits the right to erasure. Minimization persists, but it does not require a complete proportionality test for each judicial act; before disclosing to parties or third parties, the court may anonymize or pseudonymize. A violation of the information duty under Article 13 by the party that obtained the data does not prevent the court from using that evidence. The sanction against the data controller does not automatically result in exclusion of evidence, which breaks the application of the poisoned fruit principle previously cited.
.- Gernot Fritz comments on a resolution by the Austrian Administrative Court (VwGH) on scoring, Article 22 of the GDPR, and the right of access under Article 15.1(h), which apparently contradicts the CJEU’s Schufa judgment.
The issue: a credit information agency calculated several values for the data subject without transferring them to third parties or producing any detectable effect whatsoever. The Austrian data protection authority considered the right of access to the logic involved (which had not been satisfied) to be violated; the first judicial instance disagreed. The second confirms it: mere automated internal calculation of a score is not an automated decision under Article 22 of the GDPR if it is not projected outward.
To activate the legal effect or significant impact required, communication to third parties must intervene. The CJEU’s Schufa doctrine remains fully valid when the score is transmitted and depends on the conclusion of the contract. The non-obvious nuance: profiling does not automatically equate to a decision under Article 22, and the “reserved” calculation without further use falls outside the scope of Article 15.1(h).
I have a funny feeling about this ruling.
💀Death by Meme🤣
With everything that’s happening everywhere, there’s not much desire to write, read, or be near any computer or heat source to work or pass the time.
🤖NoRobots.txt or The AI stuff
.- Arianna Stech publishes her thesis “Grooming the Machine: Poisoned Contexts, Plausible Answers”: The information war has shifted its focus from people to the machines that influence them; LLM grooming is the systematic poisoning of training datasets. Stech audited 12 leading chatbots with three false statements aligned with the Kremlin among other things.
The Kremlin published 8 million articles that were never written for humans but for search engine crawlers and LLMs; people receive them in the form of AI outputs, unaware they are reading garbage. Authors: Arianna Stech, Francisco de Abreu Duarte, Paula Gori, Sam Stockwell.
.- Robert Gaudette wins the Grand Prix of $50,000 at the Runway AI Film Festival 2026 with A Face Only A Mother Could Love, a short film entirely made with AI, by a technologically capable director without formal cinematic training. It doesn’t seem like much to me, but you be the judge.
🛠️Useful Tools
.- An open alternative to Google’s NotebookLM called Open Notebook.
.- It’s not a tool per se, but the steps Proton recommends following to stop Gemini from reading and training on your emails and attachments in Gmail. For whatever reason, it seems to be yet another feature enabled by default without consent. Activated by default, because why not.
🙄 Da-Ta-dum basss
We wish you a very happy summer, and remember: it will be the coolest of the rest of your life!