#9 AI Regulation: Rush and Improvisation in Brussels
And They Said it only happened in Spain…
Dear friend,
Do you remember that very Spanish complex of “everything here is done late, badly, and never, and we always end up rushing at the last minute”?
Well, not anymore. Maybe the national football team got rid of those complexes. Most likely the rest of the world has reached and surpassed our level.
The absolute truth is that the European regulation governing AI systems came into force on Sunday…
Without the Commission having published its promised guidelines on (i) prohibited purposes and (ii) the definition of what an AI system is (update: they were released on Tuesday).
Add to that the fact that the European Commission’s website with the promised institutional materials on AI literacy is as deserted as the Spanish Data Protection Agency’s adjunct position… and now we have the complete picture (update: they were also released on Tuesday).
The cherry on top: that the most striking prohibition in the entire regulation has come into effect before the sanctioning regime or the institutions responsible for enforcing it… priceless.
Alright, better late than never, but this meme was too good to change the intro. Because, hand on heart, Kermitt is all of us.
This is ZERO PARTY DATA—the technology and law newsletter by Jorge García Herrero and Darío López Rincón.
In the free time this newsletter leaves us, we enjoy solving complex issues in personal data protection. If you have any, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com.
Thank you for reading Zero Party Data! Sign up!
🔒 News from Data world🌍
The biggest security breach in history happened, as always, on a weekend. Gift article from the NYT.
DeepSeek (1): Reading Javier Salas, I realized I hadn’t fully grasped the concept of the Sputnik moment:
"We know what caused the original Sputnik moment: the entire industrial and financial machinery of the U.S. was mobilized towards a single goal—defeating the Soviets in the space race. That’s what tech oligarchs like Andreessen want from Trump: zero obstacles (he has already overturned Biden’s AI risk regulations) and lots of money (a lot has already been spent, and if DeepSeek has proven anything, it’s that dumping truckloads of dollars is not the solution)."
My friend, this won’t be the last time you read this from me: the planets are aligning for a reform—read: deregulation—of the GDPR.
DeepSeek (2): The latest post by Andrés Guadamuz (@Technollama) is very interesting. DeepSeek’s published documentation reveals several intriguing facts:
Its vision-language model was trained with Anna’s Archive (a pirate library conglomerate like Library Genesis and Sci-Hub). Meta got into trouble for training Llama with less.
Then there’s the “abuse” of OpenAI models to train its own. The problem is that—even as Altman argues—it’s unclear whether this violates Intellectual Property law. It only clearly violates OpenAI’s terms and conditions, which the author describes as "impossible to enforce".
The real winner in this battle is open-source software—though DeepSeek’s models aren’t truly open-source. Neither are Meta’s Llama models.
This issue is being used as yet another battering ram to push for a reform (dilution) of copyright laws. And I’ll add: of the GDPR as well. Déjà vu, anybody?
Spain has a new advertising exclusion list. Alongside the long-standing Lista Robinson (where many have been registered for ages, with mixed results because many companies still ignore it), there’s now a new one with an incredibly imaginative name: Stop Publicidad.
The most interesting part is that in its authorization resolution, the Spanish Data Protection Agency (AEPD) acknowledges multiple previous denials due to self-promotion of services on the exclusion platform itself:
“The service to the general interest that guides the AEPD’s actions was not compatible with the private sector services being offered on the website for which publication was requested.”
Not the best start in terms of accountability, but let’s see how the list and its promoter—the Spanish Association for Digital Privacy—fare.
Remember that unwanted call regulations were changed in the Telecommunications Act (banning automated calls, random-number-generated calls, and non-human calls). The AEPD issued a Circular on this in 2023, and the AEPD has effectively outsourced this issue to AUTOCONTROL, which handles mediation for unwanted advertising.
Hilarious anecdote from the legendary Román Ramírez (@PatoWC on Twitter), who blew up a morning at a notary office that had no idea who they were dealing with.
The moral of the story: No, notaries cannot scan your ID just because they feel like it. The ruling he cites is from the High Court, but the one you’re looking for is this one from the Supreme Court, confirming the first ruling, and at the same time dismantling the database that the Notary Council had created.
📄Data-heavy documents for coffee-lovers☕️
Last Sunday, we started paying the first installment of the Artificial Intelligence Regulation. You know, prohibited purposes and something that has suddenly become urgent for providers and deployers: AI literacy (or its painfully translated Spanish version, “alfabetización digital”).
Brace yourself, because since Sunday, the world has been flooded with “experts” in AI offering advanced courses on the topic. If you don’t like the hype but also don’t know where to start, we’ve got something for you:
This document from the Dutch Authority, translated courtesy of our coffee-and-beer-loving friend Luis Montezuma.
This paper (“What are artificial intelligence literacy and competency? A comprehensive framework to support them”).
This incredibly well-explained document by Citizen Isabel Barberá, covering all the biases that lurk throughout an AI system’s lifecycle.
The always useful timeline for the effective implementation of different parts of the AI Act by EU Artificial Intelligence Act.
A revised version of the FAQs on the Data Act published by the European Commission.
Another website compiling European tech regulations. But this one, I actually like. You can check it out here.
💀 Death by Meme 😂
Thanks, Johnny.
🤖 Robots.txt or the AI staff
Last week, we forgot to link to something we're proud of: the first serious FRIA model to be released, presented by APDCAT and endorsed by none other than Alessandro Mantelero.
DeepSeek (3): The Italian Garante, just like it did with OpenAI before, has now ordered the suspension of DeepSeek's data processing in Italy. Will this follow the OpenAI pattern—where they demand information and then let them operate again? It doesn’t help that the Chinese claim EU regulations don’t apply to them since they don’t operate in Italy/EU (looks like they didn’t check the EDPB guidelines on GDPR’s territorial scope and Chapter V).
Ethan Mollick says Deep Research (OpenAI’s new advanced reasoning and research-focused tool) is truly impressive...
Meanwhile, Gary Marcus says it's a steaming pile of [BEEEEEEEP].
Whatever the case, dear friends, let's close this with a quote recommended by César Astudillo:
"Don’t delegate understanding." — Charles Eames
🏡Our Two Cents
Did someone say “mess”? Not exactly the kind of local stuff we usually cover, but is there anything more local than a classic Marca España blunder? The appointment process for the first president and deputy of the Spanish Data Protection Agency (AEPD) has collapsed for the second time in a row. With all the usual elements: merits, demerits, accusations of lack of transparency, tantrums, and some last-minute trickery to blow everything up (insert dark Goya painting here). Wait a minute, a new hope?
🚪 Uninvited VIP Guests
Regarding the enforcement of prohibited AI practices, Gerard Espuga reminds us of the joint opinion from the EDPS and EDPB, covering key points: a general ban on automated biometric recognition systems (so many euphemisms floating around, like "facial age estimation") and an absolute ban on large-scale remote identification systems in public spaces.
Repeat offenses matter, my friend. Check out Alberto Casaseca’s take on how the Spanish Supreme Court significantly reduced Vodafone’s multi-million-euro fine from the AEPD.
🙄 Da-Ta Dum Bass
Would you like any refinements or adjustments? 😊
Thanks for reading Zero Party Data!
Don’t miss next week’s issue—subscribe now!