Dear Data Friend:

The next four years are going to be anything but boring: every new nomination from the re-elected Trump administration is a spectacle. Few could have imagined we'd see Big Tech CEOs lining up like the Three Wise Men to present gold, gold, and more gold to the redeemer (a million bucks each).

Some acronyms are already being redefined…

On to the details:

📄 Data and Privacy Reports ☕️

.- The highly anticipated Opinion 28/2024 from the EDPB on data processing in the context of AI models.

.- Meta faces a new €251 million fine for a poorly managed and communicated Facebook security breach. Interestingly, this involves a dual violation under Articles 25 and 33 of the GDPR.

.- Netflix fined nearly €5 million for transparency violations, with the company’s defense arguments being more akin to children’s comedy.

.- NOYB embarrasses the European Commission: The Commission engaged in personalized advertising on Twitter to promote its controversial "ChatControl" initiative. NOYB reported the campaign, leading the EDPS to issue a reprimand instead of a fine.

Crucially, the EDPS found the Commission responsible for processing special category data without a sufficient legal basis. This included targeting users based on "certain political parties, politicians, religious beliefs, euro-skeptics, and nationalists," aiming to influence them and their "lookalikes."

None of the exceptions under Article 9(2) of the GDPR applied—explicit consent (a), data made manifestly public (e), or substantial public interest (g).

The irony is hard to ignore: while elections are annulled in Romania, Brussels justified this action under the guise of exercising the "right of initiative" for legislative proposals (Article 17(2) TFEU). The EDPS resolution

Death by Meme

🗞️ Data World News 🌍

.- The CNIL cracks down on cookies: "Go get them; they are few and coward." Dark Patterns in Cookie Banners: CNIL issues formal notice to website publishers.

.- (If it really wanted to) Facebook could crush the viral spread of fake news, according to a report by Jordi Pérez Colomé.

.- The EDPS goes full Grinch on Office 365: It checks whether the European Commission complied with its March 8 decision to suspend data flows outside the EEA involving Office 365. This includes successive transfers from the United States or other insecure third countries, which everyone watches warily but are implemented by an EDPS that can afford it. They also note that the Commission escapes further observations because the decision is being challenged before the CJEU (an attempt to get off the hook via the "school principal"). Includes a link to the March decision.

.- Law 21.719 on personal data protection in Chile has been published. Let’s see if experts can share more about whether it’s GDPR-compliant or heavily GDPR-aligned. Here’s an initial summary by María Badillo.

Robot.txt or 🤖 AI Insights

.- The sudden and collective meltdown of ChatGPT when asked about a certain "David Mayer."

.- Suchir Balaji, the OpenAI whistleblower (many have left, but he was the only one who spoke out), has taken his own life. Marina Valls discusses Balaji’s significance, linking to his paper and another publication that questions the AI industry's arguments for the legality of training models under the Fair Use doctrine. The New York Times took careful note of his claims.

.- Along the same line, there’s a publication by Louis Hunt with a bunch of links (caveat: I haven’t read them).

.- A humorous, practical, and almost charming post by Tea Mustac: The AI Act’s Risk Categorization Process.

📃 Papers of the Week

.- Making sense of the "lasagna" of overlapping and interconnected competencies in the European Union: one of those papers that doesn’t seem so interesting until you dive in.

.- Another paper by Christakis (have I already mentioned how much I like Christakis?): Data Free Flow with Trust: Current Landscape, Challenges, and Opportunities.

.- One by the phenomenal Lillian Edwards that, in her own words, gains relevance with the “David Mayer” affair. Link.

Our Two Cents

.- Remember Pokémon Go? Well, it’s back in the form of a Large Geospatial Model—essentially an AI story. Darío, obsessed with data protection in video games, has published a post on the topic: Pokémon Go and Its Large Geospatial Model.

.- Masters of Privacy: While that’s the goal, it’s unlikely the listeners will enjoy it as much as one does talking to someone as thoughtful and interesting as Sergio Maldonado.

For added excitement, I reveal something in this episode that, I believe, is worth its weight in gold: my private and non-transferable "privacy shield" against inferences about me by foundational models. You don’t know it yet, but you need one like mine.

Since Sergio throws out three big topics at once in his questions, we touch on many interesting areas: whether or not LLMs contain data, exercising GDPR rights against LLMs, the principle of accuracy, Markus Wünschelbaum’s discussion paper, and in the "de lege ferenda" chapter: the collective dimension of data protection, the need for better curation of training datasets, and potential updates to the GDPR.

🙋 Exceptional Guests Without Invitation

.- By the end of the year, some people pull out all the stops. One of them is Kyle Chayka. One of the most prominent journalists of the year leaves us with The New Rules of Media. A must-read (and re-read).

🙄 Da-Ta Dum Bass

Leave a comment, tell us whether you find this useful, funny, both or neither...