Dear Friend: Happy New Year.

Two weeks of silence are many weeks in the crazy, crazy world of data protection and AI: this newsletter comes more packed than our overstuffed Xmas bellies.

We are Jorge García Herrero and Darío López Rincón, and we specialize in solving complex issues related to personal data protection. If you have such issues, you may hire us (note the old-school hat tip to the A-Team intro). Contact us by email at jgh(at)jorgegarciaherrero.com.

My old boss told me to take some time to reflect on the main lessons of the past year. And I've done it, a little late, but I've done it: read here the five most important things I learned in 2024. (In Spanish but you can get the English version in one click, as you know).

Two of those lessons led me to painfully swallow the stance I had previously defended, but HEY!: It's as effective a way to learn as any other.

By the way, since I'm no longer in a big law firm, I can skip those typical and atavistic gymnastics exercises where changing your mind can only happen without ever, ever, ever admitting you were wrong before.

To the point:

📑 Black-Black Coffee Data Documents ☕

• We all start 2025 with a few extra pounds… except OpenAI: the Garante published, shortly after the famous EDPB Opinion on AI models, a 15 million € fine among other things...

• Did someone say “EDPB Opinion on Generative AI Models”? Here are comments from Gabriela Zanfir, Petruta Pirvan, Peter Craddock, Phil Lee, Theodore Christakis, Vadym Honcharenko, Mikołaj Barczentewicz, and Odia Kagan (she also has this one).

• Working paper from the German BfDi (International Working Group on Data Protection in Technology) on LLMs.

• Another day, another resolution from the AEPD, penalizing spam but ignoring the prior data scraping based on a demented interpretation of Article 95 GDPR (contrary to Opinion 5/2019 of the EDPB). Found via Jorge Campanillas.

• The CJEU ordered the Commission to pay €400 in compensation for the international transfer of an IP address to Facebook USA via "Facebook login." This will be talked about a lot. For my part, I remind you that, IMHO, Facebook login does not transfer NEW data to Meta. But what do I know?

💀 Death by Meme 🤣

News from DataWorld 🌍

• The world isn’t getting worse, it’s getting better: 45 good news stories to start 2025 with optimism. The traditional feel-good summary by Kiko Llaneras in El País, based on data. Surprised this is in this newsletter? Remember, it’s ours, and we include whatever we like. The author even made a website with the article content using no-code tools. That’s cool too.

• The first judicial AI hallucination in Spain? Or just A Series of Unfortunate Events in the same case? We’ll never know.

• Paying a ransom to cybercriminals can cost you… twice: The payment of a Bitcoin ransom to hackers leads Cangas City Hall to court for embezzlement.

• Hewlett Packard reports that they’re detecting AI-generated malware in the wild—not through complex analyses or watermarks, but because… it’s unusually well-commented. Via Michael Veale.

• Google, after years (years!) of dragging its feet, now says we’ll have third-party cookies until hell freezes over and, taking advantage of the situation, will stop limiting fingerprinting for its partners. Of course, friends, "Don´t be evil" !!

• He fought his car. And the car won. The spy capabilities of Tesla were decisive in catching the terrorist who detonated one in front of a Trump hotel. Additionally, the guy used ChatGPT to plan the “action.”

🧠 Against “Brain Rot”

• By now, we’ve all lost contact with someone we were close to but can no longer hold a productive conversation with: they seem possessed by extremist ideas and disinformation. How does someone radicalize to a point of no return? This thread on Bluesky explains the process using Elon Musk as an example. Nota bene: I’m fully aware this phenomenon also occurs at the opposite end of the ideological spectrum. I just haven’t found as good a thread as good for that.

• Along the same line, How to Keep Democracy Alive in 2025 by George Lakoff.

🤖 "Robot.txt" or "The AI Stuff"

• 25 AI predictions for 2025 by Gary Marcus. The post includes predictions from previous years and… I’d say it deserves a thoughtful read.

• COMPL-AI Framework: A Technical Interpretation and LLM Benchmarking Suite for the EU Artificial Intelligence Act. A comprehensive methodology for legally auditing generative AI models. The "surprise"? In benchmarking current hegemonic models… none pass the Pepsi challenge.

• History doesn’t always repeat itself exactly, but it often rhymes. That’s why this paper summarizing U.S. jurisprudence milestones on “fair use” in disruptive technologies might be interesting.

• Why is the above important? Because there are quite a few lawsuits piling up against the AI feudal lords. Wired, among others, is keeping track. And if you’ve seen Gary Marcus’s predictions, it’s very possible the rain will turn into a storm in 2025.

📜 Papers of the Week

• This paper by Daniel Solove on AI and privacy isn’t a recent release, but it’s what my mom would call “a wardrobe staple.”

• Advancing Healthcare AI Governance: A Comprehensive Maturity Model Based on Systematic Review (Preprint).

🏠 Our Two Cents

• We can’t say anything yet "because personal data protection" but… someone won something. AGAIN.

• Although data lawyers typically appear in the press to point out flaws and non-compliance, Jordi Pérez from El País asked for my opinion, and I really liked this initiative from Quirón: introducing an LLM in medical consultations to transcribe patient interactions so doctors can, for a change, look the patient in the eye instead of entering data into a computer.

• This holiday season, I watched The Sabre Case and Juror #2 and thought it was a good day to update my post on five great lawyer movies.

🙄 Da-Ta Dum Bass

• Roy Ferguson asked ChatGPT to summarize a non-existent case, “Trust Me vs. Bro” (the title alone is delightful), and Chati gave it everything it had.

  Absolutely spectacularrr.

We will be right back next week.