Dear friend,

It seems that Joe Rogan made Mark Zuckerberg feel so comfortable during their long interview that Zuck dropped gems enough for two books. Although I don’t have the time or desire to listen to the whole thing, this headline caught my attention (and half Europe´s indeed):

Zuckerberg urges Trump to stop the EU from fining US tech companies

Zuck equates compliance with European regulations (specifically those on competition defense) TO A TARIFF. Maybe it’s because US Big Tech has been fined "more than 30 billion—American—euros" over the last 30 years, and Meta alone, just for competition violations and just last year, with 797 million.

There’s more: Meta is facing significant trials in the US this year, like the one in August 2024, which could result in Google being split up—again for competition reasons.

This (unsurprising) honeymoon between Big Tech and Trump could also blur the many serious sanction fronts opened in the US under the leadership of people like Lina Khan, currently busy updating her LinkedIn profile.

Despite the importance of the issue, it would be quite a surprise if the European Commission reacted with the necessary firmness to these taunts. That Europe will swallow any change—formal or interpretative—introduced by Trump in the DPF, well, is expected. After all, didn’t they just validate the adequacy declaration to the GDPR for Israel? Wasn't the EDPB “worried” -so to speak- about the Comission passing adequacy decisions without even changing “Directive” to “GDPR”?

We are Jorge García Herrero and Darío López Rincón, and we specialize in solving complex issues related to personal data protection. If you have such issues, you may hire us (note the old-school hat tip to the A-Team intro). Contact us by email at jgh(at)jorgegarciaherrero.com.

On February 5, the first package of obligations under the Artificial Intelligence Regulation will come into force. In other words: by February 2025 at the latest, its famous counterpart rhyme will seriously kick in.

If you are affected by the AI Regulation's obligation to promote "AI literacy" within your team (spoiler: YOU PROBABLY ARE, since it applies to providers and deployers regardless of the system's risk category), you might be interested in Trillateral Research training sessions led by Sara Domingo: three open webinars.

Let´s get it started:

📄Data-heavy documents for coffee-lovers☕️

.- CJEU's Mousse Decision (C-394/23): When "Mr/Mrs" Becomes a Privacy Issue by Dr. Markus Wünschelbaum. The various ramifications of this ruling have also been addressed from another very interesting perspective by Hajo Michael Holtz.

.- What to Say About Case T-354/22 Bindl: 400 euros in compensation for moral damages to a citizen (more on this gentleman shortly) who used Facebook login to connect to the EU's community authentication system (EU Login). The moral damage was assessed by the court as—yes, I know, it's absurd—"in a position of some uncertainty as regards the processing of his personal data," and this processing refers to the international transfer suffered by his IP.

Last week, I already linked a post about this; this time, I’ll leave you with a meme and two very different assessments: Rober Baugh (who explains well who Bindl, the plaintiff, really is—much closer to Arriaga than to Edward Snowden—and questions most hype around compensation and mass lawsuits). Hajo's take from the previous point (stating that the ruling does not apply the GDPR, is not final, and addresses a very specific action). And our favorite naughty boy: Peter Craddock (who clarifies that just adding a link doesn't automatically constitute an international transfer). There´s also Pedro de Miguel's take in Spanish.

.- Spain: The Boomerang of Surveillance Cameras in Dismissals Returns: in a more interesting way. Adrián Todolí comments on a ruling from Pais Vasco (Basque Country) High Court that raises concerns about the flagrante delicto exception in Article 89 of the LOPDgdd (spanish data protection law):

• The court believes that this article’s exception is a transitory provision until notification can occur, not a free pass.

• Todolí adds that this exception isn’t regulated by the GDPR and points out that it’s unclear whether national legislation can reduce the right to data protection by establishing exceptions to the obligation to inform workers established in Article 5 of the GDPR.

.- Spain: Also about that little detail of “maybe the 89 LOPD has gone a little too far” and about others, because the sentence is very relevant, I wrote something last week: Collective Agreements vs RGPD: not everything goes, my friend: CJEU C-65/23. I focused on the limitations -unconcrete until last month- on collective autonomy when negotiating agreements (and on things “that have given little to talk about” such as biometric controls), but the same limitations weigh on the national legislator by virtue of the principle of primacy of Union law. As icing on the cake: the consequence of excess should be non-application.

.- Spain: The Court fined 7,500 euros in damages to an employee dismissed for visiting adult websites, as the company had no policy prohibiting personal use of the corporate device. Via Caty Pou on Twitter.

.- France: Yesterday, the CNIL published an interesting document: Permissions in mobile applications: the CNIL's recommendations to respect user privacy (EN version via Luis Montezuma) and (original link in FR).

.- On Thursday the 16th, the EDPB will hold a plenary session where the expert pool will present a report on biases and data subject rights in the context of AI. Let’s see what comes out of it, but take note that they will also address possible pseudonymization guidelines and an update to DPO guidelines. I guess whether they will see the light before the CJEU bang expected for next 6 of february (EDPS/SRB).

💀Death by Meme🤣

🗞️News from DataWorld🌍

.- Under its new relaxed moderation policies, Meta allows comparisons of women to household objects, derogatory comments about ethnic groups, LGBTQ+ exclusion requests from certain professions, and misgendering of transgender or non-binary people. The removal of external fact-checkers in favor of community notes has generated headlines, but some experts emphasize that minority groups will bear the brunt of these “improvements.”

Dave Willner, former Sheriff of Content Policy at Meta, explains in a insightful Bluesky thread (i) why user reports are rubbish and (ii) why minorities will suffer most from these changes.

.- In the context of OpenAI's governance model change (from a nonprofit to a for-profit model), Elon Musk requested that the authorities in California and Delaware allow external investors to bid for the stake reserved for the nonprofit organization that controls the company. The market value of this stake will be determined by independent experts, but Musk insists that only the market can set the true price. This is one of the least outrageous things he has said in months, although his clear objective is to disrupt OpenAI as much as possible. Needless to say, OpenAI has no plans to hold such an auction.

.- Chilling article on Cambodian mafias enslaving people to scam Westerners via social media crypto schemes. Shazupan.

Two years ago, I read another version of this phenomenon, but a more nuanced and enriching one: a journalist experienced firsthand the scam of his widowed mother by a supposed American marine. In reality, it was one of the so-called “Yahoo boys” in Nigeria. The journalist became so intrigued that he boarded a plane to learn more on the ground. It was so captivating that I’m still waiting for the book: it was my favorite long read of the summer of 2023. (English).

.- And be warned, TikTok may soon have to change ownership in the US as soon as... next Sunday. Tencent Holding does not agree.

.- In response to a probable TikTok ban in the US, there are rumors of a sale... to Elon Musk!!!

🤖"Robot.txt" or "The AI Stuff"

.- Alessandro Mantelero will present the first Fundamental Rights Impact Assessment (FRIA) methodology for the use of AI: You can attend here (event organized by APDCAT). The report on the methodology used, the model template and the use cases will be released in Catalan, Spanish and English.
.- Meta allegedly allowed its team to train their LLMs using copyrighted works. This is what happens with judicial discovery in the US: when you get sued, you have to put all your cards on the table.

.- We have the second draft of the European Commission’s General Purpose AI Code of Conduct. It was released in mid-December, but by then everyone was too focused on holiday treats. Here’s a self-prepared comparison document to track the changes.

📃Papers of the Week

.- The Cambridge Forum on AI: Law and Governance is publishing excellent papers from top experts with free access galore. Start with these two:

1. Private ordering, generative AI, and the ‘platformisation paradigm’: What can we learn from comparative analysis of models terms and conditions? by Lilian Edwards and collaborators.

2. Generative AI and data protection by Hannah Ruschemeier.

🏡Our Two Cents

.- Pay attention to this ruling from the CJEU last December, which is relevant to almost all the major discussions in the data world last week. Did I overthink the topic and publish it late? YES. Should you read the post carefully anyway? ALSO YES.

.- Last spots available for the training course “Applying the GDPR to AI in Practice, Today”: Don’t hesitate! We start on January 28. Register at formacion(at)jorgegarciaherrero.com.

🙋Exceptional Guests Without Invitation

.- Ruth Boardman has something to teach us all about Article 14 of the GDPR.

.- Alex Prieto provides an unbeatable example of a spontaneous data enthusiast. The case of a plot full of unsent letters is reminiscent of when the AEPD issued fines after CVs and candidate information were found in the trash—complete with folders, unfolded pages, and inappropriate notes from interviewers.

🙄 Da-Ta Dum Bass

Thanks for reading Zero Party Data! Subscribe for free to receive new posts and support my work.