Dear friend,

The world is abuzz about the new Chinese models (DeepSeek R1 and v3, and those by ByteDance), trained with fewer chips, consuming fewer resources and data, yet delivering performance on par with the North American giants.

Most notably, in a huge "in your face," they’ve been released and can be downloaded and run locally. I’ve tried them (and honestly, they didn’t work very well).

As expected, multiple versions with different flavors are being published almost every hour.

This is just the beginning...

...and it’s already proving costly for many.

Beware!! Gary Marcus says: 5 reasons why you’re missing the point here.

We are Jorge García Herrero and Darío López Rincón, specialized in solving complex personal data protection issues. If you’re dealing with any, give us a sign. Or better yet, contact us via email at jgh(at)jorgegarciaherrero.com.

Thank you for reading Zero Party Data! Sign up, it’s free!!

📄Data-heavy documents for coffee-lovers☕️

• Last week, the AEPD imposed two fines for biometric control (facial recognition). The Osasuna case was the most controversial, with arguments that are, to say the least, surprising:

  1. The AEPD sanctions because the control is neither objectively necessary nor proportional, and it doesn’t even evaluate data subjects´ consent.

  2. According to the AEPD, “necessity cannot depend on what the data subject decides. It’s up to the controller to assess whether the processing meets the thresholds of necessity and proportionality.”

  3. In short, the individual has no right to consent or "waive" their personal data protection if the control they consent to is not strictly necessary.

  4. Regarding risk mitigation and applied security measures, the AEPD declares:

     • “Technology is just one factor to consider” and

     • “Relying solely on security measures, no matter how robust, to ensure compliance strips the regulation of its essence.”

From another perspective, life and privacy are complicated. Obviously, nobody wants facial recognition cameras in supermarkets to more efficiently exploit users based on data profiles. That said, this seems to be the plan in the States.

The ICO has released a guide on Consent/Pay or Okay worth reading. Unlike the AEPD’s cookie guide (avoiding clear resolution by EDPB’s taskforce), it delves into crucial aspects: power imbalance, whether the amount is appropriate, equivalence of options, and practical annex examples.

The AEPD has fined Generali 5 million euros. In addition to the usual and controversial combination of Articles 5.1.f) and 32 of the GDPR, this case also involves Articles 25 and 32 for failing to maintain a valid impact assessment. Alex Prieto comments on it here.

The Spanish Supreme Court has reduced Vodafone’s famous fine (from an initial 9 million euros to just over half) and issued a smaller reduction in a curious case involving Mercadona, lowering a fine from 170,000 euros to 7,000 euros. Commentary via Sempere.

💀 Death by Meme 😂

🗞️News from DataWorld🌍

Continuing on the topic, the Danish authority, demonstrating that the harmonization of European regulations can feel inconsistent at times, has approved facial recognition access control for the Copenhagen Football Club stadium. The decision is partially based on their data protection law concerning public interest. However, the approval is not carte blanche, as it comes with 9 strict conditions, including:

• Conducting a prior PIA,

• Limiting usage to football matches,

• Ensuring suspensions are justified and included in league regulations,

• Strict storage protocols,

• Implementing multi-factor authentication for staff access,

• Using a separate network without internet access, and

• Providing clear information about facial recognition use (would they appreciate the infamous Mercadona sign we all remember?).

While we’ve seen the FTC order the “disgorgement” of algorithms, the Korean Authority's mandate to delete the AI model created by Apple, Alipay, and KakaoPay for assessing consumer creditworthiness is a first in applying regulations more aligned with European standards. Wenlong Li explains the case.

Trump’s “nicely asks” for the resignation of Democratic PCLOB members jeopardizes the US-EU DPF agreement. (He later sacked them out). Heiko Roth breaks it down.

An article worth summarizing for your friends as a goodwill gesture for Data Protection Day.

Papers of the week (and a terrific book)

This week’s hot topic: two must-read papers on AI are being widely discussed:

• “Skynet?” Frontier models’ abilities to “scheme”: They bypass their own rules and occasionally deceive users.

• A paper discussed by Stuart Winter-Tear that examines the inherent risks of autonomous AI agents.

If you're -like me- tired of the false dichotomy between “innovation vs. regulation”, check out Anu Bradford’s paper.

Bradford’s name might sound familiar—her keynote at the IAPP Conference in Brussels and her book, Digital Empires, have become essential references in navigating today’s technopolitical landscape

🏡Our Two Cents

From the Basque Country comes great news: our dear colleague Mikel Recuero has just been awarded the 2024 AVPD Research Prize. This wasn’t for a quick, well-crafted study, but for an extraordinary doctoral thesis years in the making: “Scientific Research and Personal Data: European Responses to the Global Challenge.” It’s one of the hot topics right now alongside AI. Let’s hope it gets published so we can all grab a copy.

Darío López, co-author of this newsletter, received the 2024 AEPD Ex Aequo Research Award just two days ago for his study: “Analysis of the Adequacy and Functionality of Anti-Cheat Systems in Video Games: Special Commentary on Real-Time Scanning and Administrator-Level Access to Gaming Devices.”
This is his second AEPD award in the same category, and personally, it’s a point of pride to work alongside such brilliant and dedicated people.

The AEC is organizing the GRC Congress on Privacy, AI, and Cybersecurity on February 26th. They’ve invited many knowledgeable professionals—and one bald guy.
Don’t miss it! It’s unlikely they’ll make the same mistake again...

Special Guests Without Invitations

The latest Watif newsletter offers 20 tips for enjoying social media while ensuring the broligarchs don’t enjoy you.

A dream team of experts (Delia Rodríguez, Marta Peirano, Ainhoa Marzol, Antonio Ortiz) share advice. Don’t miss their insights.

🙄 Da-Ta Dum Bass

Old-school gamers, check this out: Death Generator.

Thanks for reading Zero Party Data!

Don’t miss next week’s issue—subscribe now!