Shows
The Privacy Partnership Podcast with Robert BatemanReddit’s £14.5m fine and the “hard problem” of age assuranceThe ICO has issued a £14.47 million fine against Reddit for alleged children's privacy failures, officially signaling the end of the road for the age verification "honour system." But with the full penalty notice yet to be published, what can privacy professionals actually glean from the regulator's press release?In this episode of the Privacy Partnership Podcast, Robert Bateman breaks down the Reddit announcement and explores one of privacy’s hardest problems: the inherent tension between robust age assurance and strict data minimisation. Are you damned if you collect the data, and damned if you don't?We...
2026-02-2505 minThe Privacy Partnership Podcast with Robert BatemanEDPB highlights "right to erasure" inadequacies: Exceptions, backups, and pseudonymisationRob presents a few highlights from the EDPB's latest Coordinated Enforcement Framework report on the "right to erasure".- Poor storage limitation and retention schedule practices are leading to issues satisfying erasure requests.- Too many people still conflating anonymisation and pseudonymisation, and thus incorrectly relying on the latter as an erasure method.- Controllers are failing to delete personal data from backup systems in parallel with live systems.- There has been overreliance on exemptions without having conducted an appropriate balancing assessment.Time to start preparing for the...
2026-02-1803 minThe Privacy Partnership Podcast with Robert BatemanCJEU: Private companies CAN sue the EDPBIn this episode of the Privacy and Partnership podcast, Rob discusses a significant ruling from the CJEU regarding WhatsApp's legal challenge against the European Data Protection Board (EDPB). The CJEU's decision allows companies to directly challenge binding decisions made by the EDPB. Rob explores the implications of this ruling, particularly how it affects the relationship between tech companies and regulatory bodies, and the potential for increased litigation against the EDPB.
2026-02-1006 minThe Privacy Partnership Podcast with Robert BatemanThe ICO's planned 'experimentation regime' to attract AI firms to the UKRob discusses the recent letter from the Information Commissioner's Office (ICO) to UK government officials, highlighting the ICO's focus on economic growth and innovation. The ICO plans a statutory code of practice for AI and an "experimentation regime" for data protection. There will also be a review of low-risk online advertising activities, and new support for SMEs.
2026-02-0305 minThe Privacy Partnership Podcast with Robert BatemanHappy Data Protection Day! A brief history of UK data protection lawOn Data Protection Day 2026, Rob talks us briefly through the history of data protection in the UK: From the "data users" of the Data Protection Act 1984 to the "recognised legitimate interests" of last year's Data (Use and Access) Act.
2026-01-2805 minThe Privacy Partnership Podcast with Robert BatemanThe EDPB and EDPS 'slam' AI Act reforms under the Digital OmnibusAlong with plans to "simplify" the GDPR, there's an AI Digital Omnibus that proposes amendments to the AI Act. In a new Joint Opinion, the EDPB and EDPS say they support the objective to simplify the law, but they don't seem to like any of the Commission's ideas.For example, they don't like the Commission's proposal to allow bias detection processing for all AI systems (Article 4a).Under the AI Act as it stands, providers of high-risk systems can process special category data if "strictly necessary" to detect and...
2026-01-2206 minThe Privacy Partnership Podcast with Robert BatemanHappy New Year? A look at the ICO's new 'international data transfers' guidanceRob looks at the ICO’s newly released guidance on international transfers and what it means for UK privacy professionals.• The “Three-Step Test” for identifying restricted transfers• Why UK processors returning data to overseas controllers are no longer “initiating” transfers• Clarifications on transfers between branches and employees within the same legal entity• How the guidance incorporates the Data (Use and Access) Act while retaining “TRA” terminology• The distinction between legal entities and server locations in cloud service contracts
2026-01-1506 minThe Privacy Partnership Podcast with Robert Bateman'No surprises': The ICO and the Government come to an understandingThe ICO and the UK Government have come to an understanding: "No surprises", "supportive challenge", and a seat at the table for the Commissioner.A Memorandum of Understanding signed today between the ICO and the UK Government formalises an already pretty cosy relationship between the regulator and its largest stakeholder. While the MoU explicitly preserves the ICO's independenceit leans heavily on collaboration over confrontation.Both parties have agreed to a "free flow of information" to manage risks early. There will be "no surprises".The ICO's role is characterised as one of p...
2026-01-0805 minThe Privacy Partnership Podcast with Robert BatemanChristmas Special: The top 5 data protection CJEU cases of 2025Time for the Privacy Partnership Podcast Christmas Special, where Rob looks at his top 5 data protection CJEU judgments for 2025. Here's the list of cases I summarise in this podcast, which span data transfers, non-material damages, data minimisation, and more:1. Bindl v European Commission8 January 2025Case T‑354/222. Mousse v CNIL (Mousse v Commission nationale de l'informatique et des libertés and SNCF Connect)9 January 2025Case C‑394/233. CK v Magistrat der Stadt Wien (involving Dun & Bradstreet Austri...
2025-12-1707 minThe Privacy Partnership Podcast with Robert BatemanThe Accidental Americans v FATCA: Like the Schrems cases, but for taxThe CJEU will soon hear the Belgian DPA's case against FATCA, the tax treaty that results in the systematic bulk transfer of data about thousands of "Accidental Americans" to the IRS.FATCA is a US law intended to prevent US citizens from hiding assets in foreign banks.But it also hits "Accidental Americans"—people who might have been born in the US and acquired a US passport, but have very little connection to the country.Under an intergovernmental agreement (IGA), the Belgian state regularly transfers personal data to the Inland Revenue. In May 2023, th...
2025-12-1005 minThe Privacy Partnership Podcast with Robert BatemanDid the CJEU just junk the EU's intermediary liability AND general monitoring rules? X v RussmediaDid the CJEU just use the GDPR to junk the intermediary liability exemption and impose a general monitoring obligation? Here's a look at yesterday's Russmedia judgment.The facts are pretty grim: "X" saw an ad on an Russmedia's online marketplace falsely promoting her as a sex worker. She reported it, Russmedia took it down, but the ad had already been scraped and copied on other sites.X sued Russmedia, which predictably said it was just an intermediary service and not liable for the contents of users' posts.But the court said that Russmedia...
2025-12-0305 minThe Privacy Partnership Podcast with Robert BatemanThe 'final straw': Open letter calls for inquiry into the ICOA coalition of organisations and experts sent an open letter calling for a Parliamentary inquiry into the performance of the UK ICO. What's the problem, and will this work?Full disclosure: I was asked to sign this letter, but I decided against it. Many people I know and respect are on the list of signatories, and while there's some stuff in here I'm not 100% behind, I think it makes some decent points. But I generally just don't sign open letters.This document makes some pretty scathing allegations about the...
2025-11-2605 minThe Privacy Partnership Podcast with Robert BatemanIt's here! Major proposed GDPR changes under the Digital Omnibus RegulationIn this episode of the Privacy Partnership Podcast, Rob walks you through the most important aspects of the proposed Digital Omnibus Regulation. • A new Article 88c states that processing of personal data for the development and operation of AI systems may be pursued for legitimate interests (p85).• A new condition under Article 9 allows the processing of special category data for AI training if state-of-the-art security is used and the data is subsequently removed or anonymised (p79).• Article 4 is amended to clarify that information is not personal data for a given person if they do not...
2025-11-2005 minThe Privacy Partnership Podcast with Robert BatemanGDPR's "death by 1000 cuts"? A look at the leaked Digital Omnibus draft"Death by a thousand cuts?" That's what the leaked Digital Omnibus proposals represent to the GDPR, according to noyb.eu. Here's a look at some of the most significant ideas, from the new definition of "personal data" to the narrowing of Article 9.--Note: This is an unconfirmed internal draft from the Commission’s DG CONNECT and not an official proposal. It may change substantially before it’s formally presented, and we’re expecting that to happen on 19 November. Some say this document has been leaked for nefarious purposes, and that no one s...
2025-11-1104 minThe Privacy Partnership Podcast with Robert BatemanUp to 40% off UK GDPR fines! The ICO's draft enforcement guidanceThe ICO is offering up to 40% off UK GDPR fines under its new draft Data Protection Enforcement Procedural Guidance. Here's how to take advantage of this special deal!The draft guidance updates the ICO's Regulatory Action Plan, which has been in place since 2018.There are two particularly interesting bits:- New teeth available to the ICO under the Data (Use and Access) Act (DUAA), should it choose to bite with them- A formal proposed settlement process...
2025-11-0404 minThe Privacy Partnership Podcast with Robert BatemanThe TikTok China decision: A de facto ban on international data transfers?The DPC's TikTok decision is not that surprising if you understand the law, but it's actually a pretty huge deal to see this play out in reality. Are most international data transfers de facto illegal?TikTok enabled remote access to EEA users' personal data in China, purportedly for purposes like maintenance and user support.The DPC said: Remote access is a transfer. Not really surprising based on the post-Schrems II EDPB recommendations.TikTok encrypted the data in transit and at rest and put various...
2025-10-2904 minThe Privacy Partnership Podcast with Robert BatemanThe EDPB's long list of problems with UK data protection standardsThe EDPB just published its opinion on the UK's adequacy decision and it's pretty critical of the country's post-Brexit direction on data protection. But does the EDPB's opinion matter?Probably not—directly, at least.The Commission's draft adequacy decision now goes to a vote at the Comitology Committee and is very unlikely to be voted down, despite the EDPB's reservations.But the opinion might provide some ammunition in potential future political or legal challenges to the UK's "adequate" status.Here's a look at some of the long list of UK-related stuff th...
2025-10-2103 minThe Privacy Partnership Podcast with Robert BatemanWhat is going on between the ICO and Clearview AI? The UK GDPR's scope and the meaning of "monitoring behaviour".What is going on between Clearview AI and the ICO?Actions against Clearview have been a test of how far digital regulation actually has extraterritorial effect. This month, we got an answer on this from the UK’s Upper Tribunal, and it’s an important judgment about the territorial reach of the UK GDPR—at least on paper.In May 2022, the ICO fined Clearview AI £7.5 million and ordered it to delete the data of UK residents. Clearview appealed. Then, in a quite surprising move in October 2023, the First-tier Tribunal overturned that fine. The FTT...
2025-10-1504 minThe Privacy Partnership Podcast with Robert BatemanDiscord's photo ID breach: Are the UK GDPR and Online Safety Act to blame?Discord's recent data breach exposed photo IDs used to verify users' ages. Should we blame the Online Safety Act, the Children's Code, or the UK GDPR? It's complicated. (Please excuse the unsightly cut on my forehead in this one).While this breach probably just boils down to vendor security, I wanted to consider whether Discord was obliged to collect users' ID documents, and whether it should have been retaining them.This story does involve some competing obligations under the OSA and the UK GDPR....
2025-10-0703 minThe Privacy Partnership Podcast with Robert BatemanTractor Supply: The first CCPA case involving HR dataTractor Supply: The first CCPA case about job applicants' privacy (and the largest CPPA settlement yet). Don't forget: Unlike other states, California's privacy law applies to data about employees and job applicants.Tractor Supply settled for $1.35 million for failing to tell job applicants about their rights (among other, more commonplace violations—GPC, Do Not Sell, the usual stuff).The company provided a "notice at collection" telling applicants what types of data it collected and why. But the notice neglected to mention Californians' CCPA rights.Co...
2025-10-0204 minThe Privacy Partnership Podcast with Robert BatemanLinkedIn's AI training plans are back, but not all users are treated equallyLinkedIn's AI training settings don't affect all users equally. Did you notice that LinkedIn will share UK users' data with Microsoft, but not EEA users? In this video, Rob looks at the background, the broader context, and the details.LinkedIn first floated the idea of training its AI models on users' personal data last summer and has since encountered several bumps in the road.Complaints were submitted to regulators in Ireland and the UK, and the company responded by putting the project on hold f...
2025-09-2404 minThe Privacy Partnership Podcast with Robert BatemanThe ICO is consulting on guidance on the new cookie rules—and whether to enforce them.The ICO has yet MORE draft guidance, this time on the UK's upcoming changes to the law on cookies (etc). At the same time, it's running a "call for views" about whether it should enforce that law in certain contexts.The updated cookies guidance includes a new chapter on the consent exceptions provided by the Data Use and Access Act (DUAA).We also get new material reflecting the ICO's view that a "Reject" option should be accessible on the first layer of your cookie banner.
2025-09-1804 minThe Privacy Partnership Podcast with Robert BatemanThe first criminal prosecution for 'ignoring' a DSAR: More common than we think?An individual has been criminally prosecuted for "ignoring" or having "blocked, erased, or concealed" a subject access request. A rare (perhaps unprecedented) case, but Rob wonders if this behaviour is more common than we might think.This care home director was prosecuted under Section 173 of the Data Protection Act 2018, which makes it a criminal offence to "alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure" following an access request.He reportedly attempted various unsuccessful defences, ranging from claiming the care home was merely a "...
2025-09-1003 minThe Privacy Partnership Podcast with Robert BatemanWhat does 'without undue delay' ACTUALLY MEAN? IL v VeracashAll over EU and UK law, we see a requirement to report certain stuff "without undue delay", often coupled with a hard deadline period (e.g., within 72 hours). A CJEU case from last month explored what these dual obligations mean in practice.IL v Veracash (Case C‑665/23, 1 August 2025) concerned the old Payment Services Directive (PSD). The PSD requires cardholders (consumers) to notify payment services provider about suspected fraudulent transactions "without undue delay" upon becoming aware of the transaction and within no more than 13 months.The...
2025-09-0303 minThe Privacy Partnership Podcast with Robert BatemanMore ICO guidance! Recognised legitimate interestsMore draft ICO guidance! This time, about one of the Data (Use and Access) Act's most important concepts: "Recognised legitimate interests". The "recognised legitimate interests" are data processing activities that, frankly, the government would like you to do more of.Unlike regular old legitimate interests, you won't need to conduct a "balancing test" before processing personal data for these purposes: So long as the processing is "necessary", you can just go right ahead and do it.So far we have five "recognised legitimate interests":• Public task disclosure request• National secur...
2025-08-2704 minThe Privacy Partnership Podcast with Robert BatemanHow to handle data subject complaints: New draft ICO guidanceIn advance of new obligations under the Data (Use and Access) Act, the ICO has published some draft guidance on handling data subject complaints. This episode breaks down some of the ICO's expectations in this area.As always, the ICO sets out three tiers: • "Must": Legal duties, for example, under UK GDPR or DPA 2018. • "Should": Good practice stuff that you should do unless there's a good reason not to.• "Could": Optional steps to help you comply. According to the ICO, core obli...
2025-08-2203 minThe Privacy Partnership Podcast with Robert BatemanUK Data (Use and Access) Act: The first provisions take effectSome parts of the Data (Use and Access) Act (DUAA) take effect today! This is our first chance to see how the Act is actually going to operate in practice. In this video, I'll talk you through the relevant provisions.Many of these provisions are quite technical. So to make sense of them, Rob breaks them down into three categories: • New powers for government and regulators • Institutional reforms• Amendments to existing data protection and privacy lawWith these changes, we see new powers to support smart data and AI oversigh...
2025-08-2006 minThe Privacy Partnership Podcast with Robert BatemanThe Online Safety Act's tensions with the UK GDPRThe Online Safety Act is why you might have been asked for your driver's licence on Reddit, X, and some... other websites. In this video, I explain how the OSA works and how it raises tensions with the UK GDPR.The OSA applies to "user-to-user" and search services with "links to the UK". This covers websites from social media giants to tiny online message boards.Through a series of risk assessments, in-scope services must identify and mitigate risks around illegal content and harms to children.To ensure services enforce their terms and keep...
2025-08-0705 minThe Privacy Partnership Podcast with Robert BatemanAI Act: Should you be watermarking your AI-generated content?Are you using an in-house tool powered by an AI model from OpenAI, Google, or Meta to produce marketing copy? You might soon be responsible for watermarking your AI-generated content.In this episode of the Privacy Partnership Podcast, Rob explores a common scenario, where a company fine-tunes a general-purpose AI model and builds a simple internal tool for staff to generate copy in its own brand voice. While the company might think it is simply a "deployer" of OpenAI's general-purpose AI model, it could actually be the provider of an AI system under t...
2025-08-0405 minThe Privacy Partnership Podcast with Robert BatemanThe ICO's Birthlink Fine: Accountability, Integrity, and the 'Public Sector Approach' (?)Last week, the ICO fined Scottish charity Birthlink £18,000 for destroying around 4,800 adoption records. In this video, Rob explains why this is such an interesting case.Birthlink is an Edinburgh-based charity that maintains the Adoption Contact Register for Scotland. It provides specialised support for people involved in adoptions.At the heart of this case are the "linked records": Manual paper files created when a successful link had been made between individuals on the adoption contact register. The linked records included original birth certificates, handwritten letters from birth parents to their children, photographs of babies, an...
2025-07-3005 min
The Privacy Partnership Podcast with Robert BatemanAccess to Customer and Business Data Under the DUAA with Boris WojtanI spoke to Boris Wojtan, Senior Privacy Counsel at Privacy Partnership Law, about "Access to Customer and Business Data" under Part 1 of the UK's Data (Use and Access) Act.This has been on my "get to grips with this" list for absolutely ages.Like me, you're probably familiar with the DUAA's amendments to the UK GDPR, the DPA 2018, and PECR.But that's just one part of the legislation, and the other parts could have an even greater impact on a huge range of organisations.In this episode, Boris and I discuss...
2025-07-2814 min