The Privacy Partnership Podcast with Robert Bateman

treborjnametab1
  • 5.0 (1)
  • TECHNOLOGY

Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com

  1. 9H AGO

    EDPB highlights "right to erasure" inadequacies: Exceptions, backups, and pseudonymisation

    Rob presents a few highlights from the EDPB's latest Coordinated Enforcement Framework report on the "right to erasure". - Poor storage limitation and retention schedule practices are leading to issues satisfying erasure requests. - Too many people still conflating anonymisation and pseudonymisation, and thus incorrectly relying on the latter as an erasure method. - Controllers are failing to delete personal data from backup systems in parallel with live systems. - There has been overreliance on exemptions without having conducted an appropriate balancing assessment. Time to start preparing for the next CEF topic: Transparency!

    3 min

  2. FEB 10

    CJEU: Private companies CAN sue the EDPB

    In this episode of the Privacy and Partnership podcast, Rob discusses a significant ruling from the CJEU regarding WhatsApp's legal challenge against the European Data Protection Board (EDPB).  The CJEU's decision allows companies to directly challenge binding decisions made by the EDPB. Rob explores the implications of this ruling, particularly how it affects the relationship between tech companies and regulatory bodies, and the potential for increased litigation against the EDPB.

    6 min

  3. FEB 3

    The ICO's planned 'experimentation regime' to attract AI firms to the UK

    Rob discusses the recent letter from the Information Commissioner's Office (ICO) to UK government officials, highlighting the ICO's focus on economic growth and innovation.  The ICO plans a statutory code of practice for AI and an "experimentation regime" for data protection. There will also be a review of low-risk online advertising activities, and new support for SMEs.

    5 min

  4. JAN 28

    Happy Data Protection Day! A brief history of UK data protection law

    On Data Protection Day 2026, Rob talks us briefly through the history of data protection in the UK: From the "data users" of the Data Protection Act 1984 to the "recognised legitimate interests" of last year's Data (Use and Access) Act.

    5 min

  5. JAN 22

    The EDPB and EDPS 'slam' AI Act reforms under the Digital Omnibus

    Along with plans to "simplify" the GDPR, there's an AI Digital Omnibus that proposes amendments to the AI Act. In a new Joint Opinion, the EDPB and EDPS say they support the objective to simplify the law, but they don't seem to like any of the Commission's ideas. For example, they don't like the Commission's proposal to allow bias detection processing for all AI systems (Article 4a). Under the AI Act as it stands, providers of high-risk systems can process special category data if "strictly necessary" to detect and correct bias.  This is a narrow exception; perhaps better characterised as a clarification on how the GDPR’s general prohibition under Article 9 works in this context. The Digital Omnibus proposal wants to broaden this to allow providers and deployers of all AI systems (not just high-risk) to process special category data for bias detection. The EDPB and EDPS are, predictably, skeptical. They point out that while bias is a problem, opening the floodgates to process sensitive data for every chatbot and image generator on the market might not be a great idea. — The Board and the Supervisor also strongly oppose removing the registration obligation for Article 6(3) exemptions. Article 6(3) of the AI Act provides a derogation that lets a provider say, "Yes, my system is listed in Annex III as high-risk, but I’ve done an assessment and it doesn't actually pose a significant risk, so I’m exempt from the high-risk rules." Originally, you had to register that assessment in the EU database. It was a way of letting the public and regulators know you were exempting yourself. The Digital Omnibus proposal wants to scrap that registration requirement to "reduce administrative burden." The EDPB and EDPS argue that if a provider exempts themselves, they must at least tell the regulator and the public.  Removing this requirement would allegedly create a "black box" where providers grade their own homework with no oversight unless they are investigated later. — I outline a few other specific objections in this episode, but more broadly, there might be a bit of a turf war emerging here. The DPAs obviously want to defend their exclusive competence to enforce the GDPR, which is relevant insofar as it interacts with the AI Act.  The Commission wants to extend the remit of the AI Office, and the EDPB and EDPS don't like it. Add to this the fact that Data Protection Authorities are also emerging as Market Surveillance Authorities—the key enforcers under the AI Act—and the dynamics could get even more complicated. Things getting more complicated is all part of the simplification process, I'm sure.

    7 min

  6. JAN 15

    Happy New Year? A look at the ICO's new 'international data transfers' guidance

    Rob looks at the ICO’s newly released guidance on international transfers and what it means for UK privacy professionals. • The “Three-Step Test” for identifying restricted transfers • Why UK processors returning data to overseas controllers are no longer “initiating” transfers • Clarifications on transfers between branches and employees within the same legal entity • How the guidance incorporates the Data (Use and Access) Act while retaining “TRA” terminology • The distinction between legal entities and server locations in cloud service contracts

    7 min

  7. JAN 8

    'No surprises': The ICO and the Government come to an understanding

    The ICO and the UK Government have come to an understanding: "No surprises", "supportive challenge", and a seat at the table for the Commissioner. A Memorandum of Understanding signed today between the ICO and the UK Government formalises an already pretty cosy relationship between the regulator and its largest stakeholder.  While the MoU explicitly preserves the ICO's independenceit leans heavily on collaboration over confrontation. Both parties have agreed to a "free flow of information" to manage risks early. There will be "no surprises". The ICO's role is characterised as one of providing "expert advice" and "supportive challenge." Private sector organisations may or may not expect the same treatment.  The Information Commissioner will attend the Government’s Transformation Board and Security Board on a six-monthly basis. The Government has also committed to publishing an annual assurance statement on data safety and appointing the Government Chief Data Officer as the accountable person for cross-government risk. The MoU effectively codifies the "public sector approach." The ICO is positioning itself as a strategic partner to the state. Whether this helps avoid another Ministry of Defence Afghanistan data breach remains to be seen.

    5 min

  8. 12/17/2025

    Christmas Special: The top 5 data protection CJEU cases of 2025

    Time for the Privacy Partnership Podcast Christmas Special, where Rob looks at his top 5 data protection CJEU judgments for 2025.  Here's the list of cases I summarise in this podcast, which span data transfers, non-material damages, data minimisation, and more: 1. Bindl v European Commission 8 January 2025 Case T‑354/22 2. Mousse v CNIL (Mousse v Commission nationale de l'informatique et des libertés and SNCF Connect) 9 January 2025 Case C‑394/23 3. CK v Magistrat der Stadt Wien (involving Dun & Bradstreet Austria GmbH) 27 February 2025 Case C‑203/22 4. EDPS v SRB (European Data Protection Supervisor v Single Resolution Board) 4 September 2025 Case C‑413/23 P 5. X v Russmedia Digital (X v Russmedia Digital SRL and Inform Media Press SRL) 2 December 2025 Case C‑492/23

    7 min
See All (30)

About

Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com

Information