The Privacy Partnership Podcast with Robert Bateman


Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com

  1. 14h ago

    AI Act loophole? How one company navigated the ban on workplace emotion recognition

    Can an employer use AI to read its employees' Slack and Teams messages to diagnose their stress levels? Under the EU AI Act, that sounds like a clear violation of the ban on workplace emotion recognition. Yet one AI company, Myndoor, just survived a regulatory investigation by the Italian Data Protection Authority (the Garante) for doing exactly that.

    In this episode, Robert dives into this fascinating ruling to explore how Myndoor legally bypassed the AI Act's Article 5 prohibitions through a clever "employee perk" structure. However, escaping the outright ban didn't get them off the hook entirely. We discuss why this tool is still classified as a "High-Risk" AI system, the strict transparency and human oversight requirements it faces, and the critical flaw in its "aggregate reporting" feature that ultimately earned the company a formal warning from the regulator. If you are navigating the intersection of privacy, employment law, and the new EU AI Act, this is a must-listen case study on the dangers of indirect re-identification and algorithmic "black boxes."

    Key Takeaways:
    * The Myndoor System: How the AI plug-in uses semantic and linguistic analysis (sentiment analysis) to infer employee psychological stress based on workplace chat messages.
    * The Article 5 Ban: Why the AI Act strictly prohibits the use of AI to infer the emotions of a natural person in the workplace, and how Myndoor structured its data flows to keep the employer locked out and avoid this prohibition.
    * High-Risk AI Obligations: Why dodging the ban doesn't mean dodging the AI Act. We break down Myndoor's obligations under Article 13 (Transparency) and Article 14 (Human Oversight) to protect users from opaque, biased algorithms.
    * The "Aggregate Data" Trap: Why the Garante issued a formal warning regarding Myndoor's weekly stress reports, and how the risk of "indirect re-identification" (or singling out) could cause the legal firewall to collapse.

    Mentioned in this Episode:
    * The Garante Decision: Provision of 14 May 2026 [Web Doc No. 10255494] regarding Myndoor Srl.
    * The EU AI Act (Regulation (EU) 2024/1689): Specifically referencing Article 5 (Prohibited AI Practices), Article 13 (Transparency), and Article 14 (Human Oversight).
    * GDPR & Italian Labor Law: The intersection of data minimization, worker dignity, and the prohibition of employer-led health assessments.

    Subscribe & Follow: If you enjoyed this episode, please subscribe to The Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Connect with Robert Bateman on LinkedIn for more daily insights on privacy, data protection, and AI governance.

    5 min
  2. 6d ago

    Regulating the reality of adtech: The ICO’s recommended PECR reforms

    The internet’s worst-kept secret is that basic digital advertising operations involve breaking privacy laws millions of times a day. But instead of dropping the enforcement hammer, the ICO is proposing a novel solution: just make it legal.

    In this episode, Robert Bateman unpacks the ICO's surprising new advice to the UK government (DSIT) on creating fresh exceptions to Regulation 6 of PECR. Robert discusses the strange optics of a privacy watchdog advising on deregulation, breaks down the seven new proposed consent-free advertising purposes, and explains why this pragmatic shift might actually be a massive win for both businesses and common sense.

    What We Cover:
    * The odd optics of the ICO actively advising the government on how to weaken privacy protections in the name of "economic growth."
    * A look at the mixed reception from the ICO's somewhat exclusionary "Citizen Juries."
    * The seven specific ad-tech purposes proposed for consent-free operation within a "first-party framework" (including measurement, billing, and ad fraud prevention).
    * How consent-free targeting will actually work, and the strict boundaries being placed on abstracted signals (like device type and city-level geolocation).
    * Why the ICO is choosing pragmatic legalisation over costly enforcement against low-harm data processing.
    * What this means for privacy professionals and why it will make advising clients much more practical.

    Resources & Contact: If your organisation needs help navigating the current, slightly messy PECR landscape—or preparing for the government's upcoming secondary legislation—get in touch with the team at Privacy Partnership. Don't forget to subscribe to the Privacy Partnership Podcast for more updates on data protection, privacy law, and digital advertising.

    5 min
  3. May 20

    Decoding the AI Act: A first look at the Commission’s "high-risk" draft guidelines

    The European Commission just dropped its highly anticipated first set of draft guidelines on high-risk AI classification under the AI Act—all 150 pages of them. Published for stakeholder consultation on May 19th, 2026, this document is the closest thing we have to a compliance manual for navigating Article 6 and Annex III of the Act.

    In this episode of the Privacy Partnership Podcast, Robert Bateman digs into the details to explain what the Commission considers "high-risk," how the exemption filters actually work, and why some common loopholes that tech companies might hope to rely on are being firmly closed.

    In this episode, we discuss:
    * The Two Routes to "High-Risk": Understanding the difference between product safety components (Annex I) and stand-alone use cases (Annex III).
    * The Article 6(3) Filter Mechanism: How to exempt your system if it performs narrow procedural or preparatory tasks—and why making a "value judgment" instantly voids the exemption.
    * The Profiling Red Line: Why any AI system that performs profiling (as defined by the GDPR) is automatically classified as high-risk, with no exceptions.
    * The "Terms of Service" Trap: Why general-purpose AI providers can't simply slap a disclaimer in their fine print to dodge a high-risk classification if their marketing says otherwise.
    * Agentic AI & Complex Systems: How the Commission plans to treat multi-component AI systems that coordinate linked actions. (Spoiler: You can't partition your way out of compliance.)
    * The "Human in the Loop" Myth: Why human oversight is a post-classification compliance requirement, not a ticket out of a high-risk designation.
    * Shifting Deadlines: A look at the newly postponed enforcement dates for Annex I and Annex III obligations.

    7 min
  4. Apr 21

    What actually counts as 'scientific research'? Here's the EDPB's six-point answer

    On 15 April 2026, the European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. The 66-page document is now out for public consultation. In this episode, Robert Bateman breaks down what the guidelines mean for pharma companies, AI developers, universities, and anyone relying on the GDPR's scientific research provisions.

    The GDPR gives scientific research significant special treatment — a presumption of compatibility for further processing, extended storage, broad consent, carve-outs from the right to erasure, and a narrower right to object. But to access those provisions, you first need to qualify as "scientific research" in the first place.

    In this episode:
    * The EDPB's six-factor test for determining whether processing qualifies as scientific research
    * Why a for-profit AI start-up can qualify — but retail analytics can't
    * What "broad consent" actually means, and how it differs from "dynamic consent"
    * The high threshold for the "manifestly made public" exception after Schrems (October 2024)
    * When "covert research" is permitted under Article 14(5)(b)
    * How the guidelines sit alongside the Digital Omnibus and the European Biotech Act

    Useful references:
    * EDPB Guidelines 1/2026 (public consultation draft)
    * CJEU Case C-446/21 — Schrems v Meta Platforms Ireland (4 October 2024)
    * Articles 5(1)(b), 9(2)(e), 14(5)(b), 17(3)(d), 21(6), and 89 GDPR
    * Consultation: open now on the EDPB website.

    Host: Robert Bateman, Senior Partner at Privacy Partnership. Get in touch if your organisation needs support with GDPR compliance for research activities.

    6 min
  5. Apr 7

    AI in recruitment: ICO highlights poor practices as UK overhauls automated decision-making rules

    Are your hiring managers quietly letting an algorithm bin hundreds of job applications while claiming a human is technically in charge? This week on the Privacy Partnership Podcast, Rob unpacks a massive structural shift in the UK’s framework for Automated Decision-Making (ADM). We dive into two major new releases from the ICO: the highly revealing Recruitment Rewired report and the newly updated draft guidance on ADM and profiling.

    With the Data (Use and Access) Act (DUAA) taking effect, the UK GDPR’s approach to ADM has fundamentally changed—moving from a strict "prohibition with exceptions" to a more flexible "right of challenge with safeguards." Robert explains why this is arguably the most significant change under the DUAA, how it actually reduces friction for controllers by opening up Legitimate Interests as a lawful basis, and why the compliance burden hasn't disappeared, but rather shifted.

    We also look at where companies are still getting this horribly wrong. Although the ICO's Recruitment Rewired report covers a period before the DUAA took effect, the new draft guidance makes clear that the new Article 22C safeguards essentially codify the old rules. If you were failing then, you are failing now.

    In This Episode, We Cover:
    * The DUAA ADM Overhaul: How Articles 22A-22D change the game for controllers, making it easier to deploy AI decision-making without relying on clumsy lawful bases.
    * The "Meaningful Human Involvement" Trap: Why having a human "rubber-stamp" an AI's red-light rejection score is still a solely automated decision under the law.
    * Lawful Basis Headaches: Why Consent and Contract are terrible fits for automated CV screening, and how Legitimate Interests (and the required LIA) is now the clear path forward.
    * Transparency & DPIA Failures: A look at the worst practices the ICO found, including vague privacy notices, missing safeguards, and a solo legal team member signing off on a DPIA without consulting the DPO.

    Key Quotes:
    * "The DUAA has undeniably made it easier to justify rolling out automated decision-making systems... But the structural requirements for fairness, transparency, and human intervention haven't vanished—they've just been recodified."
    * "If a human is simply applying the outcome of an automated system without actively evaluating the person's information, that is not meaningful human involvement."

    Resources & Links:
    * Read the ICO’s Draft Guidance on Automated Decision-Making, including profiling: [Link to ICO Website]
    * Read the ICO’s Recruitment Rewired Report: [Link to ICO Website]
    * Learn more about the Data (Use and Access) Act (DUAA) changes to the UK GDPR.

    About the Host: Robert Bateman is a privacy expert, analyst, and the host of the Privacy Partnership Podcast.

    Subscribe & Review: If you enjoyed this episode, please subscribe to the Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Leave us a rating and review to help other privacy professionals find the show!

    6 min
