The Privacy Partnership Podcast with Robert Bateman

treborjnametab1

Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com

  1. APR 30

    RTM v Bonne Terre: Court of Appeal redraws the line on consent

    The Court of Appeal has ruled that consent under the UK GDPR and PECR is objective. A data subject's hidden vulnerabilities are not, in themselves, decisive, and even a controller's constructive knowledge of those vulnerabilities is not a stand-alone qualifier. In this episode, Robert Bateman breaks down the judgment in RTM v Bonne Terre [2026] EWCA Civ 488, handed down on 21 April 2026. In this episode: The background to RTM's claim against Sky Betting and GamingMrs Justice Collins Rice's three-strand test in the High Court, and why it was a problem that neither party had argued for itThe Court of Appeal's reasoning on why consent is objectiveThe fallback argument from the operator and the ICO, and why it failedFindings on cookies, profiling and what was actually used for direct marketingThree takeaways for data protection professionalsCited: RTM v Bonne Terre [2026] EWCA Civ 488Article 4(11) UK GDPRPlanet 49 (Case C-673/17)Orange Romania (Case C-61/19)Meta Platforms (Case C-252/21)Cooper v National Crime Agency [2019] EWCA Civ 16Leave.EU v Information Commissioner [2021] UKUT 26 (AAC)Get in touch with Privacy Partnership for support with UK GDPR, PECR, and AI Act compliance.

    6 min

  2. APR 21

    What actually counts as 'scientific research'? Here's the EDPB's six-point answer

    On 15 April 2026, the European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. The 66-page document is now out for public consultation. In this episode, Robert Bateman breaks down what the guidelines mean for pharma companies, AI developers, universities, and anyone relying on the GDPR's scientific research provisions. The GDPR gives scientific research significant special treatment — a presumption of compatibility for further processing, extended storage, broad consent, carve-outs from the right to erasure, and a narrower right to object. But to access those provisions, you first need to qualify as "scientific research" in the first place. In this episode: The EDPB's six-factor test for determining whether processing qualifies as scientific researchWhy a for-profit AI start-up can qualify — but retail analytics can'tWhat "broad consent" actually means, and how it differs from "dynamic consent"The high threshold for the "manifestly made public" exception after Schrems (October 2024)When "covert research" is permitted under Article 14(5)(b)How the guidelines sit alongside the Digital Omnibus and the European Biotech ActUseful references: EDPB Guidelines 1/2026 (public consultation draft)CJEU Case C-446/21 — Schrems v Meta Platforms Ireland (4 October 2024)Articles 5(1)(b), 9(2)(e), 14(5)(b), 17(3)(d), 21(6), and 89 GDPRConsultation: open now on the EDPB website. Host: Robert Bateman, Senior Partner at Privacy Partnership Get in touch if your organisation needs support with GDPR compliance for research activities.

    6 min

  3. APR 14

    'Clarity in action'?! The EDPB's 2025 annual report and litigation battles

    In this episode, Rob looks at the newly published European Data Protection Board (EDPB) annual report for 2025. We are skipping the usual backward-looking statistics to focus entirely on the regulator's pipeline for 2026 and the massive multi-front litigation war currently playing out in the European courts. From new harmonised templates to high-stakes legal battles with Big Tech and fellow regulators, we break down what privacy professionals need to know for the year ahead. What we cover in this episode The EDPB's drive for simplification, including upcoming templates for data protection impact assessments (DPIAs) and data breach notifications. A controversial new web form designed to let stakeholders report inconsistencies between national and EDPB guidance. The board's heavy litigation docket, featuring clashes with Meta, TikTok, WhatsApp, the Irish Data Protection Commission, and the European Commission. The brewing turf war over the Digital Omnibus and the European Commission's attempt to rewrite the definition of personal data. Upcoming joint guidelines on the interplay between the AI Act and the GDPR.

    6 min

  4. APR 7

    AI in recruitment: ICO highlights poor practices as UK overhauls automated decision-making rules

    Are your hiring managers quietly letting an algorithm bin hundreds of job applications while claiming a human is technically in charge? This week on the Privacy Partnership Podcast, Rob unpacks a massive structural shift in the UK’s framework for Automated Decision-Making (ADM). We dive into two major new releases from the ICO: the highly revealing Recruitment Rewired report and the newly updated draft guidance on ADM and profiling. With the Data (Use and Access) Act (DUAA) taking effect, the UK GDPR’s approach to ADM has fundamentally changed—moving from a strict "prohibition with exceptions" to a more flexible "right of challenge with safeguards." Robert explains why this is arguably the most significant change under the DUAA, how it actually reduces friction for controllers by opening up Legitimate Interests as a lawful basis, and why the compliance burden hasn't disappeared, but rather shifted. We also look at where companies are still getting this horribly wrong. Although the ICO's Recruitment Rewired report covers a period before the DUAA took effect, the new draft guidance makes clear that the new Article 22C safeguards essentially codify the old rules. If you were failing then, you are failing now. In This Episode, We Cover: The DUAA ADM Overhaul: How Articles 22A-22D change the game for controllers, making it easier to deploy AI decision-making without relying on clumsy lawful bases. The "Meaningful Human Involvement" Trap: Why having a human "rubber-stamp" an AI's red-light rejection score is still a solely automated decision under the law. Lawful Basis Headaches: Why Consent and Contract are terrible fits for automated CV screening, and how Legitimate Interests (and the required LIA) is now the clear path forward. Transparency & DPIA Failures: A look at the worst practices the ICO found, including vague privacy notices, missing safeguards, and a solo legal team member signing off on a DPIA without consulting the DPO. Key Quotes: "The DUAA has undeniably made it easier to justify rolling out automated decision-making systems... But the structural requirements for fairness, transparency, and human intervention haven't vanished—they've just been recodified." "If a human is simply applying the outcome of an automated system without actively evaluating the person's information, that is not meaningful human involvement." Resources & Links: Read the ICO’s Draft Guidance on Automated Decision-Making, including profiling: [Link to ICO Website] Read the ICO’s Recruitment Rewired Report: [Link to ICO Website] Learn more about the Data (Use and Access) Act (DUAA) changes to the UK GDPR. About the Host: Robert Bateman is a privacy expert, analyst, and the host of the Privacy Partnership Podcast. Subscribe & Review: If you enjoyed this episode, please subscribe to the Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Leave us a rating and review to help other privacy professionals find the show!

    6 min

  5. MAR 26

    Brillen Rottler: A German optician fights back against 'abusive' DSARs

    Are you seeing a rise in "copy-paste" Data Subject Access Requests (DSARs) designed primarily to extract a quick financial settlement? In this episode of the Privacy Partnership Podcast, Robert Bateman unpacks a highly practical new judgment from the Court of Justice of the European Union (CJEU) that offers controllers a potential shield against abusive access requests. Looking at the facts of Case C-526/24 (Brillen Rottler GmbH & Co. KG v TC), Robert explores the legal boundaries of Article 12(5) and Article 82 of the GDPR, explaining how privacy teams might finally be able to push back against serial compensation claims—and the evidentiary hurdles they will face in doing so.

    5 min

  6. MAR 17

    Amazon's €746m fine overturned: But who actually won this case?

    A €746 million GDPR fine gets completely annulled by a Luxembourg court. A massive, unmitigated victory for big tech, right? Not exactly. In this episode of the Privacy Partnership Podcast, Robert Bateman dissects the highly anticipated March 12, 2026 judgment from the Luxembourg Administrative Court concerning an anonymised e-commerce giant ("Company AA", clearly Amazon) and a record-breaking penalty issued by the CNPD back in 2021. While the company managed to get the three-quarter of a billion euro invoice torn up on a procedural technicality, the regulator walked away with a massive vindication of its substantive legal analysis. We explore how the CNPD’s failure to show its working regarding negligence cost them the fine, why "Company AA's" creative arguments about Legitimate Interest fell flat, and what happens now that the case is heading back to the regulator's desk. Get in Touch:If your organisation needs support navigating the increasingly complex boundaries of Legitimate Interest, consent, or defending against regulatory enforcement, contact the team at Privacy Partnership. Subscribe to the Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favourite podcast app.

    5 min

  7. MAR 11

    Invisible, indestructible signatures: The AI Act’s text watermarking problem

    Can you hide an indestructible, imperceptible signature inside a basic marketing blog post? The European Commission seems to think you should try. Following the release of the Second Draft of the Code of Practice on Transparency of AI-Generated Content this Tuesday, Robert Bateman dives into the technical and regulatory headaches awaiting providers of generative AI text systems. We look at the Commission's proposed "multi-layered marking approach," the inherent fragility of text-based watermarks, and the rather alarming privacy implications of using AI output logging as a fallback measure. close attention.

    5 min

  8. MAR 5

    Are you a 'data broker'? Maybe, under the EDPB’s expanding definition

    Are you a data broker? You might not think so, but European regulators could soon be looking at your business model and concluding otherwise. In this episode of the Privacy Partnership Podcast, Robert Bateman breaks down a revealing market study commissioned by the Belgian Data Protection Authority through the EDPB’s Support Pool of Experts. Designed to identify and map the data broker ecosystem, the report provides a fascinating look at how the regulatory definition of data brokerage is expanding far beyond the traditional back-room list sellers of the early internet. We explore how this behavior-based European definition sharply contrasts with privity-focused frameworks like California’s Delete Act. We also dive into the study's eight-part typology, which sweeps "privacy-preserving" Data Clean Rooms, AI platforms trained on scraped data, and even B2B contact databases under the data broker umbrella. If your organisation ingests data, mixes it with other datasets, and monetises the insights, this is an episode you need to hear. In this episode, we cover: [0:00] Introduction: A look at the new EDPB-commissioned market study aiming to map the data broker ecosystem. [0:45] The Definition & The California Contrast: How the European focus on behavior, profiling, and lack of "meaningful control" differs from the structural "direct relationship" test found in California's CCPA. [2:15] High-Risk Typologies: Why adtech’s beloved Data Clean Rooms and AI integration platforms are being classified as high-risk data brokers. [3:45] Medium-Risk Categories: The regulatory perspective on aggregated spatial data, mobility trends, and B2B contact lists, and where the risk of re-identification allegedly creeps back in. [4:10] Outro: Key takeaways for privacy professionals evaluating their own data supply chains and partnerships.

    6 min
See All (39)

About

Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com

Information

You Might Also Like