PODCAST · technology
The Privacy Partnership Podcast with Robert Bateman
by treborjnametab1
Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com
-
41
RTM v Bonne Terre: Court of Appeal redraws the line on consent
The Court of Appeal has ruled that consent under the UK GDPR and PECR is objective. A data subject's hidden vulnerabilities are not, in themselves, decisive, and even a controller's constructive knowledge of those vulnerabilities is not a stand-alone qualifier.

In this episode, Robert Bateman breaks down the judgment in RTM v Bonne Terre [2026] EWCA Civ 488, handed down on 21 April 2026.

In this episode:
- The background to RTM's claim against Sky Betting and Gaming
- Mrs Justice Collins Rice's three-strand test in the High Court, and why it was a problem that neither party had argued for it
- The Court of Appeal's reasoning on why consent is objective
- The fallback argument from the operator and the ICO, and why it failed
- Findings on cookies, profiling and what was actually used for direct marketing
- Three takeaways for data protection professionals

Cited:
- RTM v Bonne Terre [2026] EWCA Civ 488
- Article 4(11) UK GDPR
- Planet 49 (Case C-673/17)
- Orange Romania (Case C-61/19)
- Meta Platforms (Case C-252/21)
- Cooper v National Crime Agency [2019] EWCA Civ 16
- Leave.EU v Information Commissioner [2021] UKUT 26 (AAC)

Get in touch with Privacy Partnership for support with UK GDPR, PECR, and AI Act compliance.
-
40
What actually counts as 'scientific research'? Here's the EDPB's six-point answer
On 15 April 2026, the European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. The 66-page document is now out for public consultation.

In this episode, Robert Bateman breaks down what the guidelines mean for pharma companies, AI developers, universities, and anyone relying on the GDPR's scientific research provisions.

The GDPR gives scientific research significant special treatment — a presumption of compatibility for further processing, extended storage, broad consent, carve-outs from the right to erasure, and a narrower right to object. But to access those provisions, you first need to qualify as "scientific research" in the first place.

In this episode:
- The EDPB's six-factor test for determining whether processing qualifies as scientific research
- Why a for-profit AI start-up can qualify — but retail analytics can't
- What "broad consent" actually means, and how it differs from "dynamic consent"
- The high threshold for the "manifestly made public" exception after Schrems (October 2024)
- When "covert research" is permitted under Article 14(5)(b)
- How the guidelines sit alongside the Digital Omnibus and the European Biotech Act

Useful references:
- EDPB Guidelines 1/2026 (public consultation draft)
- CJEU Case C-446/21 — Schrems v Meta Platforms Ireland (4 October 2024)
- Articles 5(1)(b), 9(2)(e), 14(5)(b), 17(3)(d), 21(6), and 89 GDPR
- Consultation: open now on the EDPB website.

Host: Robert Bateman, Senior Partner at Privacy Partnership

Get in touch if your organisation needs support with GDPR compliance for research activities.
-
39
'Clarity in action'?! The EDPB's 2025 annual report and litigation battles
In this episode, Rob looks at the newly published European Data Protection Board (EDPB) annual report for 2025. We are skipping the usual backward-looking statistics to focus entirely on the regulator's pipeline for 2026 and the massive multi-front litigation war currently playing out in the European courts. From new harmonised templates to high-stakes legal battles with Big Tech and fellow regulators, we break down what privacy professionals need to know for the year ahead.

What we cover in this episode:
- The EDPB's drive for simplification, including upcoming templates for data protection impact assessments (DPIAs) and data breach notifications.
- A controversial new web form designed to let stakeholders report inconsistencies between national and EDPB guidance.
- The board's heavy litigation docket, featuring clashes with Meta, TikTok, WhatsApp, the Irish Data Protection Commission, and the European Commission.
- The brewing turf war over the Digital Omnibus and the European Commission's attempt to rewrite the definition of personal data.
- Upcoming joint guidelines on the interplay between the AI Act and the GDPR.
-
38
AI in recruitment: ICO highlights poor practices as UK overhauls automated decision-making rules
Are your hiring managers quietly letting an algorithm bin hundreds of job applications while claiming a human is technically in charge?

This week on the Privacy Partnership Podcast, Rob unpacks a massive structural shift in the UK’s framework for Automated Decision-Making (ADM). We dive into two major new releases from the ICO: the highly revealing Recruitment Rewired report and the newly updated draft guidance on ADM and profiling.

With the Data (Use and Access) Act (DUAA) taking effect, the UK GDPR’s approach to ADM has fundamentally changed—moving from a strict "prohibition with exceptions" to a more flexible "right of challenge with safeguards." Robert explains why this is arguably the most significant change under the DUAA, how it actually reduces friction for controllers by opening up Legitimate Interests as a lawful basis, and why the compliance burden hasn't disappeared, but rather shifted.

We also look at where companies are still getting this horribly wrong. Although the ICO's Recruitment Rewired report covers a period before the DUAA took effect, the new draft guidance makes clear that the new Article 22C safeguards essentially codify the old rules. If you were failing then, you are failing now.

In This Episode, We Cover:
- The DUAA ADM Overhaul: How Articles 22A-22D change the game for controllers, making it easier to deploy AI decision-making without relying on clumsy lawful bases.
- The "Meaningful Human Involvement" Trap: Why having a human "rubber-stamp" an AI's red-light rejection score is still a solely automated decision under the law.
- Lawful Basis Headaches: Why Consent and Contract are terrible fits for automated CV screening, and how Legitimate Interests (and the required LIA) is now the clear path forward.
- Transparency & DPIA Failures: A look at the worst practices the ICO found, including vague privacy notices, missing safeguards, and a solo legal team member signing off on a DPIA without consulting the DPO.

Key Quotes:
"The DUAA has undeniably made it easier to justify rolling out automated decision-making systems... But the structural requirements for fairness, transparency, and human intervention haven't vanished—they've just been recodified."
"If a human is simply applying the outcome of an automated system without actively evaluating the person's information, that is not meaningful human involvement."

Resources & Links:
- Read the ICO’s Draft Guidance on Automated Decision-Making, including profiling: [Link to ICO Website]
- Read the ICO’s Recruitment Rewired Report: [Link to ICO Website]
- Learn more about the Data (Use and Access) Act (DUAA) changes to the UK GDPR.

About the Host:
Robert Bateman is a privacy expert, analyst, and the host of the Privacy Partnership Podcast.

Subscribe & Review:
If you enjoyed this episode, please subscribe to the Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Leave us a rating and review to help other privacy professionals find the show!
-
37
Brillen Rottler: A German optician fights back against 'abusive' DSARs
Are you seeing a rise in "copy-paste" Data Subject Access Requests (DSARs) designed primarily to extract a quick financial settlement?

In this episode of the Privacy Partnership Podcast, Robert Bateman unpacks a highly practical new judgment from the Court of Justice of the European Union (CJEU) that offers controllers a potential shield against abusive access requests.

Looking at the facts of Case C-526/24 (Brillen Rottler GmbH & Co. KG v TC), Robert explores the legal boundaries of Article 12(5) and Article 82 of the GDPR, explaining how privacy teams might finally be able to push back against serial compensation claims—and the evidentiary hurdles they will face in doing so.
-
36
Amazon's €746m fine overturned: But who actually won this case?
A €746 million GDPR fine gets completely annulled by a Luxembourg court. A massive, unmitigated victory for big tech, right? Not exactly.

In this episode of the Privacy Partnership Podcast, Robert Bateman dissects the highly anticipated March 12, 2026 judgment from the Luxembourg Administrative Court concerning an anonymised e-commerce giant ("Company AA", clearly Amazon) and a record-breaking penalty issued by the CNPD back in 2021.

While the company managed to get the three-quarter-of-a-billion-euro invoice torn up on a procedural technicality, the regulator walked away with a massive vindication of its substantive legal analysis. We explore how the CNPD’s failure to show its working regarding negligence cost them the fine, why "Company AA's" creative arguments about Legitimate Interest fell flat, and what happens now that the case is heading back to the regulator's desk.

Get in Touch:
If your organisation needs support navigating the increasingly complex boundaries of Legitimate Interest, consent, or defending against regulatory enforcement, contact the team at Privacy Partnership.

Subscribe to the Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favourite podcast app.
-
35
Invisible, indestructible signatures: The AI Act’s text watermarking problem
Can you hide an indestructible, imperceptible signature inside a basic marketing blog post? The European Commission seems to think you should try.

Following the release of the Second Draft of the Code of Practice on Transparency of AI-Generated Content this Tuesday, Robert Bateman dives into the technical and regulatory headaches awaiting providers of generative AI text systems. We look at the Commission's proposed "multi-layered marking approach," the inherent fragility of text-based watermarks, and the rather alarming privacy implications of using AI output logging as a fallback measure.
-
34
Are you a 'data broker'? Maybe, under the EDPB’s expanding definition
Are you a data broker? You might not think so, but European regulators could soon be looking at your business model and concluding otherwise.

In this episode of the Privacy Partnership Podcast, Robert Bateman breaks down a revealing market study commissioned by the Belgian Data Protection Authority through the EDPB’s Support Pool of Experts. Designed to identify and map the data broker ecosystem, the report provides a fascinating look at how the regulatory definition of data brokerage is expanding far beyond the traditional back-room list sellers of the early internet.

We explore how this behavior-based European definition sharply contrasts with privity-focused frameworks like California’s Delete Act. We also dive into the study's eight-part typology, which sweeps "privacy-preserving" Data Clean Rooms, AI platforms trained on scraped data, and even B2B contact databases under the data broker umbrella.

If your organisation ingests data, mixes it with other datasets, and monetises the insights, this is an episode you need to hear.

In this episode, we cover:
[0:00] Introduction: A look at the new EDPB-commissioned market study aiming to map the data broker ecosystem.
[0:45] The Definition & The California Contrast: How the European focus on behavior, profiling, and lack of "meaningful control" differs from the structural "direct relationship" test found in California's CCPA.
[2:15] High-Risk Typologies: Why adtech’s beloved Data Clean Rooms and AI integration platforms are being classified as high-risk data brokers.
[3:45] Medium-Risk Categories: The regulatory perspective on aggregated spatial data, mobility trends, and B2B contact lists, and where the risk of re-identification allegedly creeps back in.
[4:10] Outro: Key takeaways for privacy professionals evaluating their own data supply chains and partnerships.
-
33
Reddit’s £14.5m fine and the “hard problem” of age assurance
The ICO has issued a £14.47 million fine against Reddit for alleged children's privacy failures, officially signaling the end of the road for the age verification "honour system." But with the full penalty notice yet to be published, what can privacy professionals actually glean from the regulator's press release?

In this episode of the Privacy Partnership Podcast, Robert Bateman breaks down the Reddit announcement and explores one of privacy’s hardest problems: the inherent tension between robust age assurance and strict data minimisation. Are you damned if you collect the data, and damned if you don't?

We look at the ICO's updated guidance, the rising regulatory bar under the UK's Online Safety Act, and the stark choice regulators are forcing upon platforms: implement complex technical checks, or apply the highest privacy settings to everyone by default.

In this episode, Rob covers:
- The Reddit press release: Why a lack of robust age assurance and missing DPIAs led to a £14.47m penalty.
- The "honour system": Why simply asking users to type in their birth year is no longer an acceptable compliance strategy for the ICO.
- The core tension: How businesses are caught between the need to verify age (processing more data) and the strict limits of data minimisation.
- The nuclear option: The ICO’s alternative compliance route—why treating all your users like children might be the easiest way to avoid regulatory scrutiny.
- Next steps for privacy teams: How to audit your age assurance mechanisms while we wait for the full Reddit decision to drop.
-
32
EDPB highlights "right to erasure" inadequacies: Exceptions, backups, and pseudonymisation
Rob presents a few highlights from the EDPB's latest Coordinated Enforcement Framework report on the "right to erasure".
- Poor storage limitation and retention schedule practices are leading to issues satisfying erasure requests.
- Too many people are still conflating anonymisation and pseudonymisation, and thus incorrectly relying on the latter as an erasure method.
- Controllers are failing to delete personal data from backup systems in parallel with live systems.
- There has been overreliance on exemptions without having conducted an appropriate balancing assessment.

Time to start preparing for the next CEF topic: Transparency!
-
31
CJEU: Private companies CAN sue the EDPB
In this episode of the Privacy Partnership Podcast, Rob discusses a significant ruling from the CJEU regarding WhatsApp's legal challenge against the European Data Protection Board (EDPB). The CJEU's decision allows companies to directly challenge binding decisions made by the EDPB. Rob explores the implications of this ruling, particularly how it affects the relationship between tech companies and regulatory bodies, and the potential for increased litigation against the EDPB.
-
30
The ICO's planned 'experimentation regime' to attract AI firms to the UK
Rob discusses the recent letter from the Information Commissioner's Office (ICO) to UK government officials, highlighting the ICO's focus on economic growth and innovation. The ICO plans a statutory code of practice for AI and an "experimentation regime" for data protection. There will also be a review of low-risk online advertising activities, and new support for SMEs.
-
29
Happy Data Protection Day! A brief history of UK data protection law
On Data Protection Day 2026, Rob talks us briefly through the history of data protection in the UK: From the "data users" of the Data Protection Act 1984 to the "recognised legitimate interests" of last year's Data (Use and Access) Act.
-
28
The EDPB and EDPS 'slam' AI Act reforms under the Digital Omnibus
Along with plans to "simplify" the GDPR, there's an AI Digital Omnibus that proposes amendments to the AI Act. In a new Joint Opinion, the EDPB and EDPS say they support the objective to simplify the law, but they don't seem to like any of the Commission's ideas.

For example, they don't like the Commission's proposal to allow bias detection processing for all AI systems (Article 4a).

Under the AI Act as it stands, providers of high-risk systems can process special category data if "strictly necessary" to detect and correct bias. This is a narrow exception; perhaps better characterised as a clarification on how the GDPR’s general prohibition under Article 9 works in this context.

The Digital Omnibus proposal wants to broaden this to allow providers and deployers of all AI systems (not just high-risk) to process special category data for bias detection.

The EDPB and EDPS are, predictably, skeptical. They point out that while bias is a problem, opening the floodgates to process sensitive data for every chatbot and image generator on the market might not be a great idea.

—

The Board and the Supervisor also strongly oppose removing the registration obligation for Article 6(3) exemptions.

Article 6(3) of the AI Act provides a derogation that lets a provider say, "Yes, my system is listed in Annex III as high-risk, but I’ve done an assessment and it doesn't actually pose a significant risk, so I’m exempt from the high-risk rules."

Originally, you had to register that assessment in the EU database. It was a way of letting the public and regulators know you were exempting yourself.

The Digital Omnibus proposal wants to scrap that registration requirement to "reduce administrative burden."

The EDPB and EDPS argue that if a provider exempts themselves, they must at least tell the regulator and the public. Removing this requirement would allegedly create a "black box" where providers grade their own homework with no oversight unless they are investigated later.

—

I outline a few other specific objections in this episode, but more broadly, there might be a bit of a turf war emerging here.

The DPAs obviously want to defend their exclusive competence to enforce the GDPR, which is relevant insofar as it interacts with the AI Act. The Commission wants to extend the remit of the AI Office, and the EDPB and EDPS don't like it.

Add to this the fact that Data Protection Authorities are also emerging as Market Surveillance Authorities—the key enforcers under the AI Act—and the dynamics could get even more complicated.

Things getting more complicated is all part of the simplification process, I'm sure.
-
27
Happy New Year? A look at the ICO's new 'international data transfers' guidance
Rob looks at the ICO’s newly released guidance on international transfers and what it means for UK privacy professionals.
• The “Three-Step Test” for identifying restricted transfers
• Why UK processors returning data to overseas controllers are no longer “initiating” transfers
• Clarifications on transfers between branches and employees within the same legal entity
• How the guidance incorporates the Data (Use and Access) Act while retaining “TRA” terminology
• The distinction between legal entities and server locations in cloud service contracts
-
26
'No surprises': The ICO and the Government come to an understanding
The ICO and the UK Government have come to an understanding: "No surprises", "supportive challenge", and a seat at the table for the Commissioner.

A Memorandum of Understanding signed today between the ICO and the UK Government formalises an already pretty cosy relationship between the regulator and its largest stakeholder. While the MoU explicitly preserves the ICO's independence, it leans heavily on collaboration over confrontation.

Both parties have agreed to a "free flow of information" to manage risks early. There will be "no surprises".

The ICO's role is characterised as one of providing "expert advice" and "supportive challenge." Private sector organisations may or may not expect the same treatment. The Information Commissioner will attend the Government’s Transformation Board and Security Board on a six-monthly basis.

The Government has also committed to publishing an annual assurance statement on data safety and appointing the Government Chief Data Officer as the accountable person for cross-government risk.

The MoU effectively codifies the "public sector approach." The ICO is positioning itself as a strategic partner to the state.

Whether this helps avoid another Ministry of Defence Afghanistan data breach remains to be seen.
-
25
Christmas Special: The top 5 data protection CJEU cases of 2025
Time for the Privacy Partnership Podcast Christmas Special, where Rob looks at his top 5 data protection CJEU judgments for 2025. Here's the list of cases I summarise in this podcast, which span data transfers, non-material damages, data minimisation, and more:

1. Bindl v European Commission, 8 January 2025, Case T‑354/22
2. Mousse v CNIL (Mousse v Commission nationale de l'informatique et des libertés and SNCF Connect), 9 January 2025, Case C‑394/23
3. CK v Magistrat der Stadt Wien (involving Dun & Bradstreet Austria GmbH), 27 February 2025, Case C‑203/22
4. EDPS v SRB (European Data Protection Supervisor v Single Resolution Board), 4 September 2025, Case C‑413/23 P
5. X v Russmedia Digital (X v Russmedia Digital SRL and Inform Media Press SRL), 2 December 2025, Case C‑492/23
-
24
The Accidental Americans v FATCA: Like the Schrems cases, but for tax
The CJEU will soon hear the Belgian DPA's case against FATCA, the tax treaty that results in the systematic bulk transfer of data about thousands of "Accidental Americans" to the IRS.

FATCA is a US law intended to prevent US citizens from hiding assets in foreign banks. But it also hits "Accidental Americans"—people who might have been born in the US and acquired a US passport, but have very little connection to the country.

Under an intergovernmental agreement (IGA), the Belgian state regularly transfers personal data to the Inland Revenue. In May 2023, the DPA ordered these transfers to stop, saying that they were unlawful under the GDPR. Belgium argues that the 2014 IGA predated the GDPR and is thus valid under Article 96, which says that older international agreements remain valid as long as they were lawful at the time.

Among 13 questions to the CJEU:
— Article 96: Does the "grandfather clause" offer indefinite protection to pre-GDPR international agreements, even if they violate fundamental rights?
— Are Member States obliged to renegotiate or revoke old treaties that clash with the GDPR?
— Can Article 49(1)(d) (important public interest) justify systematic, bulk, annual transfers? (The EDPB generally says "no".)
— Does the EU-US Data Privacy Framework (DPF) imply that US public sector bodies offer adequate protection in the context of data transfers?

If the CJEU rules that Article 96 is not a blank cheque and that public interest derogations cannot support bulk surveillance, the legal mechanism for FATCA across the entire EU could collapse.

Could be a pretty big deal!
-
23
Did the CJEU just junk the EU's intermediary liability AND general monitoring rules? X v Russmedia
Did the CJEU just use the GDPR to junk the intermediary liability exemption and impose a general monitoring obligation? Here's a look at yesterday's Russmedia judgment.

The facts are pretty grim: "X" saw an ad on Russmedia's online marketplace falsely promoting her as a sex worker. She reported it, Russmedia took it down, but the ad had already been scraped and copied on other sites.

X sued Russmedia, which predictably said it was just an intermediary service and not liable for the contents of users' posts.

But the court said that Russmedia was a controller, and required a legal basis to post the content. Because the ad included special category data, Russmedia was required to obtain the data subject's consent.

--

EU laws, like the eCommerce Directive and the Digital Services Act, say that platforms do not have a "general monitoring obligation". Platforms have some moderation obligations (including some limited monitoring obligations in some cases), and they have to respond to takedown requests, but there is no blanket requirement to check every post for illegal content.

As such, the CJEU says that Russmedia doesn't HAVE TO "generally monitor" content; it has a specific obligation to avoid posting *this specific type of content* without consent.

But how can a platform know whether an ad contains special category data without checking every post? You know... *generally monitoring* them all?
-
22
The 'final straw': Open letter calls for inquiry into the ICO
A coalition of organisations and experts sent an open letter calling for a Parliamentary inquiry into the performance of the UK ICO. What's the problem, and will this work?

Full disclosure: I was asked to sign this letter, but I decided against it. Many people I know and respect are on the list of signatories, and while there's some stuff in here I'm not 100% behind, I think it makes some decent points. But I generally just don't sign open letters.

This document makes some pretty scathing allegations about the ICO's current enforcement strategy, specifically regarding the "Public Sector Approach", and suggests that a change in direction is needed.

The letter appears to have been triggered by the ICO’s recent decision regarding the Ministry of Defence. As many of you will know, the MoD was involved in a serious data breach where a spreadsheet containing the details of over 19,000 Afghan nationals eligible for relocation was leaked. The ICO decided not to formally investigate the MoD for this incident, a decision the signatories describe as "extraordinary."

The central policy point here is the ICO’s "public sector approach", where the ICO generally prioritises engagement and reprimands over fines for public bodies, the logic being that fining public bodies simply moves taxpayer money around.

The open letter challenges the effectiveness of this policy. The signatories cite figures from the ICO’s own post-implementation review, which they say indicate that the average number of reported breaches in the public sector increased by 11% following the adoption of the PSA. They also point to an 8% increase in complaints against public sector organisations.

The signatories are asking the Science, Innovation and Technology Committee to open an inquiry to examine whether the current enforcement priorities are delivering the best results for the UK.

I'm interested to see how the Committee responds...
-
21
It's here! Major proposed GDPR changes under the Digital Omnibus Regulation
In this episode of the Privacy Partnership Podcast, Rob walks you through the most important aspects of the proposed Digital Omnibus Regulation.
• A new Article 88c states that processing of personal data for the development and operation of AI systems may be pursued for legitimate interests (p85).
• A new condition under Article 9 allows the processing of special category data for AI training if state-of-the-art security is used and the data is subsequently removed or anonymised (p79).
• Article 4 is amended to clarify that information is not personal data for a given person if they do not have the means "reasonably likely to be used" to identify an individual (p78-79).
• The threshold for notifying a DPA about a data breach would be raised to "high risk," the deadline would be extended to 96 hours, and there would be a new Single Entry Point for breach reporting (p81).
• Article 12 is amended to allow controllers to refuse a data subject rights request where the data subject "abuses the rights conferred by (the GDPR) for purposes other than the protection of their data" (p80).
• ePrivacy rules are absorbed into new GDPR Articles 88a and 88b, introducing a 6-month "cookie fatigue" period and mandating respect for automated browser signals (p83-84).
• There are new rules about automated browser signals with a specific exemption for "media service providers" (p84).
• A new Article 9 derogation permits processing biometric data for verification (authentication) purposes if the data remains under the sole control of the data subject (p79).
-
20
GDPR's "death by 1000 cuts"? A look at the leaked Digital Omnibus draft
"Death by a thousand cuts?" That's what the leaked Digital Omnibus proposals represent to the GDPR, according to noyb.eu. Here's a look at some of the most significant ideas, from the new definition of "personal data" to the narrowing of Article 9.

--

Note: This is an unconfirmed internal draft from the Commission’s DG CONNECT and not an official proposal. It may change substantially before it’s formally presented, and we’re expecting that to happen on 19 November. Some say this document has been leaked for nefarious purposes, and that no one should so much as glance at it until the details are confirmed. But of course, us data protection dorks can hardly be expected to keep our eyes off this juicy bundle of reforms for long.

--

The very definition of "personal data" would change under this draft to reflect an interpretation of the recent CJEU judgment in SRB v EDPS. Noyb argues this is a very expansive reading of the SRB case, and that it goes against other CJEU precedents and the Charter of Fundamental Rights. The practical effect could be that companies processing pseudonymous data, like online advertising IDs, might argue they are outside the GDPR's scope altogether.

--

The draft proposes a new Article 88c, which would establish "legitimate interest" as a legal basis for processing personal data for the "development and operation of an AI system." This could give AI developers a much broader license to use personal data for training models, shifting the default in favour of data collection.

--

The proposals would also narrow the scope of "special category data" under Article 9. The draft suggests narrowing the definition to data that "directly reveals" sensitive information. Noyb argues, not unreasonably in my opinion, that this is a direct attempt to overturn CJEU rulings that have established a broad interpretation of what it means to "reveal" sensitive data.

--

Beyond these three ideas, the draft proposes some new restrictions on data subject rights and the absorption of the ePrivacy Directive's "cookie rules" into the GDPR itself. The threshold for notifying regulators of a data breach would also be raised from the current "risk" threshold to a "high risk" standard, and the deadline would be extended from 72 to 96 hours. We’ve also got some proposed revisions of other digital laws, like the AI Act and the Data Act.

--

Some ideas look tenuous and unfinished; others might be worth considering. Noyb is doing its job by jumping on this leak, but perhaps most of us should wait until the official proposal before getting too excited.
-
19
Up to 40% off UK GDPR fines! The ICO's draft enforcement guidance
The ICO is offering up to 40% off UK GDPR fines under its new draft Data Protection Enforcement Procedural Guidance. Here's how to take advantage of this special deal!

The draft guidance updates the ICO's Regulatory Action Plan, which has been in place since 2018. There are two particularly interesting bits:
- New teeth available to the ICO under the Data (Use and Access) Act (DUAA), should it choose to bite with them
- A formal proposed settlement process

Now the ICO has settled cases before—recently with Capita and Advanced Computer Software Group, for example, and we’ve also seen many fines fall off a cliff edge after the Notice of Intent has gone public. British Airways and Marriott managed to have their proposed fines reduced by around 90% and 81%, respectively. But this is the first time the ICO has proposed a formal, structured settlement process.

The idea is to create a streamlined administrative procedure for cases where a penalty notice is likely. The core of the deal is this: in exchange for an early admission of the infringement and an agreement not to appeal the final decision, the ICO will offer a discount on the fine.

The draft guidance sets out a tiered discount structure, which provides a clear incentive for early resolution.
• A case settled before the ICO issues a "notice of intent" could receive up to a 40% discount.
• If it’s settled after the notice of intent but before the organisation submits its written representations, the discount is up to 30%.
• Settle after that, and the discount drops to a maximum of 20%.

Now I expect some of you might disapprove of a measure that formalises the ICO’s tendency to whittle away at fines until they end up as a small fraction of the controller or processor’s turnover. But it’s worth noting that a formal settlements process like this is already available to other regulators, like the Competition and Markets Authority (CMA), the Financial Conduct Authority (FCA) and Ofcom.
-
18
The TikTok China decision: A de facto ban on international data transfers?
The DPC's TikTok decision is not that surprising if you understand the law, but it's actually a pretty huge deal to see this play out in reality. Are most international data transfers de facto illegal?

TikTok enabled remote access to EEA users' personal data in China, purportedly for purposes like maintenance and user support.

The DPC said: Remote access is a transfer. Not really surprising based on the post-Schrems II EDPB recommendations.

TikTok encrypted the data in transit and at rest and put various other technical and contractual safeguards in place.

The DPC said: These measures mean nothing if the Chinese government can undo them. Also not surprising; that was the whole point of Schrems II.

TikTok admitted that Chinese law was not "essentially equivalent" to the EU's, but argued that because the data was STORED on EEA servers, the Chinese government could not touch it.

The DPC said: Wrong. When the data is accessed on a Chinese employee's laptop, it's *in China*. The Chinese government can access it. That seems like common sense.

TikTok said the Chinese government had never requested access to the EEA user data and was very unlikely to ever do so.

The DPC said: Irrelevant. There is no "risk-based approach". Just because you say you've never received a request, that doesn't mean you actually haven't, or won't in future.

—

So from the DPC's perspective, each part of its decision makes sense based on previous EDPB recommendations and case law.

But let's put TikTok to one side. What's the cumulative, logical-consequence effect of these findings?

If there's no way any employee in China can even *look at* EEA-originating personal data, then transfers to China are effectively illegal.

And whose rule-of-law standards *are* "essentially equivalent" to the EU's? If there's no risk-based approach, is the threshold actually impossibly high?

India? Singapore? Australia? *Any* country without an adequacy decision?

If we flipped a switch and automatically applied this decision universally—FULL compliance with the EDPB's interpretation of Schrems II overnight—what would happen to the global economy?

Whatever your view on TikTok and the Chinese Communist Party, it's worth thinking this one through.
-
17
The EDPB's long list of problems with UK data protection standards
The EDPB just published its opinion on the UK's adequacy decision and it's pretty critical of the country's post-Brexit direction on data protection. But does the EDPB's opinion matter?

Probably not—directly, at least.

The Commission's draft adequacy decision now goes to a vote at the Comitology Committee and is very unlikely to be voted down, despite the EDPB's reservations.

But the opinion might provide some ammunition in potential future political or legal challenges to the UK's "adequate" status.

Here's a look at some of the long list of UK-related stuff that the EDPB wants the Commission to "monitor", including:
• Extensive new executive powers over data protection regulation
• The controversial Technical Capability Notices (TCNs)
• The UK's new "data protection test" for international data transfers
-
16
What is going on between the ICO and Clearview AI? The UK GDPR's scope and the meaning of "monitoring behaviour".
What is going on between Clearview AI and the ICO?

Actions against Clearview have been a test of how far digital regulation actually has extraterritorial effect. This month, we got an answer on this from the UK's Upper Tribunal, and it's an important judgment about the territorial reach of the UK GDPR—at least on paper.

In May 2022, the ICO fined Clearview AI £7.5 million and ordered it to delete the data of UK residents. Clearview appealed. Then, in a quite surprising move in October 2023, the First-tier Tribunal overturned that fine. The FTT found that the ICO lacked jurisdiction because Clearview's service was used by foreign law enforcement for their national security and criminal law functions—activities which, the tribunal said, fell outside the material scope of the UK GDPR.

The ICO appealed that decision to the Upper Tribunal, resulting in a win for the regulator. The Upper Tribunal found that the First-tier Tribunal had made a material error of law.

The judgment hinged on two key questions about the UK GDPR's material scope and its definition of "behavioural monitoring".

So, the result was a win for the ICO. The appeal was allowed, the First-tier Tribunal's decision is set aside, and the case is sent back to be decided on its merits—but on the clear basis that the ICO does have jurisdiction over Clearview AI.

But of course, the ICO now has to actually get some money out of Clearview, which might present some difficulties.
-
15
Discord's photo ID breach: Are the UK GDPR and Online Safety Act to blame?
Discord's recent data breach exposed photo IDs used to verify users' ages. Should we blame the Online Safety Act, the Children's Code, or the UK GDPR? It's complicated. (Please excuse the unsightly cut on my forehead in this one.)

While this breach probably just boils down to vendor security, I wanted to consider whether Discord was obliged to collect users' ID documents, and whether it should have been retaining them.

This story does involve some competing obligations under the OSA and the UK GDPR.

I think Discord was required to verify ages—not necessarily via photo ID, but I can see why they landed on that method.

And while it assures users that ID documents are deleted immediately after verification, this appears to only apply to the initial automated age assurance process, not the manual appeal procedure.

But that manual appeal procedure is arguably required under Article 22 UK GDPR, so it's hard to see a way around retaining this data for some period.

This isn't the last time we'll see this sort of data exposed. Resolving the tensions between these requirements means thinking things through very carefully, both in terms of data security and data protection.
-
14
Tractor Supply: The first CCPA case involving HR data
Tractor Supply: The first CCPA case about job applicants' privacy (and the largest CPPA settlement yet). Don't forget: Unlike other states, California's privacy law applies to data about employees and job applicants.

Tractor Supply settled for $1.35 million for failing to tell job applicants about their rights (among other, more commonplace violations—GPC, Do Not Sell, the usual stuff).

The company provided a "notice at collection" telling applicants what types of data it collected and why. But the notice neglected to mention Californians' CCPA rights.

Counting applicants and employees as "consumers" is one of several things that makes California's privacy law—if not the strictest—the most complicated to comply with.

I think this is an area that has failed to reach many companies' compliance radars.

Can we expect more HR-related cases from the CPPA?

Or maybe a B2B data case will come next? That can be "personal information" too under the CCPA!
-
13
LinkedIn's AI training plans are back, but not all users are treated equally
LinkedIn's AI training settings don't affect all users equally. Did you notice that LinkedIn will share UK users' data with Microsoft, but not EEA users? In this video, Rob looks at the background, the broader context, and the details.

LinkedIn first floated the idea of training its AI models on users' personal data last summer and has since encountered several bumps in the road.

Complaints were submitted to regulators in Ireland and the UK, and the company responded by putting the project on hold for EEA and UK users in September 2024.

Incidentally, the EDPB published an opinion in December on the use of "legitimate interests" to train AI models. The Board did not rule out that this could be lawful on a case-by-case basis, with safeguards attached, and people's reasonable expectations taken into account.

--

Other social media platforms have met with similar issues.

Meta's AI training saga is too complicated to recount here in full, but suffice to say that the company also paused and has now resumed its policy of relying on "legitimate interests" for this processing.

X faced court action from the Irish DPC and gave an undertaking confirming that it would not use EU users' data in this way.

--

There are some interesting details around how LinkedIn plans to share data with Microsoft:
• UK: Profile data and public content may be shared with Microsoft for model training, unless the user opts out.
• EU/EEA/Switzerland: The data will be used by LinkedIn itself for AI training, but there's no mention of any sharing with Microsoft.
• Canada/Hong Kong: There's a much more expansive approach to sharing data with Microsoft, including for advertising purposes (profile data, feed activity, ad engagement), but there's an opt-out available.
• Other countries (including the US): There's no explicit opt-out. If you don't like it, close your account.

--

As a LinkedIn user, you have until 3 November to opt out. If you opted out the last time LinkedIn tried this, check your settings.

As a data protection professional, you now have another interesting test case about whether "legitimate interests" will stand up for large-scale AI training.
-
12
The ICO is consulting on guidance on the new cookie rules—and whether to enforce them.
The ICO has yet MORE draft guidance, this time on the UK's upcoming changes to the law on cookies (etc). At the same time, it's running a "call for views" about whether it should enforce that law in certain contexts.

The updated cookies guidance includes a new chapter on the consent exceptions provided by the Data (Use and Access) Act (DUAA).

We also get new material reflecting the ICO's view that a "Reject" option should be accessible on the first layer of your cookie banner.

There's also guidance on cookie walls and freely-given consent that does not sit easily with the ICO's position vis-a-vis "consent or pay".
-
11
The first criminal prosecution for 'ignoring' a DSAR: More common than we think?
An individual has been criminally prosecuted for "ignoring" or having "blocked, erased, or concealed" a subject access request. A rare (perhaps unprecedented) case, but Rob wonders if this behaviour is more common than we might think.

This care home director was prosecuted under Section 173 of the Data Protection Act 2018, which makes it a criminal offence to "alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure" following an access request.

He reportedly attempted various unsuccessful defences, ranging from claiming the care home was merely a "building" and not a controller, to stating that the care home's ICO registration had lapsed.

—

Subject access requests can be very stressful.

It can be very painful for people to realise that they must disclose uncomfortable or potentially compromising information they would much rather keep private.

Not to mention the huge request backlogs that many organisations have accumulated, which can invite corner-cutting.

—

This sounds like a particularly bad case, and we might not expect a flurry of prosecutions under Section 173 DPA 2018—but we can reasonably call this one a "learning opportunity".

Please do get in touch if you need additional support with data subject rights management: [email protected]
-
10
What does 'without undue delay' ACTUALLY MEAN? IL v Veracash
All over EU and UK law, we see a requirement to report certain stuff "without undue delay", often coupled with a hard deadline period (e.g., within 72 hours). A CJEU case from last month explored what these dual obligations mean in practice.

IL v Veracash (Case C‑665/23, 1 August 2025) concerned the old Payment Services Directive (PSD). The PSD requires cardholders (consumers) to notify their payment services provider about suspected fraudulent transactions "without undue delay" upon becoming aware of the transaction, and within no more than 13 months.

The complainant notified the provider within two months, easily beating the "hard" 13-month deadline. But he was refused a refund for allegedly failing to meet the "without undue delay" requirement.

The case explores how these deadlines work and has broader implications.

For example, we see "without undue delay" provisions in the following laws:

GDPR Article 33(1)
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…"

AI Act Article 26(5)
"Where deployers have reason to consider that the use of the high-risk AI system in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system."

Cyber Resilience Act Article 14(2)(a)
"(The manufacturer shall submit) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it…"

Can you think of any others?
-
9
More ICO guidance! Recognised legitimate interests
More draft ICO guidance! This time, about one of the Data (Use and Access) Act's most important concepts: "Recognised legitimate interests". The "recognised legitimate interests" are data processing activities that, frankly, the government would like you to do more of.

Unlike regular old legitimate interests, you won't need to conduct a "balancing test" before processing personal data for these purposes: So long as the processing is "necessary", you can just go right ahead and do it.

So far we have five "recognised legitimate interests":
• Public task disclosure request
• National security, public security and defence
• Emergencies
• Crime
• Safeguarding

Some of these, namely "emergencies" and "safeguarding", are defined quite tightly.

Others are not. There's no definition of terms like "national security", "defence", or "crime", so expect to see controllers relying on these conditions in a broad range of circumstances.

As always, please get in touch if you need any help preparing for these provisions to take effect.
-
8
How to handle data subject complaints: New draft ICO guidance
In advance of new obligations under the Data (Use and Access) Act, the ICO has published some draft guidance on handling data subject complaints. This episode breaks down some of the ICO's expectations in this area.

As always, the ICO sets out three tiers:
• "Must": Legal duties, for example, under UK GDPR or DPA 2018.
• "Should": Good practice stuff that you should do unless there's a good reason not to.
• "Could": Optional steps to help you comply.

According to the ICO, core obligations include:
• Giving people a way to complain directly to your organisation
• Acknowledging complaints within 30 days (NOT one month, as with data subject rights)
• Investigating the complaint and responding without undue delay
• If the complaint was raised on the data subject's behalf, checking that the person has the authority to act for them
• Keeping records about the complaint while respecting data minimisation

The "shoulds" include publishing a clear complaints procedure, training staff to recognise complaints, and ensuring cover during absences.

Special considerations apply for children, such as using child-friendly language and handling safeguarding concerns (if relevant).

The ICO has long told data subjects that they must approach organisations first before coming to the regulator. This remains ICO policy only, as neither the UK GDPR nor DPA 2018 requires the data subject to do this.

But the DUAA will codify this practice, and will give controllers new statutory duties around complaint handling.

I would suggest reviewing your complaints procedure with these new obligations in mind. Although—for whatever reason—it does not mention the DUAA at all, the ICO's draft guidance is probably a good place to start.

The guidance is open for comments until 19 October.

As always, feel free to get in touch if you need help implementing any of this.
-
7
UK Data (Use and Access) Act: The first provisions take effect
Some parts of the Data (Use and Access) Act (DUAA) take effect today! This is our first chance to see how the Act is actually going to operate in practice. In this video, I'll talk you through the relevant provisions.

Many of these provisions are quite technical. So to make sense of them, Rob breaks them down into three categories:
• New powers for government and regulators
• Institutional reforms
• Amendments to existing data protection and privacy law

With these changes, we see new powers to support smart data and AI oversight, a modernised regulator with a new governance framework, and a series of updates to data protection law (some important, some... not so much).

If you need help understanding today's changes or any other aspect of UK data protection law, get in touch! Privacy Partnership knows this law inside out.
-
6
The Online Safety Act's tensions with the UK GDPR
The Online Safety Act is why you might have been asked for your driver's licence on Reddit, X, and some... other websites. In this video, I explain how the OSA works and how it raises tensions with the UK GDPR.

The OSA applies to "user-to-user" and search services with "links to the UK". This covers websites from social media giants to tiny online message boards.

Through a series of risk assessments, in-scope services must identify and mitigate risks around illegal content and harms to children.

To ensure services enforce their terms and keep kids away from inappropriate stuff, the law requires Ofcom to recommend that they use "proactive technologies", which can include "user profiling technologies".

The ICO released guidance on how to implement these profiling tools last week. For me, the guidance highlights why the OSA puts some service providers in a tricky spot.

The OSA and Ofcom expect profiling technologies to be highly effective. The law's stated aims involve cleaning up the web and keeping kids safe.

The UK GDPR and the ICO expect profiling technologies to be minimally intrusive. Profiling is high-risk, and can involve very sensitive personal data.

I don't think these goals are contradictory, but OSA-covered services will need to think carefully about meeting their obligations under both regimes.

Highly effective profiling technology might not *need* to be intrusive, but services will always need to find the least intrusive option to meet their aims. This adds an extra layer of complication to an already complicated compliance framework.

Watch this episode of the Privacy Partnership podcast for a quick primer on the OSA and the data protection issues the law raises.
-
5
AI Act: Should you be watermarking your AI-generated content?
Are you using an in-house tool powered by an AI model from OpenAI, Google, or Meta to produce marketing copy? You might soon be responsible for watermarking your AI-generated content.

In this episode of the Privacy Partnership Podcast, Rob explores a common scenario, where a company fine-tunes a general-purpose AI model and builds a simple internal tool for staff to generate copy in its own brand voice. While the company might think it is simply a "deployer" of OpenAI's general-purpose AI model, it could actually be the provider of an AI system under the AI Act.

This matters because Article 50 of the AI Act introduces a wide-ranging transparency requirement: The provider of an AI system that generates synthetic text, video, images, or audio must ensure the output is detectable as AI-generated.

While there are widely adopted image and video watermarking techniques, reliably watermarking text is more difficult. This legal obligation kicks in from 2 August 2026. And importantly, the AI Act's grandfathering clauses don't appear to cover Article 50 systems. So the requirement may apply retroactively to systems already in use by that date.

The AI Office is supposed to issue codes of practice in this area, but there's been no obvious progress on this task so far. These obligations appear to have been designed with "big tech" in mind, but they can apply to much smaller organisations too.

Watch the video for a breakdown of how an organisation can easily become a "provider" under the AI Act, how "models" differ from "systems", and why many companies might end up in scope of Article 50.

Let me know if you need help navigating these or other AI Act requirements.
-
4
The ICO's Birthlink Fine: Accountability, Integrity, and the 'Public Sector Approach' (?)
Last week, the ICO fined Scottish charity Birthlink £18,000 for destroying around 4,800 adoption records. In this video, Rob explains why this is such an interesting case.

Birthlink is an Edinburgh-based charity that maintains the Adoption Contact Register for Scotland. It provides specialised support for people involved in adoptions.

At the heart of this case are the "linked records": Manual paper files created when a successful link had been made between individuals on the adoption contact register. The linked records included original birth certificates, handwritten letters from birth parents to their children, photographs of babies, and other very sensitive personal data.

In April 2021, a decision was made to create more space in the filing cabinets. Birthlink destroyed the linked records in question. This allegedly happened with no formal board approval, no data retention or destruction policies in place, no data protection training for the staff that made the decision, and no records kept of exactly which files were destroyed.

The ICO shaved down a £45,000 fine (from the notice of intent) to £36,750 and then £17,000. Confusingly, the monetary penalty notice suggests the Commissioner approached the fine calculation in the same way as it would when enforcing against a public body, but the ICO has since said it did not apply its controversial "public sector approach" (as it did against the YMCA last year).

Either way, there are some important lessons here, particularly on accountability, data integrity, and the "storage limitation" principle.

Get in touch: [email protected]
-
3
Access to Customer and Business Data Under the DUAA with Boris Wojtan
I spoke to Boris Wojtan, Senior Privacy Counsel at Privacy Partnership Law, about "Access to Customer and Business Data" under Part 1 of the UK's Data (Use and Access) Act.

This has been on my "get to grips with this" list for absolutely ages.

Like me, you're probably familiar with the DUAA's amendments to the UK GDPR, the DPA 2018, and PECR.

But that's just one part of the legislation, and the other parts could have an even greater impact on a huge range of organisations.

In this episode, Boris and I discuss how the law will require businesses to share personal AND NON-personal data with their customers and third parties.

Having worked for organisations like the ICO, the GSMA, and BT, Boris knows this stuff inside-out.

Boris explains what this part of the law aims to achieve and offers some great advice on how to get ahead of upcoming government regulations.

Once these provisions take effect, there will be new obligations on businesses to share data in a way that *should* stimulate the economy and benefit consumers.

If you collect data about how people interact with your services, you might be required to process or share that data in new ways.
ABOUT THIS SHOW
Robert Bateman provides the latest on data protection and privacy, with regular solo news updates and short-form interviews. Brought to you by Privacy Partnership: www.privacypartnership.com
HOSTED BY
treborjnametab1