The Privacy Partnership Podcast with Robert Bateman

Decoding the AI Act: A first look at the Commission’s "high-risk" draft guidelines

The European Commission just dropped its highly anticipated first set of draft guidelines on high-risk AI classification under the AI Act—all 150 pages of them. Published for stakeholder consultation on May 19th, 2026, this document is the closest thing we have to a compliance manual for navigating Article 6 and Annex III of the Act.  In this episode of the Privacy Partnership Podcast, Robert Bateman digs into the details to explain what the Commission considers "high-risk," how the exemption filters actually work, and why some common loopholes that tech companies might hope to rely on are being firmly closed.  In this episode, we discuss: * The Two Routes to "High-Risk": Understanding the difference between product safety components (Annex I) and stand-alone use cases (Annex III). * The Article 6(3) Filter Mechanism: How to exempt your system if it performs narrow procedural or preparatory tasks—and why making a "value judgment" instantly voids the exemption. * The Profiling Red Line: Why any AI system that performs profiling (as defined by the GDPR) is automatically classified as high-risk, with no exceptions. * The "Terms of Service" Trap: Why general-purpose AI providers can't simply slap a disclaimer in their fine print to dodge a high-risk classification if their marketing says otherwise. * Agentic AI & Complex Systems: How the Commission plans to treat multi-component AI systems that coordinate linked actions. (Spoiler: You can't partition your way out of compliance). * The "Human in the Loop" Myth: Why human oversight is a post-classification compliance requirement, not a ticket out of a high-risk designation.  * Shifting Deadlines: A look at the newly postponed enforcement dates for Annex I and Annex III obligations.

Get 40% off an ICO fine! The South Staffordshire case and early settlements

How do you knock 40% off a looming data protection fine? In this episode of the Privacy Partnership Podcast, Rob Bateman breaks down the recent £963,900 penalty handed down by the ICO to South Staffordshire Plc and explores the fascinating procedural mechanics that kept the final invoice under the one million pound mark. In this episode, we cover: How a single malicious attachment led to the exfiltration of 4 terabytes of sensitive data, including HR records and vulnerable customer info. The compliance disaster of running Windows Server 2003 (which reached end-of-life in 2015), failing to patch the 'ZeroLogon' vulnerability, and ignoring the principle of least privilege. Breaking down the ICO's findings of negligence under Article 5(1)(f) (integrity and confidentiality) and Article 32(1) (security of processing). How the ICO arrived at its £1.6 million baseline penalty based on statutory maximums, turnover, and mitigating factors. How the ICO's Draft Data Protection Enforcement Procedural Guidance allows controllers to secure 20%, 30%, or 40% discounts. Why securing this discount requires full legal admissions, a published penalty notice, and the surrender of your right to appeal to the First-tier Tribunal.

RTM v Bonne Terre: Court of Appeal redraws the line on consent

The Court of Appeal has ruled that consent under the UK GDPR and PECR is objective. A data subject's hidden vulnerabilities are not, in themselves, decisive, and even a controller's constructive knowledge of those vulnerabilities is not a stand-alone qualifier. In this episode, Robert Bateman breaks down the judgment in RTM v Bonne Terre [2026] EWCA Civ 488, handed down on 21 April 2026. In this episode: * The background to RTM's claim against Sky Betting and Gaming * Mrs Justice Collins Rice's three-strand test in the High Court, and why it was a problem that neither party had argued for it * The Court of Appeal's reasoning on why consent is objective * The fallback argument from the operator and the ICO, and why it failed * Findings on cookies, profiling and what was actually used for direct marketing * Three takeaways for data protection professionals Cited: * RTM v Bonne Terre [2026] EWCA Civ 488 * Article 4(11) UK GDPR * Planet 49 (Case C-673/17) * Orange Romania (Case C-61/19) * Meta Platforms (Case C-252/21) * Cooper v National Crime Agency [2019] EWCA Civ 16 * Leave.EU v Information Commissioner [2021] UKUT 26 (AAC) Get in touch with Privacy Partnership for support with UK GDPR, PECR, and AI Act compliance.

What actually counts as 'scientific research'? Here's the EDPB's six-point answer

On 15 April 2026, the European Data Protection Board adopted Guidelines 1/2026 on the processing of personal data for scientific research purposes. The 66-page document is now out for public consultation. In this episode, Robert Bateman breaks down what the guidelines mean for pharma companies, AI developers, universities, and anyone relying on the GDPR's scientific research provisions. The GDPR gives scientific research significant special treatment — a presumption of compatibility for further processing, extended storage, broad consent, carve-outs from the right to erasure, and a narrower right to object. But to access those provisions, you first need to qualify as "scientific research" in the first place. In this episode: * The EDPB's six-factor test for determining whether processing qualifies as scientific research * Why a for-profit AI start-up can qualify — but retail analytics can't * What "broad consent" actually means, and how it differs from "dynamic consent" * The high threshold for the "manifestly made public" exception after Schrems (October 2024) * When "covert research" is permitted under Article 14(5)(b) * How the guidelines sit alongside the Digital Omnibus and the European Biotech Act Useful references: * EDPB Guidelines 1/2026 (public consultation draft) * CJEU Case C-446/21 — Schrems v Meta Platforms Ireland (4 October 2024) * Articles 5(1)(b), 9(2)(e), 14(5)(b), 17(3)(d), 21(6), and 89 GDPR Consultation: open now on the EDPB website. Host: Robert Bateman, Senior Partner at Privacy Partnership Get in touch if your organisation needs support with GDPR compliance for research activities.

'Clarity in action'?! The EDPB's 2025 annual report and litigation battles

In this episode, Rob looks at the newly published European Data Protection Board (EDPB) annual report for 2025. We are skipping the usual backward-looking statistics to focus entirely on the regulator's pipeline for 2026 and the massive multi-front litigation war currently playing out in the European courts. From new harmonised templates to high-stakes legal battles with Big Tech and fellow regulators, we break down what privacy professionals need to know for the year ahead. What we cover in this episode The EDPB's drive for simplification, including upcoming templates for data protection impact assessments (DPIAs) and data breach notifications. A controversial new web form designed to let stakeholders report inconsistencies between national and EDPB guidance. The board's heavy litigation docket, featuring clashes with Meta, TikTok, WhatsApp, the Irish Data Protection Commission, and the European Commission. The brewing turf war over the Digital Omnibus and the European Commission's attempt to rewrite the definition of personal data. Upcoming joint guidelines on the interplay between the AI Act and the GDPR.