The Privacy Partnership Podcast with Robert Bateman

RTM v Bonne Terre: Court of Appeal redraws the line on consent

6 min · 30 Apr 2026

Description

The Court of Appeal has ruled that consent under the UK GDPR and PECR is objective. A data subject's hidden vulnerabilities are not, in themselves, decisive, and even a controller's constructive knowledge of those vulnerabilities is not a stand-alone qualifier. In this episode, Robert Bateman breaks down the judgment in RTM v Bonne Terre [2026] EWCA Civ 488, handed down on 21 April 2026.

In this episode:

* The background to RTM's claim against Sky Betting and Gaming
* Mrs Justice Collins Rice's three-strand test in the High Court, and why it was a problem that neither party had argued for it
* The Court of Appeal's reasoning on why consent is objective
* The fallback argument from the operator and the ICO, and why it failed
* Findings on cookies, profiling and what was actually used for direct marketing
* Three takeaways for data protection professionals

Cited:

* RTM v Bonne Terre [2026] EWCA Civ 488
* Article 4(11) UK GDPR
* Planet 49 (Case C-673/17)
* Orange Romania (Case C-61/19)
* Meta Platforms (Case C-252/21)
* Cooper v National Crime Agency [2019] EWCA Civ 16
* Leave.EU v Information Commissioner [2021] UKUT 26 (AAC)

Get in touch with Privacy Partnership for support with UK GDPR, PECR, and AI Act compliance.


All episodes

47 episodes


The death of the EU-US DPF? Trump v Slaughter and the future of transatlantic data flows

Did the US Supreme Court just sign the death warrant for the EU-US Data Privacy Framework (DPF)? In this explosive episode of the Privacy Partnership Podcast, Robert Bateman breaks down yesterday's monumental 6-3 SCOTUS decision in Trump v. Slaughter, which fundamentally rewrites the rules of the American administrative state. By confirming the President's authority to fire FTC Commissioners at will, the Court has stripped the FTC of its structural independence—a core pillar of the European Commission’s DPF adequacy decision. Robert explores the immediate fallout, the threat to US surveillance safeguards, and why Max Schrems and noyb are already demanding an "orderly exit" to prevent a catastrophic "Schrems III" compliance cliff. In this episode, we cover: The fall of Humphrey's Executor: How Trump v. Slaughter dismantled a 1935 precedent and placed the FTC under the direct control of the White House. The DPF's structural flaw: Why the European Commission's reliance on FTC independence (Recital 60) is now a historical artifact. Surveillance safeguards at risk: How the ruling threatens the independence of the Privacy and Civil Liberties Oversight Board (PCLOB) and the newly minted Data Protection Review Court (DPRC). A constitutional clash of laws: noyb's immediate letter to the European Commission, arguing that the US Constitution now prohibits the independent supervisory authority required by EU treaty law. What's next at the CJEU: Could the ongoing legal challenge by French MP Philippe Latombe sweep up these new constitutional issues? The UK Angle: Why the UK's adequacy regulations and the UK Extension to the DPF might survive (for now), but face serious legal complications ahead. 
Resources & References: The European Commission’s Implementing Decision (EU-US Data Privacy Framework) noyb’s open letter to the European Commission regarding the Slaughter ruling Background on French MP Philippe Latombe's ongoing CJEU challenge against the DPF Get in Touch: With the DPF on shaky legal ground, is it time to dust off those Standard Contractual Clauses (SCCs)? If you need help navigating this transatlantic uncertainty, the team at Privacy Partnership is here to help.

30 Jun 2026 · 5 min

Data transfers at the Irish courts: A partial win for TikTok

The Irish High Court has just delivered a massive judgment in TikTok’s appeal against the Data Protection Commission (DPC). The court upheld a staggering €530 million fine—but surprisingly tore up the regulator’s order to suspend TikTok's data transfers to China. Who actually won this case, and what does it mean for the future of international data flows? In this episode of the Privacy Partnership Podcast, Robert Bateman unpacks Mr Justice Rory Mulcahy’s highly technical ruling. We dive into the mechanics of remote access, the absolute floor for GDPR negligence, why catch-all phrases in privacy policies are no longer acceptable, and what happens when a regulator fails to "show its working" when assessing complex technical mitigations like TikTok's Project Clover. In this episode, we cover: The Mechanics of Remote Access: Why TikTok’s data localisation defence failed, and how data temporarily loaded into the RAM of an engineer's laptop in Beijing constitutes processing in China. Article 46 and Accountability: How TikTok’s failure to assess the specific technical risks of local caching in its Transfer Impact Assessments (TIAs) led to a massive infringement. Transparency and Article 13: Why the DPC fined TikTok €45 million simply for failing to explicitly name China in its 2021 privacy policy. The New Standard for Negligence: Why relying on expensive external counsel doesn't shield you from liability, and why the GDPR negligence threshold is currently "sitting on the floor." Fair Procedures and Project Clover: Why the High Court vacated the DPC’s suspension order, ruling that the regulator unlawfully ignored late expert evidence and failed to adequately explain why TikTok's new secure European data enclave was technically ineffective. Key Takeaways for Privacy Professionals: TIAs must reflect technical reality: Regulators are looking past server locations and examining endpoint devices. 
Your transfer assessments must account for temporary local processing, including RAM and CPU caching. Name names in your privacy notices: Boilerplate language about "third countries" or relying on SCCs/adequacy without specifying the actual destination countries is a major compliance risk. Regulators must justify technical rejections: While courts will defer to a regulator's technical expertise, Data Protection Authorities must provide detailed reasoning when rejecting a controller's supplementary measures.

25 Jun 2026 · 5 min

John Edwards resigns! A look back at his time at the ICO

John Edwards has abruptly resigned as the UK Information Commissioner via a LinkedIn post, leaving behind a rather complicated legacy. In this episode, Robert Bateman looks back at Edwards’ four-and-a-half-year tenure. We unpack an era defined by massive platform fines, jurisdictional ping-pong, a highly convenient alignment with Home Office surveillance goals, and a surprisingly lenient approach to public sector data blunders. Was the Edwards-era ICO truly "innovation-friendly," or just inconsistently interventionist? Key Takeaways & Highlights: The LinkedIn Departure: Breaking down Edwards’ sudden exit amid an HR investigation and what it means for the regulator’s stability. The Hits and the Misses: Giving credit for strong enforcement in cases like Easylife's predatory marketing and Serco's employee biometric tracking, while examining the drawn-out, costly legal headache of the Clearview AI saga. The FaceWatch Controversy: How the ICO’s tough talk on biometric data seemed to quietly evaporate when it came to private retail surveillance that conveniently aligned with Home Office policing priorities. The Two-Tier Fining System: A look at the ICO's revised public-sector approach. Why do private platforms like TikTok and Reddit get £12m+ fines, while publicly funded bodies like the PSNI and the Post Office walk away with heavy discounts or mere reprimands for catastrophic failings? A Headless Regulator: What the Data (Use and Access) Act (DUAA) means for the future of the ICO as it transitions from a single Commissioner to a statutory board—exactly when it lacks permanent leadership.

19 Jun 2026 · 5 min

Data transfers: How encryption and SCCs failed to save Yango Taxi from a €100 million fine

If you’re going to encrypt European personal data before transferring it to a high-risk jurisdiction, the golden rule is simple: don't leave the encryption keys on the exact same server. In this episode, Robert Bateman unpacks a staggering €100 million fine handed down by the Dutch Data Protection Authority (AP) against MLU B.V., the legal successor to the operator of the Yango ride-hailing app. Despite taking a "risk-based approach" and relying on Standard Contractual Clauses (SCCs) and encryption, the company's technical and corporate architecture fundamentally failed to protect the personal data of Finnish and Norwegian users transferred to Yandex in Russia. Robert breaks down the Dutch DPA’s decision, exploring why regulators are increasingly piercing the veil of technical and legal documentation, and asks the ultimate question: what actually stands up to scrutiny when transferring data to non-adequate jurisdictions? Key Takeaways & Topics Discussed: The Yango Case Breakdown: How the Dutch DPA asserted lead supervisory authority over a Netherlands-based entity for data transfers impacting users in Finland and Norway. Joint Controllers vs. Processors: Why the DPA rejected the exporter's claim that the Russian importer was merely a processor, ruling that the commercial reality of their shared software made them joint controllers. A Fatal Technical Flaw: How storing encryption keys in the RAM of the exact same Russian back-end server completely undermined the exporter's pseudonymisation and encryption safeguards. The "Legal Illusion" of Separation: Why shifting the encryption keys to an AWS server in Frankfurt in late 2023 still failed to satisfy the DPA. (Spoiler: Sharing the exact same director across the European exporter and the Russian importer meant the importer still had the executive means to re-identify users).
State Surveillance & SORM: A look into the DPA's analysis of Russian surveillance laws, the SORM system, the FSB, and why the local telecom regulator offered no meaningful independent oversight. The Bigger Picture: What this massive enforcement action tells us about the limits of SCCs and Transfer Impact Assessments (TIAs) in the face of problematic surveillance laws. Relevant Resources: Dutch Data Protection Authority (Autoriteit Persoonsgegevens): Penalty notice issued to MLU B.V. (April 2026) GDPR References: Chapter V - specifically Articles 44 and 46 (General principles for transfers & Transfers subject to appropriate safeguards). Thanks for listening to the Privacy Partnership Podcast. Be sure to subscribe for more deep dives into the latest global data protection and privacy enforcement news.

11 Jun 2026 · 5 min

AI Act loophole? How one company navigated the ban on workplace emotion recognition

Can an employer use AI to read its employees' Slack and Teams messages to diagnose their stress levels? Under the EU AI Act, that sounds like a clear violation of the ban on workplace emotion recognition. Yet, one AI company, Myndoor, just survived a regulatory investigation by the Italian Data Protection Authority (the Garante) for doing exactly that. In this episode, Robert dives into this fascinating ruling to explore how Myndoor legally bypassed the AI Act's Article 5 prohibitions through a clever "employee perk" structure. However, escaping the outright ban didn't get them off the hook entirely. We discuss why this tool is still classified as a "High-Risk" AI system, the strict transparency and human oversight requirements it faces, and the critical flaw in its "aggregate reporting" feature that ultimately earned the company a formal warning from the regulator. If you are navigating the intersection of privacy, employment law, and the new EU AI Act, this is a must-listen case study on the dangers of indirect re-identification and algorithmic "black boxes." Key Takeaways: The Myndoor System: How the AI plug-in uses semantic and linguistic analysis (sentiment analysis) to infer employee psychological stress based on workplace chat messages. The Article 5 Ban: Why the AI Act strictly prohibits the use of AI to infer the emotions of a natural person in the workplace, and how Myndoor structured its data flows to keep the employer locked out and avoid this prohibition. High-Risk AI Obligations: Why dodging the ban doesn't mean dodging the AI Act. We break down Myndoor's obligations under Article 13 (Transparency) and Article 14 (Human Oversight) to protect users from opaque, biased algorithms. The "Aggregate Data" Trap: Why the Garante issued a formal warning regarding Myndoor's weekly stress reports, and how the risk of "indirect re-identification" (or single-out) could cause the legal firewall to collapse. 
Mentioned in this Episode: The Garante Decision: Provision of 14 May 2026 [Web Doc No. 10255494] regarding Myndoor Srl. The EU AI Act (Regulation (EU) 2024/1689): Specifically referencing Article 5 (Prohibited AI Practices), Article 13 (Transparency), and Article 14 (Human Oversight). GDPR & Italian Labor Law: The intersection of data minimization, worker dignity, and the prohibition of employer-led health assessments. Subscribe & Follow: If you enjoyed this episode, please subscribe to The Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Connect with Robert Bateman on LinkedIn for more daily insights on privacy, data protection, and AI governance.

2 Jun 2026 · 5 min