The Privacy Partnership Podcast with Robert Bateman

Regulating the reality of adtech: The ICO’s recommended PECR reforms

5 min · 27 May 2026

Description

The internet’s worst-kept secret is that basic digital advertising operations involve breaking privacy laws millions of times a day. But instead of dropping the enforcement hammer, the ICO is proposing a novel solution: just make it legal. In this episode, Robert Bateman unpacks the ICO's surprising new advice to the UK government (DSIT) on creating fresh exceptions to Regulation 6 of PECR. Robert discusses the strange optics of a privacy watchdog advising on deregulation, breaks down the seven new proposed consent-free advertising purposes, and explains why this pragmatic shift might actually be a massive win for both businesses and common sense.

What We Cover:

* The odd optics of the ICO actively advising the government on how to weaken privacy protections in the name of "economic growth."
* A look at the mixed reception from the ICO's somewhat exclusionary "Citizen Juries."
* The seven specific ad-tech purposes proposed for consent-free operation within a "first-party framework" (including measurement, billing, and ad fraud prevention).
* How consent-free targeting will actually work, and the strict boundaries being placed on abstracted signals (like device type and city-level geolocation).
* Why the ICO is choosing pragmatic legalisation over costly enforcement against low-harm data processing.
* What this means for privacy professionals and why it will make advising clients much more practical.

Resources & Contact: If your organisation needs help navigating the current, slightly messy PECR landscape—or preparing for the government's upcoming secondary legislation—get in touch with the team at Privacy Partnership. Don't forget to subscribe to the Privacy Partnership Podcast for more updates on data protection, privacy law, and digital advertising.


All episodes

44 episodes

Data transfers: How encryption and SCCs failed to save Yango Taxi from a €100 million fine

If you’re going to encrypt European personal data before transferring it to a high-risk jurisdiction, the golden rule is simple: don't leave the encryption keys on the exact same server. In this episode, Robert Bateman unpacks a staggering €100 million fine handed down by the Dutch Data Protection Authority (AP) against MLU B.V., the legal successor to the operator of the Yango ride-hailing app. Despite taking a "risk-based approach" and relying on Standard Contractual Clauses (SCCs) and encryption, the company's technical and corporate architecture fundamentally failed to protect the personal data of Finnish and Norwegian users transferred to Yandex in Russia. Robert breaks down the Dutch DPA’s decision, exploring why regulators are increasingly piercing the veil of technical and legal documentation, and asks the ultimate question: what actually stands up to scrutiny when transferring data to non-adequate jurisdictions?

Key Takeaways & Topics Discussed:

* The Yango Case Breakdown: How the Dutch DPA asserted lead supervisory authority over a Netherlands-based entity for data transfers impacting users in Finland and Norway.
* Joint Controllers vs. Processors: Why the DPA rejected the exporter's claim that the Russian importer was merely a processor, ruling that the commercial reality of their shared software made them joint controllers.
* A Fatal Technical Flaw: How storing encryption keys in the RAM of the exact same Russian back-end server completely undermined the exporter's pseudonymisation and encryption safeguards.
* The "Legal Illusion" of Separation: Why shifting the encryption keys to an AWS server in Frankfurt in late 2023 still failed to satisfy the DPA. (Spoiler: Sharing the exact same director across the European exporter and the Russian importer meant the importer still had the executive means to re-identify users.)
* State Surveillance & SORM: A look into the DPA's analysis of Russian surveillance laws, the SORM system, the FSB, and why the local telecom regulator offered no meaningful independent oversight.
* The Bigger Picture: What this massive enforcement action tells us about the limits of SCCs and Transfer Impact Assessments (TIAs) in the face of problematic surveillance laws.

Relevant Resources:

* Dutch Data Protection Authority (Autoriteit Persoonsgegevens): Penalty notice issued to MLU B.V. (April 2026)
* GDPR References: Chapter V, specifically Articles 44 and 46 (General principles for transfers & Transfers subject to appropriate safeguards).

Thanks for listening to the Privacy Partnership Podcast. Be sure to subscribe for more deep dives into the latest global data protection and privacy enforcement news.

11 Jun 2026 · 5 min

AI Act loophole? How one company navigated the ban on workplace emotion recognition

Can an employer use AI to read its employees' Slack and Teams messages to diagnose their stress levels? Under the EU AI Act, that sounds like a clear violation of the ban on workplace emotion recognition. Yet, one AI company, Myndoor, just survived a regulatory investigation by the Italian Data Protection Authority (the Garante) for doing exactly that. In this episode, Robert dives into this fascinating ruling to explore how Myndoor legally bypassed the AI Act's Article 5 prohibitions through a clever "employee perk" structure. However, escaping the outright ban didn't get them off the hook entirely. We discuss why this tool is still classified as a "High-Risk" AI system, the strict transparency and human oversight requirements it faces, and the critical flaw in its "aggregate reporting" feature that ultimately earned the company a formal warning from the regulator. If you are navigating the intersection of privacy, employment law, and the new EU AI Act, this is a must-listen case study on the dangers of indirect re-identification and algorithmic "black boxes."

Key Takeaways:

* The Myndoor System: How the AI plug-in uses semantic and linguistic analysis (sentiment analysis) to infer employee psychological stress based on workplace chat messages.
* The Article 5 Ban: Why the AI Act strictly prohibits the use of AI to infer the emotions of a natural person in the workplace, and how Myndoor structured its data flows to keep the employer locked out and avoid this prohibition.
* High-Risk AI Obligations: Why dodging the ban doesn't mean dodging the AI Act. We break down Myndoor's obligations under Article 13 (Transparency) and Article 14 (Human Oversight) to protect users from opaque, biased algorithms.
* The "Aggregate Data" Trap: Why the Garante issued a formal warning regarding Myndoor's weekly stress reports, and how the risk of "indirect re-identification" (or single-out) could cause the legal firewall to collapse.

Mentioned in this Episode:

* The Garante Decision: Provision of 14 May 2026 [Web Doc No. 10255494] regarding Myndoor Srl.
* The EU AI Act (Regulation (EU) 2024/1689): Specifically referencing Article 5 (Prohibited AI Practices), Article 13 (Transparency), and Article 14 (Human Oversight).
* GDPR & Italian Labor Law: The intersection of data minimization, worker dignity, and the prohibition of employer-led health assessments.

Subscribe & Follow: If you enjoyed this episode, please subscribe to The Privacy Partnership Podcast on Apple Podcasts, Spotify, or your favorite podcast app. Connect with Robert Bateman on LinkedIn for more daily insights on privacy, data protection, and AI governance.

2 Jun 2026 · 5 min

Regulating the reality of adtech: The ICO’s recommended PECR reforms


27 May 2026 · 5 min

Decoding the AI Act: A first look at the Commission’s "high-risk" draft guidelines

The European Commission just dropped its highly anticipated first set of draft guidelines on high-risk AI classification under the AI Act—all 150 pages of them. Published for stakeholder consultation on May 19th, 2026, this document is the closest thing we have to a compliance manual for navigating Article 6 and Annex III of the Act. In this episode of the Privacy Partnership Podcast, Robert Bateman digs into the details to explain what the Commission considers "high-risk," how the exemption filters actually work, and why some common loopholes that tech companies might hope to rely on are being firmly closed.

In this episode, we discuss:

* The Two Routes to "High-Risk": Understanding the difference between product safety components (Annex I) and stand-alone use cases (Annex III).
* The Article 6(3) Filter Mechanism: How to exempt your system if it performs narrow procedural or preparatory tasks—and why making a "value judgment" instantly voids the exemption.
* The Profiling Red Line: Why any AI system that performs profiling (as defined by the GDPR) is automatically classified as high-risk, with no exceptions.
* The "Terms of Service" Trap: Why general-purpose AI providers can't simply slap a disclaimer in their fine print to dodge a high-risk classification if their marketing says otherwise.
* Agentic AI & Complex Systems: How the Commission plans to treat multi-component AI systems that coordinate linked actions. (Spoiler: You can't partition your way out of compliance.)
* The "Human in the Loop" Myth: Why human oversight is a post-classification compliance requirement, not a ticket out of a high-risk designation.
* Shifting Deadlines: A look at the newly postponed enforcement dates for Annex I and Annex III obligations.

20 May 2026 · 6 min

Get 40% off an ICO fine! The South Staffordshire case and early settlements

How do you knock 40% off a looming data protection fine? In this episode of the Privacy Partnership Podcast, Rob Bateman breaks down the recent £963,900 penalty handed down by the ICO to South Staffordshire Plc and explores the fascinating procedural mechanics that kept the final invoice under the one million pound mark.

In this episode, we cover:

* How a single malicious attachment led to the exfiltration of 4 terabytes of sensitive data, including HR records and vulnerable customer info.
* The compliance disaster of running Windows Server 2003 (which reached end-of-life in 2015), failing to patch the 'ZeroLogon' vulnerability, and ignoring the principle of least privilege.
* Breaking down the ICO's findings of negligence under Article 5(1)(f) (integrity and confidentiality) and Article 32(1) (security of processing).
* How the ICO arrived at its £1.6 million baseline penalty based on statutory maximums, turnover, and mitigating factors.
* How the ICO's Draft Data Protection Enforcement Procedural Guidance allows controllers to secure 20%, 30%, or 40% discounts.
* Why securing this discount requires full legal admissions, a published penalty notice, and the surrender of your right to appeal to the First-tier Tribunal.

15 May 2026 · 5 min