The Privacy Partnership Podcast with Robert Bateman

Are you a data broker? You might not think so, but European regulators could soon be looking at your business model and concluding otherwise.
In this episode of the Privacy Partnership Podcast, Robert Bateman breaks down a revealing market study commissioned by the Belgian Data Protection Authority through the EDPB’s Support Pool of Experts. Designed to identify and map the data broker ecosystem, the report provides a fascinating look at how the regulatory definition of data brokerage is expanding far beyond the traditional back-room list sellers of the early internet.
We explore how this behavior-based European definition sharply contrasts with privity-focused frameworks like California’s Delete Act. We also dive into the study's eight-part typology, which sweeps "privacy-preserving" Data Clean Rooms, AI platforms trained on scraped data, and even B2B contact databases under the data broker umbrella.
If your organisation ingests data, mixes it with other datasets, and monetises the insights, this is an episode you need to hear.
In this episode, we cover:

[0:00] Introduction: A look at the new EDPB-commissioned market study aiming to map the data broker ecosystem.

[0:45] The Definition & The California Contrast: How the European focus on behavior, profiling, and lack of "meaningful control" differs from the structural "direct relationship" test found in California's CCPA.

[2:15] High-Risk Typologies: Why adtech’s beloved Data Clean Rooms and AI integration platforms are being classified as high-risk data brokers.

[3:45] Medium-Risk Categories: The regulatory perspective on aggregated spatial data, mobility trends, and B2B contact lists, and where the risk of re-identification allegedly creeps back in.

[4:10] Outro: Key takeaways for privacy professionals evaluating their own data supply chains and partnerships.

The ICO has issued a £14.47 million fine against Reddit for alleged children's privacy failures, officially signaling the end of the road for the age verification "honour system." But with the full penalty notice yet to be published, what can privacy professionals actually glean from the regulator's press release?
In this episode of the Privacy Partnership Podcast, Robert Bateman breaks down the Reddit announcement and explores one of privacy’s hardest problems: the inherent tension between robust age assurance and strict data minimisation. Are you damned if you collect the data, and damned if you don't?
We look at the ICO's updated guidance, the rising regulatory bar under the UK's Online Safety Act, and the stark choice regulators are forcing upon platforms: implement complex technical checks, or apply the highest privacy settings to everyone by default.
In this episode, Rob covers:
The Reddit press release: Why a lack of robust age assurance and missing DPIAs led to a £14.47m penalty.
The "honour system": Why simply asking users to type in their birth year is no longer an acceptable compliance strategy for the ICO.
The core tension: How businesses are caught between the need to verify age (processing more data) and the strict limits of data minimisation.
The nuclear option: The ICO’s alternative compliance route—why treating all your users like children might be the easiest way to avoid regulatory scrutiny.
Next steps for privacy teams: How to audit your age assurance mechanisms while we wait for the full Reddit decision to drop.

Rob presents a few highlights from the EDPB's latest Coordinated Enforcement Framework report on the "right to erasure".

- Poor storage limitation and retention schedule practices are leading to issues satisfying erasure requests.

- Too many people still conflating anonymisation and pseudonymisation, and thus incorrectly relying on the latter as an erasure method.

- Controllers are failing to delete personal data from backup systems in parallel with live systems.

- There has been overreliance on exemptions without having conducted an appropriate balancing assessment.
Time to start preparing for the next CEF topic: Transparency!

In this episode of the Privacy and Partnership podcast, Rob discusses a significant ruling from the CJEU regarding WhatsApp's legal challenge against the European Data Protection Board (EDPB). 

The CJEU's decision allows companies to directly challenge binding decisions made by the EDPB. Rob explores the implications of this ruling, particularly how it affects the relationship between tech companies and regulatory bodies, and the potential for increased litigation against the EDPB.

Rob discusses the recent letter from the Information Commissioner's Office (ICO) to UK government officials, highlighting the ICO's focus on economic growth and innovation. 
The ICO plans a statutory code of practice for AI and an "experimentation regime" for data protection. There will also be a review of low-risk online advertising activities, and new support for SMEs.