Podcast Summary: The Monopoly Report

Episode 48: The Incredible Shrinking Definition of EU Personal Data
Date: September 24, 2025
Host: Alan Chapell
Guest: Robert Bateman, Senior Partner at Privacy Partnership

Episode Overview

This episode explores the evolving legal definition of "personal data" within the European Union, the recent SRB case’s impact, implications for the ad and digital media ecosystem, and contrasts with developments in the UK and US. Alan Chapell and Robert Bateman discuss how definitions are narrowing (or broadening, depending on context), what pseudonymization truly offers under GDPR, and what new regulatory experiments in the UK might mean for digital advertising, transparency, and privacy compliance globally.

Key Discussion Points and Insights

Setting the Stage: Evolution of "Personal Data" in the EU

Breyer Case & Early Days of GDPR
- The landmark 2016 Breyer case established that an IP address can constitute personal data, depending on context and re-identification means ([03:38]).
- Bateman’s nuanced take: “An IP address can be personal data if the person processing it has the legal means or reasonable means... to re-identify a person using that IP address.” ([03:45])
- However, authorities have often interpreted IP addresses as personal data "per se" since then ([04:45]).

Tension between Pseudonymization and Broad Data Definitions

Practical Business Implications
- Chapell identifies industry frustration: “What is the benefit to me of pseudonymizing a data set if at the end of the day I probably have to get a consent for it?” ([06:14])
- Bateman responds that while pseudonymization is not equivalent to anonymization under GDPR, it still offers security and risk reduction benefits ([07:08]).
- There’s increased attention to nuanced scenarios—such as when a third party receives only pseudonymized data and cannot re-identify data subjects.

The SRB Case: Implications for Defining Personal Data

The Case Summary ([08:32]):
- The SRB transferred pseudonymized bank shareholder data to Deloitte (US), excluding direct identifiers. Shareholders complained SRB failed to notify them.
- Bateman: “The question was this personal data when SRB sent it to Deloitte and was it personal data when Deloitte processed it, given that they couldn't make that link...” ([09:07])
- The recent ruling: SRB should have been transparent with shareholders, but the data wasn’t "personal data" in Deloitte’s hands due to lack of re-identification ability ([11:46]).
- The result: a confirmed “relative” (context-dependent) definition of personal data rather than an absolute one.

Impact for Digital Advertising and Ad Tech

Bateman sees “unanswered questions” and a spectrum of legal opinion on SRB’s significance for ad tech ([12:16]).
- Quote: “If you plan to strip out identifiers or pseudonymize data after you've collected it... you still need to tell people what you're planning to do with it when you collect it.” ([12:16])
- For data receivers (vendors): If they cannot re-identify, the data may not be "personal" under GDPR—potentially favorable for ad tech, but with caveats.
Transparency and notification obligations remain central, even for pseudonymized or processed data.

Consent, Profiling, and Regulatory Tension in the EU

Chapell and Bateman discuss how almost any profiling associated with tracking technologies now demands explicit consent ([14:25]).
- Chapell laments: “If one needs to get a consent for anything, you’re telling the business community that they might as well collect as much data as they can.” ([15:34])
Bateman advocates for a balance to avoid “all or nothing,” which could incentivize non-compliance or excessive data collection ([15:34]).

Regulatory Experiments: The UK’s ICO and E-Privacy Rules

UK Developments ([18:36]):
- Two tracks: legal reforms in process and an ICO consultation on enforcement of cookie/tracking consents.
- ICO is considering not enforcing certain rules (e.g., consent for frequency capping, fraud detection) for low-risk ad tech activities—controversial but potentially pragmatic ([21:26]).
- Bateman’s concern: “The problematic element here... is that the ICO is effectively saying it’s not going to enforce the law in certain areas. … It just leaves a slightly odd taste in my mouth.” ([21:26])

EU's Appetite for Similar Reform

Bateman sees little chance for such regulatory experimentation in the EU due to institutional inertia and stricter DPAs, especially in countries like Norway, Germany, and Austria ([24:07]).

Cross-Border Data Transfers and The Data Privacy Framework

Why Cross-Border Transfers Matter ([26:02]):
- Crucial for digital media, with EU consumers heavily reliant on US-based services.
- Chapell: “If you were to flip the switch and shut that off, I mean, European civilization would probably collapse overnight…” ([26:02]).
Challenges to the EU-US Data Privacy Framework ([28:42]):
- Recent challenge by French MP Philippe Latombe argued that new US safeguards are insufficient, especially with Trump’s dismantling of key privacy oversight ([30:20]).
- The court evaluated only the framework as originally constructed, not factoring recent executive disruptions.
- Bateman notes: “We might not have seen the back of this case. It might come back at appeal... but for now that framework is definitely safe for at least a year or so.” ([32:03])
Likelihood of Max Schrems/NOYB Litigation ([32:24]):
- Despite expectations, NOYB has not yet challenged the framework, possibly due to the high cost of such litigation.

Reflections on Transatlantic Differences

Chapell observes: “The EU seems to be narrowing its definition of personal data at the very time where the US, led by state privacy law, has expanded its definition of personal data pretty significantly.” ([37:29])
The contrast has created challenging gray areas—what Chapell calls “Schrödinger’s data set, where a dataset can be both personal data and de-identified data.” ([37:29])

Robert Bateman’s Dual Role: Journalist and Consultant

Bateman values having journalistic breadth and speaks to the importance of understanding both sides of privacy debates ([35:05]).
- Bateman: “I can see the incentives and I can see the risks... it certainly helped me to make a name in the sector and meet lots of very interesting people primarily.” ([36:19])

Notable Quotes and Memorable Moments

On the Breyer case and IP addresses:
“It can be personal data if the person processing it has the legal means or reasonable means... to re-identify a person using that IP address.”
— Robert Bateman, [03:45]
On pseudonymization’s real value:
“The benefits of pseudonymization have been oversold by some people to suggest that it is equivalent to anonymization, which of course it’s not.”
— Robert Bateman, [07:08]
On transparency obligations:
“If you plan to strip out identifiers or pseudonymize data after you've collected it... you still need to tell people what you’re planning to do with it when you collect it.”
— Robert Bateman, [12:16]
On regulatory pragmatism and risk:
“I think from a pure privacy perspective, I don’t have an issue with people doing frequency capping and ad selection staff measurement without consent. I think that’s pretty harmless, to be frank.”
— Robert Bateman, [21:26]
On the reluctance for reform in the EU:
“No, I don’t see much appetite for it in the EU… There are DPAs that take much stronger and more absolutist views on privacy than the ICO.”
— Robert Bateman, [24:07]
On the importance of cross-border data transfers:
“So much of our services and goods come from the US, particularly in the digital space, that we need some way to facilitate the transfer of data back and forth… European civilization would probably collapse overnight.”
— Robert Bateman, [26:02]
On Schrems and NOYB:
“...NOYB can’t fund it. That’s just based on one comment he made in an interview more recently. So I don’t know if we’ll see a challenge from NOYB.”
— Robert Bateman, [32:24]
On industry polarization:
“Being able to view an issue from a number of different perspectives is a gift… People retreat into their camps and then they lob little… missiles or little paper airplanes at the other side. And that doesn’t facilitate exchange or… create a dialogue.”
— Alan Chapell, [36:19]

Important Timestamps

03:38 — Review of the Breyer case and the flexible interpretation of IP addresses as personal data
07:08 — Deep dive on the practical and legal value of pseudonymization under GDPR
08:32–11:46 — The SRB case explained: facts, the Court's decision, and implications for data handlers
12:16 — Real-world impact for ad tech and transparency requirements after SRB
14:25–17:09 — Profiling, consent, and regulatory drift in the EU
18:36–23:18 — New experiments by the UK ICO on cookies, tracking, and enforcement discretion
24:07 — Barriers to similar regulatory flexibility in the EU
26:02–34:35 — Cross-border data transfers: EU-US challenges, Safe Harbor to DPF, and looming litigation
35:05–37:01 — Bateman on balancing journalistic inquiry and consultancy in privacy/regulatory space
37:29 — Chapell’s closing remarks on global differences and future podcast guests

Resources & Further Reference

Privacy Partnership Podcast: Search for Robert Bateman’s show on your podcast app for weekly updates on privacy and tech law ([37:01]).
Monopoly Report: Subscribe for more in-depth analysis at monopoly-report.com

This episode delivers a detailed, nuanced look at a complex regulatory topic—with both practical guidance for digital businesses and intellectual debate on where EU and UK data privacy are heading in an increasingly global, contested regulatory landscape.

Podcast Summary: The Monopoly Report

Episode 48: The Incredible Shrinking Definition of EU Personal Data
Date: September 24, 2025
Host: Alan Chapell
Guest: Robert Bateman, Senior Partner at Privacy Partnership

Episode Overview

Key Discussion Points and Insights

Setting the Stage: Evolution of "Personal Data" in the EU

Breyer Case & Early Days of GDPR
- The landmark 2016 Breyer case established that an IP address can constitute personal data, depending on context and re-identification means ([03:38]).
- Bateman’s nuanced take: “An IP address can be personal data if the person processing it has the legal means or reasonable means... to re-identify a person using that IP address.” ([03:45])
- However, authorities have often interpreted IP addresses as personal data "per se" since then ([04:45]).

Tension between Pseudonymization and Broad Data Definitions

Practical Business Implications
- Chapell identifies industry frustration: “What is the benefit to me of pseudonymizing a data set if at the end of the day I probably have to get a consent for it?” ([06:14])
- Bateman responds that while pseudonymization is not equivalent to anonymization under GDPR, it still offers security and risk reduction benefits ([07:08]).
- There’s increased attention to nuanced scenarios—such as when a third party receives only pseudonymized data and cannot re-identify data subjects.

The SRB Case: Implications for Defining Personal Data

The Case Summary ([08:32]):
- The SRB transferred pseudonymized bank shareholder data to Deloitte (US), excluding direct identifiers. Shareholders complained SRB failed to notify them.
- Bateman: “The question was this personal data when SRB sent it to Deloitte and was it personal data when Deloitte processed it, given that they couldn't make that link...” ([09:07])
- The recent ruling: SRB should have been transparent with shareholders, but the data wasn’t "personal data" in Deloitte’s hands due to lack of re-identification ability ([11:46]).
- The result: a confirmed “relative” (context-dependent) definition of personal data rather than an absolute one.

Impact for Digital Advertising and Ad Tech

Bateman sees “unanswered questions” and a spectrum of legal opinion on SRB’s significance for ad tech ([12:16]).
- Quote: “If you plan to strip out identifiers or pseudonymize data after you've collected it... you still need to tell people what you're planning to do with it when you collect it.” ([12:16])
- For data receivers (vendors): If they cannot re-identify, the data may not be "personal" under GDPR—potentially favorable for ad tech, but with caveats.
Transparency and notification obligations remain central, even for pseudonymized or processed data.

Consent, Profiling, and Regulatory Tension in the EU

Chapell and Bateman discuss how almost any profiling associated with tracking technologies now demands explicit consent ([14:25]).
- Chapell laments: “If one needs to get a consent for anything, you’re telling the business community that they might as well collect as much data as they can.” ([15:34])
Bateman advocates for a balance to avoid “all or nothing,” which could incentivize non-compliance or excessive data collection ([15:34]).

Regulatory Experiments: The UK’s ICO and E-Privacy Rules

UK Developments ([18:36]):
- Two tracks: legal reforms in process and an ICO consultation on enforcement of cookie/tracking consents.
- ICO is considering not enforcing certain rules (e.g., consent for frequency capping, fraud detection) for low-risk ad tech activities—controversial but potentially pragmatic ([21:26]).
- Bateman’s concern: “The problematic element here... is that the ICO is effectively saying it’s not going to enforce the law in certain areas. … It just leaves a slightly odd taste in my mouth.” ([21:26])

EU's Appetite for Similar Reform

Bateman sees little chance for such regulatory experimentation in the EU due to institutional inertia and stricter DPAs, especially in countries like Norway, Germany, and Austria ([24:07]).

Cross-Border Data Transfers and The Data Privacy Framework

Why Cross-Border Transfers Matter ([26:02]):
- Crucial for digital media, with EU consumers heavily reliant on US-based services.
- Chapell: “If you were to flip the switch and shut that off, I mean, European civilization would probably collapse overnight…” ([26:02]).
Challenges to the EU-US Data Privacy Framework ([28:42]):
- Recent challenge by French MP Philippe Latombe argued that new US safeguards are insufficient, especially with Trump’s dismantling of key privacy oversight ([30:20]).
- The court evaluated only the framework as originally constructed, not factoring recent executive disruptions.
- Bateman notes: “We might not have seen the back of this case. It might come back at appeal... but for now that framework is definitely safe for at least a year or so.” ([32:03])
Likelihood of Max Schrems/NOYB Litigation ([32:24]):
- Despite expectations, NOYB has not yet challenged the framework, possibly due to the high cost of such litigation.

Reflections on Transatlantic Differences

Chapell observes: “The EU seems to be narrowing its definition of personal data at the very time where the US, led by state privacy law, has expanded its definition of personal data pretty significantly.” ([37:29])
The contrast has created challenging gray areas—what Chapell calls “Schrödinger’s data set, where a dataset can be both personal data and de-identified data.” ([37:29])

Robert Bateman’s Dual Role: Journalist and Consultant

Bateman values having journalistic breadth and speaks to the importance of understanding both sides of privacy debates ([35:05]).
- Bateman: “I can see the incentives and I can see the risks... it certainly helped me to make a name in the sector and meet lots of very interesting people primarily.” ([36:19])

Notable Quotes and Memorable Moments

On the Breyer case and IP addresses:
“It can be personal data if the person processing it has the legal means or reasonable means... to re-identify a person using that IP address.”
— Robert Bateman, [03:45]
On pseudonymization’s real value:
“The benefits of pseudonymization have been oversold by some people to suggest that it is equivalent to anonymization, which of course it’s not.”
— Robert Bateman, [07:08]
On transparency obligations:
“If you plan to strip out identifiers or pseudonymize data after you've collected it... you still need to tell people what you’re planning to do with it when you collect it.”
— Robert Bateman, [12:16]
On regulatory pragmatism and risk:
“I think from a pure privacy perspective, I don’t have an issue with people doing frequency capping and ad selection staff measurement without consent. I think that’s pretty harmless, to be frank.”
— Robert Bateman, [21:26]
On the reluctance for reform in the EU:
“No, I don’t see much appetite for it in the EU… There are DPAs that take much stronger and more absolutist views on privacy than the ICO.”
— Robert Bateman, [24:07]
On the importance of cross-border data transfers:
“So much of our services and goods come from the US, particularly in the digital space, that we need some way to facilitate the transfer of data back and forth… European civilization would probably collapse overnight.”
— Robert Bateman, [26:02]
On Schrems and NOYB:
“...NOYB can’t fund it. That’s just based on one comment he made in an interview more recently. So I don’t know if we’ll see a challenge from NOYB.”
— Robert Bateman, [32:24]
On industry polarization:
“Being able to view an issue from a number of different perspectives is a gift… People retreat into their camps and then they lob little… missiles or little paper airplanes at the other side. And that doesn’t facilitate exchange or… create a dialogue.”
— Alan Chapell, [36:19]

Important Timestamps

03:38 — Review of the Breyer case and the flexible interpretation of IP addresses as personal data
07:08 — Deep dive on the practical and legal value of pseudonymization under GDPR
08:32–11:46 — The SRB case explained: facts, the Court's decision, and implications for data handlers
12:16 — Real-world impact for ad tech and transparency requirements after SRB
14:25–17:09 — Profiling, consent, and regulatory drift in the EU
18:36–23:18 — New experiments by the UK ICO on cookies, tracking, and enforcement discretion
24:07 — Barriers to similar regulatory flexibility in the EU
26:02–34:35 — Cross-border data transfers: EU-US challenges, Safe Harbor to DPF, and looming litigation
35:05–37:01 — Bateman on balancing journalistic inquiry and consultancy in privacy/regulatory space
37:29 — Chapell’s closing remarks on global differences and future podcast guests

Resources & Further Reference

Privacy Partnership Podcast: Search for Robert Bateman’s show on your podcast app for weekly updates on privacy and tech law ([37:01]).
Monopoly Report: Subscribe for more in-depth analysis at monopoly-report.com

wavePod

Episode 48: The incredible shrinking definition of EU personal data

Powered by Wave AI

Summary

Podcast Summary: The Monopoly Report

Episode Overview

Key Discussion Points and Insights

Setting the Stage: Evolution of "Personal Data" in the EU

Tension between Pseudonymization and Broad Data Definitions

The SRB Case: Implications for Defining Personal Data

Impact for Digital Advertising and Ad Tech

Consent, Profiling, and Regulatory Tension in the EU

Regulatory Experiments: The UK’s ICO and E-Privacy Rules

EU's Appetite for Similar Reform

Cross-Border Data Transfers and The Data Privacy Framework

Reflections on Transatlantic Differences

Robert Bateman’s Dual Role: Journalist and Consultant

Notable Quotes and Memorable Moments

Important Timestamps

Resources & Further Reference

Summary

Podcast Summary: The Monopoly Report

Episode Overview

Key Discussion Points and Insights

Setting the Stage: Evolution of "Personal Data" in the EU

Tension between Pseudonymization and Broad Data Definitions

The SRB Case: Implications for Defining Personal Data

Impact for Digital Advertising and Ad Tech

Consent, Profiling, and Regulatory Tension in the EU

Regulatory Experiments: The UK’s ICO and E-Privacy Rules

EU's Appetite for Similar Reform

Cross-Border Data Transfers and The Data Privacy Framework

Reflections on Transatlantic Differences

Robert Bateman’s Dual Role: Journalist and Consultant

Notable Quotes and Memorable Moments

Important Timestamps

Resources & Further Reference