Ways of excluding applicability of the GDPR
At a meeting summarising public consultations on a bill implementing the General Data Protection Regulation (GDPR) in Poland, the Ministry of Digital Affairs confirmed that during legislative work a change was approved providing for major exceptions to the GDPR. This change was proposed in October 2017 by the Ministry of Development. This proposed exception is an interesting example of how hard it can be to draft legislation properly aligned to the needs of a digital economy.
Ministry of Development: do not perform large-scale processing
The proposal by the Ministry of Development was not worded the same as the version ultimately adopted by the Ministry of Digital Affairs. The Ministry of Development proposed exceptions for undertakings which:
- Have a headcount of less than 250
- Do not process sensitive personal data such as genetic and biometric data, and
- Do not conduct processing on a large scale.
According to the statement of reasons for the exceptions, it is not reasonable for the exception to apply to SMEs whose core business is data processing. To avoid this, a condition was included that entities processing data “on a large scale” cannot be excluded. This prerequisite is a reference to recital 91 of the GDPR, which states that large-scale processing occurs when a considerable amount of personal data is processed which could affect a large number of data subjects, resulting in high risk, for example where in accordance with the achieved state of technological knowledge a new technology is used on a large scale.
Therefore, according to the wording of the exception proposed by the Ministry of Development, firms processing a considerable amount of data of a large number of people, as well as firms processing sensitive data, even in a small amount and of a small number of people, will continue to be fully subject to the GDPR.
Ministry of Digital Affairs: do not disclose
In turn, the Ministry of Digital Affairs envisages that an exception will apply according to slightly different rules, which are that an undertaking will be exempt if it:
- Has a headcount of less than 250
- Does not process sensitive personal data, and
- Does not disclose processed personal data to third parties unless there are legal grounds or the data subject has consented.
The ministry removed the condition of not processing on a large scale, finding this phrase to be “imprecise and not known in Polish legislation,” and replaced it with a requirement for non-disclosure to third parties. The ministry thereby adopted the view that it is irrelevant how much data is processed or how many entities the data come from. What is important is whether the data are disclosed to entities of some kind.
Data security first and foremost
It is difficult to estimate how this change will affect the number of exempt entities, i.e. whether there are more SMEs performing large-scale processing (and thus only exempt under the original version) or SMEs processing data even on a large scale but not disclosing the data (and thus exempt under the amended version). When devising the exception, lawmakers should however principally consider not how many entities are covered by the exception, but whether the exception applies solely to types of processing that do not give rise to a serious risk of personal data security being compromised. As the purpose of the GDPR is to protect personal data, an exception to this protection should apply in cases where the processing operations are secure per se, for example when the processing is limited to storage of data for a specific period.
An example would be a car wash where an employee records the customer’s vehicle registration number, name and telephone number, in order to inform them when the car can be collected, and then deletes that data. In such case, collection of personal data is in fact an incidental activity accompanying a different service, and the data itself are of little consequence to the service provider, who does not store the data, and in particular does not intend to use the data for marketing purposes or to create a database containing information about the market in future.
The best guarantee that the exception is appropriately restrictive would not be replacement of one prerequisite with another, but rather providing for both of them. Exemption from the GDPR on condition that the data are not processed on a large scale and are not disclosed would limit the exception to cases where collection of data was truly only an activity accompanying a service and the data are of little importance to the business itself.
Exemption (dis)proportionate to the objective
The retention of both of the prerequisites in question would also be the best guarantee that the exception would be proportionate and essential, because under Art. 23 GDPR, member states may restrict the scope of applicability of the regulation to a specified extent provided that the restriction is proportionate and essential in relation to one of the objectives listed in that provision. The Polish exception to applicability of the GDPR, in order to mitigate any obstacles that might arise for SMEs, can be classified as a measure serving the objective described in Art. 23(1)(e) GDPR, i.e. a measure that serves “other important objectives of general public interest of the Union or of a Member State”.
In light of CJEU case law, however, Poland should be ready to demonstrate that introducing an exception for SMEs does not exceed the measures necessary to achieve an essential objective in the general public interest of the state. Seen in this context, an exception that only requires that data not be disclosed might be hard to defend. This is because it could lead to exclusion of controllers of huge amounts of data, for example online shopping sites or mobile application providers if they process data independently and do not share the results of their analyses with anyone else, and thus avoid disclosing the data. At the same time, it cannot be ruled out that these entities’ data processing operations entail a low level of risk of data security being compromised. Moreover, there is some doubt whether this special treatment of controllers of this kind, who are frequently highly prosperous, can be deemed to be a measure essential to achieve important objectives in the public interest.
An exception more extensive than the rule?
Allowing an exemption that applies to undertakings with a headcount of less than 250 could also attract criticism. It is true that under the Commission Recommendation of 6 May 2003 this does not mean just persons with employment contracts, but all people working for an undertaking and subordinate to it who under national law are classed as employees. Nevertheless, this still means that 99.8% of all firms registered in Poland could potentially be exempt (Polish Agency for Enterprise Development figures for 2017). From this point of view the EU might object to this exception from the outset.
Meanwhile, this cannot be solved by lowering the threshold so that all of the requirements under the GPDR apply not only to large, but also for example to medium-sized businesses. This would decrease the percentage potentially exempt from almost 100% to 99%, while including small undertakings as well would reduce the percentage of those potentially exempt to 96%—as micro-businesses are the dominant form in Poland. This demonstrates that the problem is not selecting the correct value for the threshold, but the overall concept of setting the level in reference to headcount.
It cannot be assumed that firms meeting the low headcount criterion process data in a manner that does not give rise to a serious threat to data security. It is counterintuitive to expect these two aspects to correlate significantly in terms of numbers, bearing in mind that the firms processing data most intensively are firms providing services electronically, and these are often run by small teams of workers or even a single person.
Need for more precision
The above shows how difficult it is to devise a proportional exemption from EU provisions in a way that assures special treatment for those who need it (the smallest undertakings) but also reduces the level of security of personal data processing as little as possible. It is better to link the criteria for exemption with the scope and manner in which data are processed than with the number of peopled employed.
Inadequately defined terms such as “large-scale processing,” which the Ministry of Digital Affairs cites, should not be an insurmountable obstacle. While it is correct of the ministry to strive to ensure that terminology is precise, this should not be done by rejecting a particular concept just because a term is imprecise. Instead, an appropriate legal definition of the term should be devised.
Another solution leading to greater legal certainty might be drafting an appendix to the act stating the types of business activity that could be exempt in particular, perhaps through reference to the Polish Classification of Business Activities. A list of this kind, of specific examples, would give entities required to apply the GDPR a better understanding of the general norm providing for this exception.
Bartosz Troczyński