While Article 30 of the European Union Data Protection Regulation (hereinafter ‘GDPR’) is often discussed for the record-keeping obligations it imposes, little attention is paid to the exemption it provides to small organizations. The provision exempts organizations with fewer than 250 employees from the record-keeping obligations under the GDPR.
The exemption can be availed of if one of the following conditions is met:
- The processing that the organization carries out is not likely to result in a risk to the rights and freedoms of data subjects;
- The processing is not occasional; or
- The processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
The intent behind this provision seems to be to give small organizations relief from administrative and other record-maintenance costs.
The provision has to be viewed against contemporary events. Ever since the controversy over WhatsApp’s new privacy policy, alarmed people and data enthusiasts alike have been trying to find alternative platforms. One of these platforms was Signal. Though the policy did not apply to the European region because of the GDPR, had it applied, the movement of a large number of people in this region to the alternative platform would have been massive.
According to sources, the Signal app, which was viewed as an alternative to WhatsApp, became a sensation. The company (Signal) had fewer than fifty employees. This effectively means that if Signal had been in the European Union, it would have been eligible to claim the exemption under Article 30(5) if it met just one of the three conditions.
The author contends that the provision (Article 30(5)) in its present form has the potential to be misused. The problem arises from the vagueness of the criteria in this provision and the way it is drafted.
Firstly, the manner in which the clause is drafted provides an easy way to bypass the record-keeping obligations set up in Article 30(5) by meeting the employee-strength criterion and just one of the three other conditions.
Secondly, the use of a vague term leaves it open to misuse. According to one of the conditions in Article 30(5), the processing needs to be ‘not occasional’, which is the wording the GDPR employs. The term ‘occasional’ is a vague one and is nowhere defined in the GDPR. The literal meaning of the word occasional is occurring, appearing, or taken at irregular or infrequent intervals. It is pertinent to point out that all of these words lack a quantitative threshold and are therefore subjective.
In a scenario such as a surge in usage of an application, the record-keeping obligation might be bypassed easily because there is a dynamic increase in the number of data subjects (provided the employee strength remains below 250). This is because a general messaging application would at the least process a person’s phone number, which is personal data. In the absence of any quantitative restriction, the organization will have a justification.
While it might be argued that Data Protection Authorities robustly monitor compliance with record-keeping obligations and can therefore initiate penalties under the GDPR, it is important to note that this would not encourage the ideal approach of organizations being proactive about privacy concerns; rather, they would be reactive.
To conclude, the present issue can be resolved by introducing a quantitative threshold or by defining the word ‘occasional’.
If the GDPR is being interpreted in the way the author describes then it would result in a wide gap (although even then the mere fact documentation duties don’t apply wouldn’t absolve controllers from more substantive data protection duties). But the wording is much more restrictive since it states that even if the controller has fewer than 250 employees then (unless a specific exemption is established for e.g. journalistic processing which is the case in some States) some documentation would apply unless all (rather than only one) of the potential exemptions applied, namely (i) processing is not likely to result in a risk to the rights and freedoms of data subjects, (ii) the processing is only occasional, (iii) the processing does not include any special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10. This is certainly the ICO’s understanding too (the fact that it’s now the UK rather than the EU GDPR would not make a difference on this point): https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/documentation/. So Signal would only not have any documentation duties if its processing didn’t pose any likely risk to rights and freedoms and was not occasional and did not involve special or criminal-related data. This seems very unlikely. Given that it does look likely that Signal is targeting goods and services at the EU market then it would clearly come within the GDPR’s jurisdiction under Article 4(2)(a) and so would be subject to documentation duties. Examined from another perspective, Article 30 would appear to require of large controllers (which from what is stated would not include Signal) comprehensive documentation of absolutely all processing of personal data, even if this posed no risk and even if this was occasional.
That is likely to be extremely difficult given the diversity of processing going on and, given the lack of clear “value add”, could reasonably be seen as excessive bureaucratic red tape.