A group of prominent trade bodies recently posted an open letter to the European Data Protection Unit giving their views on a planned consultation on anonymisation and pseudonymisation. We agree with these trade bodies’ view that ‘the ability to use, share, and protect data responsibly underpins both competitiveness and societal progress’. However, we also consider that data is the lifeblood of the digital economy and can be freely used unless it is confidential or there is some other good reason for its protection (e.g. copyright). This is the issue we are struggling with: not all data is so special that it can’t be shared. The GDPR applies only to personal data – not all data.
The Court of Justice of the European Union (CJEU) in case C-413/23 EDPS v SRB provides SMEs with freedom, but the trade associations are proposing complexity: complexity in the form of extensive guidelines, and in the form of unnecessary overhead and bureaucracy, presumably by inserting themselves as bodies that can certify their “formal compliance mechanisms and certification schemes”, giving them an additional role and income. This suggestion adds an unnecessary and unwelcome limitation on the freedom that clear law supplies.
We’re at a moment in time when regulators and legislators are looking to boost growth by reducing administrative burdens, especially on smaller businesses, and privacy is a key area for this. Adding friction to a simple process through more and more pages of compliance mechanisms and codes of conduct will benefit only the tech platforms that have the resources to handle it, disadvantaging smaller, independent businesses.
We do not need another layer of overhead in the form of additional administration and cost – we simply need the EU’s Digital Omnibus to recognise and allow the use of anonymised digital match keys and contracts safeguarding that anonymisation and privacy protection. We agree the SRB case is an important clarification. That case states that data which is anonymous or anonymised and subject to contractual safeguards that prevent reidentification is enough for GDPR compliance – that principle just needs to be used and applied.
Privacy legislation worldwide is in the mess it’s in because, at every stage of the process, additional legislation, compliance mechanisms, codes of conduct and guidance schemes add confusion and remove clarity. We don’t need any more complexity; we need to apply the law and comply with the law.