It’s a familiar situation. You’re in the pub, chatting with friends and making unflattering remarks about your neighbours. Until somebody (yes, that’s me) kills the vibe by asking: “Hey guys, wouldn’t it be fun to think about whether the GDPR applies to this conversation?”
I don't feel too bad about it, though, because there’s at least one other person out there who’s been thinking the same thing. In an opinion given yesterday by Advocate General Bobek of the European Court of Justice, Bobek said the following: “Humans are social creatures. Most of our interactions involve the sharing of some sort of information, often at times with other humans. Should any and virtually every exchange of such information be subject to the GDPR?”
Bobek — whom you may remember as having issued the ECJ’s AG opinions in the Schrems II, one-stop-shop and licence plate registration cases — makes a good point. Almost everything that we do now involves the use of technology that, strictly speaking, does or may constitute “processing” for the purposes of the GDPR. Should that make us potentially subject to its rules in all of our interactions?
The answer must surely be no — and indeed that’s usually how the law is applied in practice. But the concept of a de minimis threshold for ancillary or incidental processing is an interesting one when applied to activities conducted by entities that would typically be understood to operate as controllers (businesses, charities, etc.). Take the act of anonymising personal data, which the English Court of Appeal found did not qualify as processing within the meaning of the Data Protection Act 1998. That is an eminently sensible conclusion which could be applied more widely to certain processing activities, where, in the Court of Appeal's formulation, “common sense and justice alike” make it appropriate to do so.
To that end, I suspect Bobek is onto something when he says “the Court, or for that matter the EU legislature, might be obliged to revisit the scope of the GDPR one day”. Clearly, pub chat and the like should be off limits; in most cases, that's not what the GDPR is intended or designed for. But a conversation around whether all processing is equal, and what that means for the organisations that should be subject to the GDPR, would be most welcome. We can all drink to that, right?
Is every form of human interaction, in which information about other humans is being disclosed, regardless of the way it is being disclosed, supposed to be subject to its rather onerous rules?