The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Is there a specific amount of data which qualifies as “large scale” for the purpose of determining whether a Data Protection Officer must be appointed or a Data Protection Impact Assessment must be performed?
Answer: The term “large scale” is not defined in the GDPR, and while the Article 29 Working Party has issued some guidance concerning what does, or does not, qualify as large scale, it stopped short of providing a specific numeric threshold.1
The supervisory authorities of at least three Member States – the Czech Republic, Estonia, and Greece – issued their own interpretative guidance (some of it of questionable binding force) setting specific thresholds above which they considered it necessary to appoint a data protection officer (where the data is used for monitoring or consists of special categories of data) or to conduct a data protection impact assessment. The head of the supervisory authority of Estonia went so far as to state that the broader “European guidelines on DPOs and impact assessments are not helpful” and that a clearer bright-line cutoff was needed for organizations to understand when DPOs and DPIAs are required.2 In a social media post he stated that Estonia would assume that processing was “large scale” if it involved:
5,000 data subjects’ “special category” information,
5,000 data subjects’ criminal conviction information,
10,000 data subjects’ high risk data (under which he listed “payment services like online banking and credit cards data, digital trust services like e-signatures, communication data protected by communication secrecy, real time geolocation data, profiling with legal consequence . . . [or] non-public data about financial status”), or
50,000 data subjects’ “other” information.3
Pursuant to Article 35(4) of the GDPR, which requires each supervisory authority to communicate its list of the processing operations it considers to require a DPIA to the European Data Protection Board, Estonia submitted the above guidance to the Board for its consideration. The Board rejected the positions of Estonia (as well as those of the Czech Republic and Greece, which had offered their own numeric thresholds) and requested that each “Supervisory Authority . . . amend its list [of processing activities that require a DPIA] by deleting the explicit figures in the list . . . .”4 Following the EDPB opinion, it remains uncertain whether these Member States will still attempt to apply their numeric thresholds to processing that takes place only within their own borders.