Opportunities to reduce bureaucracy under GDPR after CJEU in EDPS v. SRB (C-413/23 P)
A new publication is available in the Computer Law Review International (CRi), Doc-Nr: CRI0087818.
Context
The article “Opportunities to reduce bureaucracy under GDPR after CJEU in EDPS v. SRB (C-413/23 P) - Transparency Obligations of Controllers and the Qualification As Personal Data” (paywall) must be read in context. Following the landmark decision EDPS v. SRB, a high-level analysis of the judgement was published. This article continues the analysis and tracks the court's understanding of GDPR core principles across several judgements. Further analysis will probably follow, also in light of the European Commission's Omnibus, which intends an overhaul of GDPR.
Overview / Abstract
The article analyses whether and how two core concepts of the GDPR require re-evaluation in the aftermath of the decision by the Court of Justice (CJEU) in EDPS v. SRB (C-413/23 P). To that end, the CJEU’s case law (i) on the controller’s transparency obligations and (ii) on the threshold for the qualification as personal data is examined. The examination culminates in two main questions: (i) Are procedural violations treated differently from substantial violations? (ii) Which elements prove relevant for the qualification as “personal data”, eventually triggering the controller’s transparency obligations?
The article introduces an additional concept of “non-/genuine identifiability” alongside common denominators such as “in-/direct”. This additional layer appeared necessary to draw a consistent line through the CJEU's past judgements.
Conclusion
Overall, the article connects several European judgements on core principles under GDPR. By introducing new concepts and denominators, the article points to elements where GDPR might benefit from structural and conceptual updates. Operationalising such updates will probably require further analysis. At the same time, any such update will likely reduce bureaucratic aspects while maintaining adequate data protection and consistency with longstanding European legislation and legal application.