The Polish government is considering exempting small- and medium-sized businesses from having to comply with key requirements of the incoming General Data Protection Regulation, causing alarm among privacy advocates, members of the European Parliament and the country's data protection authority.

The requirements that would be exempted for companies employing fewer than 250 people would include Article 13.2's obligation to tell people how long their data will be stored for and what their rights are regarding things such as objections to processing, demands for rectification and deletion, access to their data, data portability, and the right to complain to the Polish DPA, GIODO.

In a Tuesday statement, the Polish digital ministry said it would be difficult for small businesses to give all this information to customers, particularly over the phone.

The ministry had caused additional outrage by proposing to also exempt SMEs from having to abide by Article 13.1, which obliges them to tell people why their data is being collected and how it will be used. However, this week it did an about-turn and said this paragraph would remain in effect for small businesses.

"The Ministry will not be looking to have a general exclusion of Article 13. However, it plans on providing for certain limitations on the application of art 13.2 only, but still limited to a very small group of entrepreneurs," a spokesperson told Privacy Advisor on Tuesday.

It remains unclear whether small businesses will also be exempted from complying with other elements of the GDPR, in line with what the government previously suggested. These include paragraphs 3 and 4 of Article 15 (which allow people to request copies of personal data undergoing processing), Article 19 (obliging data controllers to tell recipients of data about rectification, erasure or restriction of processing), and Article 34 (covering communication of risky personal data breaches to the data subjects). 

The purpose of these exemptions would be to encourage entrepreneurialism and to promote the Polish economy, and the justification apparently comes from Article 23 of the GDPR. The exemptions are aimed at companies that only process personal data to conclude contracts and in the course of accounting, the government previously argued. 

It's also worth noting that the minister of development, responding to a consultation on the country's draft implementation of the GDPR, proposed several more exemptions that the digital ministry turned down. These included exemptions of Article 12 (transparent information about the data subject's rights), Article 14 (information to be provided where personal data has not been obtained from the subject), Article 17 (right to erasure), Article 18 (right to restriction of processing), and Article 21's right to object to processing including profiling.

Nonetheless, despite the digital ministry's relatively narrow set of proposed exemptions, key observers are appalled. 

"The proposed exemption is too broad and does not fulfill the requirements of restriction of the obligations and rights provided for in Article 23 of the [GDPR]," said Edyta Bielak-Jomaa, the Inspector General for Personal Data Protection.

Bielak-Jomaa noted that Article 23 does allow member states to introduce restrictions on certain obligations and rights, but not to introduce exemptions. The article allows "necessary and proportionate" measures to safeguard member states' "important economic or financial interest," but such a proposal would need a lot of detail that hasn't been included here, such as safeguards against abuse, she added.

"Undoubtedly, exclusion of the provisions concerning exercise of the data subjects’ rights constitutes interference in [people's] fundamental rights and freedoms. It is hard to accept that exclusion of exercise of certain rights of persons is necessary and proportionate for the protection of important economic interest of the state, which is development of enterprises employing up to 250 employees," Bielak-Jomaa said.

Marcin Lewoszewski, legal counsel with Kobylańska & Lewoszewski Attorneys, also argued that the exemptions would disrespect fundamental rights and freedoms. He said that exempting only Article 13.2 would not fix the concerns.

"There are two issues here. One is that the transparency which is at the heart of GDPR will be still limited. According to the draft law and the announcement, in my view some categories of data subject will not be provided with sufficient information to benefit from some of their rights arising from the GDPR," Lewoszewski said.

 "The second problem is scale – we may expect that data controllers hiring less than 250 employees are a significant part of Polish entrepreneurships. Thus, the exemption can potentially have unexpected and negative impact on consumers in Poland. Probably the solution lies somewhere in the middle, meaning that the 250 employees limit could be much lower, so the impact of the exemption is not that significant. This however requires public discussion and additional analysis from the Ministry."

A common theme among the proposal's critics is the idea that they would hurt, rather than help, Polish small businesses. "I believe that the exemptions restricting the rights of each of us will not at all facilitate, in the long term, the lives of entrepreneurs, who could lose trust of their customers through such solutions," said Bielak-Jomaa.

 Katarzyna Szymielewicz, the president of the Panoptykon Foundation, an anti-surveillance NGO, said businesses would not save money by giving people less information, and suggested the government was just trying to appear industry-friendly.

"[The government] could do a lot in areas where the obligations are much heavier than those they want to exempt, such as risk assessment or privacy by design or data security," she said. "By developing standards and guidelines, and helping them to do risk assessments, you could do many things to show your support for SMEs without creating dangerous exemptions."

The exemptions might even create added risks for small companies, Szymielewicz argued, because if they make the wrong decisions when trying to follow the exemption, they could face sanctions from GIODO. 

Jan Philipp Albrecht, the German Green MEP who was a key player in the GDPR's formulation, said in a tweet that the Polish DPA would have to follow the EU regulation first and foremost. He also suggested that, if the Polish government does try to go ahead with this element of its GDPR implementation, the European Commission "would have to intervene." 

Is the Commission keeping an eye on the Polish developments? Not yet — at least not formally. "The Commission will continue working with member states in the lead-up to May 2018. From May 2018 onward, it will monitor how member states apply the new rules and take appropriate action as necessary," a spokesperson told The Privacy Advisor.

The Commission spokesperson added that the justice directorate would publish a guidance document on Wednesday to help member states and companies prepare for the GDPR's introduction on May 25.

Lukasz Olejnik, the cybersecurity and privacy researcher who sparked interest in the Polish proposals with a tweet last week, noted that the proposed exemptions would lower the level of protection provided by Poland's current data protection law. He also pointed out that Poland was not the only EU country looking to deviate from the regulation's bloc-wide norm.

"It's already quite clear that there will be some inconsistencies among the member states. Some intend to make public institutions not subject to GDPR fines, for example, Ireland, France or Poland. France also thinks about restricting the applicability of certain articles, but so far I did not see anything exceeding the options made available by Article 23," Olejnik said. "The big picture that is starting to emerge is that GDPR in Europe might be much more fractured than it was initially assumed."

photo credit: flowercat Exempt via photopin (license)