legitster 5 hours ago

Let me steelman the new proposal a little bit:

You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup. Does it make sense to call this data sub-processing? Eh? Maybe? (To my knowledge, I don't know if any examples like this actually caught any enforcement.)

Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235). You still can't share sensitive identifiers (name, address, email, login, etc).

Obviously the elephant in the room is AI and training data. But this also simplifies a lot of the ticky-tacky areas in GDPR where PII rules are opaque and not-consistently enforced anyway.

tavavex 4 hours ago

> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes! Not only is there information on gender, but also people's height and weight and maybe even family makeup.

That seems like a very long stretch. First of all, why assume that clothes sizes constitute PII at all? The store never asks me for my height, weight or family relations. It asks me what item variants I'd like to order. Even if the item size happens to match me, there's no telling that I'm ordering it for myself. They're just fulfilling an order that's built to my request, not collecting my biometrics. It would have to be an insane world in which "Supplier, send me 20x unisex medium sizes with XYZ illustration" is considered a breach of privacy.

Each time the GDPR comes up, there are so many hypotheticals that never happened (and likely can't happen) in the real world, when the much simpler line of reasoning is that privacy regulation is digging too much into the profit motive of corporations and the US at large, so the sore thumb that is the EU needs to be pushed back in line in their minds.

Tracking and ad companies don't need your real name or email to track you across the internet. And even if they did want that, with a large enough corpus of data, a social media company can probably deduce who most people are anyway based on their behavior even if they're technically marked with an "anonymous identifier". Letting business identify you in any way and trade that "anonymized" data back and forth will effectively be a reversal to full tracking.

gcbirzan 3 hours ago

> You run a merch store. You want to share with your suppliers order data so that you can get the right number of sizes/colors/etc. Is this PII under GDPR rules? Technically, yes!

Not at all. Your shirt size is not PII. Given this information, you couldn't be identified.

> Under the new proposal, sharing this data is okay, so long as you use pseudo-anonymous identifiers (customer-1234, customer-1235).

This was okay even before. Given this information (and your shirt size), you couldn't be identified.

l-one-lone 3 hours ago

I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping. What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.

The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established)? What about cryptographically hashed values of your social security number (easy to break)?