Earlier this month, a case referred by the Regional Administrative Court of Lithuania to the CJEU, OT v Vyriausioji tarnybinės etikos komisija, resulted in a landmark judgment that included a broad interpretation of what constitutes special category personal data, which should give pause for thought to all organisations processing personal data.
This article explains the potentially significant implications of this ruling and outlines key considerations in reviewing your organisation’s processing activities where it acts as data controller.
Background
A Lithuanian national law, aimed at exposing conflicts of interest and preventing corruption, mandated certain persons in receipt of public funds to provide information regarding their own private interests and those of their “spouse, cohabitee or partner”. This declaration, containing personal data, would then be published online, including the individuals’ names. The Lithuanian Court referred two questions to the CJEU, one of which considered whether Article 9 GDPR was engaged by the publication of information, including data that make it possible to determine a person’s political views, trade union membership, sexual orientation and other personal information.
Article 9 GDPR expressly prohibits processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of such data may only be lawful where an exemption under Article 9(2) can be identified, such as explicit consent.
Determination of the CJEU
There has been ongoing discourse on whether certain sensitive data “inferred” from personal information can be considered to fall within the definition of special category data under GDPR. In its ruling, the CJEU held that data which could “by means of an intellectual operation involving comparison or deduction” reveal a person’s sexual orientation is special category data, and so the general prohibition on processing such data applies. In the case being considered by the CJEU, publication of a spouse or partner’s name was considered to be processing of special category data.
Notably, a person’s name is not listed as special category data under the GDPR. The matters before the court essentially turn on the word “reveal” in the definition of special category data under Article 9. Publishing the name of an individual’s spouse could reveal data concerning a natural person’s sex life or sexual orientation, albeit indirectly. The judgment confirms that inferred data is personal data. Indeed, the judgment considered not only the wording of Article 9, but also its purpose or intent: to ensure the highest level of protection for the categories of personal data which, when processed, pose the highest risk to the rights and fundamental freedoms of data subjects.
The CJEU has settled an issue in respect of which European supervisory authorities had adopted contrasting positions. The matters before the Court had previously been considered in the context of processing of personal data relating to users of Grindr. Specifically, supervisory authorities had considered whether such data should be considered to be special category data on grounds that information about the individual’s sex life and/or sexual orientation could be inferred from the fact that they were a registered user of Grindr – thus constituting special category data. In considering complaints relating to the processing of data by Grindr, the Norwegian supervisory authority held that it was special category data, while in considering the very same matters, the Spanish DPA had found the contrary.
Impact for data controllers
The significance of this judgment for data controllers cannot be overstated. The CJEU has now provided some certainty that the broader interpretation of special category data is necessary if the “effectiveness” of the protections of the fundamental rights and freedoms of data subjects “are not to be compromised”. For data controllers, however, navigating compliance may now seem far from certain.
Organisations are now required to review their existing processing activities to consider whether any personal data they process could be considered to indirectly reveal information concerning the data subject’s health, sex life or religious beliefs, among other categories of sensitive data. Unless an exemption to the general prohibition on processing such information can be identified, such processing may be unlawful.
The implications for industries, such as targeted advertising, which are built on inferred data or data from which inferences can be drawn, such as location data, are obvious. Processing of location data that reveals a person’s regular visits to a church or mosque, and is therefore capable of revealing religious beliefs, could now be subject to a general prohibition under GDPR. There are implications for all industries, however, with every organisation processing personal data now required to re-evaluate its processing activities. Indeed, simply asking an employee or an event attendee about their dietary requirements could result in the processing of data from which religious belief or health data could be inferred.
Trilateral’s Data Protection and Cyber-risk team have data protection specialists with extensive expertise and experience in reviewing the lawfulness of data processing activities. Please feel free to contact our advisors, who would be happy to speak with you about your compliance needs in light of this judgment.