EU court: data attributes revealing sensitive personal data can be ‘special category’ data

Out-Law News | 05 Aug 2022 | 5:04 pm | Reading time: 4 min.

Publication of widely used personal data attributes, such as a person’s name, can reveal sensitive personal information about someone else and their disclosure can therefore be prohibited under EU data protection law, according to a new ruling.

The Court of Justice of the EU (CJEU) ruled that any data capable of revealing sensitive personal data of an individual by means of an ‘intellectual processing operation’ – for example, comparison or deduction – falls within the umbrella of ‘special category’ personal data under article 9 of the General Data Protection Regulation (GDPR), to which strict data protection laws apply. In this case, the CJEU said it was possible to determine an individual’s sexual orientation through publication of the name of his spouse.

Amsterdam-based data protection law expert Andre Walter of Pinsent Masons said the judgment highlights how important it is for organisations to consider the full context when determining whether it is lawful for personal data to be disclosed.

The General Data Protection Regulation (GDPR) governs the processing of personal data. Particularly stringent rules apply to personal data that falls within the umbrella of ‘special category’ data – processing of the data, which includes its disclosure, is generally prohibited, though can be justified if rigorous conditions are met. Data concerning a person’s sexual orientation constitutes special category data under the GDPR.

The case before the CJEU concerned a dispute that has arisen before the courts in Lithuania between a director of a Lithuanian environmental protection company that has received public funds and an ethics commission.

The dispute concerns a Lithuanian law on reconciliation of interests that requires persons working in the public service to make public disclosures of private interests. The disclosures are published on a register that is publicly accessible on the internet and are designed to offer transparency over and prevent conflicts of interests and corruption in the public sector. The ethics commission oversees compliance with the law.

The director has challenged the disclosure requirements before the Lithuanian courts. The man has argued that publication of the information he has been obliged to disclose would adversely affect his and others’ personal right to privacy. However, the ethics commission has argued that there is justification for interference with the private lives of the director and his spouse in the law on reconciliation. A regional administrative court in the country’s capital, Vilnius, subsequently asked the CJEU to help it interpret EU law relevant to the dispute.

The laws relevant to the dispute contain conflicting provisions. On the one hand, Lithuanian law mandates disclosure of private interests to prevent conflicts of interests and corruption in the public sector, and on the other EU data protection laws effectively limit when personal data, and special category data in particular, can be disclosed.

The CJEU held that the Lithuanian law on reconciliation of interests pursues legitimate purposes in the public interest of seeking to “strengthen the safeguards for probity and impartiality of public sector decision makers, to prevent conflicts of interest and to combat corruption in the public sector”. However, it said that EU law precludes publication of some information under the Lithuanian law since it constitutes an unjustified serious interference with privacy rights and rights to the protection of personal data.

The ruling specifically precludes online publication of “name-specific data” that relates to a person at the head of an organisation in receipt of public funds or to their “spouse, cohabitee or partner, or to persons who are close relatives of the declarant, or are known by him or her”.

The CJEU also said that the online publication of personal data within declarations of private interests is “liable to disclose indirectly the sexual orientation of a natural person” and “constitutes processing of special categories of personal data” under the GDPR. It will be for the Vilnius court to determine whether the data subject to disclosure in this case is special category data.

According to the CJEU, the Lithuanian court is of the view “that it is possible to deduce from the name-specific data relating to the spouse, cohabitee or partner of the declarant certain information concerning the sex life or sexual orientation of the declarant and his or her spouse, cohabitee or partner”, even though the data to be published under the Lithuanian law on reconciliation of interests “are not, inherently, sensitive data”.

Andre Walter of Pinsent Masons said that though the circumstances of this case are quite specific, it is possible to imagine many other scenarios in which the ruling could be relevant to an organisation’s processing of special categories of personal data.

For example, sensitive data about a person that qualifies as special category data under the GDPR – such as their religious or philosophical beliefs, trade union membership or political opinions – could also be deduced from other information, such as from details published about their donation to a particular NGO or charity.

“In my experience, some organisations mistakenly think that applying risk mitigation measures to data will be enough to change the way that data has to be treated under data protection law – from special category data to just ‘ordinary’ personal data,” Walter said. “Examples would be aggregating data gathered from diversity and inclusion surveys, or pseudonymising health data. Businesses think that by taking this step they can avoid having to rely on the very limited exceptions for processing special category data outlined in Article 9 of the GDPR.”

“However, what this ruling highlights is how broadly personal data is defined in the EU, since it captures any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly. By extension, if it is possible to indirectly deduce sensitive characteristics about a person from a reading of other personal data, the personal data in question will qualify as special category data – and no amount of risk mitigation measures to that data can remove its classification as special category data, meaning businesses will need an Article 9 exception to process that data lawfully,” he said.