How Much Sensitive Data Are You Processing?
A recent CJEU judgment[1] means that organisations may be processing far more sensitive or “special category” data than previously thought. We look at the implications of this important judgment and how organisations should be responding.
Background
The case involved a Lithuanian law that required individuals working in the public service to make several declarations about their private interests. These included details of the individual's spouse, partner or cohabitee, including their name, which were then published online in a publicly accessible register.
One individual refused to comply with the law and challenged its compatibility with EU law. In referring questions to the CJEU, the Lithuanian court sought guidance on whether the disclosure of the name of an individual's spouse, partner or cohabitee was subject to the restrictions in Article 9(1) GDPR. Article 9(1) GDPR prohibits the processing of various categories of sensitive data, such as data concerning sexual orientation, unless one of the limited number of exemptions under Article 9(2) GDPR applies.
Judgment
The CJEU held that disclosing the name of an individual's spouse, partner or cohabitee triggered Article 9 GDPR. It said the appropriate test was whether the information was capable of revealing sensitive information, here sexual orientation, whether directly or indirectly. As the Lithuanian court had found that “it is possible to deduce from the name-specific data relating to the spouse, cohabitee or partner of the declarant certain information concerning the sex life or sexual orientation”, the CJEU held that this was enough to trigger Article 9. It was irrelevant that the information was not inherently sensitive, and irrelevant that the public authority disclosing it had no intention of deducing anyone's sexual orientation. The fact that the deduction was possible was sufficient.
The CJEU relied heavily on the underlying objective of Article 9 GDPR to ensure a high level of protection for this type of data and said a narrower interpretation would deprive individuals of such protection.
Analysis
A challenge with the judgment is the fairly limited analysis on the scope of Article 9(1) GDPR. The law itself was deemed to be highly intrusive and, on the facts, one can see how the disclosed information could be problematic and an inference could be drawn about the public individual’s sexual orientation. However, the reasoning in the judgment means that Article 9(1) GDPR applies to a controller's processing of data where it is possible a third party could subsequently draw an inference about a sensitive characteristic from that data being processed and other data available to the third party. As the Advocate General opined: “[s]uch an approach is, admittedly, not unproblematic".
The CJEU is pushing for a very expansive interpretation of sensitive data in the same way it expanded the definition of personal data over the last decade by relying on the concept of indirect identification. Notably, the CJEU seems to go beyond the position of the EDPB in Guidelines 3/2019 on processing of personal data through video devices.[2] These guidelines had distinguished between a hospital using CCTV which would invariably record footage of individuals with health issues and the use of CCTV used in the treatment of a patient. The EDPB said only the latter would be subject to Article 9 GDPR because in that case the controller was processing video footage to deduce information about a sensitive issue.
Impact
Organisations now need to carefully assess whether they are processing more sensitive data than they previously thought. In many cases, there is a real risk that they are. For most organisations, this means more risk and difficult decisions to make. Processing sensitive data without an Article 9(2) GDPR exemption is a very serious infringement, and for most organisations the only available derogation is explicit consent, which is often impractical or impossible to obtain.
The processing an organisation engages in therefore needs to be reviewed for the risk that Article 9 GDPR could be triggered. As the Advocate General stated: “the determination of the purposes but especially of the means of the processing will have to be subject to a particularly attentive evaluation including the potential processing of sensitive data".
In practical terms, organisations should consider the following issues:
- Is it possible that someone could infer or deduce something about an individual's sensitive characteristics from the information being processed, alone or in combination with other data available to them?
- If that risk is present, how can it be reduced in practice?
  - Ensure the collection and processing of data is limited to what is strictly necessary. Do you really need to collect each data point, or are there alternatives?
  - Implement policies that reduce the risk of sensitive information being inferred, for example strict retention and deletion periods, and restrictions on re-using data for additional purposes or combining it with third-party data sources.
  - Limit disclosure of data to what is strictly necessary. Publication to the public or to a wide group increases the risk of Article 9 GDPR being engaged and was a major factor in this case.
  - Consider whether de-identification or pseudonymisation measures can be applied to the data, either at the time of collection or at the time of disclosure.
- Keep a record of decisions made in borderline cases where the view was taken that Article 9 GDPR was not engaged, together with the reasons for that view.
What next?
This will not be the last judgment of the CJEU on sensitive data. However, those hoping the next judgment will be more pragmatic and allow organisations to impose reasonable limits on Article 9(1) GDPR may be disappointed. The Advocate General in the Meta Platforms v Bundeskartellamt case[3] has taken a similarly broad view of when Article 9(1) GDPR applies. As such, organisations should expect this expansive interpretation to prevail.
It remains to be seen how supervisory authorities and the EDPB will react to the judgment, and whether we will see guidance issued or these standards enforced in practice. The net impact for organisations, however, is that there is yet another risk assessment to carry out before engaging in processing, and another set of mitigations to put in place.
For more information, contact a member of our Privacy and Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
[1] OT v Vyriausioji tarnybinės etikos komisija, Case C‑184/20
[2] Guidelines 3/2019 on processing of personal data through video devices, sections 62 to 64.
[3] Meta Platforms and Others v Bundeskartellamt, Case C‑252/21