
CJEU Expands Scope of "Special Category Data"

Technology and Innovation Partner Davinia Brennan explores the implications of this significant judgment by the Court of Justice of the European Union.

CJEU adopts broad interpretation of special category data

The Court of Justice of the European Union ("CJEU") has adopted a broad interpretation of what constitutes special category data under the GDPR. The CJEU ruled that the processing of any personal data that are "liable indirectly to reveal sensitive information concerning a natural person" (i.e. any information that may reveal a person's racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation) constitutes processing of "special category data" under the GDPR, and that such data can only be processed where the controller has a lawful basis under Articles 6 and 9 of the GDPR.

Background

The CJEU's decision in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) arose following a referral from the Lithuanian Regional Administrative Court. The case concerned a Lithuanian law aimed at preventing corruption. The law requires people in receipt of public funds to declare certain information, which is then published online by the Regulator. The declaration includes information about the interests of their "spouse, cohabitee or partner", including their names, IDs and social security numbers; gifts worth over €150; and information about transactions in excess of €3,000. Whilst this information needs to be declared, there are exemptions as to what is to be published, including information such as social security number and special category data.

The Lithuanian Regulator found that a citizen had infringed the law by failing to lodge a declaration. The citizen, in turn, brought a court action seeking to annul that finding, and claiming that the declaration infringes Articles 6 and 9 of the GDPR, in respect of his personal data and any person he is required to name.

The Lithuanian Court asked the CJEU to confirm whether the publication of information that is "liable to disclose indirectly the…sexual orientation of a natural person" constitutes special category data, and requires a legal basis under Articles 6 and 9 of the GDPR in order to be lawfully processed. In this case the name of the citizen's spouse indirectly revealed the sexual orientation of the citizen.

CJEU ruling

The CJEU ruled that Article 9 of the GDPR must be interpreted as meaning that the online publication of name-specific data that is liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special category data.

The CJEU noted that the name of the citizen's partner was not inherently special category data under the GDPR. However, to the extent that it was possible to deduce information about the citizen's sex life or sexual orientation from the name of their partner, publishing the name involved the processing of special category data.

The CJEU noted, in particular, that the verb ‘reveal’ in Article 9 of the GDPR is consistent with the taking into account of processing not only of inherently sensitive data, "but also of data revealing information of that nature indirectly, following an intellectual operation involving deduction or cross-referencing".

Comment

Whilst the practical implications of this judgment are potentially significant, we await further clarity from the Data Protection Commission and/or the EDPB on the precise parameters of the judgment. Interestingly, the UK ICO's guidance on what constitutes 'special category data' similarly acknowledges that inferences can constitute special category data, but notes that "it depends on how certain that inference is".

It's noteworthy that the decision arguably conflicts with the EDPB Guidelines 3/2019 on the processing of personal data through video devices. Those EDPB Guidelines note that video footage showing an individual wearing glasses or using a wheelchair is not always considered to constitute special category data, even though it indirectly reveals information about a person's health. Rather, the EDPB indicates that if the video footage is processed for the purpose of deducing special category data (i.e. information about a person's health), then it constitutes special category data under the GDPR. For example, the EDPB notes that a hospital installing a video camera in order to monitor a patient's health condition would be considered processing of special category data, and would require a legal basis under Articles 6 and 9 of the GDPR.

Davinia Brennan, Technology and Innovation Partner, Matheson LLP
