The CJEU: widening the definition of sensitive personal data

The CJEU: widening the definition of sensitive personal data

Entering the metaverse - what should Intellectual Property stakeholders be thinking about?

The Court of Justice of the EU (CJEU) has made a preliminary ruling that the disclosure of personal information that may imply a person’s sexual orientation constitutes the processing of “special categories” of personal data for the purpose of Article 9(1) of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR).

In the case of C-184/20: OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania), the CJEU is seen to have interpreted ‘data concerning a natural person’s sex life or sexual orientation’ widely given the data to be published was not inherently within the category of special category data. The court also looked at the grounds for processing of data and the balance between privacy and other objectives.

Background and facts

The case was a request for a preliminary ruling on the interpretation of Article 6(1) and 9(1) EU GDPR arising from the following Lithuanian anti-corruption case.

Lithuanian anti-corruption law required various public persons and those in receipt of government funding to complete and file online a declaration of interests which is published on the website of the Chief Ethics Commission and is therefore widely accessible. This information included the data subject’s name and other personal details, and those of any spouse or partner, as well as details of “close relatives” or other persons who may give rise to a conflict of interests.

In this case it was uncovered that OT, a company director in receipt of public funds, had made no such declaration and a decision was made against him for this failure, under those laws. 

This decision was challenged by OT, including on the grounds that the publication of such a declaration would adversely affect his private life and the private lives of other persons he would be obliged to also name.

Judgment  

In coming to their conclusion, the court asked:

Firstly, do Articles 6(1) and 6(3) of GDPR (and predecessor rules) mean that a national law cannot require the publication online of the declaration data?

Briefly, Article 6(1)(e) was treated as the lawful basis for processing - processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, with Art 6(3) requiring amongst other things that such processing is laid down by law and must meet a public interest objective and be proportionate to the legitimate aim pursued.

Although the court did consider that the limitation on privacy was laid down by law and that the objective of fighting corruption was a legitimate interest, it did not consider that publishing such data was necessary and proportionate to meet this objective. The information of a declarant was easily available on the internet with no access restrictions so viewable by anyone regardless of whether they had an anti-corruption interest. The public disclosure, online, of name-specific data relating to a person’s spouse, cohabitee or partner, etc, appeared to go beyond what was strictly necessary and the law did not sufficiently protect against the risk of abuse.

The court therefore concluded that the Lithuanian legislation violated the rights of the data subject.

Secondly, the CJEU considered how far publishing information such as the name of a spouse or partner, constituted the processing of special categories of personal data when considering Article 9(1) of the GDPR (and predecessor rules).

Article 9 EU GDPR prohibits (unless an exception applies) the “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural persons sex life or sexual orientation".

The particular data that had to be declared under Lithuanian law was not inherently special category data. However, the CJEU concluded, after considering settled case law, that the GDPR should be interpreted as meaning that the publication of such personal data on the public authority’s website was liable to disclose indirectly, sexual orientation because it may “reveal” someone’s partner to be of the same sex and therefore constituted the processing of special categories of personal data.

Moving forward

In this case the judgment effectively concludes that data relating to a natural person’s name, can reveal their sexual orientation, so this data is protected as special category personal data.

This ruling does follow previous judgments by the CJEU to interpret data protection definitions widely.

Even though this judgment is not binding on UK courts, the decision may be followed in approach by the UK. It is likely to be of particular importance and interest to any businesses processing data which may indirectly reveal any special category data, not just sexual orientation. The UK ICO Guidance already discusses the fact that data which “reveals” special category data (eg names) can be caught even though the data is not itself special category if it allows inferences of (eg) race to be drawn, but does also clarify that  “it is inappropriate to treat all such names as special category data in every instance, as this would mean you need a special category condition just to hold such names on a customer database, which is not the case.”

Contact our experts for further advice

Search our site