Background

On 1 August 2022, the Court of Justice of the European Union (“CJEU”) issued a decision (“Decision”) clarifying how the indirect disclosure of sexual orientation data is protected as special category data under Article 9 of the EU General Data Protection Regulation (“GDPR”). “Special Category Data” is defined within Article 9(1) of the GDPR and includes (for example) a data subject’s racial or ethnic origin or data concerning a natural person’s sex life or sexual orientation. The processing of such sensitive personal data is expressly prohibited, unless the processing is exempted from the prohibition in the sense of Article 9(2) GDPR.

The case

The facts of the case involved the head of a Lithuanian public institution that receives public funds, which required by law, that individual to provide a declaration of private interests.  That declaration was then published on the website of the Lithuanian Supreme Commission for Service Ethics.

The questions presented to the CJEU concerned whether the publication of the content of this declaration affects the declarant’s right to privacy, as well as that of the other persons who must be included in the declaration, e.g., partners, spouses.  The referring court had thought such violations likely since the required information may reveal information about the declarant’s family and personal relationships and thus details about the declarant’s sex life / sexual orientation and other Special Category Data, thus requiring specific legal bases for processing and specific safeguards.

CJEU Ruling

The CJEU has confirmed that in a situation where an organisation can draw inferences about Special Category Data” by performing an “intellectual operation involving comparison or deduction” or “cross-referencing” on personal data, this will constitute the processing of Special Category Data, even though the personal data processed does not directly disclose any Special Category Data. The CJEU justified their ruling with an interpretation of the wording and the purpose of Article 9(1) of the GDPR, namely to ensure enhanced protection regarding the processing of Special Category Data. The CJEU clarified via a contextual and grammatical analysis of Article 4(15) of the GDPR and recital 35 of the GDPR that the verbatim “reveal” in Article 9(1) of the GDPR relates not only to express disclosure but also covers revelations by deductions. According to the CJEU, the concept of Special Category Data is to be interpreted very broadly and it is unclear where to draw the line.

Implications and steps to be taken by organisations

The Decision represents the CJEU restating the careful treatment of Special Category Data under the GDPR, with the potential for widespread consequences. By way of example and further applying the rationale from the Decision, the publication of an individual’s donation to a particular cause, charity, or political party could indirectly reveal data Special Category Data (such as their political or religious beliefs).

Step 1: Revisit the scope of data processing

It is this indirect nature of deducing Special Category Data which is particularly pertinent to organisations, who will now need to revisit the scope of their data processing activities to ensure that it is not possible for them to indirectly infer Special Category Data by conducting such processing.

Step 2: Establish a legal basis for processing under Article 9 of the GDPR

As a result of this reassessment, organisations might need to update their privacy policies and potentially reach out to data subjects for their explicit consent to process the personal data deemed to be Special Category Data based on the Decision. It is crucial that organisations ensure an appropriate legal basis for processing under Article 9 of the GDPR as data protection authorities act harshly in the event of a violation. For example, in May 2022, the German BREBAU GmbH was issued with a fine of €1.9m Euros for processing Special Category Data without a legal basis (this inter alia concerned data relating to tenants’ and prospective tenants’ ethnicity). Also, in May 2022, the Information Commissioner’s office (ICO) fined the facial recognition database company Clearview AI Inc. £7.5m GBP after having violated, among other provisions, Article 9 of the GDPR.

Conclusion

Most organisations, when developing their compliance programs, would not interpret Special Category Data so broadly to cover inferences or deductions. Therefore, organisations should reevaluate their compliance as soon as possible and make the necessary adjustments to take the Decision into consideration. Controllers must satisfy certain requirements above the standards of processing “ordinary” personal data before processing Special Category Data, such as identifying a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9 of the GDPR. This ‘indirect’ processing of Special Category Data could require organisations to obtain explicit consent from individuals as it may be the only viable legal basis under Article 9(2) of the GDPR since processing necessary “for the performance of a contract” or “legitimate interests” are only valid legal bases for processing under Article 6 of the GDPR. Under specific circumstances, organisations may however be able to rely on other legal bases of Art. 9 GDPR (e.g. pursuant to Art. 9(2)(h) GDPR, in cases where processing is necessary for purposes of preventive or occupational medicine, for medical diagnosis, or the provision of health or social care).