On 1 August 2022, the CJEU issued a Decision likely to have a major impact on the way organisations process special category data.
The CJEU confirmed that, where an organisation is able to draw inferences about sensitive or "special category" data (like someone's political affiliation or sexual orientation) by means of an "intellectual operation involving comparison or deduction" from the data, this will constitute processing special category data.
While this Decision is more a restatement of the existing position than a seismic shift in the GDPR's interpretation, the consequences of this explicit clarification are likely to be significant.
With such clear guidance, regulators may be further emboldened to take action against organisations whose businesses depend most heavily on bulk collection, cross-referencing and extrapolation of multiple data points from their users in order to learn as much about them as possible.
However, the effects of this Decision will be felt by businesses of all sizes and across all sectors, especially those that infer health information, such as through health tracking apps. Many organisations will need to start treating swathes of information not previously considered to be sensitive with additional protection, creating a material compliance challenge.
The underlying case involved a Director (OT) of a Lithuanian organisation, which received public funds in order to pursue its objectives in environmental protection. By virtue of his position, OT was subject to the Lithuanian "Law on the Reconciliation of Interests" (LRI), which requires individuals working in the public service to declare their private interests to guarantee impartial decision making and prevent corruption. The LRI requires these individuals to lodge a declaration with the Chief Ethics Commission (CEC) specifying (among other things), the declarant's:
- name, ID number, social security number, employer(s) and duties
- the legal person of which the declarant or his or her spouse, cohabitee, or partner is a member
- membership of undertakings, associations or funds and the functions carried out (except political parties and trade unions)
- gifts received during the last year (other than from close relatives) with a value above €150
- transactions concluded during the last year with a value above €3000
- close relatives or other persons known by the declarant liable to create a conflict of interest
The LRI also requires that this data be published on the CEC's website (with the exception of ID numbers, social security numbers, and "special personal data"). The questions put to the CJEU by the referring Lithuanian court can be summarised as follows:
- Was it proportionate for the LRI to require the publication of all of this personal data on the CEC website; and
- Was the requirement within the LRI to publish details of the declarant's spouse/cohabitee/partner consistent with the requirements of Article 9(2) of the GDPR (the conditions for processing special category data); in particular because those details could allow inferences to be drawn about the declarant's sexual orientation. Essentially, the Court was being asked whether information that Mr X is married to or cohabits with Mr Y or Mrs Z constituted special category data, since Mr X's sexual orientation could be inferred from it (even if the inference was wrong).
On the first question, the CJEU first acknowledged the substantial public interest in avoiding corruption and preventing conflicts of interest, and that it was justifiable to impose requirements for decision-makers to declare private interests to the CEC even if this led to a limitation on the declarant's fundamental rights to data protection and to private and family life under the ECHR. However, the CJEU found that the requirement to publish that information on the internet was disproportionate, in particular:
- While the CEC argued that publication of the details acted as an effective deterrent to corruption, checks on the content of the declaration by the CEC would also have been highly effective
- The CJEU rejected the CEC's argument that it lacked sufficient resources to exhaustively check each declaration; a lack of resources cannot justify the infringement of the declarant's fundamental rights
- Even if some form of publication were deemed to be necessary as a deterrent, no assessment was undertaken as to whether publication to a more limited population would have been equally effective
- Publication to internet users at large exposed declarants, their relatives and associates to a number of risks, including targeted advertising and even criminal behaviour. Yet the public interest in avoiding corruption in public office does not apply to these individuals and no consideration was given to implementing any appropriate safeguards. In particular, anonymising the spouse/partner/cohabitee of the declarant would have been equally effective, while avoiding the data protection risk to these individuals.
Perhaps unsurprisingly, the CJEU found that the LRI failed to strike an appropriate balance between the public interests it served and the rights of the relevant data subjects. The Court found that it would have been sufficient to require a declaration of interests and for the CEC to conduct appropriate checks. The CJEU also found it disproportionate to publish details of all transactions with a value above €3000 since that information, taken cumulatively, would allow any internet user to build up a particularly detailed picture of the data subjects' private lives.
The CJEU's ruling on the second question is confined to two pages but the impact of these few paragraphs could be huge. The Court ruled that the publication of personal information which is liable to indirectly disclose the sexual orientation (or political views, or religious beliefs, or any other special category data) of a natural person will constitute the processing of special category data. While the processing of personal data in this case was not inherently sensitive, the publication of the name-specific data of the declarant's spouse, cohabitee or partner nevertheless enables the deduction of information regarding the sexual orientation of those data subjects. The Court emphasised that any contrary interpretation would not be in keeping with the objectives of the GDPR, which requires that additional protection be afforded to processing data which, due to its sensitivity, is liable to constitute particularly serious interference with individuals' fundamental rights.
Organisations will now need to reassess the scope of their personal data processing operations to determine whether it may be possible to infer special category data from the other personal data that they process. Where any such special category data could be inferred, organisations will need to reconsider the lawful basis used to collect the underlying personal data on which the inference is based, and in particular whether it may now be necessary to obtain explicit consent from data subjects for that processing. It seems that, just as we did in the months following the implementation of the GDPR, data subjects will start to receive numerous requests for consent and updates to privacy policies, as organisations seek to adapt their compliance position in response to this Decision.