In August 2022, the Court of Justice of the European Union (CJEU) issued a decision that confirms that the definition of special categories of personal data (sometimes referred to as sensitive personal data) should be interpreted very broadly under the EU GDPR.
The decision, which was issued in response to a request for a preliminary ruling from a Lithuanian court, determined that it was possible to deduce information concerning sex life or sexual orientation (which are types of special categories of data) from certain non-sensitive information, such as the name of an individual’s spouse, partner, or cohabitee.
Due to the potential that information about an individual’s sexual orientation and sex life could be deduced or inferred from knowing whether the individual lives with someone of the same or opposite gender or sex, the CJEU ruled that, in that specific context, the name of the spouse, partner, or cohabitee must be categorised as special categories of data and should be treated in accordance with the rules of Article 9 of the EU GDPR regarding processing this type of data.
Special categories of data
In understanding the Court’s ruling, it is first necessary to look at the wording of Article 9 of the EU GDPR, in which special categories of data are defined as personal data “revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, and biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.
Use of the verb “revealing” in the above extract confirms that, when considering whether special category personal data is being processed, it is necessary to consider not only what information has been expressly disclosed, but also any information that can be inferred or deduced from it in that particular context, and therefore what it reveals. For example, if a man called Bill confirms that his partner’s name is John, then, as John is a man’s name, it could be inferred that Bill is gay, even though in a different context the name ‘John’ would only be considered ‘regular’ personal data. In this context, however, John’s name would be considered special category personal data in the light of the recent CJEU ruling.
Consequently, the CJEU ruling confirms that the correct interpretation of Article 9 of the EU GDPR is that any type of information that can be used to reveal special categories of data must also be treated as special categories of data.
Organisations should be aware that the processing of this type of data is prohibited by default unless there is a legal authorisation for such processing. Additionally, companies must take particular care when processing, storing, or sharing special category personal data and must apply stronger technical and organisational measures to protect it against loss, theft, misuse, or unauthorised disclosure compared to ‘regular’ personal data, bearing in mind the degree of harm that individuals could suffer in the event of a personal data breach.
Norwegian Data Protection Authority vs Grindr LLC
Before the CJEU issued its wider interpretation of what the concept of special categories of data consists of, the Norwegian Data Protection Authority (Norwegian DPA) had already decided that special categories of data can be inferred from non-special category data in a particular context or in the light of additional information.
In 2020, the Norwegian DPA issued a decision in a case against Grindr LLC, a popular LGBTQ+ social networking app, imposing a 6.3 million euro fine because Grindr was unlawfully sharing special categories of personal data with third parties for marketing purposes without relying on any of the appropriate lawful bases under Article 9 of the EU GDPR, such as collecting explicit consent.
In this case, the special categories of personal data consisted of information related to users’ sexual orientation. The Norwegian DPA considered that data revealing the fact that someone is a Grindr user strongly indicates that they belong to a sexual minority since the app is widely known as an LGBTQ+ social network hub and was created exclusively for this audience.
Therefore, in the same vein as the CJEU, the Norwegian DPA considered that analysing the context of a processing activity is of great relevance in assessing whether or not personal data is special category personal data.
The UK GDPR
In terms of the position in the UK, as the wording of Article 9 of the UK GDPR mirrors that of the EU GDPR and the UK is still heavily influenced by guidance and case law coming from the EU, this recent ruling from the CJEU is likely to be applied in the UK. In any event, it would appear that the Information Commissioner’s Office (ICO) had already adopted this approach; the ICO’s guidance on special category data states, “Special category data includes personal data revealing or concerning the above types of data”.
Organisations should also be aware that, in the UK, they can only process special categories of personal data if they meet one of the conditions in Article 9 of the UK GDPR, together with a condition under the Data Protection Act 2018, if applicable. The conditions under Article 9 of the UK GDPR include:
- The individual has explicitly consented to have their special categories of data processed for a specific purpose;
- Processing is necessary for purposes of employment, social security, and social protection (if authorised by law);
- Processing is necessary to protect the vital interests of the individual or of another person, where the individual is incapable of giving consent;
- Processing of the special categories of personal data of members, former members, and other relevant people is carried out in the course of the legitimate activities of a foundation, association, or any other not-for-profit body;
- The data have been made public by the data subject;
- Processing is necessary for the establishment, exercise or defence of legal claims or judicial acts;
- Processing is necessary due to reasons of substantial public interest (with a basis in law);
- Processing is necessary due to reasons of health or social care (with a basis in law);
- Processing is necessary due to reasons of public health (with a basis in law); and
- Processing is necessary for the purposes of archiving, research, and statistics (with a basis in law).
What does it mean for your business?
Even though the circumstances of the CJEU and Norwegian DPA rulings are quite specific and relate to data about sexual orientation, it is possible to predict many other scenarios in which companies may be processing other types of special categories of data without being aware of it.
For instance, depending on the context, photographs and videos (which are not typically considered special categories of data) have the potential to reveal someone’s religious beliefs if the individual is wearing traditional dress specific to a particular religion. In the same way, someone’s choice of meals or lifestyle habits could potentially reveal religious beliefs or even medical or genetic conditions.
Without being aware of the nature and degree of sensitivity of the personal data that is being processed, businesses may fail to comply with the specific requirements under the EU or UK GDPR to process special categories of data lawfully. To help you with this, we have published a useful Guide to Demonstrating GDPR Accountability which you can download for free.
In order to be compliant, businesses should review their processing activities to ascertain what types of personal data are being processed in each specific situation and whether any additional special category information can be deduced or inferred from that information, or from the context of the processing activity. You can find out more information in our diversity and inclusion data blog, where we dive into everything you need to know about collecting employee data for your diversity and inclusion strategy.
If the review identifies that inferred special category personal data is being processed, the appropriate lawful bases should be ascertained and suitable measures should be implemented to ensure compliance with the EU / UK GDPR for processing personal data of a sensitive nature. This approach may include enhancing technical and organisational controls.
If you need help or advice regarding processing special categories of data, understanding and reducing your business risks, we are happy to help. Contact us for a friendly chat.