18/10/2022 - The General Data Protection Regulation (GDPR) prescribes different rules for processing personal data that is considered ‘ordinary’ and personal data that is considered ‘special’. Recent developments show that personal data previously viewed as ‘ordinary’ could, under certain conditions, be viewed as ‘special’. The distinction is important because it sets the parameters of which processing activities are allowed and, more specifically, on which legal basis they may rely.
Curious to understand how these developments may impact your organization? In this blog I will attempt to unravel what constitutes ‘special category’ data under article 9(1) of the GDPR by way of inference and what businesses should be doing today when confronted with the sudden reality that they may be processing ‘special category’ data.
The GDPR identifies certain types of personal data as ‘special categories’ warranting specific protections, as the nature of these categories means their processing could create significant risks to individuals’ fundamental rights and freedoms. Article 9(1) confirms that this includes “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.[1]
The GDPR is clear that special category data includes not only personal data that is inherently sensitive, but also personal data revealing or concerning these details. What is interesting is that these alternative verbs appear in different places in article 9(1) depending on the subcategory of special data. What the regulation makes less clear is how these two qualifying factors differ or what specific qualifying criteria apply in each case.
The European Court of Justice (CJEU) recently shed light on these questions in Case C-184/20 - Vyriausioji tarnybinės etikos komisija.
In August 2022 the CJEU issued a preliminary ruling in OT v Vyriausioji tarnybinės etikos komisija. Under Lithuanian law, a director of an establishment receiving public funds is required to publish their private interests, including personal details, in a public register. One data category that was mandatory to disclose in this register was the name of the director’s spouse, cohabitee or partner. The question arose whether this could reveal a person’s sexual orientation.
The Regional Administrative Court of Lithuania referred the following question: “Must the prohibition of the processing of special categories of personal data established in Article 9(1) of the GDPR … be interpreted as meaning that national law may not require the disclosure of data relating to declarations of private interests which may disclose personal data, including data regarding a person's political views, trade union membership, sexual orientation, and other personal information?”[2]
The CJEU acknowledged that revealing and concerning have different meanings, the latter requiring a more direct and immediate link between the processing and the data. However, it ultimately concluded that a distinction should not be drawn between the words, as this would be inconsistent with the contextual analysis of the provision and with the regulation’s more general objectives, which aim to protect the fundamental rights and freedoms of natural persons, in particular private life.[3]
This conclusion echoes the earlier opinion of the Advocate General, who said: “the fact that information relating to, in particular, the sex life or sexual orientation of the declarant and of his or her spouse, cohabitee or partner is brought indirectly to the knowledge of the general public cannot be regarded as collateral damage that is regrettable but acceptable in the light of the purpose of a processing which is not prima facie concerned with sensitive data or which indeed expressly prohibits their use, as in the present case.”[4]
The CJEU ultimately held that “the publication of personal data on the authority's public website that discloses indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data under the GDPR”[5]. The relevant question that can be derived is not whether the primary processing activity and personal data “concern” ‘special category’ data, but rather whether they reveal, or more precisely disclose, ‘special category’ data.
The decision to disregard the regulation’s inclusion of the verb “concerning” undermines the view that factors such as purpose or intention have relevance. This no doubt goes further than many will have anticipated, giving at least the feeling that the scope of Article 9(1) has expanded. The burning question that emerges for most will be when exactly data that is not inherently sensitive reveals or discloses ‘special category’ data, i.e., what is the tipping point? The CJEU fails to provide clarity in this regard.
In the opinion of the UK Information Commissioner’s Office (ICO) the criterion to be applied is as follows: “if you can infer relevant information with a reasonable degree of certainty then it’s likely to be special category data even if it’s not a cast-iron certainty. But if it is just a possible inference or an ‘educated guess’, it is not special category data (unless you are specifically processing to treat someone differently on the basis of that inference) - even if that guess turns out to be right.”[6] The ICO further clarifies that the key question is not whether the inferences are correct, but whether you are using an inference linked to one of the special categories to influence your activities in any way.
On the 20th of September 2022 Advocate General Rantos (AG) gave his opinion in Case C-252/21 – Meta vs. Bundeskartellamt. The opinion is relevant as the AG held that the decisive factor for the purpose of applying Article 9(1) of the GDPR is “whether the data processed allow user profiling based on the categories that emerge from the types of sensitive personal data mentioned in that article”.[7] The AG specifically recommends that a distinction should be made between data that is prima facie sensitive and data that is not inherently sensitive but requires subsequent aggregation in order to draw plausible conclusions for profiling purposes.[8] The rationale for such an approach is presumably to prevent data that will not be aggregated, despite aggregation being theoretically possible, from being classified as ‘special category’ data. This approach, if followed by the CJEU, would at least provide reassurance for businesses that have measures in place to mitigate or prevent such aggregation from occurring.
Note that the AG adds that such an inference does not necessarily need to be intended, true or accurate but suggests that the conclusions drawn should at least be plausible.[9] More specifically, regarding whether the purpose for which the data is used is relevant, the AG held that the controller is not required to process that data knowing or intending to derive special categories. The aim of the provision in question is to prevent significant risks to the fundamental rights and freedoms of data subjects irrespective of any subjective element. Therefore, in the view of the AG a lack of purpose should not be decisive and cannot be used as a defense.
Overall, the views of the ICO and the AG seem to be largely compatible, albeit using different phrasing. It is not entirely clear how the tipping point of the AG’s preferred “plausible conclusion” differs from the ICO’s tipping point of “reasonable degree of certainty”. It could be argued that something could be plausible without necessarily being reasonably certain. This would represent a test with a lower threshold than the ICO’s and would arguably fit better within the CJEU’s contextual analysis in Case C-184/20, which emphasized the overarching importance of protecting the fundamental rights of individuals. What can be said with certainty is that context is key.
Combining these views contributes to our understanding of when ‘special category’ data is revealed, but we will need to wait and see how the CJEU in Case C-252/21 - Meta vs. Bundeskartellamt responds to the AG opinion and whether a more concrete test guiding organizations will be established. Businesses will no doubt be hoping that the test is not only more concrete but also balances the need to protect fundamental rights with the realities of modern-day data processing and the practicalities of running a data-driven business.
Organizations are, ironically, left in a situation where they are required to “infer” a criterion from which they can assess what legal basis exists to legitimize their processing activities. By way of the test below, organizations are strongly encouraged to reevaluate their processing activities, the personal data processed as part of each activity and, crucially, the legal basis they are relying on to conduct that processing activity. Organizations are also encouraged to implement measures that prevent or eliminate the aggregation of data where such aggregation would allow plausible conclusions and does not support the primary processing activity. If such aggregation is desired or impossible to eliminate, organizations will need to establish an exception under article 9(2).
[1] Article 9(1) GDPR.
[2] Para 44(2) of Case C-184/20.
[3] Para 123, 124, 125 of C-184/20.
[4] Para 91 of AG opinion in Case C‑184/20.
[5] Para 128 of Case C-184/20.
[6] ICO website https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/what-is-special-category-data/#scd7.
[7] Para 38 of AG opinion in C‑252/21.
[8] Para 39 AG opinion in C‑252/21.
[9] Para 39 and 40 of AG opinion in C‑252/21.
Are you wondering to what extent these developments have an impact on your organization? Or are you looking for practical advice on how to assess and react to inferences on a case-by-case basis? Please feel free to contact us.