News
What are inferred data and why you should know about them? | Data protection
Court of Justice of the European Union (CJEU) decision has expanded the scope of sensitive personal data, viz., at the end of the summer, CJEU adopted a judgment of significant importance regarding the protection of personal data that, while not being directly considered special categories of data, reveal other sensitive personal data.
How did the dispute about the protection of personal data arise?
Lithuanian state anti-corruption legislation obliges certain persons who receive state funds to provide a declaration about their private interests and that of their “spouse, cohabitee or partner”. This declaration, which contains personal data, including the names of individuals, is then published on the website of the competent commission. In the case at hand, a manager of an institution receiving public funds refused to provide a declaration, referring to the inviolability of private life, as a result of which the case ended up in court. Regional Administrative Court of Lithuania turned to the CJEU with a request for a preliminary ruling according to which important findings were made in the case OT v. Vyriausioji tarnybinės etikos komisija (C-184/20), which should be followed by in personal data processing processes not only by the parties involved but by everyone who comes across it.
What aspects did the court analyze to make the decision?
The CJEU examined the question of whether data that are capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction fall within the special categories of personal data, for the purpose of and Article 9(1) of the General Data Protection Regulation (GDPR). Article 9 GDPR expressly prohibits processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of such data can be lawful only if an exception referred to in Paragraph 2 of this article can be applied, for example, based on the explicit consent of the data subject.
The essence of the case considered by the court was the analysis of the word “revealing” included in the definition of special categories of personal data in Article 9 of GDPR – ” processing of personal data revealing (..) shall be prohibited.” In its reasoning, the CJEU emphasized that the verb ‘reveal’ is consistent with the taking into account of processing not only of inherently sensitive data, but also of data revealing information of that nature indirectly, following an intellectual operation involving deduction or cross-referencing.
What was the court’s decision?
CJEU ruled that, although a person’s name is not a priori included in the list of categories of sensitive personal data, the publication of the spouse’s name can reveal data about the sex life or sexual orientation of the natural person. Accordingly, data that, following an intellectual operation involving deduction or cross-referencing, reveal sensitive information – in this particular case, a person’s sexual orientation – shall be included in special categories of personal data within the meaning of the GDPR.
What should be taken into account to avoid a dispute of a similar nature regarding the protection of personal data?
The decision confirms that, in accordance with the purpose and meaning of Article 9 GDPR, even if personal data are not sensitive by their nature, but sensitive information about the person can be inferred from them, they should be considered a special category of personal data to which stricter data protection requirements apply.
Bearing in mind the findings above, entrepreneurs and institutions should review the categories of processed personal data in order to consider whether the processed data can be considered as indirectly revealing information about the health, sexual orientation, religious beliefs or other categories of sensitive data of a natural person. In the event that personal data from which sensitive information can be inferred is processed, and one of the exceptions permitting the processing of Paragraph 2 of Article 9 of the GDPR is not applicable, the processing of such data may turn out to be unlawful.
Recalling the description of this decision as “revolutionary” by the Future of Privacy Forum Vice President Dr. Gabriela Zanfir-Fortuna, we cannot help but to agree with the stance that this CJEU ruling is expected to lead to wide-ranging changes in the way data is processed and shared between different companies across all industries. Henceforth, anyone processing personal data is advised to re-evaluate the legality of their processing activities following the latest court rulings.
Subscribe to Leadell's Newsletter
