In August this year, the Court of Justice of the European Union (CJEU) issued a preliminary ruling in OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania) (Case C-184/20), which was referred by the Regional Administrative Court of Lithuania. In this ruling, the CJEU elected to interpret the GDPR very broadly.
The CJEU clarified that the indirect disclosure of sexual orientation data is protected under Article 9 of the General Data Protection Regulation (GDPR). Therefore, such disclosures falls under the special categories of personal data.
This case arose from a question concerning the application of Lithuanian law, which required people in receipt of public funds to file declarations of interest. The declarations, which included information about the interests of the individual’s “spouse, cohabitee or partner” were published online. The applicant failed to file a declaration and was sanctioned therefore. The CJEU found that the underlying law did not strike a proper balance between the public interest in preventing corruption and the rights of affected individuals.
The CJEU went on to note that because it is possible to deduce information about an individual’s sex life or sexual orientation from the name of their partner, publishing that information online involves processing special categories of personal data as defined in Article 9 GDPR.
It was found by the CJEU that the processing of any personal data that are “liable indirectly to reveal sensitive information concerning a natural person”, for instance, any information that may reveal a person’s racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation, is subject to the prohibition from processing under Article 9(1) GDPR unless an exception under Article 9(2) applies.
The implications of this ruling could be significant. It is possible that common processing operations, such as publishing a photograph on a corporate social media page, could reveal some information that is protected under Article 9. Controllers may need to review their processing operations through a contextual lens to assess whether the data being processed and the manner of processing is liable or able to reveal any sensitive information.
It has even been suggested that this ruling could have implications in all contexts where Article 9 is applicable, including online advertising, dating apps, location data indicating places of worship or clinics visited, food choices for airplane flights amongst others.
The way forward?
The judgment is not clear how far controllers need to go to make this assessment. One option that may be possible is to argue that if the controller does not make personal data public, and it implements policies that prohibits employees from making inferences, then information is not liable to reveal special category data. An alternative option would be for regulatory guidance to be issued indicating how controllers can comply with the ruling and the existing guidelines.
Sensitive data ruling by Europe’s top court could force broad privacy reboot