EU court expands definition of sensitive data, raising legal concerns for businesses

Companies will come under increased pressure after Europe’s top court ruled they must apply special protections to data that companies previously did not consider sensitive.

Under the European Union’s General Data Protection Regulation, information about health, religion, political opinions and sexual orientation is considered sensitive. Companies are generally not allowed to process it unless they apply special safeguards.

The European Court of Justice determined on August 1 that Lithuanian officials had their sensitive data exposed because the names of their spouses were published online, which could indicate their sexual orientation. Experts say the implications will extend to other types of potentially sensitive information.

Data that could be used to infer sensitive information about a person is also sensitive, the court said. This could include unstructured data – which is not organized in databases and is therefore more difficult to search and analyze – such as footage from surveillance cameras in a hospital that indicates that a person was treated there, according to legal experts. Recordings of a special meal on an airplane could reveal religious views.

The court ruling “raises a lot of practical complexities and a lot of difficulty in understanding whether the data [organizations] have is sensitive or not,” said Dr. Gabriela Zanfir-Fortuna, vice president for global privacy at the Future of Privacy Forum, a Washington, DC-based think tank.

Many companies with large datasets may not know they are holding details that indirectly relate to sensitive information, privacy experts say. Identifying where that data is and deciding whether it might reveal personal details about an individual would be a huge undertaking, said Tobias Judin, head of the Norwegian data protection regulator’s international section.

“You can’t really comply with the law if your dataset gets so big that you don’t really know what’s in it,” Judin said.

The GDPR states that companies can only process sensitive data in a few circumstances, such as if a person gives explicit consent for it to be used for a specific purpose.

Regulators have grappled with the question of how to determine what is sensitive data. Last year, the Norwegian regulator fined gay dating app Grindr LLC 65 million crowns, or about $6.7 million. The regulator said user data was sensitive because use of the app indicated their sexual orientation.

Grindr said it does not require users to share this data. The company appealed in February. Mr. Judin said his office was reviewing the documents submitted by the company as part of its appeal. The Spanish regulator came to a different conclusion in January and found that data shared by Grindr for advertising purposes was not sensitive.

A company that uses cookies to collect data on a health-related website could process information indicating the health status of a person visiting the page, said Jeroen Terstegge, managing partner at Privacy Management Partners, a Dutch consultancy. Cookies track user data for targeted online advertising. It will be particularly difficult for a company to determine whether it has sensitive information in unstructured datasets such as documents or meeting notes, Terstegge said.

It will take too much work for small businesses to identify and dispose of so much sensitive information, said Michiel Steltman, chief executive of Digital Infrastructure Association NL, a Dutch association representing digital infrastructure companies such as cloud providers and data centers. “Any data could potentially pose a risk because someone at some point could somehow glean insights from it,” he said.

The ruling is another blow to companies whose business models rely on large amounts of data, even if they don’t primarily make money from sensitive data, Judin said. “You have this ecosystem where everything has been to collect as much data as possible. Now we see that if you have a lot of data, it becomes a huge liability for you,” he said.

Write to Catherine Stupp at [email protected]

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.