Database definition

The CJEU: broadening the definition of sensitive personal data

The Court of Justice of the EU (CJEU) has issued a preliminary ruling that the disclosure of personal information which may imply a person’s sexual orientation constitutes the processing of “special categories” of personal data at the meaning of Article 9(1) of the General Data Protection Regulation ((EU) 2016/679) (EU GDPR).

In case C-184/20: OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania), the CJEU seems to have interpreted “data concerning the sex life or sexual orientation of a natural person” broadly, since the data to be published did not inherently fall into the category of special category data. The court also considered the grounds for data processing and the balance between privacy and other purposes.

Background and facts

The case was a request for a preliminary ruling on the interpretation of Article 6(1) and Article 9(1) of the EU GDPR arising from the following Lithuanian anti-corruption case.

The Lithuanian Anti-Corruption Law required various public persons and persons receiving government funding to complete and file a declaration of interests online which is published on the website of the Chief Ethics Commission and is therefore widely accessible. This information included the data subject’s name and other personal data, as well as that of any spouse or partner, and details of “close relatives” or other persons who may give rise to a conflict of interest. .

In this case, it was discovered that OT, a company director receiving public funds, had not made such a declaration and a decision was made against him for this failure, under these laws.

This decision was challenged by OT, in particular on the ground that the publication of such a declaration would infringe his privacy and the privacy of other persons whom he would also be obliged to name.

Judgement

In coming to its conclusion, the court asked:

First, do Articles 6(1) and 6(3) of the GDPR (and the rules that preceded it) mean that a national law cannot require the publication of reporting data online?

In short, Article 6(1)(e) has been treated as the legal basis for processing – processing necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller, Article 6(3) requiring in particular that such processing be provided for by law, meet an objective of general interest and be proportionate to the legitimate aim pursued.

Although the court considered that the limitation of privacy was prescribed by law and that the objective of fighting corruption was a legitimate interest, it did not consider that the publication of such data was necessary and proportionate to reach this goal. A registrant’s information was readily available on the Internet with no access restrictions, and therefore searchable by anyone, whether or not they had an anti-corruption interest. The public disclosure, online, of personal data relating to the spouse, cohabiting partner or partner, etc. of a person seems to go beyond what is strictly necessary and the law does not sufficiently protect against the risk of abuse.

The court therefore concluded that the Lithuanian legislation violated the rights of the data subject.

Secondly, the CJEU considered to what extent the publication of information such as the name of a spouse or partner constitutes the processing of special categories of personal data when examining Article 9, paragraph 1, GDPR (and previous rules).

Article 9 of the EU GDPR prohibits (with exceptions) the “processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing genetic data, biometric data for unique purposes identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person”.

Special data that had to be reported under Lithuanian law was not inherently special category data. However, the CJEU concluded, after examining settled case law, that the GDPR should be interpreted as meaning that the publication of such personal data on the website of the public authority was likely to indirectly reveal sexual orientation because it may “reveal” that someone’s partner is of the same sex and therefore constituted the processing of special categories of personal data.

To advance

In this case, the judgment effectively concludes that data relating to the name of a natural person can reveal his or her sexual orientation, so that this data is protected as special category personal data.

This decision follows previous judgments of the CJEU to broadly interpret the definitions of data protection.

Although this judgment is not binding on the UK courts, the decision can be followed in its approach by the UK. It is likely to be of particular importance and interest to any business dealing with data which may indirectly reveal special category data, not just sexual orientation. The UK ICO guidelines already discuss that data that “reveals” special category data (e.g. names) can be captured even if the data is not itself special category if it allows draw conclusions about (for example) race, but also clarify that “it is inappropriate to treat all of these names as special category data in each case, as that would mean you need a special category condition just to keep these names in a customer database, which is not the case”.