ECJ C‑184/20: Pro­ce­s­sing of spe­cial cate­go­ries of per­so­nal data also in case of pos­si­ble infe­ren­ces on sen­si­ti­ve information

The ECJ issued a decis­i­on on August 1, 2022. on a refer­ral from a Lithua­ni­an admi­ni­stra­ti­ve court, in which it sub­jects the pro­ce­s­sing of data reve­al­ing sen­si­ti­ve infor­ma­ti­on to the strict regime for spe­cial cate­go­ries of per­so­nal data (Art. 9 GDPR).

Initi­al situation

In order to avo­id con­flicts of inte­rest and to com­bat cor­rup­ti­on, Lithua­ni­an law requi­res, inter alia, heads of enti­ties recei­ving public funds to make a “decla­ra­ti­on of pri­va­te inte­rests.” A head of such an insti­tu­ti­on refu­sed to make the decla­ra­ti­on, inter alia, becau­se the publi­ca­ti­on of infor­ma­ti­on con­tai­ned in the decla­ra­ti­on on the web­site of the com­pe­tent com­mis­si­on dis­re­gard­ed his right to respect for pri­va­te life as well as that of the other per­sons he might be requi­red to name in his declaration.

Legal basis for processing

The first que­sti­on, which is of less inte­rest here, con­cer­ned the legal basis of the publi­ca­ti­on on the web­site of the com­pe­tent aut­ho­ri­ty, for which the ECJ exami­ned the requi­re­ments of Artic­le 6 (1)(1)(c) and (3) of the GDPR (ful­fill­ment of a legal obli­ga­ti­on) in light of the rele­vant fun­da­men­tal rights.

The online publi­ca­ti­on pro­vi­ded for in the law in que­sti­on ser­ved the public inte­rest objec­ti­ve of avo­i­ding con­flicts of inte­rest and com­ba­ting cor­rup­ti­on in the public sec­tor and was sui­ta­ble for con­tri­bu­ting to the achie­ve­ment of the objec­ti­ves pur­sued. Howe­ver, the neces­si­ty of the data pro­ce­s­sing was lack­ing in many respects. With regard to the prin­ci­ple of data mini­mizati­on, it would go bey­ond what is neces­sa­ry to publish data by name on the spou­se, life part­ner or part­ner as well as on clo­se rela­ti­ves or other known per­sons who could con­sti­tu­te a con­flict of inte­rest. Gene­ric infor­ma­ti­on about the spou­se, coha­bi­tant or part­ner tog­e­ther with the cor­re­spon­ding infor­ma­ti­on about the inte­rests is sufficient.

Online publi­ca­ti­on is a serious inter­fe­rence with fun­da­men­tal rights becau­se infor­ma­ti­on about cer­tain sen­si­ti­ve aspects of the pri­va­te life of the data sub­jects can be deri­ved from the data and the publi­ca­ti­on has the con­se­quence that the­se data are free­ly acce­s­si­ble on the Inter­net to a poten­ti­al­ly unli­mi­t­ed num­ber of per­sons, regard­less of their moti­ves. Against this back­ground, the GDPR pre­clu­des, in par­ti­cu­lar, online publi­ca­ti­on of name-rela­ted infor­ma­ti­on about other per­sons who may have to be named in the declaration.

Pro­ce­s­sing of spe­cial cate­go­ries of per­so­nal data

In the second que­sti­on for a preli­mi­na­ry ruling, the ECJ had to assess whe­ther the online publi­ca­ti­on of data that may indi­rect­ly reve­al sen­si­ti­ve infor­ma­ti­on is also sub­ject to the fun­da­men­tal pro­ce­s­sing pro­hi­bi­ti­on of Artic­le 9 (1) of the GDPR. In this case, the data con­cer­ned name-rela­ted infor­ma­ti­on about the spou­se, coha­bi­tant or part­ner, from which infor­ma­ti­on about the sex life or sexu­al ori­en­ta­ti­on of the declarant and his spou­se, coha­bi­tant or part­ner could be derived.

The ECJ first con­side­red the wor­ding of Artic­le 9(1) GDPR (and Artic­le 8(1) DSRL) and held that:

[…] the use of the verb ‘to emer­ge’ in the­se pro­vi­si­ons sug­gests that pro­ce­s­sing is cover­ed which rela­tes not only to data which are sen­si­ti­ve in natu­re, but also to data from which sen­si­ti­ve infor­ma­ti­on is indi­rect­ly deri­ved by means of a men­tal pro­cess of deduc­tion or matching, whe­re­as the pre­po­si­ti­ons ‘to’ and ‘about’, or the use of a com­pound noun, seem to express that the­re must be a more direct link bet­ween the pro­ce­s­sing and the data in que­sti­on, which must be con­side­red in terms of their intrin­sic nature.

Sin­ce the verb “to emer­ge” refers only to one part of the spe­cial cate­go­ries of per­so­nal data and the pre­po­si­ti­ons “to” and “about” refer to ano­ther part, a lite­ral inter­pre­ta­ti­on would have the con­se­quence that a distinc­tion would have to be made depen­ding on the type of sen­si­ti­ve data con­cer­ned. Howe­ver, this would not be in line with a syste­ma­tic ana­ly­sis of the pro­vi­si­ons, in par­ti­cu­lar in view of Artic­le 4(15) of the GDPR and Reci­tal 35 of the GDPR, which also attri­bu­te to health data data from which infor­ma­ti­on on the sta­te of health is derived.

Fur­ther­mo­re, the pur­po­se of the GDPR to gua­ran­tee a high level of pro­tec­tion of the fun­da­men­tal rights and free­doms of the data sub­ject in data pro­ce­s­sing is in favor of a broad inter­pre­ta­ti­on. A rest­ric­ti­ve inter­pre­ta­ti­on, on the other hand, would run coun­ter to the pur­po­se of Artic­le 9(1) of the GDPR (also set out in EC 51), which is to ensu­re spe­cial pro­tec­tion against data pro­ce­s­sing that threa­tens a par­ti­cu­lar­ly serious inter­fe­rence with the fun­da­men­tal rights to respect for pri­va­te life and pro­tec­tion of per­so­nal data due to the par­ti­cu­lar sen­si­ti­vi­ty of the data processed.

For the­se rea­sons, the online publi­ca­ti­on of per­so­nal data that may indi­rect­ly reve­al sexu­al ori­en­ta­ti­on con­sti­tu­tes a pro­ce­s­sing of spe­cial cate­go­ries of per­so­nal data.

Notes

The que­sti­on of whe­ther the pos­si­bi­li­ty of dra­wing con­clu­si­ons about sen­si­ti­ve infor­ma­ti­on is suf­fi­ci­ent for qua­li­fi­ca­ti­on as a spe­cial cate­go­ry of per­so­nal data is not undis­pu­ted in the lite­ra­tu­re. Nevert­hel­ess, the ECJ’s ruling comes as litt­le sur­pri­se after it likes to empha­si­ze the pur­po­se of the GDPR to ensu­re a high level of pro­tec­tion – a kil­ler argu­ment in favor of broad inter­pre­ta­ti­ons of pro­tec­ti­ve provisions.

The syste­ma­tic argu­ment as to why no distinc­tion should be made among the spe­cial cate­go­ries of per­so­nal data is also not enti­re­ly con­vin­cing, espe­ci­al­ly sin­ce the cited pro­vi­si­ons (Art. 4 No. 15 GDPR and EC 35 GDPR) refer exclu­si­ve­ly to health data. The distinc­tion bet­ween data for which the emer­gence of sen­si­ti­ve infor­ma­ti­on is suf­fi­ci­ent and the other data is cle­ar­ly laid out in the wor­ding of Art. 9 (1) GDPR. In its comm­ents on the pur­po­se of Art. 9(1) GDPR, the ECJ does not take into account that the EC 51 GDPR cited by it speaks of per­so­nal data that is by their natu­re are par­ti­cu­lar­ly sen­si­ti­ve with regard to fun­da­men­tal rights and free­doms. As part of the doc­tri­ne holds for it, pos­si­ble infe­ren­ces would not have to be taken into account accordingly.

How far the ruling can be gene­ra­li­zed is que­stionable. On the one hand, the sen­si­ti­ve infor­ma­ti­on about sexu­al ori­en­ta­ti­on could easi­ly be dedu­ced in the pre­sent case, and on the other hand, it con­cer­ned a publi­ca­ti­on of data, after which the fur­ther use of the data can­not natu­ral­ly be con­trol­led. It the­r­e­fo­re seems conceiva­ble that the ECJ would not con­sider pos­si­ble infe­ren­ces in a dif­fe­rent con­text to be suf­fi­ci­ent. This would also be in line with the opi­ni­on expres­sed in various doc­tri­nes that the pro­ce­s­sing con­text and the inten­ti­on of the con­trol­ler should also be taken into account when qua­li­fy­ing the spe­cial cate­go­ry of per­so­nal data.

For Swiss law, the same que­sti­on ari­ses with regard to per­so­nal data requi­ring spe­cial pro­tec­tion. Sin­ce the wor­ding of Art. 3 lit. c DPA – in con­trast to Art. 9 (1) DPA (“her­vor­ge­hen”) – con­ta­ins no indi­ca­ti­on that pos­si­ble infe­ren­ces are also suf­fi­ci­ent, it can be que­stio­ned whe­ther this is suf­fi­ci­ent under Swiss law. In the final report regar­ding Post­fi­nan­ce (we have repor­ted on this), the FDPIC took into account the pos­si­bi­li­ty of eva­lua­ti­on, but with regard to the pro­ce­s­sing con­text, denied the exi­stence of per­so­nal data requi­ring spe­cial pro­tec­tion becau­se Post­Fi­nan­ce did not eva­lua­te the data (in con­nec­tion with the e‑cockpit) for its own or third-par­ty pur­po­ses. The prac­ti­ce also assu­mes that pos­si­ble con­clu­si­ons are not suf­fi­ci­ent, at least not wit­hout taking into account the spe­ci­fic pro­ce­s­sing context.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be