The ECJ issued a decision on August 1, 2022. on a referral from a Lithuanian administrative court, in which it subjects the processing of data revealing sensitive information to the strict regime for special categories of personal data (Art. 9 GDPR).
Initial situation
In order to avoid conflicts of interest and to combat corruption, Lithuanian law requires, inter alia, heads of entities receiving public funds to make a “declaration of private interests.” A head of such an institution refused to make the declaration, inter alia, because the publication of information contained in the declaration on the website of the competent commission disregarded his right to respect for private life as well as that of the other persons he might be required to name in his declaration.
Legal basis for processing
The first question, which is of less interest here, concerned the legal basis of the publication on the website of the competent authority, for which the ECJ examined the requirements of Article 6 (1)(1)(c) and (3) of the GDPR (fulfillment of a legal obligation) in light of the relevant fundamental rights.
The online publication provided for in the law in question served the public interest objective of avoiding conflicts of interest and combating corruption in the public sector and was suitable for contributing to the achievement of the objectives pursued. However, the necessity of the data processing was lacking in many respects. With regard to the principle of data minimization, it would go beyond what is necessary to publish data by name on the spouse, life partner or partner as well as on close relatives or other known persons who could constitute a conflict of interest. Generic information about the spouse, cohabitant or partner together with the corresponding information about the interests is sufficient.
Online publication is a serious interference with fundamental rights because information about certain sensitive aspects of the private life of the data subjects can be derived from the data and the publication has the consequence that these data are freely accessible on the Internet to a potentially unlimited number of persons, regardless of their motives. Against this background, the GDPR precludes, in particular, online publication of name-related information about other persons who may have to be named in the declaration.
Processing of special categories of personal data
In the second question for a preliminary ruling, the ECJ had to assess whether the online publication of data that may indirectly reveal sensitive information is also subject to the fundamental processing prohibition of Article 9 (1) of the GDPR. In this case, the data concerned name-related information about the spouse, cohabitant or partner, from which information about the sex life or sexual orientation of the declarant and his spouse, cohabitant or partner could be derived.
The ECJ first considered the wording of Article 9(1) GDPR (and Article 8(1) DSRL) and held that:
[…] the use of the verb ‘to emerge’ in these provisions suggests that processing is covered which relates not only to data which are sensitive in nature, but also to data from which sensitive information is indirectly derived by means of a mental process of deduction or matching, whereas the prepositions ‘to’ and ‘about’, or the use of a compound noun, seem to express that there must be a more direct link between the processing and the data in question, which must be considered in terms of their intrinsic nature.
Since the verb “to emerge” refers only to one part of the special categories of personal data and the prepositions “to” and “about” refer to another part, a literal interpretation would have the consequence that a distinction would have to be made depending on the type of sensitive data concerned. However, this would not be in line with a systematic analysis of the provisions, in particular in view of Article 4(15) of the GDPR and Recital 35 of the GDPR, which also attribute to health data data from which information on the state of health is derived.
Furthermore, the purpose of the GDPR to guarantee a high level of protection of the fundamental rights and freedoms of the data subject in data processing is in favor of a broad interpretation. A restrictive interpretation, on the other hand, would run counter to the purpose of Article 9(1) of the GDPR (also set out in EC 51), which is to ensure special protection against data processing that threatens a particularly serious interference with the fundamental rights to respect for private life and protection of personal data due to the particular sensitivity of the data processed.
For these reasons, the online publication of personal data that may indirectly reveal sexual orientation constitutes a processing of special categories of personal data.
Notes
The question of whether the possibility of drawing conclusions about sensitive information is sufficient for qualification as a special category of personal data is not undisputed in the literature. Nevertheless, the ECJ’s ruling comes as little surprise after it likes to emphasize the purpose of the GDPR to ensure a high level of protection – a killer argument in favor of broad interpretations of protective provisions.
The systematic argument as to why no distinction should be made among the special categories of personal data is also not entirely convincing, especially since the cited provisions (Art. 4 No. 15 GDPR and EC 35 GDPR) refer exclusively to health data. The distinction between data for which the emergence of sensitive information is sufficient and the other data is clearly laid out in the wording of Art. 9 (1) GDPR. In its comments on the purpose of Art. 9(1) GDPR, the ECJ does not take into account that the EC 51 GDPR cited by it speaks of personal data that is by their nature are particularly sensitive with regard to fundamental rights and freedoms. As part of the doctrine holds for it, possible inferences would not have to be taken into account accordingly.
How far the ruling can be generalized is questionable. On the one hand, the sensitive information about sexual orientation could easily be deduced in the present case, and on the other hand, it concerned a publication of data, after which the further use of the data cannot naturally be controlled. It therefore seems conceivable that the ECJ would not consider possible inferences in a different context to be sufficient. This would also be in line with the opinion expressed in various doctrines that the processing context and the intention of the controller should also be taken into account when qualifying the special category of personal data.
For Swiss law, the same question arises with regard to personal data requiring special protection. Since the wording of Art. 3 lit. c DPA – in contrast to Art. 9 (1) DPA (“hervorgehen”) – contains no indication that possible inferences are also sufficient, it can be questioned whether this is sufficient under Swiss law. In the final report regarding Postfinance (we have reported on this), the FDPIC took into account the possibility of evaluation, but with regard to the processing context, denied the existence of personal data requiring special protection because PostFinance did not evaluate the data (in connection with the e‑cockpit) for its own or third-party purposes. The practice also assumes that possible conclusions are not sufficient, at least not without taking into account the specific processing context.