Earlier this month the Court of Justice of the European Union (“CJEU”) issued a decision adopting a surprisingly broad interpretation of the “special categories of personal data” under GDPR. Under GDPR Article 9, such data includes “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Article 9(1) expressly prohibits the processing of that data unless one of the conditions specified in Article 9(2) applies, such as when the data subject has explicitly consented to the processing.

In its decision, the CJEU held that personal data elements that do not themselves directly reveal any “special category” data can be subject to Article 9’s restrictions if they indirectly reveal special category data through an “intellectual operation” involving cross-referencing or deduction.

This post examines the CJEU’s decision, and the impact it could have for organizations whose processing implicates its holding.

Case Background

The CJEU ruling arose from a Lithuanian anticorruption case. A Lithuanian public ethics regulator alleged that Lithuanian law required an executive at an organization in receipt of public funds to file a declaration making certain disclosures, including any spouse or partner name. The declaration would then be published on the internet. The executive argued that his filing of that declaration and its subsequent publication on the internet would violate his privacy and the privacy of any other individuals identified.

The referring court in Lithuania found the executive’s argument had some merit and noted in particular that the declaration’s collection of information such as spouse or partner name could reveal sensitive data such as “the fact that the data subject is cohabiting or is living with another person of the same sex.” The referring court therefore asked the CJEU to address whether the publication of declaration responses that could indirectly reveal special categories of data is subject to GDPR Article 9.

The CJEU’s Ruling

The CJEU held that the publication of “personal data that are liable to disclose indirectly the sexual orientation of a natural person” constitutes processing subject to GDPR Article 9. The analysis focused on the verb “reveal” in Article 9’s recitation of special data categories. To that end, the court found that “reveal” captures “not only . . . inherently sensitive data, but also . . . data revealing information of [a sensitive] nature indirectly, following an intellectual operation involving deduction or cross-referencing.”

The CJEU also stated that a broad conception of personal data subject to Article 9 accords with GDPR’s purpose of providing “a high level of protection of the fundamental rights and freedoms of natural persons, in particular of their private life.” The court held that applying its broad interpretation of “reveal” meant “the publication, on [a] website . . .of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data” under GDPR Article 9.

While the decision is thus clear that data indirectly revealing special categories of data can be subject to GDPR Article 9, it leaves open several key issues for organizations to wrestle with, including:

• What activities constitute “intellectual operations involving deduction or cross-referencing?”
• Relatedly, is there a point at which the relationship between distinct data elements becomes too attenuated to “indirectly” reveal special categories?
• Should organizations assume that conclusions about sensitive data that could theoretically be drawn based on cross-referencing or deduction from available non-sensitive data are always accurate with respect to the data subject?

What to Do in Response

The CJEU ruling means that organizations may need to treat more personal data and combinations of personal data as special category data, and implement measures designed to satisfy the specific conditions that Article 9 imposes on the processing of that data. For example, under the CJEU’s reasoning, an employer collecting an employee’s spouse’s name for emergency contact purposes could be processing special category data if the name reveals the sexual orientation of the employee, in which case the data could be processed only if one of the conditions in Article 9(2) applies.

To address the associated compliance risk, organizations whose processing is subject to GDPR should take these three steps.

1. Assess data elements processed to identify their potential to indirectly reveal special categories.

Organizations should carefully assess their personal data processing activities and relevant data elements to determine whether any data elements or combinations of data elements could indirectly reveal special categories. To be sure, the ambiguity left by the CJEU’s decision around the key interpretative issues noted above will make it difficult to reach definitive conclusions and will require some consideration of an organization’s general risk tolerance. But the CJEU’s reasoning suggests that, at a minimum, data elements presented side-by-side or in the same dataset (like in the declaration form at issue in the Lithuanian case) could constitute special category data when that presentation naturally leads to a sensitive inference.

2. Ensure Article 9 legal bases for processing for any indirect special category data are established.

If an organization does determine that it is processing indirect special category data, it should then ensure there is an appropriate legal basis for that processing under Article 9. If, for example, consent is the basis for the processing of any non-sensitive data elements, the consent language should be explicit and broad enough to cover any indirect special category data or combinations of data as well.

3. Update other GDPR-required compliance measures as necessary.

Additional GDPR compliance updates, such as special category processing descriptions in privacy notices and Article 32 processing records, may also need to be updated to account for any indirect special category data.

* * *

The CJEU’s interpretation for special category data is likely broader than the standard many organizations applied when implementing their GDPR compliance programs. Organizations should thus review those programs, and adjust them as appropriate, to account for the CJEU’s decision.