On 1st August 2022, the CJEU, sitting as the Grand Chamber, handed down a decision on the scope of Article 9 GDPR. Article 9(1) reads:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.”
Those categories are also referred to as sensitive personal data. In the judgement (C-184/20), the CJEU interpreted “data concerning a natural person’s sex life or sexual orientation” very broadly, but also raised a few other interesting points.
The case dealt with a conflict between anti-corruption laws in Lithuania and data protection law. The Chief Ethics Commission in Lithuania is tasked with fighting corruption. It asked a director of a public establishment (= the data subject) to declare his and his spouse’s interests in accordance with the anti-corruption laws. The Lithuanian regime provided that certain information from the declaration had to be published on the website of the Chief Ethics Commission, such as the forename and surname as well as income-related data.
There were two questions before the Court: first, whether the publication obligation violated data protection rules, and second, to what extent the publication of the name of the spouse constitutes processing of sensitive personal data.
The European Court started its analysis with a proportionality test based on Article 52(1) of the Charter of Fundamental Rights, which reads:
“1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.”
The first parts of the proportionality test were easily met: fighting corruption is a legitimate objective to start with, and the limitations to the right to privacy were also laid down by law. The more difficult question was whether the publication was necessary to further the aim of fighting corruption. The CJEU decided that the interests (fighting corruption v. data protection) need to be carefully balanced and that, depending on the level of corruption in the Member State, the balance could be struck differently. In the end, the Court sided with the data subject and found that the Lithuanian legislation did not provide sufficient safeguards against the risk of abuse and that, as a result, the legislation violated the right of the data subject. The Court especially pointed out that the authority’s argument that there were not sufficient resources available to individually check all concerned records was invalid:
“[…] a lack of resources allocated to the public authorities cannot in any event constitute a legitimate ground justifying interference with the fundamental rights guaranteed by the Charter.”
In the second part of the judgement, the Court was asked to what extent the publication of the name of the spouse constituted processing of sensitive personal data. The Court concluded that the mere fact that the gender of the spouse might be “revealed” is enough to constitute processing of sensitive data. An alternative interpretation was available, namely, to interpret the word “concerning” in the text of Article 9 more narrowly. To put it simply: the names Max, Alex or Pat are as such just names, combinations of letters. They do not concern sexual orientation, but in most cultures they reveal the gender (more or less, as the examples show) and, taken in context with the spouse’s name, reveal the likely sexual orientation. As a result, the publication of the name of a spouse together with the data subject’s name constitutes processing of special categories of personal data, as it indirectly discloses the sexual orientation.
The judgement is in line with previous rulings in which the Court interpreted data protection definitions very broadly. Overall, it is also a decision that carefully looks at different processing activities; the Court stresses that it analyses the publication on the website, not other anti-corruption measures. Looking however at a long line of case law (Lindqvist, Breyer), I feel that we are heading in the direction of tightening requirements for controllers bit by bit. After all, many activities concern the processing of personal data, and after this judgement, they also concern more and more often the processing of special categories of personal data. This is because a lot of data might, combined with other data, reveal sensitive personal data. Here is an example: a company might want to post pictures of employees on its intranet. Pictures of persons reveal their racial origin, which in turn means that controllers must apply the stricter standard of Article 9 GDPR for justifying the processing. In most cases that means explicit consent. Are we heading towards a form of data protection puritanism?