Insights Court of Justice of European Union finds personal data that indirectly reveals a person’s sexual orientation falls within GDPR regime for protection of sensitive data

Contact

In February 2018, Vyriausioji tarnybinės etikos komisija (the Ethics Commission of Lithuania) ruled that the director of an organisation in receipt of public funds (OT) had breached his obligation to lodge a declaration of private interests under Lithuanian law.

OT challenged the Ethics Commission’s decision, arguing that publication of private interests on the Ethics Commission’s website would breach his right to respect for private life and that of others mentioned in the declaration.

The Lithuanian court asked the CJEU whether Articles 6(1)(c) and (e) and Article 6(3) of the GDPR must be interpreted as precluding a national provision obliging the head of an organisation in receipt of public funds to publish online personal data in his/her declaration of private interests. It also asked whether Article 9(1) of the GDPR meant that the publication of personal data liable to disclose indirectly the political opinions, trade union membership or sexual orientation of a data subject, constituted processing of special categories of personal data, i.e., sensitive data.

The CJEU accepted that to prevent conflicts of interest and corruption in the public sector, which was a legitimate aim, it might be appropriate to publish information identifying the declarant as well as information on the activities of his/her spouse/partner. However, the public disclosure of the spouse/partner’s name, or the names of others likely to give rise to a conflict of interest, went beyond what was strictly necessary. The objective could just as easily be achieved by referring generically to the other people involved.

As for Article 9(1), the CJEU said that although the data in question was not inherently sensitive, the concern was that it was possible to deduce from the naming of OT’s spouse/partner certain information concerning OT’s sex life or sexual orientation and that of the spouse/partner. The question was therefore whether data capable of revealing the sexual orientation of someone by means of an intellectual operation involving comparison or deduction constituted sensitive data.

The CJEU noted that Article 9(1) GDPR prohibits the processing of personal data “revealing” racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union membership. It also prohibits the processing of data “concerning” a person’s sex life or sexual orientation. Whilst the word “revealing” was consistent with considering the processing of both inherently sensitive data and data that might indirectly reveal sensitive information through deduction or cross-referencing, the word “concerning” indicated a more direct and immediate link between the processing and the data.

However, in the CJEU’s view, interpreting it this way would result in a distinction between the types of sensitive data concerned and would not be consistent with a contextual analysis of the GDPR as a whole.

Therefore, the CJEU held that the processing of personal data likely, indirectly, to reveal sensitive information about someone was not excluded from the strengthened protection regime around sensitive data under the GDPR. Therefore, publication on the Chief Ethics Commission’s website of personal data likely to disclose indirectly the data subjects’ sexual orientation constituted the processing of sensitive data. (Case C-184/20 OT v Vyriausioji tarnybinės etikos komisija EU:C:2022:601 (1 August 2022) — to read the judgment in full, click here).

Expertise