CJEU strikes again, this time targeting special data


Cyber security safe encrypted digital data networks for secure global information technology - Conceptual 3D illustration rendering
Authors: Madalina Vasile (Bucur), Iurie Cojocaru

If one can indirectly deduce some sensitive characteristics about a person from some general categories of personal data that are being made available through publication, that personal data would qualify as special categories of personal data[1].

This conclusion results, at first sight, from the CJEU[2] recent ruling from 1 August 2022, in case C‑184/20.

The case at hand concerned a Lithuanian law that requires any head of an establishment receiving public funds to make a declaration of private interests. That declaration requires also naming the declarant’s spouse, cohabitee or partner. The declaration is made publicly accessible on the internet to ensure transparency and prevent corruption and conflicts of interests.

CJEU held that it is possible to deduce the declarant’s sexual orientation based on the publication of the name of that person’s spouse. Indirect revelation of the sexual orientation would be possible, according to CJEU, by means of an intellectual operation involving comparison or deduction. Thus, CJEU concluded that personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data within the meaning of Article 9 of the GDPR.

In reaching this conclusion, CJEU assessed both the wording of Article 9 of the GDPR and its context and objectives, namely, to ensure a higher level of protection in those cases where personal data reveal some specific sensitive characteristics about a person.

The importance of this ruling should not be ignored, its outcome having potentially significant practical implications. This is since processing special categories of personal data is generally prohibited, except in cases where one of the conditions under Article 9 of the GDPR is met.

However, one should not ignore that the circumstances of the case at hand are quite specific and the extension of the ruling to other apparently similar cases should be seen with caution.

For instance, will the interpretation CJEU gave in the afore-mentioned case apply also in case of a video commercial published by a company to promote its brand, that captures the imagine of several persons? It could be interpreted that the answer is yes, since the racial or ethnic origin of persons appearing in that video could be deduced. But is this the case though? Same, for instance, where a charity or a non-profit organization publishes the name of the donators, in which context one could perhaps deduce the religious or philosophical beliefs of that persons. And the list of scenarios could be continued.

It must not be forgotten that the EDPB[3] had a rather different optic from CJEU when it issued its Guidelines 3/2019, stating that capturing, through CCTV monitoring, the image of a person with disabilities would not, by itself, be regarded as processing of special categories of personal data, provided that the image is not processed for the purpose of deducing special categories of personal data related to that person.

It is yet to be seen how the positions of the CJEU and the EDPB will be reconciled on this matter in the future. In the meanwhile, CJEU ruling brought some additional tasks for companies and privacy professionals, as this court has already done on several occasions in the past (for example, in cases like Planet49, FashionID or Schrems II).

We hope that in the future, the EU top court will also come with judgements which bring helpful and down-to-earth guidance in interpreting the GDPR, which will indeed make this EU regulation a predictable set or rules for everyone who must observe them.

[1] Special categories of personal data are personal data that reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a person, genetic data and biometric data that are processed for uniquely identifying a person, as well as data concerning health and data concerning a person’s sex life or sexual orientation.

[2] CJEU – Court of Justice of the European Union

[3] EDPB – European Data Protection Board (the European body reuniting representatives of all the EU data protection authorities)