Some court judgments do what they say on the tin, whilst others reveal themselves like a Trojan Horse. On Monday, the Court of Justice of the European Union handed down just such a ruling.
The case concerned a topic that most people would consider to be (1) fairly dull and (2) not relevant to their business: the Lithuanian government’s publication of personal data relating to a civil servant who received public funds.
But in finding that publishing details of a civil servant’s spouse, cohabitee or partner would breach the GDPR and is a serious interference with the individual’s fundamental right to a private life, the CJEU buried the lede big time.
That’s because of what it went on to say about sensitive personal data — namely, that ostensibly non-sensitive data are capable of being captured by Article 9 of the GDPR if they reveal sensitive data characteristics “by means of an intellectual operation involving comparison or deduction”.
So, if Mr Jones tells you that he’s married to Mr Smith, it would be reasonable to conclude that they are gay men, such that the information constitutes sensitive personal data. That's fairly cut and dried. But what about if Mr Jones cohabits with Mr Smith and Mrs Doe and you know that (1) Mrs Doe is married to Mr Doe, and (2) Mr Jones has previously donated to an LGBT charity? Are the data sensitive for the purposes of the GDPR in that case?
It may not seem like it, but this is a Very Big Deal. European regulators have taken contrasting positions on the issue in the context of dating apps, the question being: does using an app indicate — whether directly or indirectly — an individual’s sexuality?
The ramifications here are significant for organisations of all shapes and sizes, and will bite on a wide range of activities — from HR processing to targeted advertising and profiling. Taking this thinking to its logical conclusion, almost any information could be deduced to reveal sensitive personal data. And it’s not just sexuality; health, religion, politics and other types of sensitive data will be treated to the same interpretation.
So if you haven't already been thinking about inferred sensitive personal data in this way (and for non-privacy wonks that's not unreasonable), I'm afraid that things will need to change.
To our modern eyes the Trojans look pretty naïve — but at least they weren't told what to expect. We now have confirmation about how the ECJ thinks about this issue, so it's worth figuring out whether and what you need to do to avoid the same fate as Troy, with your mere personal data being deemed sensitive and becoming its own Trojan Horse in your data protection compliance programme.
...it should be determined whether data that are capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction fall within the special categories of personal data, for the purpose of Article 8(1) of Directive 95/46 and Article 9(1) of the GDPR.