GDPR: Is the Scope of Special Category Data Widening?
On Monday 1 August 2022, the European Court of Justice (ECJ) confirmed that the disclosure of personal data that has the potential to indirectly give away the sexual orientation of a person constitutes processing of special categories of personal data for the purpose of EU GDPR.
Although no longer binding in the UK, the decision may be of interest to UK organisations who have an establishment in the EU or who offer goods or services to data subjects in the EU. The decision also potentially indicates how the UK courts would interpret UK GDPR in relation to the same question.
What is special category personal data?
Personal data is any information that can identify someone (e.g. name, email address, address). Special category personal data is personal data that is subject to heightened protection because it reveals or concerns one of the following:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- sex life; and
- sexual orientation.
What are the requirements to process special category data?
If an organisation wishes to process personal data, it must have a specific reason to do so. This is called a lawful basis. Ultimately, if an organisation cannot establish that it has a lawful basis (as listed below), then it would not be able to lawfully use personal data.
There must be a lawful basis to process special category data under each of Article 6 and Article 9 of the UK GDPR (note that only one lawful basis under Article 6 is needed for non-special category personal data).
| (A) Article 6 bases | (B) Article 9 bases |
| --- | --- |
| Consent | Explicit consent |
| Contract | Employment, social security and social protection* |
| Legal obligation | Vital interests |
| Vital interests | Not-for-profit bodies |
| Public task | Made public by the data subject |
| Legitimate interests | Legal claims or judicial acts |
| | Reasons of substantial public interest* |
| | Health or social care* |
| | Public Health* |
| | Archiving, research and statistics* |
*These five bases have additional conditions provided under the Data Protection Act 2018 which must be satisfied.
As such, any organisation which processes special category personal data must be able to show that there is a lawful basis for processing under both column A and B.
In addition, an appropriate policy document, which sets out how GDPR is being complied with, may be required in certain situations, and a data protection impact assessment must be done in any situation where processing data is likely to be a high risk (which is often the case for special category personal data).
What are the potential wider implications following the ECJ ruling?
The ECJ took the view that it is possible to indirectly deduce from certain data, like the name of somebody’s spouse, cohabitee or partner, information about the sex life or sexual orientation of that person.
The ruling may also have wider implications for the interpretation of the other special categories of personal data and highlights how broadly personal data is defined in the EU. For example, it is entirely plausible that someone could indirectly deduce racial or ethnic origin from a person’s name, or religious or philosophical beliefs or political opinions from details published about a person’s donation to a particular organisation. As a result, companies may have to reconsider whether they are processing special category data and whether they satisfy any Article 6 and Article 9 bases to process that data lawfully.
In addition, the ruling may have implications for online platforms that use background tracking and profiling to target users with behavioural ads. Large platforms have, for years, been able to hold behavioural data on the basis that they are not technically holding special category data. These platforms use behavioural data (for example, that a person likes the Facebook page of their local church choir) to infer information about that person (in this example, that the person is a Christian) and to tailor content which targets that person specifically. This ruling now casts further doubt over the legality of how many of these platforms operate and use data: what was behavioural data could now potentially be interpreted as special category data.
Summary
While the ECJ judgement is not explicitly clear on what knock-on effect this ruling will have for data controllers and processors, as set out above, it is feasible that this ruling will result in a much greater amount of personal data falling into the definition of special category personal data, which in turn will increase the compliance requirements on organisations holding such data.
If you would like any guidance on, and/or assistance complying with, the data protection legislation, contact our Data Protection Team on 01603 610911 or by email at info@leathesprior.co.uk.