Rethinking the Concept of Sensitive Personal Data in the Light of the C‑184/20 - Vyriausioji Tarnybinės Etikos Komisija Decision of the Court of Justice of the European Union


Baştürk Akkaya F. N.

YENİ İÇTİHATLAR: ULUSAL, ULUSLARARASI VE YABANCI MAHKEME KARARLARI SEMPOZYUMU, İstanbul, Turkey, 07 October 2022

  • Publication Type: Conference Paper / Summary Text
  • City: İstanbul
  • Country: Turkey
  • Erzincan Binali Yildirim University Affiliated: No

Abstract

The Grand Chamber of the Court of Justice of the European Union (CJEU) ruled

in response to the Vilnus (Lithuania) Regional Administrative Court's request for

a preliminary ruling that any data capable of revealing sensitive personal data of

an individual through an "intellectual processing operation" - such as

comparison or deduction - falls under the scope of "special category" personal

data under article 9 of the General Data Protection Regulation (GDPR). This

decision is characterized as a ground-breaking decision on the interpretation of

the sensitive personal data category. Furthermore, the decision will certainly

have significant effects and consequences in terms of the opposing opinions

among EU member states' data protection authorities on the interpretation of

data categorized as sensitive personal data. Indeed, in previous investigations of

the Spanish and Norwegian data protection authorities on the application known

as GRINDR, different perspectives on the qualification of data that could

potentially reveal sensitive personal data indirectly were adopted, resulting in

different results in the application of the Union law in member states.

The case before the CJEU is about a legal dispute that arose in Lithuanian courts

between the director of a Lithuanian environmental protection company that

received public funds and an ethics commission. The dispute concerns a

Lithuanian law on interest reconciliation that requires public servants to make

public disclosures of private interests. The disclosures are published on a

publicly accessible internet register and are intended to provide transparency

and prevent conflicts of interest and corruption in the public sector.

Aside from the question of whether the regime regulated by the Lithuanian Law

is compatible with Article 6 of the GDPR, which regulates the general principles

of data processing, the administrative court applying for the preliminary decision

procedure has expressed reservations about whether the rules regarding the

processing of sensitive personal data in Article 9 of the GDPR should be applied

to such a data processing activity. According to the CJEU, because some

personal data within declarations of private interests is "liable to indirectly

reveal the sexual orientation of a natural person," such processing constitutes


“processing of special categories of personal data" under the GDPR. In other

words, the CJEU ruled that to provide effective protection the Article 9 regime

should be applied in cases where sensitive personal data is likely to be exposed,

even if the data being processed is not inherently sensitive.

The list of sensitive data contained in Article 9(1) GDPR is exhaustive, so

additional types of sensitive data may not be added it. As stated in Recital 51

GDPR, ‘they are, by their nature, particularly sensitive in relation to fundamental

rights and freedoms merit specific protection as the context of their processing

could create significant risk to the fundamental rights and freedoms’, it is

deemed necessary to provide sensitive data with a high level of protection under

GDPR. Paragraph 1 of article 9 prohibits the processing of sensitive data, whilst

paragraph 2 lays down exceptions to this prohibition in certain circumstances. In

addition to those outlined in Article 9 of the regulation, the processing of

sensitive data may have consequences for other GDPR obligations, such as

Article 27 regarding the obligation to appoint a Data Protection Officer or Article

35 on the obligation to conduct a Data Protection Impact Assessment. It is

possible to predict that, considering the CJEU's interpretation of the regime to

which data that indirectly reveals sensitive personal data will be subjected, a

much broader range of data will be affected by these legal consequences,

especially given the opportunities provided by developing technology. As a

result, public or private actors who process personal data must now conduct an

even more rigorous assessment of the data categories they will process and the

information that data has the potential to reveal.

This study will first analyse the CJEU C-184/20 decision by comparing it to CJEU

and Data Protection Authorities’ decisions on similar disputes by revealing its

distinctive and innovative aspects. Second, it is intended to discuss the legal

implications of the CJEU's interpretation, which is binding on member states.