YENİ İÇTİHATLAR: ULUSAL, ULUSLARARASI VE YABANCI MAHKEME KARARLARI SEMPOZYUMU, İstanbul, Türkiye, 07 Ekim 2022, ss.72-73
The Grand Chamber of the Court of Justice of the European Union (CJEU) ruled
in response to the Vilnus (Lithuania) Regional Administrative Court's request for
a preliminary ruling that any data capable of revealing sensitive personal data of
an individual through an "intellectual processing operation" - such as
comparison or deduction - falls under the scope of "special category" personal
data under article 9 of the General Data Protection Regulation (GDPR). This
decision is characterized as a ground-breaking decision on the interpretation of
the sensitive personal data category. Furthermore, the decision will certainly
have significant effects and consequences in terms of the opposing opinions
among EU member states' data protection authorities on the interpretation of
data categorized as sensitive personal data. Indeed, in previous investigations of
the Spanish and Norwegian data protection authorities on the application known
as GRINDR, different perspectives on the qualification of data that could
potentially reveal sensitive personal data indirectly were adopted, resulting in
different results in the application of the Union law in member states.
The case before the CJEU is about a legal dispute that arose in Lithuanian courts
between the director of a Lithuanian environmental protection company that
received public funds and an ethics commission. The dispute concerns a
Lithuanian law on interest reconciliation that requires public servants to make
public disclosures of private interests. The disclosures are published on a
publicly accessible internet register and are intended to provide transparency
and prevent conflicts of interest and corruption in the public sector.
Aside from the question of whether the regime regulated by the Lithuanian Law
is compatible with Article 6 of the GDPR, which regulates the general principles
of data processing, the administrative court applying for the preliminary decision
procedure has expressed reservations about whether the rules regarding the
processing of sensitive personal data in Article 9 of the GDPR should be applied
to such a data processing activity. According to the CJEU, because some
personal data within declarations of private interests is "liable to indirectly
reveal the sexual orientation of a natural person," such processing constitutes
“processing of special categories of personal data" under the GDPR. In other
words, the CJEU ruled that to provide effective protection the Article 9 regime
should be applied in cases where sensitive personal data is likely to be exposed,
even if the data being processed is not inherently sensitive.
The list of sensitive data contained in Article 9(1) GDPR is exhaustive, so
additional types of sensitive data may not be added it. As stated in Recital 51
GDPR, ‘they are, by their nature, particularly sensitive in relation to fundamental
rights and freedoms merit specific protection as the context of their processing
could create significant risk to the fundamental rights and freedoms’, it is
deemed necessary to provide sensitive data with a high level of protection under
GDPR. Paragraph 1 of article 9 prohibits the processing of sensitive data, whilst
paragraph 2 lays down exceptions to this prohibition in certain circumstances. In
addition to those outlined in Article 9 of the regulation, the processing of
sensitive data may have consequences for other GDPR obligations, such as
Article 27 regarding the obligation to appoint a Data Protection Officer or Article
35 on the obligation to conduct a Data Protection Impact Assessment. It is
possible to predict that, considering the CJEU's interpretation of the regime to
which data that indirectly reveals sensitive personal data will be subjected, a
much broader range of data will be affected by these legal consequences,
especially given the opportunities provided by developing technology. As a
result, public or private actors who process personal data must now conduct an
even more rigorous assessment of the data categories they will process and the
information that data has the potential to reveal.
This study will first analyse the CJEU C-184/20 decision by comparing it to CJEU
and Data Protection Authorities’ decisions on similar disputes by revealing its
distinctive and innovative aspects. Second, it is intended to discuss the legal
implications of the CJEU's interpretation, which is binding on member states.