On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing personal data.
The case arose from a question concerning the application of Lithuanian law requiring people in receipt of public funds to file declarations of interest. Those declarations, including information about the interests of the individual’s “spouse, cohabitee or partner”, were published online. Here, the applicant had failed to file a declaration and was sanctioned. In the first place, the CJEU found that the underlying law did not strike a proper balance between the public interest in preventing corruption and the rights of affected individuals.
On its own, this would not necessarily be controversial. However, the CJEU went on to note that because it is possible to deduce information about an individual’s sex life or sexual orientation from the name of their partner, publishing that information online involves processing special category data subject to Article 9 GDPR.
Specifically, the CJEU found that the processing of any personal data that are “liable indirectly to reveal sensitive information concerning a natural person”, i.e. any information that may reveal a person’s racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation, is subject to the prohibition from processing under Article 9(1) GDPR, unless an exception under Article 9(2) applies.
The practical implications of this judgment could be significant. It is conceivable that common processing operations, such as publishing a photo on a corporate social media page, could reveal some information that is protected under Article 9. Controllers may now need to review their processing operations through a contextual lens to assess whether the data being processed and the manner of processing is liableto reveal any sensitive information.
Unhelpfully, the judgment is not clear how far controllers will need to go to make this assessment. For example, it may be arguable that if a controller does not make personal data public, and it implements policies that prohibit employees from making inferences, then information is not liable to reveal special category data, but this is not certain. An alternative interpretation might result in a much greater amount of data subject to Article 9. Regulatory guidance on how controllers can comply would now be welcome, and to resolve the tension with, for example, the EDPB’s existing guidelines on processing data through video devices, which state that video footage will only be special category data if it is actually used to deduce special category data.
The Covington team will keep monitoring the developments on this issue, including any regulatory guidance released in response to the judgment, and is happy to assist with any inquiries on the topic.