Lawful processing conditions and special category data in the CJEU

With apologies for the delay, Panopticon now brings you highlights from a CJEU judgment from August 2022, that contributes to case law – albeit of a post-Brexit variety – on two GDPR issues. These are (i) the necessity and proportionality of the legislative basis for relying on Article 6(1)(e), and (ii) whether data can be ‘special category data’ by reason of an inference. Here are some key points from the Grand Chamber’s judgment in OT v Vyriausioji tarnybinės etikos komisija (Case C‑184/20).

The context

Lithuania seems to be a remarkably transparent place. It has what the CJEU labelled a “Law on the reconciliation of interests”, aimed at combatting corruption, which requires public officials and officials in non-public bodies that receive public funds to make detailed declarations of their and their spouse/partner’s private interests (including gifts, transactions, and such like) to Lithuania’s Chief Ethics Commission. The same law also requires those declarations to be published online.

OT challenged a decision that he had failed to make the requisite declaration. This prompted a reference to the CJEU from the Lithuanian court, which was clearly very uncomfortable about the proportionality of the requirement imposed by Lithuanian legislation for the publication of such detailed personal data.

The basic principles

The Grand Chamber’s analysis builds on some very well-established principles.

DP rights are not absolute: “It should indeed be borne in mind that the fundamental rights to respect for private life and to the protection of personal data, guaranteed in Articles 7 and 8 of the Charter, are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights. Limitations may therefore be imposed, so long as, in accordance with Article 52(1) of the Charter, they are provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality…” (at [70]).

The proportionality test means that “limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question…” (at [70]).

Proportionality and necessity are inextricably linked concepts. The necessity test “is met where the objective of general interest pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and to the protection of personal data” (at [85]).

Application to Lithuania’s Law on the reconciliation of interests

The Law was clearly aimed at, and helped to further, an important legitimate interest in combatting corruption. But, in requiring the full details (bar very few omissions) of an individual’s declaration to be published online, the Law failed the necessity and proportionality tests. Flaws identified by the CJEU include these:

  • The making of detailed declarations to the responsible body (the Chief Ethics Commission) is one thing – but why did those declarations need to be published online? The Chief Ethics Commission said, in effect, that it needed to crowdsource its scrutiny of the declarations: it lacked the resources to check them all itself, so public transparency was the answer in terms of scrutiny. That was not a sufficient answer, said the CJEU: “a lack of resources allocated to the public authorities cannot in any event constitute a legitimate ground justifying interference with the fundamental rights guaranteed by the Charter” (at [89]).
  • Even if you need to publish something, why do you need to publish so much granular detail? The CJEU saw no good answer here. Even the Lithuanian government seemed to suggest that the Law went too far in this respect. The CJEU concluded that the scope of required publication exceeded what was strictly necessary. This meant the necessity/proportionality tests were failed, and also that the data minimisation principle under Article 5(1) GDPR was contravened (see [93], [96]).
  • In order for the Law to be proportionate, there needed to have been consideration of the extent of the data required for publication, the extent of publication (e.g. why online to the whole world, as opposed to sharing with specific persons with legitimate interests) and the interference this would have on individuals’ data protection and privacy rights (rooted in the Charter of Fundamental Rights). These matters did not appear to have been considered by the Lithuanian legislature (see [92], [98], [99]).
  • Overall, this publication requirement constituted a serious interference with individual rights. Declarations painted very detailed pictures of the lives of the declarer (and their families), which intruded upon their privacy and exposed them to (for example) risks of targeted advertising. There were no safeguards in place against such prejudicial outcomes (see [105]).
  • Therefore, while combatting corruption was an important objective, and while the balance of competing interests may pan out differently depending on the individual in question and on the particular environment in any given country, a proper balance had not been struck here (at [112]).

How does this cash out?

The CJEU plainly considered the Law – and particularly its publication requirement – to mandate processing activities that contravened the GDPR. But it is important to note that the CJEU did not strike down the Law (and was not tasked with doing so). Instead, the upshot was this: the Chief Ethics Commission sought to rely on Articles 6(1)(c) (legal obligation( and (e) (public interest task/official function) GDPR as its lawful processing conditions for publishing the declarations, but it was unable to do so. This is because Article 6(3) dictates that, in order to rely on those conditions, the processing must be based on EU law or on Member State law to which the controller is subject, and that legal basis must meet an objective of public interest and be proportionate to the legitimate aim (which was not the case here).

So the takeaway for a controller relying on the Article 6(1)(c) or (e) processing conditions is to satisfy yourself that the basis in law that underpins your reliance on those conditions meets the Article 6(3) tests. In other words, just because there is a law apparently authorising your processing does not mean that you will automatically be home and dry under Articles 6(1)(c) or (e). If the law you’re relying on authorises or requires outcomes that are (for example) disproportionate, your lawful processing conditions may be on shaky ground, as happened in the OT case.

Special category data

There is one further interesting point from OT. The details of the declarations that were published did not say anything explicit about individuals’ sexual orientation, but they did tend to contain details of the identifiable persons with whom the declaring individuals were in relationships, or with whom they cohabited. Could this be said to be information “revealing” or “concerning” sexual orientation, such as to constitute special category data under Article 9(1) GDPR? The issue, as the CJEU saw it, was “whether data that are capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction fall within the special categories of personal data” (at [120]).

Answer: yes, an inference can suffice, because a more restrictive approach – i.e. that data is only special category data if it directly conveys Article 9(1) information – would not further the protective purposes behind the GDPR generally and Article 9(1) specifically.

For UK readers, that approach now sits alongside the approach of (i) the Upper Tribunal in Colenso-Dunne v Information Commissioner [2015] UKUT 0471 (AAC) at [46]: the ‘special category data’ question has to be answered “in the immediate context of the information in question” (without looking at extraneous sources that might piece the jigsaw together) (at [46]), and (ii) the High Court in Aven v Orbis Business Intelligence Ltd [2020] EWHC 1812 (QB) (see [41]: ask yourself how the “ordinary reader” would construe the information.

Robin Hopkins