As most of Europe is swaying into an unusually warm summer recess, the Court of Justice of the European Union is turning up the heat for privacy professionals. On 1 Aug., it issued a preliminary ruling on a couple of questions of legal interpretation referred by a Regional Administrative Court in Lithuania and pertaining to the processing of sensitive data under Article 9(1) of the EU General Data Protection Regulation and Article 8(1) of Directive 95/46.
The key question at stake for privacy pros was if these articles should be interpreted as meaning the online publication "of personal data that are liable to disclose indirectly the political opinions, trade union membership or sexual orientation of a natural person constitutes processing of special categories of personal data, for the purpose of those provisions.”
The court ruled the interpretation should indeed be so broad as to recognize that “it is possible to deduce from the name-specific data relating to the spouse, cohabitee or partner of the declarant certain information concerning the sex life or sexual orientation of the declarant and his or her spouse, cohabitee or partner.” It considered not only the wording of the legislation but also its context and objectives to determine that “data that are capable of revealing the sexual orientation of a natural person by means of an intellectual operation involving comparison or deduction fall within the special categories of personal data.”
One cannot help but wonder where the natural stopping point of this reasoning lies, as one considers what constitutes “an intellectual operation involving comparison or deduction” (though leaving aside the fact that comparison and deduction do not necessarily lead to truth or fact).
A few other things I picked up this week:
- In case you want to refresh your knowledge on the EU Data Strategy, the IAPP is digesting new legislative acts for you. We are starting this series with a primer on the Data Governance Act, giving you a sneak peek of the legislation’s objective, material and territorial scope, main requirements, enforcement, and oversight structure.
- The European Data Protection Supervisor and European Data Protection Board issued a joint opinion on the European Commission’s proposal on preventing and combating child sexual abuse. The proposal issued 11 May aims to move from the current system of voluntary detection and reporting by companies to mandatory requirements for providers to do assessment and risk mitigation, as well as detection, reporting and removal of child sexual abuse material on their services. The EDPS and EDPB jointly expressed concerns that the proposed approach is not targeted enough and “could become the basis for a generalized and indiscriminate scanning of content of virtually all types of electronic communications.”
- The European Commission published its first report on the application and functioning of the Data Protection Law Enforcement Directive (EU) 2016/680 (LED), following its adoption in 2016. The 38-page report concludes that, overall, the transposition of the Directive in the EU member states has been “satisfactory.” It highlights some outstanding issues, including some that have led to infringement proceedings. At this stage, the commission excludes a revision of the LED but the report does list a number of actions expected by member states, DPAs and the EDPB to improve its implementation.