Landmark CJEU judgment confirms broad interpretation of special categories of personal data and provides a balancing tool for conciliation of transparency in public service and privacy : Case C 184/20 “OT v Vyriausioji tarnybinės etikos komisija”
E-Bulletin No: 05/2023
Case Background
The case primarily emerged from a Lithuanian anti-corruption law which requires natural persons working in the public service, or establishments receiving public funds to fill in a declaration of interests which would be published on the Chief Ethics Commission's website, as the controller, making such information publicly and widely accessible online. Such disclosure is designed to favour transparency and prevent conflict of interests in the public sector.
Article 6 of the Law on the reconciliation of interests, headed ‘Content of the declaration’, states:
1. The declarant shall set out in his or her declaration the following data concerning the declarant and his or her spouse, cohabitee or partner:
(1) forename, surname, personal identification number, social security number, employer(s) and duties;
(2) legal person of which the declarant or his or her spouse, cohabitee or partner is a member;
(3) self-employed activity, as defined in the Law on personal income tax;
(4) membership of undertakings, establishments, associations or funds and the functions carried out, with the exception of membership of political parties and trade unions;
(5) gifts (other than those from close relatives) received during the last 12 calendar months if their value is greater than EUR 150;
(6) information about transactions concluded during the last 12 calendar months and other current transactions if the value of the transaction is greater than EUR 3000;
(7) close relatives or other persons or data known by the declarant liable to give rise to a conflict of interests.
Law also prescribes that data set out in the declarations of elected representatives and persons occupying certain public service positions shall be public and be published on the website of the [Chief Ethics Commission] in accordance with the detailed rules laid down by it.
OT, a director of an establishment under Lithuanian law in receipt of public funds, did not comply with this requirement. OT argued that as a non-governmental organisation they do not fall under this category as the activities that they carry out are independent from public authorities. More importantly, they also argued that it would adversely affect the right to respect for private life of the persons whom they would be required to mention in the declaration.
The Regional Administrative Court in Vilnius, Lithuania decided to stay proceedings and refer the following questions to the CJEU for a preliminary ruling:
1. Whether the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, with regard to the requirements laid down in Article 6(3) of the GDPR, including the requirement that the Member State law must meet an objective of public interest and be proportionate to the legitimate aim pursued, and also with regard to Articles 7 and 8 of the EU Charter of Fundamental Rights (the "Charter"), be interpreted as meaning that national law may not require the disclosure of declarations of private interests and their publication on the website of the controller, thereby providing access to those data to all individuals who have access to the internet; and
2. Whether the prohibition of the processing of special categories of personal data under Article 9(1) of the GDPR, especially with regards to the question of 'necessary for public interest' and 'proportionate to the aim pursued' must respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject - such that it is interpreted as meaning that national law may not require the disclosure of data relating to declarations of private interests which may disclose personal data, including data which make it possible to determine a person's political views, trade union membership, sexual orientation and other personal information, and their publication, providing access to those data to all individuals who have access to the internet.
The main objective of Directive 95/46 (the "Directive") is that of ensuring a high level of protection of the fundamental rights and freedoms of natural persons with respect to the processing of personal data, primarily when read in conjunction to the GDPR and that right is also recognised in Article 8 of the Charter and is closely connected to the right to respect for private life, enshrined in Article 7 of the Charter.
Within the meaning of Article 2(a) of the Directive and Article 4(1) of the GDPR, information on natural persons which can be identified by their forename and surname and is intended to be published on the Chief Ethics Commission's website, constitutes personal data. And the fact that that information was provided in the context of the declarant’s professional activity does not mean that it cannot be so characterised (judgment of 9 March 2017, Manni, C 398/15, EU:C:2017:197, paragraph 34 and the case-law cited). Furthermore, the operation of loading personal data on an internet page constitutes processing, within the meaning of Article 2(b) of Directive 95/46 and Article 4(2) of the GDPR (see, to that effect, judgment of 1 October 2015, Weltimmo, C 230/14, EU:C:2015:639, paragraph 37), in respect of which the Chief Ethics Commission is the controller, within the meaning of Article 2(d) of Directive 95/46 and Article 4(7) of the GDPR (see, by analogy, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C 439/19, EU:C:2021:504, paragraph 101).
Article 7 of Directive 95/46 and the first subparagraph of Article 6(1) of the GDPR set out an exhaustive and restrictive list of the cases in which processing of personal data can be regarded as lawful. Thus, in order to be capable of being regarded as such, processing must fall within one of the cases provided for in those provisions (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C 439/19, EU:C:2021:504, paragraph 99 and the case-law cited).
Under Article 7(e) of the Directive and point (e) of the first subparagraph of Article 6(1) of the GDPR, processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller is lawful.
Article 6(3) of the GDPR specifies, in respect of those two situations where processing is lawful, that the processing must be based on EU law or on Member State law to which the controller is subject, and that that legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued. Since those requirements constitute an expression of the requirements arising from Article 52(1) of the Charter, they must be interpreted in the light of the latter provision and must apply mutatis mutandis to Article 7(c) and (e) of Directive 95/46.
However, the legal basis must meet an objective of public interest and be proportionate to the legitimate aim pursued. the CJEU highlighted that the fundamental rights to respect for private life and to the protection of personal data, guaranteed in Articles 7 and 8 of the Charter, are not absolute rights, but must be considered in relation to their function in society and be weighed against other fundamental rights. Limitations may therefore be imposed, so long as, in accordance with Article 52(1) of the Charter, they are provided for by law, respect the essence of the fundamental rights and observe the principle of proportionality. Under the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others. They must apply only in so far as is strictly necessary and the legislation which entails the interference must lay down clear and precise rules governing the scope and application of the measure in question (judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C 439/19, EU:C:2021:504, paragraph 105 and the case-law cited). Additionally, seriousness of that interference must be weighed against the importance of the objectives of preventing conflicts of interest and corruption in the public sector. The nature of the personal data at issue, in particular any sensitive information in those data, as well as the nature and specific methods of processing the data, in particular the number of people with access to those data and the methods of accessing them, must all be taken into consideration in determining how serious that interference is.
It follows from the foregoing considerations that the processing of personal data pursuant to the Law on the reconciliation of interests is intended to meet objectives of general interest recognised by the European Union, within the meaning of Article 52(1) of the Charter, and objectives that are of public interest and therefore legitimate, within the meaning of Article 6(3) of the GDPR.
That being so, it must be ascertained whether the placing online, on the Chief Ethics Commission’s website, of part of the personal data contained in the declaration of private interests that any head of an establishment receiving public funds is required to lodge with that authority is appropriate for achieving the objectives of general interest defined in Article 1 of the Law on the reconciliation of interests and does not go beyond what is necessary in order to achieve those objectives
As regards the requirement of necessity, it is apparent from recital 39 of the GDPR that that requirement is met where the objective of general interest pursued cannot reasonably be achieved just as effectively by other means less restrictive of the fundamental rights of data subjects, in particular the rights to respect for private life and to the protection of personal data guaranteed in Articles 7 and 8 of the Charter, since derogations and limitations in relation to the principle of protection of such data must apply only in so far as is strictly necessary (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C 439/19, EU:C:2021:504, paragraph 110 and the case-law cited). Consequently, it should be ascertained in the present instance whether the objective of preventing conflicts of interest and corruption in the public sector by reinforcing the probity and impartiality of public officials might reasonably be achieved just as effectively by other measures less restrictive of the rights to respect for private life and to the protection of personal data of heads of establishments receiving public funds.
That assessment must be carried out in the light of all the matters of fact and law specific to the Member State concerned – such as the existence of other measures designed to prevent conflicts of interest and combat corruption, and the scale of such conflicts and of the phenomenon of corruption within the public service – and of the nature of the information at issue and the importance of the duties carried out by the declarant, in particular his or her hierarchical position, the extent of the powers of public administration with which he or she may be vested and the powers that he or she has in relation to the commitment and management of public funds.
Finally, in any event, it is to be borne in mind that the condition relating to the necessity of processing must be examined in conjunction with the ‘data minimisation’ principle, enshrined in Article 6(1)(c) of Directive 95/46 and Article 5(1)(c) of the GDPR, under which personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (see, to that effect, judgment of 11 December 2019, Asociaţia de Proprietari bloc M5A ScaraA, C 708/18, EU:C:2019:1064, paragraph 48).
According to the CJEU, whilst, with a view to preventing conflicts of interest and corruption in the public sector, it may be appropriate to require information enabling the declarant to be identified and information relating to the activities of the declarant’s spouse, cohabitee or partner to be set out in the declarations of private interests, the public disclosure, online, of name-specific data relating to the spouse, cohabitee or partner of a head of an establishment receiving public funds, and to close relatives, or other persons known by the declarant, liable to give rise to a conflict of interests, seems to go beyond what is strictly necessary. As the Advocate General has observed in point 66 of his Opinion, it does not appear that the objectives of public interest pursued could not be achieved if, for the purposes of publication, reference were solely made generically to a spouse, cohabitee or partner, as the case may be, together with the relevant indication of the interests held by those persons in relation to their activities.
In the present instance, first, the public disclosure, online, of name-specific data relating to the declarant’s spouse, partner or cohabitee, or to persons who are close relatives of the declarant, or are known by him or her, liable to give rise to a conflict of interests, and mention of the subject of transactions the value of which is greater than EUR 3000 are liable to reveal information on certain sensitive aspects of the data subjects’ private life, including, for example, their sexual orientation. Furthermore, since it envisages such public disclosure of name-specific data relating to persons other than the declarant in his or her capacity as a public sector decision maker, the processing of personal data that is provided for in Article 10 of the Law on the reconciliation of interests also concerns persons who do not have that capacity and in respect of whom the objectives pursued by that law are not imperative in the same way as for the declarant.
The seriousness of such an infringement may still be increased by the cumulative effect of the personal data that are published as in the main proceedings, since combining them enables a particularly detailed picture of the data subjects’ private lives to be built up (see, to that effect, Opinion 1/15 (EU-Canada PNR Agreement) of 26 July 2017, EU:C:2017:592, paragraph 128).
Uploading personal data of declarants and their spouse, cohabitee or partner, and relatives’ data on the internet is liable to enable those data to be freely accessed by persons who, for reasons unrelated to the objective of general interest of preventing conflicts of interest and corruption in the public sector, seek to find out about the personal, material and financial situation of the declarant and the members of his or her family (see, to that effect, judgment of 22 June 2021, Latvijas Republikas Saeima (Penalty points), C 439/19, EU:C:2021:504, paragraph 118).
Thus, as the Advocate General has observed in point 78 of his Opinion, publication of those data is liable, for example, to expose the persons concerned to repeated targeted advertising and commercial sales canvassing, or even to risks of criminal activity.
For the reasons mentioned above, the CJEU has found that the publication of personal data of public officials and their spouses and relatives on the internet, which is accessible to everyone, constitutes a disproportionate interference with declarant’s private life and his/her right to protection of personal data.
There has been ongoing discourse on whether certain sensitive data “inferred” from personal information can be considered to fall within the definition of special category data under GDPR. In its ruling, the CJEU held that data which could “by means of an intellectual operation involving comparison or deduction” reveal a person’s sexual orientation, is special category data and so the general prohibition for processing such data applies. In the case being considered by the CJEU, publication of a spouse or partner’s name was considered to be processing of special category data.
Notably, a person’s name is not listed as special category data under the GDPR. The matters before the court essentially turn on the word “reveal” in the definition of special category data under Article 9. By publishing the name of an individual’s spouse, this could reveal data concerning a natural person’s sex life or sexual orientation, albeit indirectly. The judgment confirms that inferred data is personal data. Indeed, the judgment considered not only the wording of Article 9, but also to its purpose or intent – to ensure the highest level of protection for the categories of personal data which, when processed, pose the highest risk to the rights and fundamental freedoms of data subjects.
Case Implications
Through this ruling, the CJEU has adopted its general view of widening concepts in such a way that personal data about one person, like the name or gender, can also reveal personal data about another person. Therefore, the abovementioned personal data factors can emerge not only from the data subject himself, but also from people connected to such person.
The CJEU has settled an issue in respect of which European supervisory authorities had adopted contrasting positions. the decision will certainly have significant effects and consequences in terms of the opposing opinions among EU member states' data protection authorities on the interpretation of data categorized as sensitive personal data. Indeed, in previous investigations of the Spanish and Norwegian data protection authorities on the application known as GRINDR, different perspectives on the qualification of data that could potentially reveal sensitive personal data indirectly were adopted, resulting in different results in the application of the Union law in member states
The CJEU's judgement can also be broadened to influence other forms of online processing in any context where Article 9 of the GDPR is applicable, as it extends the concept of 'revealing'. This includes, for example, location data indicating places of worship, or dating apps where sensitive inferences can be made about individuals.
Public or private actors who process personal data are now required to review their existing processing activities to consider whether any personal data processed by it could be considered to indirectly reveal information concerning the data subject’s health, sex life or religious beliefs, among other categories of sensitive data. Unless an exemption to the general prohibition on processing such information can be identified, such processing may be unlawful.
The implications for industries, such as targeted advertising, which are built on inferred data or data from which inferences can be drawn, such as location data, is obvious. Processing of location data that reveals a person’s regular visits to a church or mosque, which is capable of revealing religious beliefs could now be subject to a general prohibition under GDPR. There are implications for all industries, however, with every organisation processing personal data now required to re-evaluate its processing activities. Indeed, simply asking an employee, passenger or an event attendee about their dietary requirements, could result in the processing of data that could infer religious belief or health data.
It should be born in mind that sensitive data (special categories of personal data) are subject to a much higher level of protection under GDPR. Paragraph 1 of article 9 prohibits the processing of sensitive data, whilst paragraph 2 lays down exceptions to this prohibition in certain circumstances. In addition to those outlined in Article 9 of the regulation, the processing of sensitive data may have consequences for other GDPR obligations, such as Article 27 regarding the obligation to appoint a Data Protection Officer or Article 35 on the obligation to conduct a Data Protection Impact Assessment. It is possible to predict that, considering the CJEU's interpretation of the regime to which data that indirectly reveals sensitive personal data will be subjected, a much broader range of data will be affected by these legal consequences.
DISCLAIMER: The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Whilst all efforts have been used to present the information accurately, we make no representations and provide no warranties to that effect or to its reliability. Readers must obtain their own independent advice. This publication may be used by third parties, provided that so long as this is done in a manner that is not misleading and the source is properly quoted.