On August 1, 2022, the CJEU issued its ruling in Case 184/20 (OT v Vyriausioji tarnybinės etikos komisija) following a referral from the Lithuanian Regional Administrative Court. In this ruling, the CJEU elected to interpret the GDPR very broadly in a judgment that is likely to have a significant impact for organisations processing personal data.

The case arose from a question concerning the application of Lithuanian law requiring people in receipt of public funds to file declarations of interest. Those declarations, including information about the interests of the individual’s “spouse, cohabitee or partner”, were published online. Here, the applicant had failed to file a declaration and was sanctioned. In the first place, the CJEU found that the underlying law did not strike a proper balance between the public interest in preventing corruption and the rights of affected individuals.

On its own, this would not necessarily be controversial. However, the CJEU went on to note that because it is possible to deduce information about an individual’s sex life or sexual orientation from the name of their partner, publishing that information online involves processing special category data subject to Article 9 GDPR.

Specifically, the CJEU found that the processing of any personal data that are “liable indirectly to reveal sensitive information concerning a natural person”, i.e. any information that may reveal a person’s racial or ethnic origin, religious or philosophical beliefs, political views, trade union membership, health status or sexual orientation, is subject to the prohibition from processing under Article 9(1) GDPR, unless an exception under Article 9(2) applies.

The practical implications of this judgment could be significant. It is conceivable that common processing operations, such as publishing a photo on a corporate social media page, could reveal some information that is protected under Article 9. Controllers may now need to review their processing operations through a contextual lens to assess whether the data being processed and the manner of processing is liableto reveal any sensitive information.

Unhelpfully, the judgment is not clear how far controllers will need to go to make this assessment. For example, it may be arguable that if a controller does not make personal data public, and it implements policies that prohibit employees from making inferences, then information is not liable to reveal special category data, but this is not certain. An alternative interpretation might result in a much greater amount of data subject to Article 9. Regulatory guidance on how controllers can comply would now be welcome, and to resolve the tension with, for example, the EDPB’s existing guidelines on processing data through video devices, which state that video footage will only be special category data if it is actually used to deduce special category data.  

***

The Covington team will keep monitoring the developments on this issue, including any regulatory guidance released in response to the judgment, and is happy to assist with any inquiries on the topic.

Photo of Paul Maynard Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online…

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Siobhán O’Shea

With multi-jurisdictional experience, Siobhán O’Shea advises clients on a range of data protection, information technology, e-commerce and freedom of information issues under EU, Irish, and UK law. Siobhán also advises on a variety of technology regulatory and policy issues and developments in the…

With multi-jurisdictional experience, Siobhán O’Shea advises clients on a range of data protection, information technology, e-commerce and freedom of information issues under EU, Irish, and UK law. Siobhán also advises on a variety of technology regulatory and policy issues and developments in the EU and the UK.