History unapologetically indicates there’s only so much privacy lawmakers, academics, and practitioners can agree on. And that’s tough. But there’s a sweet spot many of us are inclined to opt into: Sensitive data needs stronger protections than regular personal data. But if that’s true, what’s sensitive? In the U.S., it often includes things like geolocation data or financial account information. While the EU’s rules for sensitive data tend to be stricter than those in the U.S., the GDPR only considers protected class information and health information sensitive.
Or it did. Until Europe’s Highest Court declared it’s throwing some shade on those definitions’ rigidity. Now, you may need to take a pause on what you’re considering “sensitive” data at your organization and how to treat it. Here’s what happened.
What did the EU ruling say?
On Aug. 1, the European Court of Justice took on a case against Lithuania’s Chief Ethics Commission. As part of its efforts to combat corruption, the Commission created a registry in which certain politicians, public servants, and their spouses – that’s the important part – were required to declare any private investments. The reasoning: That database would make it more difficult for nefarious opportunists to skew public policy to favor the companies in which they’d invested.
Under the GDPR, this all sounds fine at first glance. Yawn. Afer all, spouses’ names aren’t sensitive data. And any investment portfolio details aren’t all that interesting in privacy. But the court ruled that even if spouses’ names weren’t technically considered sensitive under the law, maintaining a list of which politicians are married to which individuals would make it pretty easy to guess the sexual orientation of politicians, which is sensitive personal information under the GDPR. If Fiona is married to Mary, you’re probably able to infer the couple’s sexual orientation.
It’s a bit wild to watch a law meant to guard personal privacy undermining an anti-corruption initiative. But when courts hash out litigants’ privacy concerns, sometimes unintended consequences result.
How to prepare your business for the new norm
The court’s ruling changes the game for businesses. Up until now, businesses have only worried about following the GDPR’s sensitive data rules when they’re actively seeking to ingest that sort of data. But now, if regular personal data (like an IP address) helps you infer someone’s protected class status or health history, that regular personal data becomes sensitive data in the eyes of the EU.
For example, you might assume a video recording of a bar mitzvah service’s parking lot doesn’t contain sensitive data. But if the security camera operator can deduce Jewish people own those cars, then the license plate numbers are now sensitive data in the eyes of the EU.
For your business, this means two things. First, you need to build into every privacy review an analysis of whether innocuous data you collect or collected for a feature could be misused to make inferences about protected class or health information (considered sensitive in Europe). Review your current ROPAs to understand which inferences could most likely be derived from existing data, and determine whether any additional safeguards are necessary as a result.
Second, if your business caters to a specific demographic community (like trade union members, or members of a particular religion or ethnicity), you (now) may need to consider that data de facto sensitive.
What comes next?
We’ll want to stay on top of any EDPB guidance that comes out in light of this decision, or if DPAs start dedicating more firepower to fining companies for failing to sufficiently safeguard innocuous data from which sensitive inferences could be derived. And we’ll want to see if this European decision ricochets across the pond – if American privacy agencies kick off more investigations into how companies infer traits of data subjects, this would suggest that this ruling may command influence outside of European shores.