Sensitive data and special categories of data: six of one and half a dozen of the other?
Legal Watch No. 43 – January 2022
When dealing with data relating to health or to political or religious opinions, the qualification that immediately comes to mind is that of "sensitive data", which require special protection within the meaning of the European General Data Protection Regulation (GDPR).
The CNIL also classifies sensitive data on its website as "special categories of data" regulated by the GDPR.
Does this mean that these two notions are the same?
The question matters because the interpretation adopted determines which series of legal provisions binds the data controller.
The GDPR specifies that “personal data which are, by their nature, particularly sensitive from the point of view of fundamental freedoms and rights deserve specific protection, because the context in which they are processed could give rise to significant risks for these freedoms and rights.”
A number of categories of sensitive data have been explicitly identified, and their processing is prohibited except under the exceptions specified in Article 9 of the GDPR.
These are the special categories of data: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.
Given the risks, particularly of discrimination, raised by the processing of such data, the European Regulation requires increased accountability of data controllers and careful use of data in compliance with the exceptions provided for by law.
These exceptions mainly concern vital interests or substantial public interests, which are more likely to justify such an intrusion.
It should be noted that other data sometimes also described as sensitive, but not included in the list in Article 9 of the GDPR, are likewise subject to specific protection.
The notion of sensitive data is thus sometimes considered, for example in the official documents of the British and Belgian data protection authorities, as informally covering a wider set of data whose processing may be considered particularly harmful to the persons concerned.
In addition to the special categories of data in Article 9, data relating to criminal convictions and offences (Article 10), but also telecommunications data or unique identifiers may also be subject to specific protection measures, in the context of the GDPR or the ePrivacy Directive.
The appointment of a data protection officer (DPO), the keeping of a record of processing activities and the carrying out of data protection impact assessments thus apply both to the special categories of data of Article 9 and to the criminal conviction and offence data of Article 10 of the GDPR (in the event of large-scale processing of such data).
To avoid any misunderstanding, it is advisable to use the terms of the GDPR itself and to refer either to the special categories of data provided for in Article 9, or to the other provisions of the GDPR which protect other specific data, and thus clearly identify the applicable principles.
Even within special categories of data, determining what falls within the scope of the GDPR can sometimes be a challenge.
While the results of a medical test indisputably fall into the category of health data, other, less obvious information may also fall there, outside the framework of health professionals and care pathways.
Consider, for example, the data recorded by a connected watch that analyses heart rate or possible sleep disorders.
Such data, once transmitted to and analysed online by a third party, is subject to the strict framework of Article 9 of the GDPR.
The situation is different if the information remains stored on the user's device and is accessible only to the user.
Besides the nature of the data, the determining element is the context in which this data will be processed, and the information that will be deduced from it.
Thus, a photo can reveal the skin color of the person photographed, and also constitute biometric data.
A surname can be used to infer, with some degree of probability, the ethnic origin of the person concerned.
These “raw” data are not, however, special categories of data.
Depending on the purposes for which they are processed, they may become so.
A file classifying people, listed by name, according to their probable ethnic origin will be prohibited (subject to the exceptions set out in Article 9 of the GDPR), even if the accuracy of the inferences is not guaranteed.
Similarly, the GDPR specifies (Recital 51) that "the processing of photographs should not systematically be considered as constituting the processing of special categories of personal data, given that these only fall within the definition of biometric data when they are processed using a specific technical method allowing the unique identification or authentication of a natural person."
The scope of the provisions concerning special categories of data is therefore both broad and subject to interpretation depending on the context of the processing.
In case of doubt, the discriminatory nature of this information and the purpose pursued are useful elements of assessment.
And also
France:
On 30 December, the Council of State (Conseil d'État) dismissed as unfounded the appeal by Quadrature du Net and other applicants against a decree of 27 March 2020 concerning the DataJust database.
This database provides for the algorithmic processing of court decisions, including sensitive data, in order to facilitate the assessment of compensation in matters of civil and administrative liability.
On 28 January, the Council of State also rejected the appeal by Google LLC and Google Ireland Limited against the CNIL decision of December 2020 imposing a fine of 100 million euros on those companies for the unlawful use of cookies.
This decision confirms the CNIL's authority to impose this type of sanction on companies established in other European countries, and confirms the proportionality of the sanctions.
The Official Journal of 26 December 2021 published a decree authorising the creation of a file intended to combat ransomware, called "MISP-PJ".
This file will store for six years the data of people who are victims of computer attacks as well as technical information concerning the attack and its perpetrator.
In a ruling dated 10 November, the Court of Cassation held that evidence obtained in breach of an employee's right to privacy may nevertheless be admitted in court.
Even where the processing that enabled the covert monitoring of employees is unlawful, it is for the judge to balance the right to evidence against the employee's rights and to verify, case by case, whether the fairness of the proceedings is respected.
Europe:
Google Analytics is in the crosshairs of several data protection authorities:
- The Austrian authority has just decided that its use does not comply with the GDPR requirements on international data transfers, as interpreted by the Court of Justice of the European Union in its Schrems II ruling.
- The European Data Protection Supervisor has sanctioned the European Parliament on the same basis for unlawfully transferring data to the United States.
- The Dutch authority, which is handling two complaints concerning Google Analytics, warns that its use may be unlawful, and the Norwegian authority announced on 26 January that it is also examining the matter.
The issue of transfers to the United States is also at the heart of the decision of the Munich Regional Court (Landgericht München) of 20 January: when a web page loads fonts from Google Fonts, the visitor's IP address is automatically transmitted to the United States.
The court considered this transfer illegal and awarded compensation of €100 to the plaintiff.
On 20 January, the European Data Protection Supervisor issued an opinion on the draft regulation on political advertising.
In this opinion, it recommends a total ban on micro-targeting in political advertising, i.e. the practice of seeking to influence specific groups of voters on the basis of their online profile.
It also advocates restrictions on the categories of data that can be used for such marketing purposes.
On 27 January, the European Commission and the network of national consumer protection authorities sent a letter to WhatsApp demanding that the company inform users more clearly about the terms of use of their data.
The company is asked to specify the changes made to its general conditions, its data protection policy, and to comply with European law.
The European Institute of Innovation and Technology (EIT) published a tool on January 20 designed to promote the use of artificial intelligence by European companies.
The "artificial intelligence maturity tool" should allow companies to assess their degree of readiness for the use of AI, in compliance with the European legal framework.
On 15 December 2021, the European Commission launched a consortium project to support the development of next-generation technologies.
Called the "European Alliance for Industrial Data, Edge and Cloud," the consortium takes over from the Gaia-X project and is also open to foreign companies, provided they comply with European security requirements (intellectual property, procurement, information) and the European Union's key objectives in this area.
At its plenary session on 18 January, the European Data Protection Board adopted guidelines on individuals' right of access to their data.
In response to calls for a uniform interpretation of the rules on the use of cookies, the Board also announced the creation of a task force on the subject.
In its judgment of 25 November 2021, the Court of Justice of the European Union held that, in the context of a free messaging service financed by advertising, advertising automatically displayed in a user's electronic inbox can be regarded as direct marketing by email, and is therefore subject to the user's prior consent as provided for in the European ePrivacy Directive.
The Italian data protection authority has imposed several corrective measures and a fine of more than 26 million euros on Enel Energia for the unlawful processing of the data of millions of users for telemarketing purposes.
The Norwegian Data Protection Authority has fined the Public Roads Administration €400,000 for the improper retention of data concerning toll crossings.
In Portugal, the data protection authority fined the city of Lisbon €1,250,000 for sharing the personal and sensitive data of protesters with third parties, including the embassies and foreign ministries of the countries targeted by the protests.
Bavaria's highest administrative court has ruled that the requirement for unvaccinated students to present a negative COVID-19 test certificate or to undergo an on-site test is justified by Article 9(2)(i) of the GDPR, which permits the processing of sensitive data for reasons of public interest in the area of public health.
International:
The Conference of German Data Protection Authorities published a report dated 15 November summarising the findings of an analysis by Professor Stephen I. Vladeck of the legal framework for surveillance measures in the United States.
It contains useful information on the conditions under which US law applies to European companies and their subsidiaries.
Also in the United States, four attorneys general accuse Google of deceiving its users by continuing to track those who had changed their tracking preferences and refused the collection of their data.
The lawsuits were filed by Texas, Washington, Indiana and the District of Columbia.
Anne Christine Lacoste
Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.