Sensitive data: a particularly broad scope of application
Legal Watch No. 50 – August 2022.
It can be difficult to assess whether the data you are collecting is sensitive or not, and to decide whether this data requires specific protection under the GDPR.
We echoed these difficulties of interpretation in our editorial last February.
In a judgment of 1 August 2022, the Court of Justice of the European Union has just clarified the scope of the notion of sensitive data, or to be exact, of special categories of data.
And according to the Court, this scope is particularly broad.
It should be remembered that Article 9 of the GDPR applies to data revealing the alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
The ruling in question concerns the provisions of a Lithuanian law aimed at combating corruption, which requires certain public sector workers to declare their private interests as well as information about their spouses and families, almost all of which will be made public on the internet.
Following the opposition of a person concerned by this obligation, the Court was required to rule:
- On the necessity of online disclosure of data relating to the spouse
- On whether these data concerning the spouse should be considered sensitive data within the meaning of Article 9 of the GDPR, because they allow information to be deduced about the sexual orientation of the persons concerned.
The Court considers firstly that the online dissemination of these data does not appear necessary for the intended objective of combating corruption, and then specifies that the concept of sensitive data must be interpreted broadly.
Until now, some questions have persisted about the difference in the terms used in the wording of Article 9, which governs on the one hand data that "reveal" political opinions, trade union membership, etc., and on the other hand data that "concern" health or sexual orientation.
The Court considers that all special categories of data must be interpreted broadly, with respect for the context and other provisions of the GDPR.
It thus includes, in this case, data which are likely to reveal, by an intellectual operation of comparison or deduction, the sexual orientation of a natural person.
This ruling could have a significant impact on the scope of the obligations of those responsible for processing "potentially" sensitive data.
The CNIL seems to have had, until now, a more restrictive interpretation of these obligations: it indicated last January that "the mere act of photographing or filming an image from which it is possible that certain elements may allow personal data to be deduced constituting sensitive data does not in itself constitute processing of sensitive data (…). It is only if these images are processed in order to extract, interpret or use said sensitive data that the processing will be considered as falling under the regime for processing sensitive data."
A determining element in the Court's reasoning seems to be the fact that the data are publicly accessible: from that moment on, anyone can collect the data, deduce sensitive information from it, and process it for a purpose completely unrelated to the original purpose, with the consequences that one might fear for the persons concerned.
It should also be remembered that the deductions made from the available data do not need to be correct to fall within the requirements of the GDPR: what matters is not whether the conclusions are valid, and erroneous deductions can have even more damaging consequences for the data subjects.
This decision is expected to impact data controllers who process data on a large scale and profile Internet users, particularly in the context of social networks, by making explicit consent necessary.
Finally, let us add that future regulations for digital services and digital markets provide for a ban on the use of sensitive data for advertising targeting.
Combined with the CJEU's broad interpretation of sensitive data, we can envisage a restriction of behavioral advertising at European level that is more severe than expected.
And also
France:
ACCOR has just been fined 600,000 euros for having carried out commercial prospecting without the consent of the persons concerned and for not having respected the rights of customers and prospects.
The booking forms included a pre-checked option by default, providing for the automatic sending of a newsletter to customers containing commercial offers from partners.
The CNIL also noted repeated technical anomalies that prevented many people from refusing to receive messages.
The CNIL's decision was subject to a cooperation procedure with the authorities of other EU countries in which the ACCOR group processes data, at the end of which the European Data Protection Committee ordered the CNIL to increase the amount of the fine so that the measure taken would be more dissuasive.
Among the elements taken into consideration are the number of breaches, the fact that these breaches relate to several fundamental principles of the protection of personal data and constitute a substantial infringement of the rights of individuals, as well as the number of individuals concerned and the financial situation of the company.
In August, it became impossible to connect to France Connect with your Ameli credentials, the connection button having been deactivated by Bercy.
The cause is a resurgence of phishing attacks using these credentials. The Directorate General of Public Finance is reportedly working to secure France Connect and plans to gradually transition the most sensitive procedures, particularly those allowing access to financial payments, to more secure identification services.
On August 25, the NGO noyb.eu filed a complaint against Google with the CNIL.
Google is accused of ignoring the European Court of Justice (ECJ) ruling on direct marketing emails and using its Gmail email platform to send unsolicited advertising emails without users' valid consent.
French adtech giant Criteo could be fined €60 million as part of an investigation opened by the CNIL.
This is a preliminary decision at this stage, made public on August 5 by the organization that filed the complaint, Privacy International.
Europe:
The EU's spyware investigation powers were criticized during a parliamentary hearing on Tuesday, August 30, during which a Europol representative said that the agency's mandate was limited to supporting member states that chose to launch an investigation.
To date, at least 14 European governments are known to have purchased spyware from the NSO Group, which created the Pegasus spyware, and experts believe many other vendors operate in the EU.
Former Twitter security chief Peiter "Mudge" Zatko filed a lawsuit against the company, which was recently made public.
The document details a series of damning allegations on security, privacy, and data protection issues (among others), as well as claims that Twitter had misled or intended to mislead regional watchdogs about its compliance with local laws.
The Irish and French supervisory authorities have taken up the case.
The Irish Data Protection Commission has fined social media platform Instagram, owned by Meta, €405 million for GDPR violations.
The fine is the second largest under the GDPR after a €746 million penalty against Amazon, and the third for a company owned by Meta imposed by the Irish regulator.
The ruling targets Instagram's violation of children's privacy, including the publication of children's email addresses and phone numbers.
The Higher Regional Court of Cologne (OLG Köln) awarded €500 to an individual for the delay by a data controller in providing the requested information in accordance with Article 15, paragraph 1, of the GDPR (via GDPRhub).
In a similar case, the Italian DPA fined Deutsche Bank €20,000 for failing to respond in a timely manner to a data subject's access request (via GDPRhub).
The Greek DPA has fined a medical diagnostic center €30,000 for violating the principle of data integrity and confidentiality: the center had lost mammogram images due to insufficient technical and organizational measures.
In addition to the fine, the DPA ordered the center to communicate the violation to the data subjects (via GDPRhub).
The Spanish Supreme Court has ruled that the exercise of an individual's rights with the data controller (Articles 15 to 22 of the GDPR) is not a prerequisite for filing a complaint with a data protection authority: the latter can act even if the data subject has not first contacted the controller (via GDPRhub).
In Switzerland, a new data protection law will come into force on September 1, 2023.
Some commentators note that several principles would be less restrictive than those of the GDPR, notably those relating to consent and the DPO.
The security requirements, on the other hand, are particularly detailed.
International:
European entities may be within the scope of the Cloud Act even if they are located outside the United States, concludes a study carried out by a law firm on behalf of the Ministry of Justice and Security of the Netherlands and made public on July 26.
It is possible for European companies to minimize this risk by establishing a "Chinese wall" with the United States, notably by not employing any Americans or having any American customers, which could justify US intervention under the Cloud Act.
However, even this shield would be insufficient if the entity uses US technologies, as the Cloud Act allows access to data through subcontractors, hardware and software suppliers, and cloud providers.
These findings have sparked debate over offerings such as the Bleu "Trusted Cloud" (Microsoft's technologies offered by Orange and Capgemini) and S3ns (Google's with Thales).
In the United States, Facebook has agreed to a settlement in the Cambridge Analytica scandal, which concerns that firm's access to the private data of tens of millions of Facebook users during an election campaign. The scandal erupted following revelations by a Cambridge Analytica whistleblower to the Observer in 2018, which had already led to Facebook paying a fine worth billions of euros.
In Cuba, the law on the protection of personal data was published in the Official Journal on August 25. It will come into force 180 days after its publication.
Russia has amended its data protection law following the signing of Council of Europe Convention 108+.
The new Federal Law No. 266 of July 14, 2022, substantially amends some of the legislative acts governing the processing of personal data in Russia, and now includes an obligation to notify data breaches.
Growing political and security tensions between Beijing and the West have prompted calls in the UK for a review of the transfer of genetic data to China from a biomedical database containing the DNA of half a million British citizens.
The best security measures do not protect against subcontractor vulnerabilities.
On August 24, Twilio reported that hackers had broken into its systems.
Twilio provides verification services to its customers, including encrypted messaging company Signal.
When a user registers their phone number, Twilio sends them an SMS containing a verification code, which they then enter into Signal.
While the impact on Signal and its users is limited due to the way the service is designed, this is a warning to any platform or service that could be manipulated to transmit credentials to an attacker.
Google LLC has been fined 60 million Australian dollars for misleading consumers about the collection and use of their personal location data on Android phones.
Anne Christine Lacoste
Partner of the Olivier Weber Avocat firm, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations with the European Data Protection Supervisor and worked towards the implementation of the GDPR in the European Union.