The EU’s top court said data that indirectly reveals sexual orientation falls under GDPR, which could greatly impact how this data is handled by tech companies and advertisers.
A decision by the European Union’s top court could have broad implications on how sensitive personal data is processed by companies.
The Court of Justice of the EU (CJEU) issued a ruling on 1 August on a Lithuanian case concerning national anti-corruption legislation.
As part of this case, the CJEU assessed whether data that can indirectly reveal the sexual orientation of a person falls under privacy law protection. The question was centred around the publication of the name of a spouse.
The CJEU found that personal data that can indirectly disclose the sexual orientation of a person constitutes special category data under General Data Protection Regulation (GDPR).
Privacy law experts have said the ruling is significant and could lead to broad changes in how data is processed and shared for a variety of companies.
Previous disagreements
Dr Gabriela Zanfir-Fortuna, VP for global privacy at the Future of Privacy Forum, said on Twitter that the judgment is “groundbreaking and may have substantial impact”.
Very significant judgment today from the #CJEU Grand Chamber on the interpretation of special categories of personal data under the #GDPR: processing personal data liable to disclose indirectly sexual orientation constitutes processing of special categories of personal data 1/
— Dr. Gabriela Zanfir-Fortuna (@gabrielazanfir) August 1, 2022
She explained that data protection authorities in the EU have had disagreements on this question, citing a GDPR case against dating platform Grindr.
In that case, Grindr was facing a €10m fine from the Norwegian data protection authority for data protection breaches. A complaint against Grindr alleged that the app unlawfully shared data with third parties that included GPS location, user profile data, and the fact that the user was on Grindr.
“We believe that the fact that someone is a Grindr user speaks to their sexual orientation, and therefore this constitutes special category data that merit particular protection,” Norway’s Datatilsynet said in a statement.
The Norwegian authority found that Grindr had breached GDPR law and fined the app €6.5m last year for not complying with consent rules.
However, the Spanish data protection authority had a different view as it “did not find that Grindr processed any special category of personal data”.
Unambiguous interpretation
Dr Lukasz Olejnik, an independent consultant and security and privacy researcher, told TechCrunch that the CJEU ruling is “the single, most important, unambiguous interpretation of GDPR so far,” as it states that inferred data is personal data.
“This judgement will speed up the evolution of digital ad ecosystems, towards solutions where privacy is considered seriously,” he added.
Olejnik said on Twitter that any industry that processes large amounts of data “must pay attention”. He noted that the advertising industry and trade are directly mentioned in the CJEU ruling.
“If it was assumed that ‘inferred data is not data’, changes must be done immediately,” Olejnik said. “Make sure to learn all the ways in which data are processed.”
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.