European Union Flexes Muscle on Sensitive Data

Data Privacy

Since the inception of the General Data Protection Regulation, the EU courts have continued to progress on setting game-changing standards for data privacy. On August 1, 2022, the Court of Justice of the EU (CJEU) published a significant case related to Lithuanian anti-corruption legislation. This decision places stricter rules around the term “sensitive data,” which will once again directly impact the ad industry, online platforms, and the use of targeting for personalization.

Let’s unpack the implications of this ruling and the broader impact it will have across the data privacy ecosystem.

Article 9: The Special Categories of Sensitive Data

The GDPR sets the legal framework for how data should be collected, managed, and shared in the EU and for any companies that process EU data. Article 9 details the General Prohibition of Processing of Special Categories of Personal Data, which can be any data that can be broadly interpreted or sensitive information that can be inferred from the collection. The categories include data revealing political preferences, ethnicity, religious affiliations, sexual orientation or sexual lifestyle, genetic data, and biometric data uniquely identifying a person.

This new ruling could broadly impact what counts as “Special Categories” of data and how it is used related to online advertising, dating apps, food preferences, hobbies, lifestyle, and location data tied to places such as clinics and churches.

Can the Data Be Inferred?

In the Lithuanian case, the CJEU evaluated whether data that indirectly exposes a person’s sexual orientation should fall under the protection of privacy laws. Part of this case surrounded whether the publication of the name of a spouse, would fall under special category data in Article 9. As a result, the courts established in the ruling that personal data that can indirectly disclose the sexual orientation of a person is considered special category data under GDPR.

And in a recent TechCrunch article, Dr. Lukasz Olejnik, privacy researcher and advisor told TechCrunch that the ruling is “the single, most important, unambiguous interpretation of GDPR so far.” As a result, it is now clear that inferred data is officially considered personal data.

In response to the ruling, Dr. Gabriela Zanfir-Fortuna, VP for Global Privacy at the Future of Privacy Forum, states, “It also raises huge complexities and practical difficulties to catalog data and build different compliance tracks.”

When these correlations to identity become so interwoven into sensitive data, organizations must take a step back and assess how identifiers could potentially be a privacy risk.

Ad Tracking & Personalization

This judgment will likely evolve the digital ad ecosystem regarding behavioral data captured on individuals. Before the verdict, most companies would consolidate the information to build a profile; any inferred data wasn’t considered personal data.

The impact is broad as most organizations use some form of ad-tracking. Companies would make several inferences and then develop the personalization of ad targeting based on those data sets. Those sets of data did not apply to Article 9 and GDPR— only data supplied directly by an individual.

Examples of inferences potentially include using the fact a person has liked BBC’s page to infer they hold liberal political views, linking membership to a gym to promote health and wellness products, or the purchase of a crib or a stroller, which will profile individuals as an expected parent. Similarly, if a person reviews T-Mobile phones on YouTube, that person will likely get targeted with ads for T-Mobile accessories, like cases, headphones, screen protectors, etc.

It’s clear that inferences can simply be built through correlation, which adds to the complexity of data discovery, classification and overall privacy strategy.

Explicit Consent is Even More Necessary

Rather than opting out of targeted advertising, which has been the de facto model for years now, the CJEU ruling will likely require explicit consent for personalized recommendations, given the inferences of this type of data. Organizations have to demonstrate that explicit consent was asked for, so that behavioral data doesn’t bleed into sensitive processing or face insurmountable fines.

How Companies Can Evolve Alongside Article 9

All industries that process large amounts of data must start paying attention. This judgment places strict requirements on the legal basis to process data, explicit consent and insights into data inventory to find related and correlated personal data.

Where to start? With BigID organizations can:

  • Automatically find, classify and inventory personal information based on relationship, context, and ML capabilities
  • Identify data subjects whose consent is not valid, up-to-date or consistent with the purpose of use and related privacy policy
  • Align with regulatory requirements, including policies, classifiers, and workflows for GDPR Article 9
  • Identify and reduce risks associated with data processing based on risk level and activity
  • Easily create regulatory reporting to comply with privacy requirements

It’s crucial for privacy and risk professionals to pay close attention to these EU legislation and stay on top of privacy updates which can ensure that your business maintains a consistent privacy program and meets the demands of new compliance requirements. Get a 1:1 demo to see BigID in action.