In a judgment of August 1, 2022, the Court of Justice of the European Union (CJEU) provided further guidance on two important aspects of the General Data Protection Regulation (GDPR) (CJEU C-184/20). In summary, the CJEU held that, first, for a national law that imposes a legal obligation to process personal data to be able to constitute a legal basis for processing, it needs to be lawful, meaning that it must meet an objective of public interest and be proportionate to the legitimate aim pursued, and second, that non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of personal data.
The judgment followed the request for a preliminary ruling from the Vilnius Regional Administrative Court (Lithuania) concerning a Lithuanian anti-corruption law that required individuals working in the public service and the public interests of society to declare their private interests by lodging a declaration of private interests. The declarant was obliged to provide details about him- or herself and his or her spouse, cohabitee or partner, such as name, personal identification number, employment status, membership or undertakings, and information about certain financial transactions. Most of this information, including the name of the declarant’s partner, was published by the Chief Official Ethics Commission on a public website.
The main take-aways from the judgment can be summarized as follow.
I. A national law that imposes a legal obligation to process personal data can only constitute a legal basis for processing when it meets an objective of public interest and is proportionate to the legitimate aim pursued
The CJEU recognizes that the Lithuanian law that required the declaration of private interests serves an objective of public interest, i.e. guaranteeing the proper management of public affairs and public property, by ensuring that public sector decision makers perform their duties impartially and objectively and preventing them from being influenced by considerations relating to private interests. Combating corruption is an objective of public interest and, accordingly, legitimate.
On the other hand, the CJEU emphasizes that Member States need to consider the principle of proportionality in setting out the requirements for achieving such a legitimate objective. This means that the measures to achieve the objective need to be appropriate, adequate and strictly necessary.
While the measure—the declaration of private interests—is appropriate for contributing to the achievement of the objectives of general interest that it pursues, it is not strictly necessary to publish the content of the declarations of private interest on a public website. The objective could be achieved as effectively if the Chief Ethics Commission would review the content of the declarations instead of publishing them. Not having sufficient human resources to check effectively all the declarations cannot justify the publication of the declarations.
Moreover, an objective of general interest may not be pursued without having regard to the fact that it must be reconciled with the fundamental rights affected by the measure. This means that, for the purpose of assessing the proportionality of the processing, it is necessary to measure the seriousness of the interference with the fundamental rights to respect for private life and to the protection of personal data that that processing involves and to determine whether the importance of the objective of general interest pursued by the processing is proportionate to the seriousness of the interference.
In this context, the CJEU stresses a number of contextual elements. First, the public disclosure, online, of name-specific data relating to the declarant’s partner, or to persons who are close relatives of the declarant, are liable to reveal information on certain sensitive aspects of the data subjects’ private life, including, for example, their sexual orientation. Second, the declaration also concerns persons who are not public sector decision makers, but who are related to the declarant in another than his/her public sector capacity, and in respect of whom the objectives pursued by the law are not imperative in the same way as for the declarant. Third, the cumulative effect of the personal data that are published may still increase the seriousness of the infringement, since combining them enables a particularly detailed picture of the data subjects’ private lives to be built up. The CJEU further points out that the publication of the content of the declaration implies that the personal data are made freely accessible on the internet to the whole of the general public and, accordingly, to a potentially unlimited number of persons.
All this leads to a serious interference with the fundamental rights of data subjects to respect for private life and to the protection of personal data. The seriousness of that interference must be weighed against the importance of the objectives of preventing conflicts of interest and corruption in the public sector. In that regard, the CJEU confirms again the great importance of the objective of combating corruption, but concludes that the publication online of the majority of personal data contained in the declaration of private interests of any head of an establishment receiving public funds, does not meet the requirement of a proper balance. The interference following from the publication of the declaration is considerably more serious than the interference that would follow from a declaration coupled with a check of the declaration’s content by the Chief Ethics Commission. The court stresses that it is up to the Member State to ensure the effectiveness of such check with the means necessary for that purpose.
II. Non-sensitive data that are liable to reveal sensitive personal data need to be protected by the strengthened protection regime for processing of special categories of data
As set out above, the declaration of private interests also contained details about individuals that are related to the declarant. Some of these details, such as the name of the partner of the declarant, are liable to reveal information on certain sensitive aspects of the data subjects’ private life, such as their sexual orientation. The CJEU recognizes that non-sensitive personal data may reveal indirectly, following an intellectual operation involving deduction or cross-referencing, sensitive personal data that are protected by a strengthened protection regime.
In this regard, the CJEU first confirms the wide interpretation of the terms “special categories of personal data” and “sensitive data”, and consequently rules that personal data that are liable to disclose indirectly special categories of personal data of a natural person, need to be protected by the strengthened protection regime for processing of special categories of personal data, if the effectiveness of that regime and the protection of the fundamental rights and freedoms of natural persons that it is intended to ensure are not to be compromised.
III. Key points to remember
- Even where processing can be based on a legal obligation to which the controller is subject, the legal obligation may not constitute a legal basis if it, in itself, is not lawful.
- A lack of resources cannot justify a controller’s choice for achieving a legitimate aim with more intrusive means.
- Non-sensitive data may reveal indirectly, following an intellectual operation involving deduction or cross-referencing, sensitive personal data.
- Personal data that are liable to reveal sensitive data need to be protected by the strengthened protection regime for processing of special categories of personal data.