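Är alla personuppgifter direkt eller indirekt känsliga? – Om yttergränserna för tillämpningen av artikel 9 i GDPR i ljuset av C-184/20 Etikosdomen [Are all personal data directly or indirectly sensitive? – On the outer limits of the application of Article 9 of the GDPR in light of the C-184/20 Etikos judgment]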
Abstract
In August 2022, the CJEU confirmed the existence of indirectly sensitive personal data, leaving critical questions unanswered. While certain data may unequivocally and indirectly disclose sensitive information, a vast amount of data can be used to indirectly deduce such sensitive data only through mere indication. This raises the question of which statistical thresholds or discretionary methods should be used to assess these uncertain cases.
As such, this thesis explores the outer boundaries of Article 9 of the General Data Protection Regulation (GDPR) ahead of the anticipated preliminary ruling of C-21/23 Lindenapotheke, which is hoped to provide some clarity on the issue. Consequently, practitioners grappling with these questions are provided with valuable examples, analysis, and discussions to inspire their own legal analysis. By examining how data subjects' names in customer records can potentially reveal sexual orientation and ethnicity, readers gain insight into the three-step process of determining the permissibility of processing sensitive categories of personal data: identifying a sensitive category prohibited under Article 9(1), assessing the applicability of any exceptions under Article 9(2), and — as a last resort — conducting a proportionality test pursuant to Article 52(1) of the EU Charter.
Unable to establish detailed and definitive criteria, thresholds or other methods to be applied generally, the thesis contends that an assessment must be made on a case-by-case basis by taking into account whether credible or sufficient reasons to classify personal data as indirectly sensitive exist. One reinforcing factor should be when the data concerned is typically deemed to reveal a sensitive category.
Applied in practice, pupils attending confessional schools in Sweden do not automatically reveal religious beliefs, as there are both objective and subjective reasons for choosing such schools unrelated to their confessional profile. However, attendance at a Sami school does, in fact, reveal ethnicity, despite the theoretical possibility of non-Sami people attending one, as there are no non-Sami people who have chosen to attend one in practice. Additionally, the thesis predicts that the second question referred to in C-21/23 Lindenapotheke will be answered in the affirmative because such online customers are typically the ones taking the ordered medicine. However, only time will tell if the CJEU will continue down the path of broad interpretation.
Degree
Student essay
Date
2024-03-05
Author
Aslrousta, Arad
Keywords
General Data Protection Regulation (GDPR)
Article 9
Indirect
Indicative
Unambiguous
Sensitive
Personal data
Intellectual operation
Probability
Purposive approach
Contextual approach
The precautionary principle
Principle of proportionality
Freedom to conduct a business
Series/Report no.
2024:29
Language
swe