Personal data or inferred special category data?
A complaint is being filed in Italy against Pornhub by the #StopDataPorn collective for its handling of the personal data of millions of its website users. The complaint has re-opened the discussion as to whether, under GDPR, special category data may be inferred by combining different sets of personal data.
The litigation is led by Alessandro Polidoro, a digital rights activist and criminal and technology lawyer. Polidoro has explained that the complaint is centred on three issues:
- Users aren't consenting to tracking;
- Pornhub is sharing users' information with other businesses owned by their parent company MindGeek without sufficient transparency; and
- The algorithm is using people's video history to assign them sexual preferences without their knowledge.
Inferred special category data: Sexual orientation
This third issue of Pornhub's algorithm tracking the videos that users watch doesn't at first glance appear to be subject to Article 9 of the GDPR's requirements to put in place extra protections for special category data. However, by processing certain categories of personal data you may also be able to deduce and therefore could be processing special category data.
In the case of OT v Vyriausioji tarnybinės etikos komisija in 2021, the Court of Justice of the European Union (CJEU) decided that if you can draw inferences about special category data "following an intellectual operation involving deduction or cross-referencing", it can be considered special category data under Article 9 GDPR.
In this case, the CJEU was asked to decide whether the online publishing of an individual's spouse, cohabitee or partner could be considered as processing special category data, which would therefore require the additional protections afforded by Article 9(2) GDPR. The CJEU concluded that although details of someone's spouse weren't inherently sensitive, the sexual orientation of the concerned person could be deduced from the information.
In their decision, the CJEU reasoned that the disclosure could "result in significant nuisance in the private life of those persons" and would therefore run counter to the purpose of Article 9(1) GDPR (to ensure the enhanced protection of special category data) and GDPR’s general protection of someone’s fundamental right to respect for private life.
What does this mean for organisations?
The decision in OT v Vyriausioji tarnybinės etikos komisija has meant that businesses who depend on the bulk collection and cross-referencing of multiple sources of data to draw conclusions about people, might need to treat the information they collect as special category. This would apply whether or not the inferences capable of being drawn were actually accurate. Should an investigation into Pornhub follow the complaints against it, we would expect any regulatory decision to provide further guidance on this issue.
Companies should consider how they can mitigate similar risks by considering whether the personal data they are processing could constitute special category data by virtue of the inferences that may be drawn from it. If yes, organisations will need to consider whether or not they require a condition as set out in Article 9(2) of the GDPR, such as: (a) explicit consent; (g) the processing is necessary in connection with a substantial public interest; or (i) the processing is necessary in connection with public health. Where there is not a suitable condition, then organisations will need to review the lawfulness of their data processing.