Data Privacy 101: Sensitive Personal Data, Big Data and its Tumultuous Relationship with GDPR
Data protection is defined as the legal protection offered to a person, referred to as a ‘data subject’ with special emphasis on processing of data related to him or her by another person or institution, commonly referred to as the ‘data controller’. Data protection strives to ensure efficient safeguarding of data subjects from any potential harm arising from computerized or manual processing of personal information.
The generation of huge amounts of data in modern times, along with fast-paced technological development, stresses upon the importance of formulating an effective and strong framework for the protection of such data. Since the lines which demarcate the collection, use and disclosure of data have become blurred, the formulation of modern data protection principles is of paramount importance.
EU’s Past and Present Efforts on Data Protection
Taking cognizance of the expeditious evolution of technology, the EU began discussing the need to combat present and future data protection problems. Their initial efforts culminated in the form of the European Data Protection Directive in the early 90s. Initially promising, the Directive looked fitting for the time being, however problems soon started following suit, including the failure of incorporation of its principles in the national laws of the member states along with subjective and vague interpretations of its provisions.
In the 2010s, the European Commission proposed to strengthen online privacy rights and bolster the digital economy by implementing a comprehensive reformation of EU’s earlier data protection rules. With helpful inputs from the European Data Protection Supervisor and the Working Party, the European Parliament demonstrated an overwhelming support for the passing of General Data Protection Regulation (GDPR). Its official adoption was accompanied by a proposal for a Regulation, on the protection of personal data limited to EU institutions, on 25th May 2018.
GDPR is an extensive data protection regime that strives to simplify data privacy and protection in the regulatory environment and to protect the interests of all individuals residing within the territory of the EU and the European Economic Area (EEA).
Article 9 of the GDPR provides for a special category of data commonly referred to as “Sensitive Personal Data” (hereinafter referred to as SPD). Article 9(2) sets out the circumstances in which the processing of SPD, which is otherwise prohibited, may take place.
The following categories of data are considered “sensitive”, as set out in Article 9(1):
racial or ethnic origin;
religious or philosophical beliefs;
trade union membership;
data concerning health or sex life and sexual orientation;
genetic data (new); and
bio metric data where processed to uniquely identify a person (new).[ii]
The latest addition to the categories of SPD include bio metric, genetic and health records. Entities that process these categories of data continue to develop and incorporate such legal provisions in their national laws.[iii] For instance, the European Courts on Human Rights (ECHR) in S & Marper v UK,[iv] ruled on the sensitive nature of DNA information and found that their sensitivity was linked to their characteristics, i.e. the possibility that DNA information could reveal ethnic origin,[v] and family genetic makeup.[vi]
Moreover, in the case of Michael Schwarz vs. Stadt Bochum,[vii] the Court ruled that ‘bio metric data’ is personal data because it objectively contains unique information about individuals which allows those individuals to be identified with precision.
In I vs. Finland,[viii] the ECHR noted the special nature of the health data, stating that its protection is of fundamental importance to a person’s enjoyment of his or her right to respect for their private and family life as guaranteed by Article 8 of ECHR. The court further stated that these considerations are especially valid as they are regarding protection of the confidentiality of information about a person’s HIV information, given the ‘sensitive information’ surrounding the disease.
The data regarding criminal offences committed by data subjects is found under Article 10 of the GDPR. The provisions of GDPR, parallel to the provisions of its predecessor, do not include this special category within the purview of SPD because the realm of criminal law lies beyond the scope the EU’s legislative competence.[ix] However, member states often notoriously deviate from the GDPR’s regulations and include such data within SPD. For example, in ICO vs. Colenso-Dunne,[x] UK confirmed that data relating to actual or alleged criminal offences or convictions is not “less sensitive” merely because the category is not listed as SPD in the Directive. Similarly, in Denmark, criminal offences or criminal convictions are given the status of semi-sensitive data and they are subject to selective protections afforded to SPD.
Nexus Between GDPR and Big Data
GDPR depends on deep, philosophical convictions, regarding the extent to which specific rights are vested in individuals and groups and the need to protect them in the digital age.[xi]
Big Data addresses fundamental changes in the methods of data collection, storage and its usage, resulting from recent technological evolution. Consisting of automated processes and heavily powered by data mining tools, this specific advanced form of data is used in boosting analytical processes for application in multiple contexts. The outputs of Big Data analysis are applied to specific individuals and affect them directly.[xii]
Big Data analysis manifests a double-sided effect on data analytics and is majorly influenced by the extent of data protection policies. These advanced forms of data analyses can compromise an individual’s privacy rights and the degree of control that citizens exercise over their personal data. Moreover, stringent data protection laws impede the flow, analysis and utilization of personal data.[xiii] The framers of GDPR were not oblivious to the existing tension and suggested to implement regulations that would curb any potential risks harbored by such Big Data analysis. The European Commission commented that GDPR can enhance Big Data analysis as it would promote “trust” and thus lead to a greater engagement with various platforms and reap greater benefits.[xiv]
As stated above, SPD substantially requires the explicit consent of the data subject for its processing. Obtaining consent for such Big Data analysis is a challenging task since it belongs to a special category.[xv] The special categories encompass vital, private information pertaining to individuals and jeopardising the protection of such information is bound to cause individuals the greatest of harms. Addressing these concerns, the GDPR enhanced the protection of several categories by expanding their scope and drawing a clear distinction between ‘special’ and ‘regular’ categories.
Big Data challenges the ability to differentiate between such categories and finds itself mistaking regular categories for special categories.[xvi] Overtime, the special categories mushroom in size and Big Data processors are inadvertently encumbered to shift from one category to another, every one of which requires the application of a different set of legal rules.
The escalating cost of seeking legal advice along with substantial undermining of logic and utility, makes the rise of Big Data questionable. Experts argue that if almost all data must fall under the special category, the signal and message that this regulatory framework provides regarding higher levels of privacy due to “special categories” is subsequently diluted.[xvii] This eventually defeats the purpose of the regulatory body and paints a false picture in the eyes of the public, who will view all forms of data as similar, with a stark lack of special treatment.
Therefore, Big Data’s impact on SPD and its regulation must be accounted for at once.[xviii]
Sensitive Personal Data’s Future: Bleak or Bright?
GDPR ostensibly serves as a model governing body for bringing order in the digital dominion but suffers from multiple shortcomings. The Information Commission Office (ICO) has critiqued the provisions of GDPR. The ICO has remarked that the scope of SPD lacks finer and narrower definitions and is afflicted with vague, confusing interpretations by individuals and institutions alike. The ICO mentioned that numerous amendments need to be proposed for cohesiveness and practical applicability.
Criticising the GDPR’s limited approach on non-contextualising sensitive data categories, the ICO observed that it did not reflect the average citizen’s perception of ‘sensitive’ . Also, it found it surprising that an individual’s financial details were excluded from the definition.
The consequences of violation of data protection rules provide for legal measures to be undertaken by data subjects. This has lead to subsequent imposition of administrative fines. These measures include indulging in costly and time-consuming litigation. The data subjects are hesitant to initiate legal proceedings due to lack of resources and awareness. GDPR’s folly of not including ‘financial data’ under SPD has demotivated individuals from taking legal recourse since they do not derive any legal or financial benefit.
The lines classifying ‘Personal Data’ and ‘Sensitive Personal Data’ are hazy in nature. Thus,their understanding needs to be propounded to the general masses and organisations with clarity. This is imperative to strengthen the GDPR’s vision of providing proper and increased security to SPD.
The idea of categorisation of sensitive personal data was designed considering the needs of the present digital era. However, if re-evaluated and amended, it can render a platform to balance the interests of the individual, the data controller and the community at large.
[i] These categories of data can be processed only if:
the data subject has given explicit consent,
processing is necessary for the purposes of carrying out the obligations and exercising specific right of the controller or data subject in the field of employment, and social security
processing is necessary to protect the vital interests of the data subject;
processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation on the condition that it relates solely to the members of the body and such data is not disclosed without the consent of the data subject;
processing relates to personal data which are manifestly made public by the data subject;
processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
[ii]Bird and Bird, Sensitive Data and Lawful Processing, (Jan. 25, 2019, 8:40 PM) https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/25–guide-to-the-gdpr–sensitive-data-and-lawful-processing.pdf?la=en
[iv] S and Marper v United Kingdom  ECHR 1581;
[v] Ibid, para 76.
[vi] Ibid, para 103.
[vii] Michael Schwarz vs. Stadt Bochum  EUECJ C-291/12;
[viii] Appl. No. 20511/03, Judgment of 17 July 2008
[ix] Dr. Detlev Gabel, Tim Hickman, Chapter 9: Rights of data subjects-Unlocking the EU General Data Protection Regulation,(Jan. 25, 2019, 8:40 PM) https://www.whitecase.com/publications/article/chapter-9-rights-data-subjects-unlocking-eu-general-data-protection-regulation
[x] (2015) UKUT 471 (AAC)
[xi] Colin J. Bennett & Robin M. Bayley, Privacy Protection in the Era of ‘Big Data’: Regulatory Challenges and Social Assessments, in Exploring the Boundaries Of Big Data 205, 212 (2016)
[xii] Tal Z. Zarsky, Incompatible: The GDPR in the Age of Big Data, 47 SETON HALL L. REV. 995 (2017)
[xiv] Antoinette Rouvroy, “Of Data and Men “: Fundamental Rights and Freedoms in a World of Big Data, COUNCIL OF EUR., DIRECTORATE GEN. OF HUM. RTS. AND RULE OF L., (Jan 11, 2016),
[xv] This special category of SPD has been embraced by the GDPR by virtue of Article 9
[xvi] Paul Ohm, Sensitive Information, 88 S. CAL. L. REv. 1125, 1169 (2015)
[xvii] supra at nt. 12
[xviii]Lokke Moerel, GDPR conundrums: Processing special categories of data, IAPP (Sept. 12, 2016), https://iapp.org/news/a/gdpr-conundrumsprocessing-special-categories-of-data/.
By-Aishwarya S.Iyer and Manisha Nanda,Students of Symbiosis Law School, Hyderabad .