Abstract

The concept of sensitive data has been a mainstay of data protection for a number of decades. The concept itself is used to denote several categories of data for which processing is deemed to pose a higher risk for data subjects than other forms of data. Such risks are often perceived in terms of an elevated probability of discrimination, or related harms, to vulnerable groups in society. As a result, data protection frameworks have traditionally foreseen a higher burden for the processing of sensitive data than other forms of data. The sui generis protection of sensitive data—stronger than the protection of non-sensitive personal data—can also seemingly be a necessity from a fundamental rights-based perspective, as indicated by human rights jurisprudence. This Article seeks to analyze the continued relevance of sensitive data in both contemporary and potential future contexts. Such an exercise is important for two main reasons. First, the legal regime responsible for the regulation of the use of personal data has evolved considerably since the concept of sensitive data was first used. This has been exemplified by the creation of the EU’s General Data Protection Regulation (GDPR) in Europe. It has introduced a number of requirements relating to sensitive data that are likely to represent added burdens for controllers who want to process personal data. Second, the very nature of personal data is changing. Increases in computing power, more complex algorithms, and the availability of ever more potentially complementary data online mean that more and more data can be considered of a sensitive nature. This creates various risks going forward, including an inflation effect whereby the concept loses its value, as well as the possibility that data controllers may increasingly seek to circumvent compliance with the requirements placed upon the use of sensitive data.
This Article analyzes how such developments are likely to influence the concept of sensitive data and, in particular, its ability to protect vulnerable groups from harm. The authors propose a possible interpretative solution: A hybrid approach where a purpose-based definition acquires a bigger role in deciding whether data is sensitive, combined with a context-based ‘backstop’ based on reasonable foreseeability.

Highlights

  • In order to assess this, this Article will look at these changes in the context of recent innovations in the European data protection framework, in particular in light of recent changes made by the General Data Protection Regulation (GDPR).

  • The addition of an element of purpose to an otherwise context-based definition may serve to widen the scope of sensitive data in a way that would protect against a number of likely risks in terms of the harms that were discussed in section B, such as discrimination and related harms.

  • What is certain is that the GDPR is demanding that data controllers consider issues that go beyond those one might have traditionally associated with data protection.

Summary

Sensitive Data in Law

Justifications for the concept of sensitive—or special categories of personal—data appear in the first international legal formulations of data protection, where one can find justification for a specific protection for sensitive data. The case law related to Article 8 ECHR has been applied by the European Court of Human Rights (ECtHR) to ensure that individual privacy is respected in a wide array of contexts. This importantly includes an obligation to safeguard personal data in general and sensitive data in particular. This arguably means that were such legislation not to function adequately—in other words, in creating a specific framework to protect sensitive personal data—the GDPR could no longer be considered as being able to protect the fundamental rights of individuals in terms of the processing of their personal data. This fundamental-rights-based requirement is something that must be taken into account when assessing continued fitness for purposes of the GDPR’s approach to sensitive data, including, as the authors discuss in section D, in the context of an evolving world of personal data generation and use.

The Evolving Contours of Sensitive Data in Data Protection Law
Context and Purpose Based Definitions
The GDPR
Likely Problems with a Purpose Based Definition
More Data is Likely to Mean More Sensitive Data
An Emblematic Example
Two Forms of Consent for Two Types of Personal Data
A Barrier Function Weakened by the GDPR?
Data Protection Impact Assessment
Data Protection Officers
The Possibility for Extra Protection in Member State Law
The Potential Effects and Risks of More Sensitive Data
More Administrative Burdens on Controllers
Sensitive Data Inflation
The Risk of Sensitive Data Protection Circumvention
The Way Forward?
Step I
Step II
Conclusion