ARTICLE
25 November 2024

May You Inadvertently Be Processing Special Category Data?

Fieldfisher


Fieldfisher is a European law firm known for its market-leading practices in technology, financial services, energy, and life sciences. With a focus on client collaboration, innovation, and social responsibility, the firm integrates cutting-edge legal technologies and provides tailored solutions. Fieldfisher’s global presence spans Europe, the US, China, and international partner firms, allowing seamless cross-border services. Recognized for excellence, Fieldfisher holds high rankings in dispute resolution, M&A, and IP, and has a strong commitment to environmental, social, and governance (ESG) leadership. The firm operates with over 1,800 professionals across 23 offices in 12 countries.

The CJEU ruled that data enabling inferences about sensitive characteristics, such as health, constitutes special category data under GDPR, even without intent. Businesses, especially online retailers, must reassess compliance if customer data implies sensitive traits.

A recent CJEU judgment involving an online pharmacy ("Lindenapotheke") (available here) has held that data which can indirectly reveal information about a person's health must be treated as health data under the GDPR, even if the organisation processing the data did not intend to process health data. While this case concerns health data, the CJEU's judgment is of interest to anyone who processes personal data from which inferences can be made about a person's sensitive characteristics.

Introduction

Lindenapotheke had been selling pharmacy-only medicines through Amazon Marketplace and, to do so, collected data such as the customer's name, delivery address and the information required for individualising the medicine.

The question for the CJEU was whether the data of customers obtained during the sale of medicines would constitute health data under the GDPR.

CJEU's findings

The CJEU held:

  • Data obtained on the sale of medical products which allows controllers to make inferences regarding the health of the buyer is itself health data. The pharmacy order meets that requirement, as it creates a link between a medicinal product, its therapeutic uses, and the person purchasing it.
  • The purchase information is health data irrespective of whether: (i) the information relates to the purchaser or another person; (ii) the information is correct; or (iii) the controller intended to collect special category data.
  • Even if the medicine is intended for someone other than the purchaser, it is still possible that this person could be identified, for instance, if the purchaser provides somebody else's delivery address for the medicines.

Does the position in the UK differ?

As the UK is no longer in the EU, the CJEU's judgment does not of course apply in the UK.

The ICO has set out guidance (available here) on whether the fact that it may be possible to infer special category data means that a controller processes that data. The guidance confirms that this would depend on whether the controller:

  • intends to make an inference linked to these special categories; or
  • plans to treat somebody differently based on the special category data.

The ICO guidance notably focusses on the intention of the controller, whereas the CJEU's decision says that intention is irrelevant.

Conclusion

As the Lindenapotheke case relates to non-prescription products sold by a pharmacy, and many other businesses (e.g. supermarkets, convenience stores, delivery businesses) sell these types of medicines, it raises the question of what this means for those other online retailers.

The judgment also leaves many questions about how it might apply to other special categories of data. For example, would a retailer that sells religious garments, Halal-prepared food, or books by a prominent political author be processing special category data about its customers' religious beliefs or political views? The CJEU judgment suggests that it would, if it is possible to infer such data from the customers' purchases.

Online businesses will need to re-assess whether they are processing health data (or other special categories of data) and, if so, what this means for their compliance programs.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
