GDPR: Changes to Sensitive Personal Data

Article 9(1) of the GDPR added genetic data, biometric data where it is used to uniquely identify a person as well as sexual orientation into the definition of "sensitive personal data". These changes were likely prompted by the social and technological changes that occurred in the decade between when the Data Protection Directive came into force (1995) and when the GDPR came into force (2018).

Prior to 2006, genetic testing was mainly performed by healthcare providers for medical reasons, and thus the data was considered health data, which is protected under the GDPR. 23andMe, one of the first companies to offer direct-to-consumer genetic testing, was set up in 2006 [1]. With the subsequent rise of direct-to-consumer genetic testing, genetic testing began to be done for various other reasons, inter alia finding out one's heritage or ancestry, finding distant relatives, and even lifestyle-related reasons such as finding out indicators related to sleep, diet or exercise. Such new and innovative uses of genetic testing likely prompted the need for genetic data to be added to the definition, to prevent misuse of such data by companies offering genetic testing.

In 2013, Apple launched the iPhone 5s, one of the first phones to incorporate a fingerprint sensor [2]. This marked the first time that companies were able to collect biometric data from their users in bulk, and thus once again warranted protection by adding biometric data to the definition of "sensitive personal data".

In 2001, the Netherlands became the first country in the world to legalize same-sex marriage [3]. A number of other countries have since followed suit. Growing social acceptance of LGBT rights has likely contributed to the decision to include sexual orientation in the definition of "sensitive personal data", so as to protect individuals from possible discrimination.

As our society undergoes further social and technological changes, we will likely see further changes to the definition of "sensitive personal data".

Article 9(2) covers the conditions under which such data can be processed under the GDPR. In summary, processing of such data is allowed if the individual has given explicit consent, if processing is critical to preserve the individual's life, if the individual has voluntarily made the data public, if it is authorized by EU or national law in relation to employment or social security, or if there is a public health or public interest reason for archival or statistical collection.

[1] Christina Farr, '23andMe founder Anne Wojcicki is leading a DNA revolution by going directly to consumers' (CNBC, 22 May 2018) https://www.cnbc.com/2018/05/22/23andme-took-years-building-a-direct-to-consumer-health-business.html accessed 28 September 2023

[2] Luke Dormehl, 'Today in Apple history: Apple acquires the company behind Touch ID' (Cult of Mac, 28 July 2023) https://www.cultofmac.com/440033/today-in-apple-history-apple-acquires-the-company-behind-id/ accessed 28 September 2023

[3] Government of the Netherlands, 'Same-sex marriage' https://www.government.nl/topics/marriage-cohabitation-agreement-civil-partnership/marriage-civil-partnership-and-cohabitation-agreements/same-sex-marriage accessed 28 September 2023