I. “Means to an End” Justifications for the Existence of the Concept

Justifications for the concept of sensitive—or special categories of personal—data appear in the first international legal formulations of data protection, where one can find justification for a specific protection for sensitive data. Common themes for the existence of sensitive data often revolve around the need to prevent harmful forms of discrimination or related phenomena. The U.N., for example, issued Guidelines for the Regulation of Computerized Personal Data Files in 1990, justifying a further protection for sensitive data because such data are “likely to give rise to unlawful or arbitrary discrimination.”Footnote ⁴ Such a vision clearly views sensitive data as a “means to an end,” or, in other words, being required to reduce the possibility of distinctive harms such as discrimination.

Similarly, almost two decades later, the GDPRFootnote ⁵ also provides a justification for the augmentation of requirements surrounding sensitive data. In particular, recital 51 explains that such data are, “by their nature, particularly sensitive in relation to fundamental rights and freedoms” and, thus, they “merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.”Footnote ⁶ In addition, recital 71, when addressing the right not to be subject to automated decisions with legal or similarly significant effects on individuals, explains that one significant concern is the possibility of discrimination based on sensitive data: “[D]iscriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect.” Footnote ⁷ In sum, the GDPR provides a specific protection for some types of personal data because their processing could produce significant risks to fundamental rights and freedoms, which includes—but is not limited to—discriminatory effects.Footnote ⁸

A much more detailed justification was provided by the Council of Europe (CoE) Modernized Convention 108 on Automatic Processing of Personal Data in its Explanatory Report.Footnote ⁹ In general, it also acknowledges that sensitive data should be more protected because its processing “may lead to encroachments on interests, rights and freedoms.”Footnote ¹⁰ The Explanatory Report argues that this “can for instance be the case where there is a potential risk of discrimination or injury to an individual’s dignity or physical integrity, where the data subject’s most intimate sphere, such as his or her sex life or sexual orientation, is being affected, or where processing of data could affect the presumption of innocence.”Footnote ¹¹ Accordingly, “in order to prevent adverse effects for the data subject” such processing “should only be permitted where appropriate safeguards, which complement the other protective provisions of the Convention, are provided for by law.”Footnote ¹² In sum, the CoE Convention Report does not mention only discrimination, but adopts a wider approach. It recognizes that the processing of sensitive data is more likely to have adverse effects on data subjects, in particular discrimination, but also injury to dignity or physical integrity, thus affecting their most intimate sphere, their presumption of innocence, etc.

Interestingly, the proposed e-privacy Regulation—in the version of the Commission Proposal—shows a broad justification for the protection of “sensitive information.” Recital 2 states: “[T]he content of electronic communications may reveal highly sensitive information about the natural persons involved in the communication, from personal experiences and emotions to medical conditions, sexual preferences and political views, the disclosure of which could result in personal and social harm, economic loss or embarrassment.”Footnote ¹³ Here, the term “discrimination” is not even mentioned, while the broad perspective—persona, social, economic harm, or embarrassment—is preferred.

The rationales put forward here are important, especially in the context of the ever-changing nature of sensitive data, which is discussed in section 8. The evolving nature of sensitive nature in de facto terms means that there is a constant need to ask whether sensitive data as a legal concept is able to prevent the kind of harms that have been discussed here —given that the need to prevent such harms is often presented as a justification for the existence of such measures.

II. The Protection of Sensitive Data as a Fundamental Right—as an “End in Itself”

As alluded to in recital 51 of the GDPR, discussed above, the need to protect personal data—and sensitive data in particular— from improper use also finds its grounding in fundamental rights. Privacy in general and data protection in particular are identified as fundamental rights in the EU’s Charter of Fundamental Rights and Freedoms (ECFR).Footnote ¹⁴ The European Court of Justice has made the link between the need to protect sensitive data and fundamental rights in a number of cases.Footnote ¹⁵ In the recent case of GC and Others v. CNIL, Footnote ¹⁶ which concerned the application of the GDPR to search engines, the court stated:

Perhaps of even more significance is Article 8 of the European Convention of Human Rights (ECHR) which mandates the protection of ‘private and family life.’ The ECHR is of general binding application on signatory states—unlike the ECFR which is limited in scope to the exercise of EU law. The case law related to Article 8 ECHR has been applied by the European Court of Human Rights (ECtHR) to ensure that individual privacy is respected in a wide array of contexts. This importantly includes an obligation to safeguard personal data in general and sensitive data in particular.

In a selection of seminal cases the ECtHR has demanded inter alia that a legal basis must exist for the processing of sensitive forms of data, that it should be outlined clearly in law and in a way that is foreseeable for data subjects.Footnote ¹⁸ In the case of Z v. Finland the court referred specifically to the need to have special and suitable legal frameworks in order to protect sensitive forms of data such as health data.Footnote ¹⁹ Unlike the “means to an end” vision of sensitive data outlined above, the ECtHR therefore appears to regard the existence of law regulating sensitive data to be an “end in of itself.” This is significant because it implies that the existence of only a general framework to protect all personal data would be insufficient.Footnote ²⁰ It is arguably necessary to have specific rules and requirements that safeguard the use of sensitive forms of data that exist in addition to those tailored to regulating the use of personal data in general. In cases such as Z v. Finland, Footnote ²² the authors of this Article would argue that the court therefore recognized the insufficiency of a single regime of data protection to protect the fundamental rights of individuals. This requirement is of central importance when analyzing the GDPR’s approach to regulating the use of sensitive data. The requirements it poses with regards to the use of sensitive data should not merely be viewed as an extra or optional choice made by the EU, but rather, the creation of legislation that is needed to ensure that the fundamental rights of data subjects are protected. This arguably means that were such legislation not to function adequately—in other words, in creating a specific framework to protect sensitive personal data—the GDPR could no longer be considered as being able to protect the fundamental rights of individuals in terms of the processing of their personal data. This fundamental-rights-based requirement is accordingly something that must be taken into account when assessing continued fitness for purposes of the GDPR’s approach to sensitive data, including, as the authors discuss in section D, in the context of an evolving world of personal data generation and use.

III. The Evolving Contours of Sensitive Data in Data Protection Law

I. Context and Purpose Based Definitions

As described above, the GDPR has introduced a number of new requirements that are likely to apply to the processing of sensitive data in many instances. In addition to the regulation of such data, however, the very nature of such data is itself in a state of full evolution. This change is taking place in a world where concepts such as the Internet of Things (IoT) and “Big Data” have become common.^{Footnote 48} These phenomena entail the continuous creation of enormous amounts of personal data.Footnote ⁴⁹ Taken with never ending increases in computing power and the increasing ease of sharing and combining disparate datasets, more and more data is arguably becoming of a sensitive nature. How much is dependent upon the definition of sensitive data that is used. In particular, the potential scope of sensitive data can vary greatly depending on whether a context or purpose-based definition is used.

The contextual approach—originally adopted, for example, in Germany and Austria—Footnote ⁵⁰ views the question of whether personal data is sensitive or not in primarily objective terms. Any personal information can, depending on the circumstances of the processing, be “sensitive.” Accordingly, as Simitis argued two decades ago, all personal data should be assessed against the background of the context that determines their processing, as determined by several factors. In other words, the specific interests of the controller, as well as of the potential recipients of the data, the aims for which the data are collected, the conditions of the processing and its possible consequences for the persons involved. All these elements might help determine the sensitivity of personal data processing. Whilst a contextual understanding of what sensitive data is may well take into account the—subjective—intentions of any data controller, it is likely to go beyond that and consider a range of other—objective—factors also.

The contextual approach can be contrasted with the purposeful approach, which primarily focuses on the intentions of the data controller. It essentially looks at the intention of the data controller and asks whether the controller intends to draw conclusions from the processing of particular data that could be regarded as being sensitive in nature.Footnote ⁵¹ These intentions are in general determinative in deciding whether the data that is being used is sensitive or not. Where the controller in question has no intention of creating or using data in a way that could be considered sensitive, a purpose-based definition would find that no sensitive data is involved. By contrast, a context-based approach is less concerned with the intentions of the controller and more preoccupied with the objective nature of the data itself. A context-based approach would suggest that sensitive data is being processed where, given the overall context, it would be possible to draw a conclusion from the data that might be sensitive in nature.

In determining what this context is, there may be a number of important factors to take into account. First, it is necessary to consider what other data may be available to a data controller. This is important because the combination of various datasets may increase the likelihood that conclusions of a sensitive nature can be reached, even where this may not be apparent when looking at particular datasets in isolation.^{Footnote 52} In the increasingly interconnected online world, this may entail taking into account not only other data that may be physically in a controller’s possession but also data that it may have access to elsewhere, such as data that may be freely available online. A second factor is the technical abilities of the data controller, or other potential data controllers. This will include the computing or analytical power or the technical know-how available to data controllers. Given that such factors are in a constant state of evolution, and that access to potentially complimentary datasets is ever increasing, the particular context of an instance of data processing is always changing. Given this—as section D discusses in more detail—data processing that may not have been considered sensitive in the past, may well be considered sensitive in the future.

The contextual and purpose-based approaches can be conceptualized as being distinct and in contrast to each other, but the reality is that elements of one approach may be infused with that of another. For example, a legal text may in general be understood as employing a contextual approach with certain elements that may also be purpose-based. Elements of one approach can be blended with another to either moderate the effect of one approach or ensure that it does not miss certain instances of processing that should clearly be considered as sensitive in character. In terms of the former, one could imagine the use of a context-based approach that would also require elements of purpose or intention. For example it might be required that, for data to be considered of a sensitive nature, a potential data controller would have to be aware that there was a potential that the data under its control could be processed in a way to produce conclusions that would be of a sensitive nature, even if it were not intending to carry out such processing.Footnote ⁵³ Such a compromise would act to reduce the effect of a purely contextual approach and to introduce an element of intention without restricting it as much as a purely intentional approach would do. Such an understanding could be used to moderate the potentially explosive growth in the volume of sensitive data that may occur in the future—discussed in section G—if a primarily context-based understanding of sensitive will be maintained.

In other situations, however, one approach can be added to another to ensure that important gaps are not created by exclusively depending on one approach alone. Imagine for instance a controller that collected large amounts of personal data concerning certain behavioral characteristics in the vague hope that some form of innovative data processing may be available in the future that would permit conclusions to be drawn concerning the health status of data subjects. Using a strictly contextual definition of sensitive data might mean such processing could not be considered as the processing of sensitive data, given that it might not be possible at present to draw such conclusions, because the required technological or analytic processes might not yet be available, as an example. Such a manner of defining personal data may be insufficient given the likelihood that future technological evolutions will render such data sensitive in nature—even though it might not be at present. Alternatively, new forms of potentially complimentary data might become available—allowing potentially sensitive conclusions to be drawn. Given this, a definition that ignores purpose may not always be suitable given that a data controller could assemble data with the hope that unknown future evolutions will allow sensitive conclusions to be drawn—that cannot at present.

In such contexts, the addition of an element of purpose to an otherwise context-based definition may serve to widen the scope of sensitive data in a way that would protect against a number of likely risks in terms of the harms that were discussed in section B, such as discrimination and related harms. Such a situation could be contrasted with a solely purpose-based definition where the intentions of the data controller were the central factor in deciding upon the sensitivity of the data. Whilst such an approach would undoubtedly prevent an overly extensive coverage of sensitive data it would arguably increase the risks of ill thought through or negligent processing of personal data. This could include cases where the controller itself had no intention to derive sensitive conclusions from personal data but nonetheless processed it in such a way that would create risks vis-à-vis third parties that might have access to the data and might be able to draw such conclusions.^{Footnote 54}

II. Likely Problems with a Purpose Based Definition

I. More Data is Likely to Mean More Sensitive Data

Whilst there may be logical reasons for giving the definition of biometric data a purposebased perspective, the question could be raised as to why this did not occur with other forms of sensitive data, some of which are likely to face similar issues to biometric data, such as the likely unintentional collection and processing of sensitive data that would occur where a solely context-based definition is used. This includes not only health but also other aspects such as political opinion and sexual orientation. The changing nature of personal data means that, in reality, it may not be very difficult for a data controller to use datasets within its possession to arrive at conclusions that may be sensitive in nature. Although the decision to make biometric data an exception in this regard is understandable, there is no clear reason why such an exception has been made only for biometric data because it is likely that conclusions that might be of sensitive nature—in terms of other categories of sensitive data—may be drawn from potentially any large dataset.

Another puzzling issue is that no effort appears to have been made to combine purposeful and context-based elements in the definition of sensitive data despite the advantages that this could produce.Footnote ⁷¹ Rather, all forms of sensitive data are defined contextually, with the exception of biometric data which is defined exclusively in purposeful terms. This does not permit the moderating effect that such a combination would allow,Footnote ⁷² whereby the extreme effects of a more polarized definition— tending exclusively towards a purposeful or context-based perspective— are reduced. Accordingly, and without the seeming existence of a purposeful element in their respective definitions, it appears that most types of sensitive data—data that are not biometric in nature—will be defined in an extremely broad fashion, encompassing a potentially enormous amount of personal data.

One potential issue arises as a result of the ever-increasing amount of data that is likely to fall within the net of sensitive data. Changes in terms of computing power and online interconnectivity mean that more and more data samples are likely to fall within the definition of personal data, in other words, that it can be linked directly or indirectly to particular individuals.Footnote ⁷³ Indeed, the guidance by the Article 29 Working Party about the boundary between personal and non-personal data—before the GDPR came into force—indicated clearly that the types of data that can be considered “personal” may go far beyond that which is immediately intuitive.Footnote ⁷⁴ In invoking the concept of “reasonably likely” invoked both in Directive 95/46/EC and the GDPR, the working party emphasized that it may often be difficult to state that various data sets are anonymous.Footnote ⁷⁵ This is due largely because of increasing computational capacity and advancement in data mining technologies. This allows more forms of analysis that can potentially identify individuals from data that may intuitively seem to be non-personal in nature.Footnote ⁷⁶

An analogous argument can be made for the case of sensitive data. That is because the same factors—data mining technologies, availability of data—mean that it is becoming more and more likely that data that might not intuitively appear to be sensitive data is indeed sensitive data. The increasing ability to combine various datasets that may not be sensitive data and perform complex analysis on them may mean that, together, such data can be considered sensitive in nature.Footnote ⁷⁷ Looking at datasets in isolation to discern whether they are of a sensitive nature is becoming increasingly unacceptable. The continued application of a strictly contextual understanding of what most forms of sensitive data are will mean data controllers will have to consider access not only to data that is in their own direct possession; but, because of a world of online connectivity, access to potentially large amounts of complimentary data. The availability of such data, together with the availability of ever more powerful analytical tools means that inferences or conclusions can be drawn—often even from intuitively innocuous data—that can in fact make them of a sensitive nature.

This situation is by no means a static one. Each of the elements described here are in a constant state of evolution. This is only likely to intensify the problems that exist in determining whether data is of a sensitive nature or not.Footnote ⁷⁸ The amount of data that is publicly available is only likely to increase by orders of magnitude in the future. Developments such as IoT mean that an enormous amount of data on all matter of things is continuously being created. This increases the possibility that, through a combination of various datasets, data controllers may be able to arrive at sensitive conclusions, conclusions that would not be possible with individual datasets. This must be considered in addition to the enormous explosion of all forms of data that are available online on a shared basis. This ranges from social media postings to databases of family histories to the results of scientific research on an enormous range of issues.Footnote ⁷⁹ The pace of the creation of such data is ever increasing, augmenting in turn the possibility that various innocuous sets of data can be combined to form inferences that would amount to sensitive data.Footnote ⁸⁰ A problem that is now much more complex than it was a number of years ago—in other words, trying to determine when exactly personal data is sensitive data—will become more prominent in the coming years. Computing power is only going to increase further. With this comes the possibility to create ever more powerful algorithms that are able to deduce relationships between various sets of data that may not have been possible before. These developments all mean that it will become increasingly likely that controllers of a particular dataset, will be able to make inferences that themselves represent sensitive data, through comparison and analysis with data available elsewhere. Such developments will provide an important justification to question the use of a strictly contextual understanding of what most forms of sensitive data are.

II. An Emblematic Example: Medical Information v. Health Status

Health data is one of the most problematic examples of “special categories of personal data.” It is defined at Article 4(15) as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”Footnote ⁸¹ This has the potential to include a potentially enormous range of data, depending on how much and how accurate the degree of information revealed about an individual’s needs to be. As one of the authors of this work has previously stated, determining the “degree of revelation” can be a complex affair.Footnote ⁸² Trying to set a clear test for the definition of health data, the Article 29 Working Party summarized three cases in which personal data should be considered health data:

1. 1. The data are inherently/clearly medical data;

2. 2. The data are raw sensor data that can be used in itself or in combination with other data to draw a conclusion about the actual health status or health risk of a person;

Conclusions are drawn about a person’s health status or health risk, (irrespective of whether these conclusions are accurate or inaccurate, legitimate or illegitimate, or otherwise adequate or inadequate.)

Whilst these concepts may seem clear they are not. The second example in particular can be used to illustrate the problems that a purely context-based definition of sensitive data could produce. In the world of IoT and big data, an extremely large range of data could be thought to fall under the concept of “sensor data.’” It will become more and more feasible for disparate sources of data to be combined in order to allow conclusions to be drawn about individuals and their health status. Going forward, the increasing penetration of IoT, including in domains such as eHealth, will mean that more and more data will be considered “raw sensor data.” This will occur in a big data world where the capacity to find a particular piece of information using other data will be greatly expanded.Footnote ⁸³ At the same time, drawing conclusions from raw data is a common trend for many digital service providers.Footnote ⁸⁴ This is also particularly true in the field of biomedical data processing.Footnote ⁸⁵ As one of the authors of this Article identified in a previous article there are two important elements that can be used to determine the likelihood of any particular data being sensitive in nature:

1. 1. The “intrinsic sensitiveness,” of a particular data set;

2. 2. The computational distance: In other words, the effort that would be needed to draw sensitive conclusions from various data that might not be prima facie intrinsically sensitive.Footnote ⁸⁶

The intrinsic sensitiveness of data concerns the content of that information: Data about health status—such as diagnosis, blood pressure, and blood readings—are inherently “sensitive,” whereas data about, for instance, food consumption, daily exercise, air pollution of one’s city—are not intrinsically “sensitive,” but might be considered sensitive because the computational distance between such data and an inference revealing a sensitive aspect, such as health status, is relatively small. Even though it is a static parameter, intrinsic sensitiveness is not binary; instead, it is a spectrum of different shades. Some data might concern an explicit health status description, for instance, a diagnosis; while others might be biometric data unrelated to health conditions, such as height; or be strongly related to health even if not directly describing a health status, for example, sleep-wake schedules and appointments on a calendar. Further, others might be unrelated to health at all, such as quantity of time spent on social networks; or—as in a recent case in Italy—being the beneficiary of a periodic payment from the State in accordance with law regulating reimbursement for victims or parents of victims of injuries caused by vaccination.Footnote ⁸⁷

Conversely, computational distance concerns the level of scientific, economic, and technological effort required when combined with other—personal or non-personal data—to infer sensitive data from apparently non-sensitive information. For example, the computational distance between daily diet and health status is small, while the computational distance between hours spent on social media and future health conditions is larger. Continuing developments in the de facto nature of both personal data and sensitive data mean that the computational distance required to arrive at sensitive conclusions is being dramatically reduced. This is becoming particularly apparent with regards to health data. Enormous reservoirs of personal data are being created in diverse domains such as social media or the monitoring of IoT in the form of wearables for fitness purposes. Such data can be in theory combined with a range of other data in order to form conclusions that could be considered sensitive in nature, such as inferences about health status. The online and interconnected world means that such data is more likely to be available to potential data controllers. Potentially complimentary data does not only include additional datasets that are in the possession of a data controller but a range of complimentary available data from other sources including social media, genealogical databases, data concerning movement, and potentially electronic health records. Computational distance is further reduced by ever-increasing computer power and the development of novel analytic techniques, including inter alia forms of deep learning that allow the potential for a range of sensitive conclusions concerning health status to be drawn even where this may not be the intention at the outset.Footnote ⁸⁸

The likely increase in the quantity of sensitive data that it will entail means that it is important to consider whether approaches such as the GDPR will be in a position to provide for adequate and meaningful regulation of the use of such data, especially where a contextbased form of definition continues to be used. Given the constant evolution of the nature of data in general, it is arguably important to constantly enquire as to the ability of data protection frameworks such as the GDPR to prevent the types of harm that sensitive data have been traditionally associated with, for example, harms associated with discriminatory contexts. Section F will look at the main features of the GDPR that are intended to apply when sensitive data is processed and discuss what their value is likely to be in a world where more and more data is likely to become sensitive in nature.

I. Two Forms of Consent for Two Types of Personal Data

Informed consent is perhaps the best-known legal basis for the processing of personal data. The notion of informed consent, however, predates the concept of data protection itself. The intuitive idea of consent is unproblematic: It is an important ethical principle,Footnote ⁸⁹ familiar to all. This instinctual understanding is demonstrated through any number of daily deals, deeds, or transactions. In some more formal contexts, it is common practice to engrave informed consent in documents and legal requirements, for instance, in marriage. Regardless of the form, any act of giving, refusing, or withdrawing consent, can be represented as an act that is freely embarked upon. Discourses on consent have flourished in the last four decades; many fields, from finance to education, but with particular intensity in the medical field, have grown accustomed to requiring formal forms of consent, employing procedural ways of seeking, giving, recording, and respecting informed consent.Footnote ⁹⁰ Traditionally the processing of personal health data, for example, was seen as something that posed a high degree of risk for those involved, including a risk of discrimination and related phenomena.Footnote ⁹¹ For these reasons the use of consent—as a legal basis—for the processing of personal health data has often been more formalized than the type of consent required for the processing of data in other areas which may have regarded as posing a lower level risk.Footnote ⁹² Such a division has been clearly recognized in data protection since the creation of Directive 95/46/EC. This directive foresaw two different regimes relating to consent for personal data that was not sensitive in nature and personal data which was sensitive in nature. The first foresaw a looser set of requirements relating to the need for a: “[F]reely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Footnote ⁹³

This could be compared to consent for the processing of sensitive data which was deemed to require “explicit consent.”Footnote ⁹⁴ The former foresaw forms of passive consent where actions could be understood as implicitly representing consent.Footnote ⁹⁵ These include entering an area with signs—explaining personal data could be processed—or continuing to visit a web site after being warned that there may be related processing of personal data. For sensitive data, however, such passive forms of consent were not permitted. Explicit consent was understood as requiring that consent be given in a discrete and separate act, distinguishable from other activities that might be taking place. Such consent equated to a definitive sign that the data subject had been properly informed and understood the consequences of consent.Footnote ⁹⁶ Unlike “regular” consent—for non-sensitive data—there was no option of such consent being passive or simply implied from other actions. Explicit consent could only be affirmative in nature.Footnote ⁹⁷ In addition, for explicit consent, there is a need to for some form of record to be kept of this affirmative action and its significance.

Again, health data can be used as an illustrative example of how more rigorous requirements for consent concerning the processing of health data were required. Such requirements traditionally manifested themselves as an informed consent form in healthcare contexts. For many years, the signed consent form was seen as the gold standard of informed explicit consent. National law in many States accordingly demanded that consent for the use of certain forms of sensitive data—in the medical treatment context, for instance,—required written consent.Footnote ⁹⁸ Although this was not required by Directive 95/46/EC, the fact that it foresaw two different levels of consent and that it was a directive, leaving the choice of transposing law up to Member States, seemed to encourage or at least permit such a division.

II. A Barrier Function Weakened by the GDPR?

The more burdensome form of consent for sensitive data arguably allowed the creation of a “sensitive data barrier.” Whilst consent is not the only legal basis for the processing of sensitive data, it is one of the most important, and for many data controllers that are not able to avail themselves of the other options—for example, actors outside the traditional health care or scientific research setting— it may be the only basis available.Footnote ⁹⁹ The “consent barrier” therefore represented an important extra hurdle that those who wanted to process sensitive data had to overcome. In the healthcare context, this often meant that those wishing to create and process medical data could not do so unless they had obtained a more formalized form of consent than would be required for the processing of non-sensitive personal data—,the details of which would often be spelt out by national law.Footnote ¹⁰⁰ This barrier represented more than a simple piece of paper and entailed a number of important efforts that were not to be underestimated. Participants had to be identified and contacted. They had to be informed of what was to happen. Importantly, potential controllers also had to gather potential signees physically in a certain location so that they could sign the consent form. This might entail a physical appointment with patients where a health professional presented them with the necessary material and then kept the signed form for their records.Footnote ¹⁰¹ Where the intention was to process the health data of numerous individuals—such as in large healthcare or scientific research projects—such requirements could represent an enormous impediment that may, in many cases, make potential controllers or processors think twice about processing such data in the first place.Footnote ¹⁰² In many instances, the problems associated with obtaining explicit consent arguably disincentivized the unnecessary of processing of inter alia health data.

With the development of more complex ICT systems, an increased ability to share data—especially in the health sector with the development of phenomena such as eHealth and mHealth—the traditional barrier of written consent became to be seen as more of a problem.Footnote ¹⁰³ In place of an accepted golden standard, the need for written consent came increasingly to be seen as a barrier to the development of novel forms of health care.Footnote ¹⁰⁴ These novel forms were built on the digitization of health care and have in certain contexts allowed acts of medicine to be conducted outside the usual setting of a medical institution. This includes the ability to transfer medical records between distant institutions or to engage in the remote monitoring or treatment of patients in various contexts. In such changing contexts, together with the increasing need to make consent as granular as possible, the need for static forms of written consent became less evident—and even perceived as an impediment to progress. In order to facilitate technological developments in areas such as eHealth/mHealth, requirements in national law for consent—for the processing of health data—have been largely relaxed. This has allowed the increasing use of electronic and remote consent processes.

This process has arguably been facilitated by the GDPR which has blurred the line between consent for the processing of non-sensitive and sensitive data. This can be seen in two regards. First, the GDPR confirms that explicit consent—for sensitive data—need not be written.Footnote ¹⁰⁵ This confirms the changes that have been taking place in Member State law in recent years, in particular concerning consent related to the use of health or medical data. This has been enforced by the choice of regulation as legislative instrument, bringing about a greater degree of harmonization across Europe.Footnote ¹⁰⁶ Second, the requirements pertaining to consent for non-sensitive data have been bolstered. Passive, implied consent is no longer permitted.Footnote ¹⁰⁷ Rather, data subjects must give an indication— an affirmatory act—signifying that they provide consent for the processing of their data. This dilution of the formerly hard distinction between the two consents means that in many contexts the real difference between the two comes down to the notion of formality. This is exemplified with digital forms of consent and particularly in the context of online forms for the use of health data. The changes discussed here arguably mean that there is little real difference in terms of the ability of consent to act as a barrier function to the processing of sensitive data.^{Footnote 108} The remaining difference—relating to the notion of the consent being explicit—is that the consent for the processing sensitive data amounts to a discrete and clear acknowledgement that the action being undertaken is indeed an act of consent for the processing of sensitive data, together with the legal ramifications of such an act. Whilst requiring separate and clear affirmatory acts to signify consent may sound like an impediment of some significance, the reality is that in the modern electronic and online context, this difference is becoming less significant. Efforts to comply with such requirements can often be complied with through pop-up prompts—linked to terms and conditions—asking for confirmation that consent is indeed intended. In contexts such as eHealth, where granular consent is increasingly being encouragedFootnote ¹⁰⁹ and consent has become a frequent exercise, there is a risk that such requirements become an exercise in “ticking the boxes,” an inconsequential burden that differs little from the type of consent that would be needed for non-sensitive data.Footnote ¹¹⁰

It is, however, important not to consider the “barrier function” in isolation, especially given that the GDPR includes a range of novel measures that pertain to the potential processing of sensitive data. These are discussed further in the sections below.

I. Data Protection Impact Assessment

One of the novel requirements of the GDPR is the need to perform a “Data Protection Impact Assessment”Footnote ¹¹¹ (DIPA) in a number of circumstances where the proposed processing may “represent a high risk to the rights and freedoms of natural persons.”Footnote ¹¹² The required content of such assessments is currently the subject of debate both within and beyond academic circles.Footnote ¹¹³ The GDPR does not exhaustively describe all the situations where a data protection impact assessment is required but does describe certain occasions where it shall be required, including situations that require “processing on a large scale of special categories of data.”Footnote ¹¹⁴ As section D discussed, in the era of big data, the processing of data, including sensitive forms of data such as health data will increasingly become the norm. This arguably means that more and more processing of sensitive data will inter alia meet the criterion of “processing on a large scale of special categories of data” and, thus, warrant a DPIA.

In terms of what exactly may be required concerning the form such an impact assessment should take or what substance it should have, there is currently much uncertainty, though some guidance has been created in order to aid potential data controllers.Footnote ¹¹⁵ These range from harms on the individual level, such as privacy harms, to wider and more diffused harms produced at the societal level, including the types of harms that may be traditionally associated with the improper use of sensitive data and which were discussed in section B.I. What is certain is that the GDPR is demanding that data controllers consider issues that go beyond those one might have traditionally associated with data protection. A consideration of all such harms and the measures needed to mitigate them—if this is indeed what Article 35 is demanding—Footnote ¹¹⁶ may often be a considerable exercise demanding a truly multidisciplinary perspective from diverse disciplines such as ethics, law, and sociology.Footnote ¹¹⁷ Again, the example of health data can be used to illustrate the potential breadth of issues that could be involved and would likely merit consideration within a DPIA. Health data has a relevance that goes far beyond medical treatment, which is itself of a highly sensitive nature. The improper use of such data can thus have a range of consequences not only in the healthcare sector but in domains far beyond, including discrimination in employment, insurance, and a range of other areas. In addition, the GDPR’s use of the term “a risk to rights and freedoms” means it may be necessary to go far beyond traditionally considered harms such as discrimination and include other more complex issues than the protection of fundamental rights and the prevention of phenomena such as stigmatization and marginalization.Footnote ¹¹⁸ The requirement to mobilize and use expertise in such areas may be onerous for many data controllers, especially when they are smaller entities or individuals. Given the potential effort required, the need to perform a DPIA will likely form a deterrent to the potential processing of sensitive data in certain contexts, if this duty is not accompanied by financial or organizational support.

Whilst forming a potential extra burden on data controllers, where DPIAs are performed they should result in a greater consideration of the harms that the use of such data can produce and therefore represent an added protection for data subjects.Footnote ¹¹⁹ The raison d’être behind DPIAs was to make data controllers more responsible for considering the potential negative externalities of their processing decisions. This involves requiring data controllers to go beyond the consideration of obvious risks such as data breaches and the harms that could stem therefrom. In doing so, it is hoped that they will reduce the risk of discrimination and related harms that are often given a reason for the existence of data protection regulation itself. Given the wide potential scope for DPIAs that appears to be envisaged within the GDPR one might hope that they may play a role in preventing harms not only fundamental rights—for example, privacy and discrimination—but also the wide array of related harms that can be produced from improper use of data.Footnote ¹²⁰ If executed properly and thoroughly, this may well be the case, but there are also risks that DPIAs may not be so effective, especially given the potential for the volume of sensitive data to increase greatly and the associated extra burdens that may be placed upon data controllers.Footnote ¹²¹

II. Data Protection Officers

The GDPR envisages that in a number of instances it will be necessary for controllers to appoint a Data Protection Officer (DPO).Footnote ¹²² One of these is described as: “[W]here the core activities of the controller or the processor consist of processing on a large scale of special categories of data ….”

In short, the role of the DPO is to help ensure adherence to data protection and other forms of law when certain forms of data are processed in certain contexts.Footnote ¹²³ This involves both giving advice on the law—and how to implement it—and verifying whether such implementation has occurred.Footnote ¹²⁴ Other requirements involve giving advice on the implementation of DPIAs, as discussed above. This function can therefore play an important role in ensuring compliance with the requirements of the GDPR and protecting data subjects,^{Footnote 125} inter alia in contexts where sensitive data is produced. The existence of this function will also represent an added administrative burden for controllers that wish to process sensitive data. Such individuals should be adequately trained—not only in the rigors of the GDPR but also all other potentially applicable law—and should have high level of decisional independence.Footnote ¹²⁶ Such requirements will entail the commitment of resources and may represent important burdens for smaller data controllers that have limited personal and resources. Their role may entail a high level of legal knowledge, especially in instances where GDPR permits Member States to maintain their own additional law on concerning the use of certain types of personal data.Footnote ¹²⁷ In such instances, a likely solution may be to access external expertise, often at considerable cost.Footnote ¹²⁸

III. The Possibility for Extra Protection in Member State Law

Another important difference between non-sensitive and some forms of sensitive personal data is Member States may maintain divergent laws in a number of instances. This is a result of Article 9(4) of the GDPR which states: “Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.”Footnote ¹²⁹ Whilst this does not cover all forms of sensitive data described by the GDPR, it does cover some very important types, most notably health data, which, for the reasons described above in Section D, is likely to cover an ever-broader range of personal data going forward, especially if a context-based definition continues to be deployed. The consequence of Article 9(4) of the GDPR is that Member States do not need to harmonize their law concerning the processing of such data. Member States will therefore be able to maintain—and add to—the complex and diverse array of laws they already have concerning for example the use of medical files in particular or health data in general. Such laws are exacting and their variation across Europe makes the utilization of health data on a cross-border basis problematic. The demanding nature of such laws and the variation in form therefore represents a considerable added burden for parties that wish to process such types of data.Footnote ¹³⁰ This will form a particular difficulty for DPOs that will be tasked with taking such laws into accountFootnote ¹³¹ given that they will have to be aware of not only the requirements of the GDPR on such issues, but also a potentially complex web of applicable Member State law.

IV. Stricter Conditions for Automated Processing

Automated processing is likely to form a central plank of many novel uses of data, in contexts as diverse as advertising, insurance, and health care. Developments such as those discussed in section D will allow powerful analytical techniques to discover relationships and correlations between various data and allow decisions to be made that may be seen as bringing about an advantageous result. Such processes also, however, threaten to bring about or exacerbate problems associated with discrimination and associated phenomena.Footnote ¹³² This is because they are able to create and act upon harmful stereotypes in ways that may produce harms for vulnerable or sensitive groups. As a result, the use of automated decision making has given rise to concerns, especially in certain areas that have been traditionally considered as being associated with risks for vulnerable and marginalized groups. The phenomenon of “machine bias” is becoming perceived of as an ever more important risk in the future.Footnote ¹³³ From the perspective of this Article, it is notable that the risks most often associated with automated processing are broadly similar to the reasons often put forward for the existence of sensitive data.Footnote ¹³⁴ Automated decision-making is accordingly often described as a practice that will exacerbate the risks associated with the processing of sensitive data in general.

Given these risks, it seems appropriate that the GDPR foresees stricter conditions for the automated decision-making data processing based on sensitive data. In particular, Article 22(4) restricts the potential legal bases for such processing for controllers wishing to process sensitive data in this fashion. This leaves data controllers with the sole option of obtaining explicit consent unless legislation exists under national law permitting such processing where it is for reasons of substantial public interest.Footnote ¹³⁵ In many cases, the latter option will not be available, meaning that data controllers will be forced to obtain explicit consent. Given that explicit consent must be informed and unambiguousFootnote ¹³⁶ this should reduce the risks of harms occurring, given that individuals from at-risk backgrounds may arguably be in the best position to appreciate such risks and therefore not give consent where this is appropriate. Whilst this will undoubtedly be true in certain instances, the use of explicit consent itself is not a panacea for concerns surrounding automated processing for a number of reasons. First, as discussed in section E, the changing nature of consent in the electronic online age and the way in which this has rendered the concept of explicit consent a less onerous burden than was the case in earlier times. This means that consent may not be such an important barrier as it might seem at first glance. A second problem is the difficulties data controllers may have in adequately explaining what processing of data is occurring and what are the potential outcomes. This is because, given the nature of many automated forms of data processing, it may be difficult to understand in advance what is occurring. This may be particularly true with forms of machine learning where computer programs effectively decide based on complex forms of analysis of sample data what processes are to be applied.Footnote ¹³⁷

I. More Administrative Burdens on Controllers

Perhaps the most obvious issue relates to the fact that the use of sensitive data means that controllers will have to endure a higher regulatory burden. If the proportion of personal data that is sensitive data is higher, this burden may apply in instances where the data in question might not hitherto have been considered of a sensitive nature. Such burdens would include a more frequent need to utilize legal bases associated with sensitive data, including, as section E discussed, explicit consent, the more frequent need to appoint a DPO, conduct a Data Protection Impact Assessment, and implement other administrative requirements requested by national legislations pertaining to sensitive data.Footnote ¹³⁸,Footnote ¹³⁹

Another important burden that is likely to apply more frequently, given the changing backdrop above, may often apply even where the data in question turns out not to be sensitive at all. This is due to the need to perform a threshold analysis to discern what data one is in possession of. This is needed to discern both whether one is dealing with personal data and, if so, whether that data is sensitive. In order to do this, it is necessary to analyze the data in question in the context of the other data that might be available to the controller—including from publicly available sources—and the processing methods that could be applied.Footnote ¹⁴⁰ Performing such an exercise in order to discern the possible presence of sensitive data will become a more frequent and more demanding exercise. With each year that passes, and the increasing use of large—often big—datasets, the likelihood that data could be both personal and sensitive in nature will increase. The fact that the presence of sensitive data will become less and less intuitive will mean that exercises of determination—of the existence of sensitive data—will have to occur more often. Increases in both the quantity of potential complimentary available data and computing power—or “computational capacity”—will also make such a determination a more demanding task. More possibilities for combination with other alternative sources will have to be taken into account.Footnote ¹⁴¹ The increasing ability to deduce relationships brought about by forms of big data analysis as deep learning will also make the exercise of interpreting when data may or may not be sensitive more difficult.Footnote ¹⁴² Such techniques create a range of problems in terms of foreseeability.Footnote ¹⁴³ Given that they can result in finding correlations and relationships that were completely unexpected, they may make predicting the presence of sensitive data increasingly difficult.Footnote ¹⁴⁴ This will be particularly true where data protection frameworks such as the GDPR foresee a primarily context-based definition for certain types of sensitive data.Footnote ¹⁴⁵ The result of this may be the need to adopt an ever more cautionary approach towards potential personal data, assuming that it may often be of a sensitive nature also even where this may not intuitively appear to be the case and, thus, increasing the administrative burden attached to it.

II. Sensitive Data Inflation

A further risk is that the concept of sensitive data itself becomes devalued over time. If an ever-greater proportion of personal data is likely to be sensitive data, one might begin to question the value of sensitive data. Whereas in the past sensitive data represented a small fraction of personal data for which the need for a higher regulatory burden may have been easier to understand, this may change in a future where an ever-greater proportion of personal data is sensitive in nature. One can arguably say that this is already the situation, for example, with regards to the use of health data given the increased acceptance of digital forms of consent.Footnote ¹⁴⁶ Whilst facilitating various forms of mHealth processes that would not have been possible, such forms of consent arguably represent a far lower barrier to the utilization of sensitive data in comparison with more traditional requirements of consent for the processing of medical data, for example, signed written consent forms. We would argue that the change in perception of what is required in terms of consent for the use of health data can, in part, arguably be attributed to an inflation effect that has been produced as a result of the ever-increasing quantity of health data that is continuously being created and the innovation of processes designed to make use of it. This has in some ways arguably reduced the perception of the importance of the concept, allowing for a softening of consent as a barrier function to its use.Footnote ¹⁴⁷

As section F discussed, the GDPR in introducing a new range of requirements for the processing of inter alia sensitive data—especially on a large scale—arguably provides some balance to the situation that has arisen vis-á-vis the changing nature of explicit consent. Requirements such as the need to appoint DPOs or to conduct a DPIA will act to reduce some of the risks that are associated with the use of sensitive data and which may have arguably been increased by the weakening of the “consent barrier.” There exists, however, the risk that, with time and the potential “inflation” of sensitive data, these tools will also become weakened. In a world where more and more data are sensitive data, one might ask whether instruments such as DPIAs will retain the same level of effectiveness. Given the potential ubiquity of sensitive data, will the effort expected of and put into such requirements remain the same? If such exercises become the norm, arguably there is a risk that they will be reduced to tick box exercises, for instance, through software that automatically conducts or structures large parts of such assessments.Footnote ¹⁴⁸ Such a risk will increase where too few resources are deployed for an ever-increasing number of assessments to make them meaningful. This would reduce their ability to prevent the sort of harms that are associated with the use of sensitive data—including inter alia risks such as discrimination and associated effects. At present, these exercises are not seen as the norm, but as undertakings that must be engaged in when the data processing is seen to bring higher risks.^{Footnote 149} This arguably provides such exercises with a certain level of gravity that might be reduced if they become the norm.

III. The Risk of Sensitive Data Protection Circumvention

Given the relative nature of sensitive data and the increasing potency of data mining techniques, it seems clear that risks of circumvention of sensitive data protection rules and safeguards are high.

In particular, data controllers might avoid processing formally sensitive data by substituting them with “proxies.”Footnote ¹⁵⁰ The classic example is not processing information related to the “race” of individuals, but just processing data related to postal codes. This may be possible because in several cities, data about neighborhood can be an effective proxy for inferring ethnic origins.Footnote ¹⁵¹ This represents an important disadvantage of an overly contextual definition of sensitive data:Footnote ¹⁵² Even where data cannot apparently be used to draw firm objective conclusions about individuals, it may be possible to make probabilistic correlations that are sufficient for commercial or other purposes. In the example quoted here, for example, the fact an individual comes from a certain area may only mean that there is a fifty percent chance that they belong to a particular ethnic minority. Whilst this may not be sufficient to conclude, with any reasonable degree of certainty, membership of such a group, it may in many instances be sufficient for purposes such as marketing or insurance for which low probabilistic determination may still have significant commercial importance. Similarly, imagine a situation where a data controller discovers that people having yellow cars are more likely to buy products popular amongst gay people. In such situations, data controllers interested in exploiting the commercial opportunities of targeted advertising to gay consumers will not need to process any data related to sexual orientation, but rather be able to use a proxy that has low—but sufficient—correlation.Footnote ¹⁵³

Importantly, where data is of a low probabilistic nature, potential controllers may arguably be able to process it whilst claiming that it does not represent sensitive data from a context-based perspective. This is because on an individual level the data in question may be too uncertain to draw a sensitive inference—even if on a macro level it may be of commercial use, such as for advertising purposes. Unfortunately, it is possible that whilst not being sensitive data, from a purely context-based perspective at least, its use may have the potential to produce the same adverse effects that could be associated with the use of sensitive data.Footnote ¹⁵⁴ This situation arguably creates an incentive for certain data controllers to circumvent the use of objectively clear forms of sensitive data—from a context-based perspective—in favor of forms of data that will allow similar conclusions to be reached. This incentive is arguably increased by the changing de facto nature of sensitive data and the increased administrative burdens for data controllers who opt to process sensitive data, discussed in Section D.

I. Step I: Is there an intent to use the data in question for a sensitive purpose?

Determining an answer to this question will likely involve asking a series of important sub questions. Does the data controller intend to process sensitive data? Do they intend to use the data in question to arrive at conclusions—now or potentially in the future—that could be deemed of being of a sensitive nature?

Where the answer to such questions is “yes,” based on the available evidence, such as the identity of controller, stated aims, its usual practices or commercial motives, then the data in question could be assumed as being sensitive personal data. In particular, this could include attempts to assemble large amounts of data which although not sensitive at present might one day in the future be considered so because of—for example—increases in scientific knowledge, computing power, or the increased availability of potentially compatible data.

II. Step II: Is There a Need to Use the Objective “Backstop?”

If the answer to the main question above was however “no,” that would not necessarily be the end of the matter. This is because, to avoid some of the problems discussed above in section G.III, it is also necessary to determine that there is at least some level of objective analysis—irrelevant of the intentions of the data controller—concerning the nature of the data in question and its potential sensitivity. In such cases the context-based “back stop” should be applied. This involves asking the following question; regardless of the purpose of the data controller, is it reasonably foreseeable that in certain contexts the data in question could reveal sensitive aspects of data subjects or allow them to be inferred?

The authors of this Article would argue that such a hybrid view of what constitutes sensitive data can actually be supported looking at the wider way the GDPR refers to sensitive data. Unlike Article (9)(1), which seems to use mainly contextually orientated language, language that could be understood as being representative of a more purposeful understanding of what constitutes sensitive data, is used elsewhere. This is particularly true when one looks at the alternative legal bases to consent that are provided with in Article 9. This relates to the possibility to process data for reasons of “scientific research,” “public health,” and “substantial public interest.”Footnote ¹⁵⁶ Each of these potential legal grounds for the processing of sensitive data is defined in terms of a “purpose.” This arguably demonstrates that the concept of purpose should by no means be seen as alien to the question of what constitutes sensitive data. Given this, the authors of this Article would argue that utilizing “purpose” in the question of “what is sensitive data” within the context of a hybrid definition as outlined above is by no means a “step too far.”

One open issue concerning Step II is the threshold of the objective analysis. Given the risks of inflation and the creation of too many burdens identified in this Article, we would argue that the bar should not be set too low. It should therefore preclude distant theoretical possibilities that sensitive conclusions could be drawn from a particular dataset. Doing so would avoid many of the problems associated with employing solely a “maximalist” contextbased definition of personal data. At the same time, however, were the bar to be set too high, such as requiring it to be immediately obvious that the data in question was of a sensitive nature, then too much data that was in reality of a sensitive nature would be excluded. What is rather required is an intermediate level, in other words, where the bar would be set requiring a level of threshold analysis to discern whether or not it is reasonably foreseeable that the data in question could be considered as sensitive in nature.^{Footnote 157} This would include considering the computing power and analytical algorithms available and other potentially available complimentary sources.Footnote ¹⁵⁸ It would also require a fair consideration of likely developments in the future.

The most difficult aspect of this proposal is admittedly determining the intensity of review that should be required. As with many areas of data protection, the particular context involved will be important in providing guidance. Going beyond mere intuition is obviously necessary but an exhaustive investigation of all theoretical possibilities would clearly be too. That effort would invoke too many burdens and would result in problems linked to the concept of “maximization” discussed above. Rather, such an analysis should look for what is reasonably foreseeable in the context which exists. Such a “backstop,” if employed properly, should act to avoid many instances of negligent or poorly thought through processing that could put data subjects at risk.