A New Perspective on Article 9 GDPR - Are photos of people wearing glasses already considered "Health Data"?
How broadly should "health data" under Article 9 of the GDPR be interpreted? This question has come under renewed scrutiny following the opinion of Advocate General Szpunar in case C-21/23, delivered on April 25, 2024. His views could signal a shift from the previously strict approach of the CJEU (Court of Justice of the European Union).
The Strict Approach: CJEU's Past Rulings
In a 2023 ruling (Meta Platforms case, C-252/21), the CJEU took a broad view of what qualifies as health data. It ruled that the protections of Article 9 applied even if:
The CJEU emphasized that almost any information that could potentially reveal something about a person’s health could be considered "health data," irrespective of its accuracy or the intended purpose of the processing. This led to a very expansive interpretation, raising compliance requirements for businesses.
A Shift in Perspective: Advocate General Szpunar's Opinion
Advocate General Szpunar challenges this interpretation. He argues that for data to be classified as "health data," there must be a minimum level of certainty that it reveals information about an individual’s health. This perspective introduces three key criteria:
For instance, Szpunar suggests that purchasing common over-the-counter medications like paracetamol does not automatically indicate a specific health condition. Simply knowing that someone bought pain relief does not make the data "health data" unless it allows a definite conclusion about their health status.
What This Means for Businesses
If the CJEU adopts Szpunar's view, it would narrow the scope of what qualifies as health data, easing the burden of compliance. This could mean that everyday data, like information about a customer’s purchase of non-prescription medicines, might not automatically be classified as sensitive health data.
Such a change would allow businesses to focus more on truly sensitive health information, rather than stretching the definition of health data to include any potential inference. This would make a significant difference in practice, especially for companies handling data in sectors like online retail or healthcare services.
Looking Ahead
The CJEU’s final decision on this matter will be pivotal. It has the potential to redefine the boundaries of "health data" under GDPR, offering a more balanced approach that aligns better with everyday business practices. Until then, businesses should continue to monitor these developments and be prepared to adjust their data-handling practices accordingly.
About Kertos
Kertos is the no-code solution for fully automated implementation of global data protection and compliance regulations. Our platform enables fast-scaling tech companies to streamline their compliance with minimal personnel costs.