The Difficulty of Defining Sensitive Data – The Concept of Sensitive Data in the EU Data Protection Framework

German Law Journal, (Forthcoming)

33 Pages. Posted: 16 Nov 2020. Last revised: 22 Mar 2021

Paul Quinn

Vrije Universiteit Brussel (VUB), LSTS, Interdisciplinary Research Group on Law Science Technology & Society, Students

Gianclaudio Malgieri

EDHEC Business School - Augmented Law Institute; Vrije Universiteit Brussel (VUB) - Faculty of Law

Date Written: October 16, 2020

Abstract

The concept of sensitive data has been a mainstay of data protection for a number of decades. The concept itself is used to denote several categories of data for which processing is deemed to pose a higher risk for data subjects than other forms of data. Such risks are often perceived in terms of an elevated probability of discrimination (or related harms) to vulnerable groups in society. As a result, data protection frameworks have traditionally foreseen a higher burden for the processing of sensitive data than other forms of data. The sui generis protection of sensitive data (stronger than the protection of non-sensitive personal data) can also seemingly be a necessity from a fundamental rights-based perspective (as indicated by human rights jurisprudence). This paper seeks to analyse the continued relevance of sensitive data in both contemporary and potential future contexts. Such an exercise is important for two main reasons. First, the legal regime responsible for the regulation of the use of personal data has evolved considerably since the concept of sensitive data was first used. This has been exemplified by the creation of the EU's General Data Protection Regulation in Europe. It has introduced a number of requirements relating to sensitive data that are likely to represent added burdens for controllers who want to process personal data. Second, the very nature of personal data is changing. Increases in computing power, more complex algorithms and the availability of ever more potentially complementary data online mean that more and more data can be considered of a sensitive nature. This creates various risks going forward, including an inflation effect whereby the concept loses its value and also the possibility that data controllers may increasingly seek to circumvent complying with the requirements placed upon the use of sensitive data.
This paper analyses how such developments are likely to influence the concept of sensitive data and in particular its ability to protect vulnerable groups from harms. The authors propose a possible interpretative solution: a hybrid approach where a purpose-based definition acquires a bigger role in deciding whether data is sensitive, combined with a context-based ‘backstop’ based on reasonable foreseeability.

Keywords: sensitive data, special categories of data, personal data, privacy, GDPR

Suggested Citation

Quinn, Paul and Malgieri, Gianclaudio, The Difficulty of Defining Sensitive Data – The Concept of Sensitive Data in the EU Data Protection Framework (October 16, 2020). German Law Journal, (Forthcoming), Available at SSRN: https://ssrn.com/abstract=3713134 or http://dx.doi.org/10.2139/ssrn.3713134

Paul Quinn

Vrije Universiteit Brussel (VUB), LSTS, Interdisciplinary Research Group on Law Science Technology & Society, Students

Brussels
Belgium

Gianclaudio Malgieri (Contact Author)

EDHEC Business School - Augmented Law Institute

58 rue du Port
Lille, 59046
France

HOME PAGE: https://www.gianclaudiomalgieri.eu/

Vrije Universiteit Brussel (VUB) - Faculty of Law

Brussels
Belgium

HOME PAGE: http://www.vub.ac.be/LSTS/members/malgieri/