Turning to the provisions of the GDPR at issue, it is necessary to underline that art. 9, para. 2, letter e) constitutes an exception to the general principle that sets forth in an absolute prohibition on the processing of personal data belonging to the specific categories indicated paragraph 1: in summary, the provision states that such information, whenever it is made manifestly public by the data subject, can be processed. However, it does not identify the rules by which this is possible.
Of particular significance, as set forth herein, is the first (and the most general) of the exceptions, namely giving the “explicit consent to the processing of those personal data for one or more specified purposes” (letter a): despite the formal manner in which the law is set out (a general prohibition with exceptions), in practice the general rule appears to be that the processing of data belonging to special categories is permitted upon receipt of express consent for one or more specific purposes, while the other exceptions to the prohibition assume the function of specific circumstances equivalent to express consent.
Therefore, because the exceptions are to be read as being alternative to each other, one may say that the action of making one’s “special categories’” personal data manifestly public equates to providing valid consent to the processing of the same: therefore, data belonging to special categories that the data subject on its own initiative makes manifestly public may be processed.
The recognition of an affirmative action by the data subject as equivalent to valid consent is therefore consistent with the characteristics that consent has in the GDPR, as deduced from the various whereas (for example, see n. 32) and the related definition (art. 4, n. 11) “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
But this does not signify that the information made manifestly public may be processed indiscriminately: without a doubt, the scope of the exception, as stated, is not to exempt it from the appropriate treatment with respect to the general principles (art. 5 GDPR), including all of those traditionally present in our legal framework, including purpose limitation principle
As a stimulating point, I remind that article 6, para. 4 GDPR specifies general condition for lawfulness of data processing – not based on consent – for different purposes than those for which the personal data are initially collected, in compatibility of such subsequent purposes with the original purposes, leaving the controller to conduct – for the related verification – the evaluation, including “(…) c) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9 (…); d) the possible consequences of the intended further processing for data subjects;”.
With regard to the evaluation of the scope of protection the regulation offers to the data subject that makes its personal data “manifestly public”, it is necessary to also highlight that the GDPR definitively sets forth (see whereas 4) the right to protection of personal data as a fundamental right to be considered “in light of its social function”: the substantial effect of which seems to be the extension of the related protection to other (autonomous) fundamental rights of the data subject belonging to the category of personality rights, including in particular the right to personal identity.
In this sense the “whereas” of the regulation (specifically 75 and 85) set forth indications that explicitly identify – among the risks inherent in the processing that are subject to identification, evaluation and obligatory prevention by the controller – those acts that cause “social disadvantage” to the data subject, expressly including “damage to reputation”.
Therefore, the use of this personal information must have limits, aside from the general principles that constitute the framework of the right to protection of personal data, while also respecting other personality rights of the data subject, with particular regard to personal identity: from there it follows that within the GDPR system the related processing, even if supported by a precise exception for consent and by purposes that are abstractly consistent with those for which the information was made public by the data subject itself, may be illegitimate – also considering the same regulations on the protection of personal data – whenever, for the means with which the processing is conducted or for the effects that it produces, it creates a social or reputational damage for the data subject.
There remains no doubt as to the possibility for the data subject to exercise its right to object (art. 21 GDPR) and, above all, the right to erasure (“to be forgotten”) (art. 17 GDPR).
Lastly, respect for privacy is not enough: the use of “personal data made manifestly public by the data subject” must in any case also respect all applicable norms, as those regarding copyright (for example, with regard to the use of photographs) or legal penalties (for example, laws regarding defamation).
In conclusion, I do not believe that the GDPR, once effective, will legitimise the indiscriminate use of personal data belonging to the special categories indicated in article 9 when posted on social networks: the processing, as a result of the norms under examination, will be possible, but will always need to respect the principles of lawfulness, purpose limitation, data minimisation and be considered in the context of a balance of interests between the fundamental rights which – in observance of the mechanism of “accountability” – the controller shall be responsible for, and able to demonstrate compliance with.