What is so special about special categories of data?

  • Panel
  • Grande Halle
  • Thursday 21.05 — 14:15 - 15:30

Organising Institution

EDPS

Belgium

The European Data Protection Supervisor is an independent supervisory authority, with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities at national level. The EDPS remit includes: • developing and communicating an overall vision, thinking in global terms and proposing concrete recommendations; • providing policy guidance to meet new challenges in the area of data protection; • operating at the highest levels and developing effective relationships with diverse stakeholders in other EU institutions, Member States, non EU countries and other national or international organisations. Under the AI Act (Regulation (EU) 2024/1689), the European Data Protection Supervisor is now the Market surveillance authority for EUIs’ AI systems and a notified body for high-risk AI assessments
The broad interpretation of the notion of special categories of data under the GDPR is informed by the aim of ensuring a high level of protection of fundamental rights and freedoms. Despite the general prohibition set forth in Article 9 GDPR, there is a clear increase in the processing of sensitive data in practice. In addition, an increasing number of policy and legislative initiatives would further legitimate the processing of special categories of data. These developments invite us to reflect upon the specific nature of sensitive data: what makes it so special? Is it "intrinsically" sensitive, or does its nature depend on the purpose and the context of the processing? The panel will take stock of both legal developments and operational challenges to provide a better understanding of the scope, logic and limits of special categories of data.

Questions to be answered

  1. What evolutions can we witness in the notion of special category of data and its boundaries?
  2. What is the rationale behind the new exceptions to the general prohibition laid down in Article 9 GDPR, included in the Digital and AI Omnibus proposals?
  3. Which use cases illustrate the tensions around the application of the notion?
  4. Are certain data (e.g. neurodata) inherently sensitive in all contexts, whereas others require a more contextual assessment?

Moderator

Brendan Van Alsenoy

EDPS - Europe

Dr. Brendan Van Alsenoy is Acting Head of Unit "Policy & Legislative Consultation" at the European Data Protection Supervisor (EDPS). He joined the EDPS in 2020 and served as deputy Head of Unit between 2021 and 2025. Before joining the EDPS, he worked as a Legal Advisor and Acting Head of Unit at the Belgian Data Protection Authority. Prior to that, he worked as a legal researcher at the KU Leuven Centre for IT & IP Law, with a focus on data protection and privacy, intermediary liability and trust services. In 2012, he worked at the Organisation for Economic Co-operation and Development (OECD) to assist in the revision of the 1980 OECD Privacy Guidelines.

Speaker

Gianclaudio Malgieri

the Leiden University - Netherlands

Dr. Gianclaudio Malgieri is an Associate Professor of Law & Technology and a Board Member at eLaw – Center for Law and Digital Technologies. He serves as the Honorary Director of the Brussels Privacy Hub, Free University of Brussels (VUB), and as the Managing Editor of Computer Law and Security Review, an External Ethics Expert of the European Commission. He leads the RESOCIAL Project and will lead VaROS (Vulnerability and Resilience in an Online Society), two interdisciplinary projects on social media vulnerability and resilience funded by the Dutch Research Agenda . His field of research and teaching is digital rights, digital vulnerability, digital wellbeing, data protection law, privacy, AI regulation, AI explainability rights, and consumer protection in the digital market. Gianclaudio has authored more than 100 publications, including the book "Vulnerability and Data Protection Law" (Oxford University Press, 2023) and articles in leading international academic journals, and he is the Co-Rapporteur for the American Law Institute - European Law Institute Principles on Biometrics. His works have been cited by, inter alia, top international newspapers (The New York Times, The Washington Post, Al Jazeera, Le Monde, Politico, La Tribune, France Culture, ilSole24Ore, la Repubblica, il Corriere della Sera, Euractiv, the EU Observer) but also institutions, e.g. the European Commission and the Council of Europe, and the Advocate General of the EU Court of Justice.

Speaker

Ruth Boardman

Bird & Bird's International Privacy and Data Protection Group - International

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues. I have extensive experience advising a broad range of organisations on data privacy matters. I advise on the data protection aspects of new products or services and on commercial arrangements involving personal data. I also help when there has been a personal data breach. I advise clients on their dealings with data protection authorities and with those involved in passing new data protection legislation. I work with clients in many sectors - including online providers, ad-tech, ed-tech and all companies providing services likely to be accessed by children, new technology and electronics, life sciences, financial services including payments, creative industries (such as music and film), automotive and sports. I have co-written Data Protection Strategy (Sweet & Maxwell), which has been re-published to take account of the GDPR and UK legislation. I recently served on the Board of the International Association of Privacy Professionals and have been a member of the UK Government's Expert Council on data transfers. I also assisted the Global Alliance on Responsible Genome and Clinical Data Sharing, where I served as a member of its Regulatory and Legal Group. My Education University of Oxford, English Language & Literature College of Law, Chester, Common Professional Exam and Law Society Finals My Admissions Law Society of England & Wales in 1995

Speaker

Anne Debet

CNIL (Commission nationale de l'informatique et des libertés) - France

Speaker

Stephane Kolanowski

International Committee of the Red Cross (ICRC) - Switzerland

Stéphane Kolanowski is the ICRC Deputy Data Protection Officer responsible for Europe, Central Asia and francophone Africa, as well as for the ICRC Resource mobilisation division. In that capacity, he is advising ICRC delegations in the EURASIA region and the ICRC delegations in francophone countries in Africa on data protection issues, and he is supervising the compliance with ICRC Rules on Data Protection. Stéphane holds a Law Degree and a Master in Laws (LL.M.) in Public International Law. He joined the International Committee of the Red Cross (ICRC) Legal Division (Geneva) in 1997, where he worked on different issues, such as Human Rights, impunity, as well as on some arms related issues. In 1999, he participated in the build-up of the ICRC Delegation to the EU, NATO and the Kingdom of Belgium, a Delegation in which he was the Senior Legal Adviser until May 2021. He was responsible for following relevant legal developments in EU and NATO policies and operations and for promoting and disseminating International Humanitarian Law for several audiences. Since 2013, Stéphane is visiting professor at the College of Europe where he lectures on International Humanitarian Law.