What does it mean for a data subject to make their personal data "manifestly public"? An analysis of GDPR Article 9(2)(e)

Abstract

• This article investigates an under-discussed and potentially significant provision in the EU General Data Protection Regulation (GDPR), namely Article 9(2)(e), which permits processing of special category personal data if the “processing relates to personal data which are manifestly made public by the data subject”.
• This provision may be of increasing interest to data controllers in a variety of cloud-based, internet-related, and/or social media contexts. We specifically consider the application of this provision in the context of genetic data and open data sharing (i.e. data that can be freely used, re-used, and redistributed by anyone), illustrating this by way of several cases of initiatives that seek to share genetic data. We query whether by uploading one’s own genetic data onto the internet, a person has made their data “manifestly public” within the meaning of the GDPR.
• Our response to this query is that in general, the answer should be no, but it remains possible. We argue that Article 9(2)(e) must be construed narrowly; outside of clearly defined contexts, it would be legally inappropriate to invoke and rely upon this manifestly public self-disclosure exception in data protection law. Our narrow interpretation of the provision aligns with the limited guidance made available from data protection authorities. As part of this argument, we propose a legal test that must be satisfied before