Part I of this blog examined the protection of an individual’s HIV status under the UK’s data protection regime in the context of ongoing litigation against Grindr. Part II examines the human rights implications of the disclosure of individuals’ HIV status to third parties in the European human rights context.

The Protection of Individuals’ HIV Status under the Right to Private Life

Under Article 8(1) of the European Convention on Human Rights (ECHR), all individuals have the right to respect for their private life. The European Court of Human Rights’ (ECtHR) case law makes clear that the processing of an individual’s HIV status as data falls within Article 8(1). Generally, the Court has established that the collection, storage and disclosure of ‘highly sensitive personal data’ falls under Article 8(1) (Surikov v Ukraine, [75]). In both PT v Moldova and OG v Greece, the Court assessed alleged violations of Article 8(1) where individuals’ HIV status had been disclosed.

The disclosure of an individual’s HIV status is only compatible with the right to private life where the interference pursues a legitimate aim, was done in accordance with domestic law, and is necessary in a democratic society, in accordance with Article 8(2). The Court considers data protection to be of ‘fundamental importance for the effective exercise’ of the right to private life, therefore States’ margin of appreciation for determining whether the disclosure pursues a legitimate aim is limited (PT v Moldova, [27]). The PT judgment suggests that, in the HIV context, it is only where an individual’s HIV status poses health risks that a disclosure of that status could serve a legitimate aim (PT v Moldova, [29]). Even when a measure serves such a legitimate aim, the Court will closely scrutinise the necessity of the disclosure. In OG, the Greek authorities published the names, photographs, and HIV-positive status of several sex workers. Although the Court accepted that the measure served the legitimate aim of the protection of the rights and freedoms of others – insofar as the disclosure would encourage sex workers’ clients to undergo HIV testing – the Court affirmed that the disclosure of such information without an individual’s consent can only be reconciled with Article 8(1) where it defends an overriding public interest (OG v Greece, [149], [153]). The Court was not satisfied that the disclosure could achieve the legitimate aim identified, noting that no other measures had been considered which could expose the sex workers’ data to a lesser extent (OG v Greece, [155]-[156]).

ECHR Implications of the Grindr Litigation

Grindr is not a public body: its actions are not attributable to a State under the ECHR, nor does the UK’s Human Rights Act 1998 require the company to protect ECHR rights. However, it is crystal clear that if a public body disclosed individuals’ HIV status without consent for commercial purposes, this would violate Article 8 ECHR.

There have been creative attempts by some national courts to enable litigation against companies for violations of international law, most notably the Canadian Supreme Court’s decision in Nevsun v Araya. However, without reinventing the wheel, the ECHR may indirectly allow for Grindr to be held to account for violating Article 8. The ECHR does not simply require States to desist from violating ECHR rights – States are also under positive obligations to protect those rights (see Council of Europe Human Rights Handbook No. 7, pp 5-6). Although positive obligations are clearest in other ECHR rights, particularly Article 2’s right to life (see, e.g., Osman v UK, [115]; McCann v UK, [202]-[214]), such obligations have also been recognized in cases of third party interference with the right to private life. In Beizaras and Levickas v Lithuania, the Court accepted that Article 8 may require the adoption of measures ‘in the sphere of relations between individuals’ to protect the right to private life. In that case, Lithuania’s failure to take effective measures to investigate homophobic hate speech against a gay couple violated Article 8(1) in combination with Article 14’s prohibition on the discriminatory enjoyment of ECHR rights ([110], [129]-[130]).

In a similar vein, if the UK courts’ application and interpretation of the UK GDPR fails to sanction Grindr for the disclosure of users’ HIV status, the UK may find itself before the ECtHR for having failed to protect those users’ rights to their private lives under Article 8(1). Hopefully, if the applicants’ case is proven, in accordance with their duties under the Human Rights Act 1998 to take account of ECtHR decisions, and interpret legislation in accordance with ECHR rights, the British courts will award an appropriate remedy against Grindr and underscore that the misuse of personal health data for commercial purposes is unacceptable.