Google continues to drive the development in case law of the Court of Justice of the European Union (CJEU) on the right to be forgotten, in two recent cases.

A lot of the media attention in Europe has focused on Google's 'major victory' in Google v CNIL (Case C-507/17), according to which the EU General Data Protection Regulation (GDPR) did not require Google to de-list search engine results globally following a successful de-listing request in the EU. The CJEU noted, however, that while the GDPR did not require global de-listing, it did not prohibit it. Therefore, EU member states' courts and data protection authorities would have jurisdiction to determine whether, in light of national standards, a search engine operator would also need to de-list globally.

The CJEU's decision in Google v CNIL is of limited importance to U.S. companies that do not operate search engines. By contrast, the other right-to-be-forgotten case concerning the tech giant in GC v CNIL (Case C-136/17) may be far more significant for U.S. companies. This case concerning sensitive personal data and criminal conviction data has not received much attention outside of specialist legal and regulatory circles but may in fact have a real impact on companies that may be inadvertently processing European criminal conviction data and may be doing so in violation of EU law.

Background

Two of the claimants in GC v CNIL requested the de-listing of Google results linking to articles published in the French press concerning criminal proceedings brought against them. Having assessed the requests, Google determined that the public's right to the information prevailed and this determination was upheld by the CNIL following the claimants' complaints to the French supervisory authority.

The CJEU held that the information about proceedings brought against an individual, even absent a conviction, constitutes data relating to 'offences' and 'criminal convictions' within the meaning of Article 10 of the GDPR and therefore was subject to conditions and protections set out in that provision.

The CJEU also noted that with the passage of time and in accordance with the principles of data minimisation, accuracy and storage limitation, the processing of such information may no longer comply with the GDPR.

Finally, the CJEU held that search engine operators must assess whether published information relating to earlier stages of criminal proceedings did not reflect the current situation and "whether, in the light of all the circumstances of the case, such as, in particular, the nature and seriousness of the offence in question, the progress and the outcome of the proceedings, the time elapsed, the part played by the data subject in public life and his past conduct, the public's interest at the time of the request, the content and form of the publication and the consequences of publication for the data subject", the search results should be delisted or otherwise reordered to reflect the "current legal position".

Analysis

The CJEU's decision in GC v CNIL can be problematic, not because the decision is unsound (in fact, the decision is well reasoned and to that extent unexceptional) but because it significantly broadens what is meant by criminal conviction data.

Article 10 of the GDPR provides the following:

"Processing of personal data relating to criminal convictions and offences or relating to security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or member state law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority."

The drafting in Article 10 GDPR is almost identical to that of its predecessor, the Data Protection Directive, and sets out the following three cardinal rules for the processing of criminal conviction data:

• The processing criminal conviction data can only be carried out by official authorities; or
• The processing of criminal conviction data must be authorised by EU or member state law; and
• Only authorities can maintain a comprehensive register of criminal convictions.

But what is criminal conviction data? Is it just a recorded criminal offence or something much broader? The GDPR does not provide a definition and neither did the Data Protection Directive. Moreover, Article 10 is one of the few articles in the GDPR that does not have a corresponding recital to aid in its interpretation.

According to advocate general Szpunar and the CJEU, information about proceedings brought against an individual even absent a conviction constitutes data relating to 'offences' and 'criminal convictions'. This broad definition should come as no surprise to data protection practitioners familiar with UK law as the Data Protection Act 2018 (and its predecessor, the Data Protection Act 1998) broadly defines criminal conviction data as the commission or "the alleged commission of offences by the data subject" and " proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing". A similar view was adopted in pre-GDPR guidance by the CNIL in France. However, this broader definition is likely to have significant impact in other member states and for U.S. companies operating across the EU where national laws do not contain a similar definition. For example, in Germany the prevailing view before the CJEU's decision was that allegations of criminal offences, absent an actual conviction, would not be subject to Article 10 GDPR. Similarly in the Netherlands, suspected criminal activity may have been caught by Article 10 GDPR if there are concrete and well-founded indications that an individual has committed a criminal offence.

Each EU member state has its own laws concerning the recording of criminal convictions and the processing of criminal conviction data by public authorities and private organisations. Some EU member states only permit the processing of criminal conviction data by private organisations to a very limited extent, such as in respect of individuals working with children or vulnerable adults (Ireland, Poland and Sweden), whereas others only allow the data subject rather than private organisations to access the data directly (France, Germany and Spain). In contrast, other member states have established comprehensive processes for private organisations to access criminal record data whether for background checks or for other purposes (United Kingdom), with additional requirements regarding the retention and use of such data.

The variability across the EU represents a hurdle for U.S. companies seeking a consistent approach regarding their European operations. For example, many U.S. companies have access to or would otherwise process data concerning the background of EU-based employees and contingent workers, which may now constitute criminal conviction data following the CJEU's decision. Consequently U.S. companies must consider applicable national variations, as enshrined in cardinal rule (2). Although the CJEU's decision goes some way to provide some consistency, albeit by bringing more data into scope, it would still defer to national law as regards what is permitted.

It is important for U.S. companies that are subject to the GDPR and that may process data that would now constitute 'criminal conviction' data to review this data and determine if it is being lawfully processed, whether by them or their European subsidiaries. In making that determination, it is useful to refer back to the CJEU's decision that requires taking into account "all the circumstances of the case, such as, in particular, the nature and seriousness of the offence in question, the progress and the outcome of the proceedings, [and] the time elapsed". That assessment will necessarily require companies to research and record the development and outcome of legal proceedings, as well as recording possible convictions. It is unlikely that the recording of the assessment would generally amount to a 'comprehensive register of criminal convictions' in violation of cardinal rule (3).

Oran Kiazim is a senior data protection adviser in international law firm Bird & Bird's privacy and data protection practice, providing strategic and practical support to the firm's multinational clients. His work covers all aspects of privacy and data protection law, including carrying out data protection impact assessments and developing practical data breach response procedures, as well as creating global privacy compliance frameworks that comply with the GDPR and implement Binding Corporate Rules.