Are You Inadvertently Processing European Criminal Conviction Data? The Overlooked Impact of GC v CNIL
The CJEU's other 'right to be forgotten' decision in GC v CNIL has not received much attention, but may in fact have a real impact on companies that may be inadvertently processing European criminal conviction data in violation of EU law.
October 21, 2019 at 07:00 AM
8 minute read
Google continues to drive the development in case law of the Court of Justice of the European Union (CJEU) on the right to be forgotten in two recent cases.
A lot of the media attention in Europe has focused on Google's 'major victory' in Google v CNIL (Case C-507/17), according to which the EU General Data Protection Regulation (GDPR) did not require Google to de-list search engine results globally following a successful de-listing request in the EU. The CJEU noted, however, that while the GDPR did not require global de-listing, it did not prohibit it. Therefore, EU member states' courts and data protection authorities would have jurisdiction to determine whether, in light of national standards, a search engine operator would also need to de-list globally.
The CJEU's decision in Google v CNIL is of limited importance to U.S. companies who do not operate search engines. By contrast, the other right to be forgotten case concerning the tech giant in GC v CNIL (Case C-136/17) may be far more significant for U.S. companies. This case concerning sensitive personal data and criminal conviction data has not received much attention outside of specialist legal and regulatory circles but may in fact have a real impact on companies which may be inadvertently processing European criminal conviction data and may be doing so in violation of EU law.
|Background
Two of the claimants in GC v CNIL requested the de-listing of Google results linking to articles published in the French press concerning criminal proceedings brought against them. Having assessed the requests, Google determined that the public's right to the information prevailed and this determination was upheld by the CNIL following the claimants' complaints to the French supervisory authority.
The CJEU held that the information about proceedings brought against an individual, even absent a conviction, constitutes data relating to 'offences' and 'criminal convictions' within the meaning of Article 10 of the GDPR and therefore were subject to conditions and protections set out in that provision.
The CJEU also noted that with the passage of time and in accordance with the principles of data minimisation, accuracy and storage limitation, the processing of such information may no longer comply with the GDPR.
Finally, the CJEU held that search engine operators must assess whether published information relating to earlier stages of criminal proceedings that did not reflect the current situation and "whether, in the light of all the circumstances of the case, such as, in particular, the nature and seriousness of the offence in question, the progress and the outcome of the proceedings, the time elapsed, the part played by the data subject in public life and his past conduct, the public's interest at the time of the request, the content and form of the publication and the consequences of publication for the data subject" the search results should be delisted or otherwise reordered to reflect the " current legal position".
|Analysis
The CJEU's decision in GC v CNIL can be problematic, not because the decision is unsound (in fact, the decision is well reasoned and to that extent unexceptional) but because it significantly broadens what is meant by criminal conviction data.
Article 10 of the GDPR provides the following:
"Processing of personal data relating to criminal convictions and offences or relating to security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority."
The drafting in Article 10 GDPR is almost identical to that of its predecessor, the Data Protection Directive, and sets out the following three cardinal rules for the processing of criminal conviction data:
- The processing criminal conviction data can only be carried out by official authorities; or
- The processing of criminal conviction data must be authorized by EU or member state law; and
- Only authorities can maintain a comprehensive register of criminal convictions.
But what is criminal conviction data? Is it just a recorded criminal offence or something much broader? The GDPR does not provide a definition and neither did the Data Protection Directive. Moreover, Article 10 is one of the few articles in the GDPR that does not have a corresponding recital to aid in its interpretation.
According to Advocate General Szpunar and the CJEU, information about proceedings brought against an individual even absent a conviction constitutes data relating to 'offences' and 'criminal convictions'. This broad definition should come as no surprise to data protection practitioners familiar with UK law as the Data Protection Act 2018 (and its predecessor, the Data Protection Act 1998) broadly defines criminal conviction data as the commission or "the alleged commission of offences by the data subject" and " proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing". A similar view was adopted by pre-GDPR guidance by the CNIL in France. However, this broader definition is likely to have significant impact in other member states and for U.S. companies operating across the EU where national laws do not contain a similar definition. For example, in Germany the prevailing view before the CJEU's decision was that allegations of criminal offences, absent an actual conviction, would not be subject to Article 10 GDPR. Similarly in the Netherlands, suspected criminal activity may have been caught by Article 10 GDPR if there are concrete and well-founded indications that an individual has committed a criminal offence.
Each EU member state has its own laws concerning the recording of criminal convictions and the processing of criminal conviction data by public authorities and private organisations. Some EU member states only permit the processing of criminal conviction data by private organisations to a very limited extent, such as in respect of individuals working with children or vulnerable adults (Ireland, Poland and Sweden), whereas others only allow the data subject rather than private organisations to access the data directly (France, Germany and Spain). By contrast, other member states have established comprehensive processes for private organisations to access criminal record data whether for background checks or for other purposes (United Kingdom), with additional requirements regarding the retention and use of such data.
The variability across the EU represents a hurdle for U.S. companies seeking a consistent approach regarding their European operations. For example, many U.S. companies have access to or would otherwise process data concerning the background of EU-based employees and contingent workers, which may now constitute criminal conviction data following the CJEU's decision. Consequently U.S. companies must consider applicable national variations, as enshrined in cardinal rule (2). Although the CJEU's decision goes some way to provide some consistency, albeit by bringing more data into scope, it would still defer to national law as regards what is permitted.
It is important for U.S. companies that are subject to the GDPR and that may process data that would now constitute 'criminal conviction' data to review this data and determine if it is being lawfully processed whether by them or their European subsidiaries. In making that determination it is useful to refer back to the CJEU's decision that requires taking into account "all the circumstances of the case, such as, in particular, the nature and seriousness of the offence in question, the progress and the outcome of the proceedings, [and] the time elapsed." That assessment will necessarily require companies to research and record the development and outcome of legal proceedings, as well as recording possible convictions. It is unlikely that the recording of the assessment would generally amount to a 'comprehensive register of criminal convictions' in violation of cardinal rule (3).
Oran Kiazim is am a senior data protection advisor in international law firm Bird & Bird's Privacy & Data Protection practice, providing strategic and practical support to the firms multinational clients. His work covers all aspects of privacy and data protection law, including carrying out data protection impact assessments and developing practical data breach response procedures, as well as creating global privacy compliance frameworks that comply with the General Data Protection Regulation (GDPR) and implement Binding Corporate Rules (BCRs).
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Decision of the Day: Administrative Court Finds Prevailing Wage Law Applies to Workers Who Cleaned NYC Subways During Pandemic
- 2Trailblazing Broward Judge Retires; Legacy Includes Bush v. Gore
- 3Federal Judge Named in Lawsuit Over Underage Drinking Party at His California Home
- 4'Almost an Arms Race': California Law Firms Scooped Up Lateral Talent by the Handful in 2024
- 5Pittsburgh Judge Rules Loan Company's Online Arbitration Agreement Unenforceable
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250