Are You Inadvertently Processing European Criminal Conviction Data? The Overlooked Impact of GC v CNIL

Google continues to drive the development in case law of the Court of Justice of the European Union (CJEU) on the right to be forgotten in two recent cases.

A lot of the media attention in Europe has focused on Google’s ‘major victory’ in Google v CNIL (Case C-507/17), according to which the EU General Data Protection Regulation (GDPR) did not require Google to de-list search engine results globally following a successful de-listing request in the EU. The CJEU noted, however, that while the GDPR did not require global de-listing, it did not prohibit it. Therefore, EU member states’ courts and data protection authorities would have jurisdiction to determine whether, in light of national standards, a search engine operator would also need to de-list globally.

The CJEU’s decision in Google v CNIL is of limited importance to U.S. companies who do not operate search engines. By contrast, the other right to be forgotten case concerning the tech giant in GC v CNIL (Case C-136/17) may be far more significant for U.S. companies. This case concerning sensitive personal data and criminal conviction data has not received much attention outside of specialist legal and regulatory circles but may in fact have a real impact on companies which may be inadvertently processing European criminal conviction data and may be doing so in violation of EU law.