Is a candidate’s exam script ‘personal data’ about him? If so, then does he have the right to access a copy of his script under the EU’s ‘data processing’ Directive 95/46/EC?
Having repeatedly failed an exam, Mr Nowak made a data access request to the body setting the exam, Ireland’s Institute of Chartered Accountants (the ‘CAI’). He sought access to all ‘personal data’ about him that was held by the CAI. The CAI duly sent him copies of 17 items but it declined to send him a copy of his exam script. The CAI took the view that since his exam script was not ‘personal data’ it was not legally obliged to send him a copy of what he had written.
Undeterred, Mr Nowak asked the Irish Data Protection Commissioner for help. However, the Commissioner declined to offer assistance because exam scripts ‘would not generally constitute personal data’.
Consequently, Mr Nowak lodged an official complaint with the Commissioner. The Commissioner simply refused to open an investigation into Mr Nowak’s complaint. It justified its refusal by invoking an Irish statutory rule that is applicable to complaints which the Commissioner deems to be either vexatious or frivolous.
Mr Nowak appealed to an Irish Circuit Court. However, the Judge took the view that no appeal could be brought. This was because there was only a right to appeal if there was a ‘decision’ to appeal, and that was not the case here. That is to say, the Commissioner had not taken ‘a decision’ about whether the complaint was vexatious or frivolous, he had merely made a ‘determination’. The Circuit Court Judge admitted that even if she were wrong on that point, then were she to hear Mr Nowak’s appeal, he would still be unsuccessful because in her view an exam script was not ‘personal data’.
Mr Nowak appealed unsuccessfully to the High Court and also lost in a further appeal to the Ireland’s Court of Appeal. However, the Court of Appeal did grant leave for Mr Nowak to take his case to the Supreme Court of Ireland. The reason for granting leave to appeal was that his case raised a matter of ‘general public importance’. There were two particular issues at stake: did Mr Nowak have a ground to appeal where the Commissioner had determined but not decided his complaint to be vexatious; and if he was indeed entitled to bring an appeal to the Circuit Court, then was it right that his exam script was not personal data?
At the Supreme Court of Ireland
The judge delivering the leading judgment of the Irish Supreme Court took an introductory swipe at the Commissioner. Determining Mr Nowak’s complaints to be frivolous or vexatious meant that if he wanted to bring an appeal then he would have to mount a full judicial review, and Judge O’Donnell thought that was ‘incongruous’ in circumstances where this same Commissioner had also determined Mr Schrems’ complaint to be frivolous or vexatious – something which had sparked ‘perhaps the most important data protection case to emerge from this jurisdiction’.
That said, it was not completely clear on what plank of the EU’s ‘data processing’ Directive 95/46/EC, Mr Nowak should base his appeal. On the one hand, Mr Nowak relied on the general terms in Article 28(3) that “[d]ecisions by the supervisory authority which give rise to complaints may be appealed against through the courts”.
On the other hand, the Commissioner thought Article 28(4) was more pertinent because it provides: “Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.”
Judge O’Donnell thought that Article 28(3) could offer Mr Nowak a route of appeal to a court in light of what the CJEU in Schrems had reasoned:
64. In a situation where the national supervisory authority comes to the conclusion that the arguments put forward in support of such a claim are unfounded and therefore rejects it, the person who lodged the claim must, as is apparent from the second subparagraph of Article 28(3) of Directive 95/46, read in the light of Article 47 of the Charter, have access to judicial remedies enabling him to challenge such a decision adversely affecting him before the national courts.
Consequently, was Mr Nowak’s exam script ‘personal data’? Judge O’Donnell recalled the key definitions in the Irish and EU legislation:
“Personal data” is defined within the [Irish] Acts as follows:
“[D]ata relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller.”
In Directive 95/46/EC, “personal data” is defined as:
“‘personal data’ shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
Judge O’Donnell recorded the Commissioner’s three denials that an exam script constituted personal data. First, an open book exam would not be expected to contain any personal information about Mr Nowak. Second, there was no point of making Mr Nowak aware of what was in the exam script because he himself had generated it. Third, Advocate General Sharpston in Case C-141/12, Y.S had made a distinction in her Opinion between facts about an individual being disclosable data; in contrast with an analysis for legal purposes, which was not disclosable.
In contrast, Mr Nowak was arguing that that his exam script constituted personal data. Since the Irish Data Protection Act contained a specific statutory exception for exam results, then these must by their very nature be ‘personal data’. Consequently, if an exam result was personal data, then the script and possibly even the examiner’s marks or comments must be personal data too.
The judge acknowledged that Mr Nowak’s argument was a possibility, and added that it was ‘not inconceivable that there might be circumstances in which a data subject might wish to control the processing of such information outside of the examination process’.
The judge conceded that ‘In any event, this is ultimately a matter of European law’ which was not acte clair, and because the Irish Supreme Court was the final court of appeal, in light of the CILFIT test a preliminary reference to the CJEU was necessary.
A copy of the Questions has not yet been published on the websites of either the Irish Supreme Court or EUR-Lex.
The ability of German law to prevail over a decision of the Irish Data Protection Commissioner is at issue in another recent preliminary reference; see further, Case C-210/16, Wirtschaftsakademie Schleswig-Holstein – Facebook Fan Page visitor data.
Update – 10 August 2016
Requests for information need not only arise in the context of data processing law. In the area of financial regulation, regulators are finding themselves the target of access requests and are relying on confidentiality laws; see for example, Case C-358/16, UBS – stopping a lawyer from seeking access to documents that could establish his innocence.
Update – 3 October 2016
According to today’s Official Journal (C 364/11), the Nowak questions are:
1. Is information recorded in/as answers given by a candidate during a professional examination capable of being personal data within the meaning of Directive 95/46/EC […]?
2. If the answer to Question 1 is that all or some of such information may be personal data within the meaning of the Directive, what factors are relevant in determining whether in any given case such script is personal data, and what weight should be given to such factors?