By John O Brien, Associate on the Privacy & Data Security Team, Hason Hayes & Curran
The Irish Supreme Court recently handed down a decision in the long-running case of Nowak v. Data Protection Commissioner [2016] IESC 18. The Supreme Court’s decision, its first ever data protection ruling, means that the Court of Justice of the European Union (“CJEU”) must now decide whether an exam candidate’s script constitutes personal data.
Legal saga
Mr. Nowak’s long-running legal battle has been heard by four separate rungs of the Irish courts system. It is now set to be heard on the European stage.
Mr. Nowak failed, on three separate occasions, one of the mandatory exams to become a chartered accountant. Mr. Nowak then submitted a request under Section 4 of the Irish Data Protection Acts 1988 and 2003 (“DPA”) seeking all personal data held by the relevant examining body. That body declined to release his examination script on the basis that it did not constitute personal data within the meaning of the DPA.
Mr. Nowak contended that his examination script constitutes his personal data because:
1. it contains his handwriting, which he contends is biometric data; and
2. it may contain markings and/or comments by the examiner.
Mr. Nowak submitted a formal complaint to the Irish Data Protection Commissioner (“DPC”). He disputed the assertion that his examination script does not constitute personal data. The DPC refused to investigate the complaint under Section 10(1)(b)(i) of the DPA. The DPC was of the opinion that Mr. Nowak’s complaint was “frivolous and vexatious”.
Mr. Nowak appealed this decision to Ireland’s Circuit Court. When the Circuit Court upheld the DPC’s decision, further appeals were made to the High Court and, subsequently, the newly established Court of Appeal. The matter eventually found its way to the Supreme Court.
What’s in a scrawl?
A number of matters were examined by the Irish Supreme Court. These included whether Mr. Nowak enjoyed a right of appeal in the Irish Courts under the DPA and what form these appeals may take.
Of most interest to privacy and data protection professionals will be the Supreme Court’s examination of Mr. Nowak’s assertion that his examination script is his personal data. Mr. Justice O’Donnell, writing the unanimous decision for the Court stated:
The underlying issue here, whether an examination script is ever capable of being personal data within the meaning of the [DPA], and if so, whether this script is such personal data, is one of some difficulty and complexity that requires the analysis of a number of different texts and provisions.
The Supreme Court went on to review how the term ‘personal data’ is defined in both the DPA and the Data Protection Directive (95/46/EC).
The DPC relied on previous analysis by Advocate General Sharpston in the YS case where she stated that:
… only information relating to facts about an individual can be personal data. Except for the fact that it exists, a legal analysis is not such a fact. Thus, for example, a person’s address is personal data but an analysis of his domicile for legal purposes is not.
Mr. Nowak cited Section 4(6)(b) of the DPA which prevents the DPA being used by exam candidates to circumvent the publication of exam results. Mr. Nowak argued that Section 4(6)(b) implicitly recognises that examination results constitute personal data. If examination results constitute personal data, Mr. Nowak argued that the raw material from which results are derived must also be personal data. Such raw material would include an examination script and examiner’s comments or marks.
Europe to decide
The Supreme Court decided that this “is ultimately a matter of European law”. The Court wasn’t satisfied that the issue at hand was reasonably clear and free from doubt. In such circumstances, it decided to refer the question as to whether an examination script is capable of constituting personal data to the CJEU.
Students, examiners, colleges, professional bodies and privacy professionals alike should follow Mr. Nowak’s onward journey to Luxembourg with great interest. We will now have to wait for the CJEU to decide just how wide the definition of ‘personal data’ is at EU law.
The content of this article is provided for information purposes only and does not constitute legal or other advice.
About the author
John is an Associate on the Privacy & Data Security Team, working with large technology and internet clients in the areas of data protection, security and transfer. As part of the MHC team advising on complex data transboundary flows, John has advised on a wide range of issues, including significant data breach incidents, emerging technologies and the effective implementation of global privacy structures.
John also provides commercial contract advice to some of Ireland’s best known companies and brands.
Clients John advises on a daily basis include Facebook, LinkedIn, Yahoo!, Adobe and Twitter.