Nowak v The Data Protection Commissioner | |
Court: | Supreme Court of Ireland |
Full Name: | Nowak v The Data Protection Commissioner |
Date Decided: | 24 April 2016 |
Citations: | [2016] IESC 18; [2016] 2 IR 585 |
Transcripts: | https://www.bailii.org/ie/cases/IESC/2016/S18.html |
Judges: | O'Donnell Donal J, McKechnie J, Clarke J, MacMenamin J, Laffoy J, Dunne J, Charleton J |
Number Of Judges: | 7 |
Decision By: | O'Donnell Donal J. |
Appealed From: | High Court |
Appealed To: | Supreme Court |
Opinions: | Upon referreal by the Supreme Court, the CJEU decided that the answers provided by a candidate sitting an exam can be considered as information relating to the candidate and thus can be defined as the personal data of the candidate. |
Italic Title: | yes |
Nowak v Data Protection Commissioner [2016] IESC 18 is an Irish Supreme Court case in which the Court referred the question of what constitutes as personal data to the Court of Justice of the European Union (CJEU).[1] In this case, the Court saw for the first time an applicant contending that an exam script is his personal data. The CJEU decided that the answers provided by a candidate sitting an exam can be considered as information relating to the candidate and thus can be defined as the personal data of the candidate.
The Court of Justice of the European Union's decision in this case is significant because it set a precedent for other Member States as well. Also, it gave clarification on what can be considered personal data.[2]
In this case, Mr. Peter Nowak was a trainee accountant who had passed the first level of his accountancy exams, which were issued by the Institution of Chartered Accountants in Ireland. He took the strategic finance and management accounting exams in two separate sittings. Once in 2008 and again in 2009 after subsequently failing his initial attempt. Mr Nowak failed his final attempt at the exams and subsequently requested a copy of his exam scrips from the Chartered Accountants of Ireland. He did this under Section 4 of the Data Protections Act 1998 and 2003.[3] Despite retaining some documents from Chartered Accountants Ireland, he did not receive his exam script for review as they believed that the scrips did not fall under what they believed to be personal data.[4]
The request for his exam scripts was then put to the Office of the Data Protection Commissioner.[5] The Commissioner felt there was no need to conduct an independent investigation as under the terms of the Data Protections Act, exam scripts did not constitute as personal data.[6] The Commissioner was of the view that if a complaint forwarded to him does not have any substantial legal grounds, then it can be considered frivolous and vexatious. In which circumstance, he would not be obliged to investigate the complaint any further. This process is what Nowak was questioning.[7]
The Circuit Court rejected Mr Nowak's request for an appeal, and the same conclusion was reached by the Court of Appeal as well. This resulted in him bringing the case to the Supreme Court in April 2016.
The Supreme Court overturned the decision of the High Court that an appeal could not be made on the basis of a complaint which was frivolous or vexatious, as this was unjust. On the very basis of data protection, any appeal in relation to one's personal data could be appealed.
This Court had to consider three questions. Firstly, can Nowak appeal the Data Protection Commissioner's decision under section 26 of the Data Protection Act 1988 and 2003. Secondly, if he could, then what test should the Circuit Court have applied in relation to his case? Lastly, by applying this test, is the Data Protection Commissioner correct in making his decision?
Frivolous complaints are usually disregarded. Administrative decision makers can dismiss unfounded allegations. This is to avoid having to formalise every complaint and postpone work that might be done promptly. This is in the context of a frivolous complaint that raises a substantial legal question. Nowak's complaint was valid, but the Circuit Court can hear legal issues. Both Acts do not limit appeals. The Commissioner claimed he acted legally. Supreme Court stated that section 26 of the Data Protection Act 2003 deals with appeals and is clear. The modified section 26 also applies to complaints that are vexatious under section 10(1)(b).
If the Commissioner finds that a complaint cannot be settled, he or she just needs to tell the complainant. Reading the Acts as requiring a comprehensive inquiry does not limit appeals. It would require an unnecessary procedure that would delay other instances.[8] The Court concluded that a frivolous or vexatious finding that a document is not personal data can be challenged. The Commissioner suggested judicial review.[9] The Court disagreed because there is no reason to limit judicial review to legal questions. This matter is not suitable for judicial review. The Commissioner may have erred in rejecting the complaint as frivolous or vexatious. The Court rejected Mr. Nowak's claim that his handwritten script constituted personal data because exams are not graded on handwriting.[10] Accountancy exams only test one topic. Mr. Nowak maintained that if the Act considers exam results personal data, then the script, markings, and other exam-related data should be too.[11]
However, on the issue of personal data, the Court held that there was no prior case law for it to make its decision.[12] There is also no European authority relating to data protection for the Court to base its decision upon whether an examination script falls under the scope of what is personal data.[13]
The Supreme Court made the decision to refer the case to the Court of Justice of the European Union in a request to answer the question of whether an examination script and its attached result can constitute personal data.[14]
The Court of Justice of the European Union decided that the answers provided by a candidate sitting an exam are, in fact, information relating to the candidate. It can therefore be defined as the personal data of the candidate. The CJEU held that all information provided by a candidate in an exam on the exam paper is under an obligation to be compliant with all data protection principles and the safeguards relating to that data, including the right to access the information.[15]
The CJEU took a broad view of the concept of personal data. This case highlighted the importance of personal data and the rights that come with it, including all GDPR rules, as a guideline for all EU member states regarding what rules to follow when dealing with issues relating to the request for access to personal data.