The Court of Appeal of Ireland adopted on 1 July 2020 a judgement in a dispute between Peter Nowak and the Irish Data Protection Commissioner, as respondent (“DPC“), at the end of a years-long judicial saga. The case, taken in its entirety, offers interesting insight into two important questions:
- can written opinions and assessments made by an individual and written opinions and assessment made about that individual be considered personal data of such individual?; and
- does the right of access to personal data mean an obligation of a data controller to provide a data subject with its personal data in the original document, i.e. a copy of that document, or the data controller also meets its obligation by furnishing to the individual the data in a different format?
The judgement of the Court of Appeal does not deal with provisions of the GDPR, but with provisions of the former EU Data Protection Directive (95/46/EC). Nevertheless, the Court’s interpretation and, earlier in the same matter, interpretation by the CJEU, of relevant provisions in the Directive sheds light on the meaning of the equivalent GDPR provisions.
Facts and procedural history
In the summer and autumn of 2009, Nowak sat an exam with The Institute of Chartered Accountants in Ireland in order to qualify as a chartered accountant. Nowak did not pass the exam. In order to have the results of the exams judicially reviewed Nowak made a formal request to the Institute to provide all personal data they held on him, and especially a copy of his examination scripts. In response, the Institute furnished copies of 17 documents, but declined to furnish copies of the examination scripts, stating that they did not consist of personal data. Nowak submitted a complaint to the office of the DPC, alleging an infringement of his right of access to personal data. The DPC rejected the complaint and Nowak initiated judicial proceedings against the DPC before the competent court in Ireland. The case eventually reached the CJEU (Case-434/16) by reference from the Irish Court of Appeals.
While the judicial review of the complaint was in progress, Nowak lodged another complaint with the DPC, now claiming that the Institute destroyed the originals of the data about him. The DPC again rebuffed Nowak, holding that exam scripts did not consist of personal data, and therefore that the non-retention of the originals of the information by the Institute would not be a data protection issue. Nowak therefore initiated one more case before the competent court in Ireland.
Do exam scripts consist of personal data?
This question was not primarily in the focus of the Irish Court of Appeals, since the CJEU had responded to it in Case-434/16, Nowak v The Data Protection Commissioner. In the judgment of 20 December 2017, the CJEU determined that the written answers submitted by a candidate at a professional examination, and any comments made by an examiner with respect to those answers, constitute personal data. In its reasoning the CJEU stated that the formulation “[…] any information relating to an identified or identifiable natural person […]”, used in Art. 2(a) of the Directive for defining personal data, has a wide scope
which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in form of opinions and assessments, provided that they relate to the data subject.
The CJEU did not break a new ground with this pronouncement, because the EU member states’ data protection authorities (Article 29 Working Party) had already, ten years earlier, concluded in an opinion on the concept of personal data (WP 136, 20 June 2007), that the concept of personal data “also includes ‘subjective’ information, opinions or assessments'”, such as an assessment in employment (“Titius is a good worker and merits promotion”).
The CJEU elaborated on the meaning of the condition to “relate to the data subject” and explained that the condition is “satisfied where the information, by reason of its content, purpose, or effect, is linked to a particular person“. Here, again, the CJEU heavily relied on the Article 29 Working Party opinion from 2007. With that in mind, the CJEU stated that the written answers submitted by a candidate at a professional examination, as its opinions and assessments, constitute information that is linked to the candidate, and therefore represent its personal data, by virtue of:
- content – because they reflect the extent of the candidate’s knowledge, competence, intellect, thought processes, judgement, and in case of handwritten scripts they also contain information as to his/her handwriting;
- purpose – because they are used to evaluate the candidate’s abilities and suitability for practice; and
- effect – because they will be used to determine the candidate’s success or failure at the exam, and therefore will have effect on his/her rights or interests.
Similarly, with regard to the written comments by an examiner about the candidate’s answers, which amount to opinion and assessment of the candidate, the CJEU regarded them as linked to the candidate and therefore personal data, by virtue of:
- content – because the comments reflect the opinion or the assessment of the examiner of the performance of the candidate at the exam;
- purpose – because the purpose of the comments is to record the evaluation by the examiner of the candidate’s performance; and
- effect – because the comments are liable to determine success or failure of the candidate, and therefore have effect on his/her rights or interests.
It seems that, pursuant to the interpretation of the CJEU, there is little room for any information that relates in any way to an individual to not be considered as personal data about that individual. At least the “content” element seems to always be present in information, linking it to some particular individual. This is not a straightforward conclusion, as demonstrated by the fact that the Irish DPC – a highly competent agency with substantial experience in data protection matters given the importance of Ireland as a European hub for world’s leading internet and software companies – repeatedly held in the Nowak case that the data in exam scripts are not personal data.
Does the “right of access” mean access to the originals, i.e. copies of documents?
In dealing with this question, the Court of Appeals referred to a judgement of 17 July 2014 by the CJEU in Y.S. v Minister voor Immigratie, Integratie en Asiel, Minister voor Immigratie, Integratie en Asiel v. M. (joint cases C – 141/12 and C – 372/12). In the Y.S. case, the CJEU stated that providing the claimant with a copy of the minutes of the proceedings before an administrative body would serve the purpose of guaranteeing a right of access to administrative documents, rather than the Directive’s purpose of guaranteeing the protection of the right to privacy with regard to the processing of personal data. The CJEU approvingly quoted a decision of the Court of Appeal in England and Wales to the effect that the Directive was concerned with access to personal data/information and was not targeting documents per se.
The relevant part in the Directive was Art. 12(a), which stated that every data subject had the right to obtain from the controller “communication … in an intelligible form of the data undergoing processing“. One could not derive from that a right to obtain a copy of the document or the original file in which personal data about the individual appear. Rather, the right of access would be satisfied if the individual is provided with a full summary of the data in an intelligible form. “Intelligible” means that the form allows the person to become aware of those data and to check that they are accurate and processed in compliance with the law.
Considering the wording of the equivalent provision from Art. 15.3 of the GDPR: “The controller shall provide a copy of the personal data undergoing processing”, a question may be raised as to whether that means a copy of the document, or, on the contrary, “a full summary of the data in an intelligible form” (or a similar concept along the lines of what the CJEU said in the Y.S. case about Art. 12(a) of the Directive).
The GDPR, like the Directive, is primarily concerned with access to personal data, not with access to documents. So, a data controller has no obligation to furnish either the original or a copy to the data subject. There will nevertheless be circumstances where it will be more convenient for the data controller to supply the data subject with copies of the documents. True, the data controller may end up redacting too little, or too much, of information from such a document, due to insufficient expertise in the matter of what constitutes personal data, due to the intrinsic difficulty of determining what is requestor’s personal data in a particular case, or simply due to a mistake. In this regard, however, the challenge remains even if the data controller provides the data subject with personal data in summarized intelligible form, since the same risks also apply.
[Note: Serbian Data Protection Act and the current draft of Montenegrin Data Protection Act mirror the provisions of GDPR. The decisions of supervisory authorities and courts in EU member states may therefore serve as an instructive guidance for compliance with local regulations.]