Nowak v Data Protection Commissioner

Last updated
Nowak v The Data Protection Commissioner
Coat of arms of Ireland.svg
Coat of arms of Ireland
Court Supreme Court of Ireland
Full case nameNowak v The Data Protection Commissioner
Decided24 April 2016
Citation(s)[2016] IESC 18; [2016] 2 IR 585
Transcript(s) https://www.bailii.org/ie/cases/IESC/2016/S18.html
Case history
Appealed fromHigh Court
Appealed toSupreme Court
Court membership
Judges sittingO'Donnell Donal J, McKechnie J, Clarke J, MacMenamin J, Laffoy J, Dunne J, Charleton J
Case opinions
Upon referreal by the Supreme Court, the CJEU decided that the answers provided by a candidate sitting an exam can be considered as information relating to the candidate and thus can be defined as the personal data of the candidate.
Decision byO'Donnell Donal J.
Keywords

Nowak v Data Protection Commissioner[2016] IESC 18 [1] is an Irish Supreme Court case in which the Court referred the question of what constitutes as personal data to the Court of Justice of the European Union (CJEU). [2] In this case, the Court saw for the first time an applicant contending that an exam script is his personal data. The CJEU decided that the answers provided by a candidate sitting an exam can be considered as information relating to the candidate and thus can be defined as the personal data of the candidate.

Contents

The Court of Justice of the European Union's decision in this case is significant because it set a precedent for other Member States as well. Also, it gave clarification on what can be considered personal data. [3]

Background

In this case, Mr. Peter Nowak was a trainee accountant who had passed the first level of his accountancy exams, which were issued by the Institution of Chartered Accountants in Ireland. He took the strategic finance and management accounting exams in two separate sittings. Once in 2008 and again in 2009 after subsequently failing his initial attempt. Mr Nowak failed his final attempt at the exams and subsequently requested a copy of his exam scrips from the Chartered Accountants of Ireland. He did this under Section 4 of the Data Protections Act 1998 and 2003. [4] Despite retaining some documents from Chartered Accountants Ireland, he did not receive his exam script for review as they believed that the scrips did not fall under what they believed to be personal data. [5]

The request for his exam scripts was then put to the Office of the Data Protection Commissioner. [6] The Commissioner felt there was no need to conduct an independent investigation as under the terms of the Data Protections Act, exam scripts did not constitute as personal data. [7] The Commissioner was of the view that if a complaint forwarded to him does not have any substantial legal grounds, then it can be considered frivolous and vexatious. In which circumstance, he would not be obliged to investigate the complaint any further. This process is what Nowak was questioning. [8]

The Circuit Court rejected Mr Nowak's request for an appeal, and the same conclusion was reached by the Court of Appeal as well. This resulted in him bringing the case to the Supreme Court in April 2016.

Holding of the Supreme Court

The Supreme Court overturned the decision of the High Court that an appeal could not be made on the basis of a complaint which was frivolous or vexatious, as this was unjust. On the very basis of data protection, any appeal in relation to one's personal data could be appealed.

This Court had to consider three questions. Firstly, can Nowak appeal the Data Protection Commissioner's decision under section 26 of the Data Protection Act 1988 and 2003. [4] Secondly, if he could, then what test should the Circuit Court have applied in relation to his case? Lastly, by applying this test, is the Data Protection Commissioner correct in making his decision?

Frivolous complaints are usually disregarded. Administrative decision makers can dismiss unfounded allegations. This is to avoid having to formalise every complaint and postpone work that might be done promptly. This is in the context of a frivolous complaint that raises a substantial legal question. Nowak's complaint was valid, but the Circuit Court can hear legal issues. Both Acts do not limit appeals. The Commissioner claimed he acted legally. Supreme Court stated that section 26 of the Data Protection Act 2003 [4] deals with appeals and is clear. The modified section 26 [4] also applies to complaints that are vexatious under section 10(1)(b). [4]

If the Commissioner finds that a complaint cannot be settled, he or she just needs to tell the complainant. Reading the Acts as requiring a comprehensive inquiry does not limit appeals. It would require an unnecessary procedure that would delay other instances. [9] The Court concluded that a frivolous or vexatious finding that a document is not personal data can be challenged. The Commissioner suggested judicial review. [10] The Court disagreed because there is no reason to limit judicial review to legal questions. This matter is not suitable for judicial review. The Commissioner may have erred in rejecting the complaint as frivolous or vexatious. The Court rejected Mr. Nowak's claim that his handwritten script constituted personal data because exams are not graded on handwriting. [11] Accountancy exams only test one topic. Mr. Nowak maintained that if the Act considers exam results personal data, then the script, markings, and other exam-related data should be too. [12]

However, on the issue of personal data, the Court held that there was no prior case law for it to make its decision. [13] There is also no European authority relating to data protection for the Court to base its decision upon whether an examination script falls under the scope of what is personal data. [14]

The Supreme Court made the decision to refer the case to the Court of Justice of the European Union in a request to answer the question of whether an examination script and its attached result can constitute personal data. [15]

Holding of the CJEU

The Court of Justice of the European Union decided that the answers provided by a candidate sitting an exam are, in fact, information relating to the candidate. It can therefore be defined as the personal data of the candidate. The CJEU held that all information provided by a candidate in an exam on the exam paper is under an obligation to be compliant with all data protection principles and the safeguards relating to that data, including the right to access the information. [16]

The CJEU took a broad view of the concept of personal data. This case highlighted the importance of personal data and the rights that come with it, including all GDPR rules, as a guideline for all EU member states regarding what rules to follow when dealing with issues relating to the request for access to personal data. [16]

See Also

Related Research Articles

Vexatious litigation is legal action which is brought solely to harass or subdue an adversary. It may take the form of a primary frivolous lawsuit or may be the repetitive, burdensome, and unwarranted filing of meritless motions in a matter which is otherwise a meritorious cause of action. Filing vexatious litigation is considered an abuse of the judicial process and may result in sanctions against the offender.

Malicious prosecution is a common law intentional tort. Like the tort of abuse of process, its elements include (1) intentionally instituting and pursuing a legal action that is (2) brought without probable cause and (3) dismissed in favor of the victim of the malicious prosecution. In some jurisdictions, the term "malicious prosecution" denotes the wrongful initiation of criminal proceedings, while the term "malicious use of process" denotes the wrongful initiation of civil proceedings.

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

<i>Privacy Act</i> (Canada) Canadian federal legislation (1983)

The Privacy Act is the federal information-privacy legislation of Canada that came into effect on July 1, 1983. Administered by the Privacy Commissioner of Canada, the Act sets out rules for how institutions of the Government of Canada collect, use, disclose, retain, and dispose of personal information of individuals.

<span class="mw-page-title-main">Adrian Hardiman</span>

Adrian Hardiman was an Irish judge who served as a Judge of the Supreme Court from 2000 to 2016.

<span class="mw-page-title-main">Supreme Administrative Court of Finland</span>

The Supreme Administrative Court of Finland is the highest court in the Finnish administrative court system, parallel to the Supreme Court of Finland. Its jurisdiction covers the legality of the decisions of government officials, and its decisions are final. Appeals are made to the Supreme Administrative Court from the decisions of the administrative courts of Helsinki, Turku, Hämeenlinna, Kouvola, Kuopio, Vaasa, Oulu, Rovaniemi and Åland, the Market Court, and the Council of State.

In law, frivolous or vexatious is a term used to challenge a complaint or a legal proceeding being heard as lacking in merit, or to deny, dismiss or strike out any ensuing judicial or non-judicial processes.

<span class="mw-page-title-main">Investigatory Powers Tribunal</span> State surveillance tribunal in the United Kingdom

The Investigatory Powers Tribunal (IPT) is a first-instance tribunal and superior court of record in the United Kingdom. It is primarily an inquisitorial court.

An Isaac Wunder order is an order issued by an Irish court restricting the ability of a vexatious litigant to institute legal proceedings without leave from that or another court, whether for a specified period of time or indefinitely. It is named after Isaac Wunder, an Irishman who became notorious for instituting a number of actions that were subsequently deemed by the court to be frivolous or vexatious.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) is a decision by the Court of Justice of the European Union (CJEU). It held that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.

<span class="mw-page-title-main">Max Schrems</span> Austrian author and privacy activist

Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.

The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II. In 2022, leaders of the US and EU announced that a new data transfer framework called the Trans-Atlantic Data Privacy Framework had been agreed to in principle, replacing Privacy Shield. However, it is uncertain what changes will be necessary or adequate for this to succeed without facing additional legal challenges.

<span class="mw-page-title-main">NOYB</span> European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it has raised annual donations of €250,000 by supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

<i>Adam v The Minister for Justice, Equality and Law Reform</i> Irish Supreme Court case

Adam v The Minister for Justice, Equality and Law Reform [2001] IESC 38 is a reported decision of the Irish Supreme Court, in which the Court, in affirming High Court orders to strike out two judicial review proceedings as frivolous, held that, to challenge the decision of a public authority, one must attempt to rely on proved individual circumstances.

<i>H v H</i> Irish Supreme Court case

H v H, [2015] IESC 85, also known as JMH v KH, is an Irish Supreme Court case in which the husband was found to have vexatiously abused the court process by repeatedly pursuing legal action against his former wife. An Isaac Wunder order was made by the court against the husband which states that any legal proceedings against his wife and children will be halted. However, the court did not suspend all legal action from the husband; rather it ruled that further legal action would require a decision by a relevant court. This decision is significant because the Court established guidelines for when common law principles could be reinterpreted.

<i>Goold v Collins and Ors</i> Irish Supreme Court case

Goold v Collins and Ors [2004] IESC 38, [2004] 7 JIC 1201 is an Irish Supreme Court case in which the Court ruled that a statutory provision's constitutionality may be reviewed only at the behest of a litigant who is contesting some current application of that provision.

<i>Wansboro v DPP and anor</i> Irish Supreme Court case

Wansboro v DPP and anor, [2017] IESCDET 115 is an Irish Supreme Court case in which the Court ruled that granting 'leapfrog' leave to appeal directly to the Supreme Court from the High Court under Art. 34.5.4 of the Constitution of Ireland may be appropriate where the (intermediate) Court of Appeal has already clearly taken a view on the issues raised by the applicant.

<i>AAA & Anor v Minister for Justice & Ors</i> Irish Supreme Court case

AAA & Anor v Minister for Justice & Ors, [2017] IESC 80, was an Irish Supreme Court case which arose from the judgment delivered by Cooke J in the High Court on 17 May 2012, due to the fact that the applicant AAA and her children were deported to Nigeria in 2011. The court held that "as a rule" there is no right to an oral hearing in an application for leave to remain on humanitarian grounds and subsidiary protection where there has already been oral hearings in relation to an application for asylum. This decision clarified the grounds under which a claim for subsidiary protection could be heard.

<i>A (a Minor) v Minister for Justice and Equality and others</i> Irish Supreme Court case

A v Minister for Justice and Equality, Refugee Applications Commissioner, Ireland and the Attorney General[2013] IESC 18, (2013) 2 ILRM 457 is an Irish Supreme Court case where the Supreme Court concluded that a certificate of leave to appeal was not required in order to appeal to the Supreme Court a decision of the High Court to dismiss proceedings as frivolous or vexatious.

<i>Sheedy v Information Commissioner</i> Irish Supreme Court case

Barney Sheedy v The Information Commissioner, [2005] IESC 35; [2005] 2 IR 272 is an Irish Supreme Court case where Mr Barney Sheedy appealed against a High Court decision to not overturn a promise made by the Information Commissioner to grant access to redacted versions of certain reports of The Irish Times newspaper. The appellant argued that the High Court judge misdirected himself in law and was wrong in his interpretation of the Education Act 1998 and of the Freedom of Information Act 1997. This was the first opportunity for the Supreme Court to interpret The Freedom of Information Act.

References

  1. Nowak -v- The Data Protection Commissioner [2016] IESC 18, 28 April 2016, retrieved 2024-04-29
  2. "Accountancy exam paper dispute referred to EU court". The Irish Times. Retrieved 2020-04-06.
  3. https://unece.org/fileadmin/DAM/env/pp/compliance/C2014-113_Ireland/frPartyC113_10.06.2016/Annex_13_Nowak_v_Data_Protection_Commissioner__2016__IESC_18..pdf
  4. 1 2 3 4 5 Book (eISB), electronic Irish Statute. "electronic Irish Statute Book (eISB)". www.irishstatutebook.ie. Retrieved 2023-04-28.
  5. Missing (2016-05-09). "Data Protection - Is an Exam Script Personal Data?". Wendy Doyle Solicitors. Retrieved 2024-02-24.
  6. A&L Goodbody, 'Irish Data Protection Law – 2018 in Review'
  7. Missing (2016-05-09). "Data Protection - Is an Exam Script Personal Data?". Wendy Doyle Solicitors. Retrieved 2024-02-24.
  8. Đurović, BDK Advokati-Stefan; Ivanišević, Bogdan (2020-10-07). "Nowak: Opinions are personal data; access is to data, not documents". Lexology. Retrieved 2024-02-24.
  9. admin (2016-05-03). "Data Protection: It's a long way from Portarlington to Luxembourg". FP Logue LLP. Retrieved 2023-04-28.
  10. McMahon, Paul. "Overview – Page 4 – McMahon Legal (Solicitors)" . Retrieved 2024-02-24.
  11. Imelda Maher and Ronan Riordan, 'The Supreme Court and EU Law: Reshuffling Institutional Balance', UCD Working Papers in Law, Criminology & Socio-Legal Studies Research Paper No. 16/2019.
  12. "Peter Nowak vs. Data Protection Commissioner". privacylibrary.ccgnlud.org. Retrieved 2023-04-28.
  13. "Data Protection Commissioner v Facebook Ireland Limited & anor | LK Shields". www.lkshields.ie. Retrieved 2024-02-24.
  14. "Law | Data Protection Commission". Law | Data Protection Commission. Retrieved 2023-04-28.
  15. "Testing Times: Are Exam Scripts Personal Data? Irish Supreme Court…". Mason Hayes Curran. Retrieved 2023-04-28.
  16. 1 2 "CURIA - List of results". curia.europa.eu. Retrieved 2023-04-28.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.