Thursday, July 20, 2017

CJEU AG opinion in Peter Nowak v Data Protection Commissioner

Students are going to like this one. Lily livered, liberal, commie, Brexit hating, elitist, expert, EU & CJEU & human rights loving, ivory towered, [insult of choice] academics, a constituency the scars of which yours truly can display two decades plus residency of, possibly not quite so much. Educational bureaucrats may well spurt their morning tea into their cornflakes on noticing tomorrow morning's headlines relating the news.

The Advocate General of the European Court of Justice has decided, in Case C‑434/16, Novak v Irish Data Protection Commissioner, that exam scripts are classifiable as personal data under the data protection directive 95/46/EC.

Mr Novak failed the Strategic Finance and Management Accounting examination of the Chartered Accountants of Ireland (CAI) on four occasions. In the end he decided to submit a subject access request for all personal data held by the CAI, with the intention of getting hold of his exam scripts. CAI refused to hand over the scripts, so he complained to the data protection commissioner. The commissioner declared the scripts to be outside the scope of what constituted personal data.

And so it was onward to the courts and eventually the Irish Supreme Court referred the matter to the Court of Justice, requesting a response to the following questions:
‘(1)      Is information recorded in/as answers given by a candidate during a professional examination capable of being personal data within the meaning of Data Protection Directive?
(2)      If the answer to Question 1 is that all or some of such information may be personal data within the meaning of the Directive, what factors are relevant in determining whether in any given case such script is personal data, and what weight should be given to such factors?’
In accordance with Article 2(a) of the data protection directive, ‘personal data’ means any information relating to an identified or identifiable individual. So it has a very wide scope.

In paragraphs 19 to 28 of her opinion, AG Kokott today clearly disagrees with the decision of the Irish Data Protection Commissioner not to support Mr Novak's perspective. The logic underpinning that opinion is clear from paragraph 24:
"24.      However, in every case, the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate. Every examination aims to determine the strictly personal and individual performance of an examination candidate[emphasis added] There is a good reason why the unjustified use in examinations of work that is not one’s own is severely punished as attempted deception. 
25.      Consequently, an examination script incorporates information about the examination candidate and is in that sense a collection of personal data. [emphasis added]
26.      That this is the correct conclusion is also shown, moreover, in the fact that an examination candidate has a legitimate interest, based on the protection of his private life, in being able to object to the processing outside the examination procedure of the examination script ascribed to him. An examination candidate does not have to accept that his script can be disclosed to third parties or published without his permission.
27.      Contrary to the argument of the Irish Data Protection Commissioner, the personal data incorporated in an examination script is not confined to the examination result, the mark achieved or even points scored for certain parts of an examination. That marking merely summarises the examination performance, which is recorded in detail in the examination script itself.

28.      The classification of an examination script as incorporating personal data is not affected if, instead of bearing the examination candidate’s name, the script has an identification number or bar code. Under Article 2(a) of the Data Protection Directive, it is sufficient for the existence of personal information that the data subject may at least be indirectly identified. (6) Thus, at least where the examination candidate asks for the script from the organisation that held the examination, that organisation can identify him by means of the identification number."
AG Kokott is very clear that exam scripts are personal data. She also notes the importance of handwriting:
"29.      Mr Nowak, Poland and the Czech Republic also rightly argue that answers that are handwritten contain additional information about the examination candidate, namely about his handwriting. A script that is handwritten is thus, in practice, a handwriting sample that could at least potentially be used at a later date as evidence to determine whether another text was also written in the examination candidate’s writing. It may thus provide indications of the identity of the author of the script.
30.      The question whether such a handwriting sample is a suitable means of identifying the writer beyond doubt is of no importance for its classification as personal data. Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt. For that reason, neither is it necessary to determine whether the handwriting should be regarded as biometrical information."  
I'm a skeptic on handwriting analysis, so interested to see she refers to the potential practice of the use of handwriting analysis being the determinative factor here, rather than whether it has any legitimacy as a forensic tool.

Next up she tackles Ireland's concern that section 12(b), relating to the right to rectification of inaccurate data, will be used by unscrupulous students to demand incorrect answers to exams be declared correct. She beings by pointing out in paragraphs 32 to 34 that:
"32.      First, it must be remembered that the issue of right of access is only secondary in this case, where the main issue is in fact the interpretation of the concept of ‘personal data’... 
34.      Therefore, the classification of information as personal data cannot be dependent on whether there are specific provisions about access to this information which might apply in addition to the right of access or instead of it[emphasis added] Further, neither can problems connected with the right of rectification be decisive in determining whether there exists personal data. If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive,[emphasis added] even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best."
So, even if there were to be hypothetical problems with what someone might do with the personal data once they gain access to it, that cannot be used as an excuse to exclude access.

On the right to rectification of inaccurate data in this context again she is clear:
"35.      However, if one concentrates on the right of access and the issue of rectification, it must be recognised that in relation to an examination script this right clearly cannot be claimed in order, subsequent to obtaining that access, to demand rectification, pursuant to Article 12(b) of the Data Protection Directive, of the contents of the script, i.e. the solution written down by the examination candidate. [emphasis added] (9) As Poland has rightly emphasised, the accuracy and completeness of personal data pursuant to Article 6(1)(d) must be judged by reference to the purpose for which the data was collected and processed. The purpose of an examination script is to determine the knowledge and skills of the examination candidate at the time of the examination, which is revealed precisely by his examination performance and particularly by the errors in the examination. The existence of errors in the solution does not therefore mean that the personal data incorporated in the script is inaccurate.
36.      However, rectification would be conceivable if it were the case that the script inaccurately or incompletely recorded the examination performance of the data subject. For example, such a situation would arise if — as observed by Greece — the script of another examination candidate had been ascribed to the data subject, [emphasis added] which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost."
Next up comes the section of the decision - paragraphs 42 to 50 - that exams administrators, especially, are going gnash multitudes of molars on. The Irish Data Protection Commissioner, with the support of the Czech Republic, attempted to have Mr Novak's claim classed as abusive because he didn't follow the requisite procedures laid down for checking exam results. Instead he tried to bypass those procedures and get the information he wanted via data protection legislation.

Now anyone who has spent even a short time working in the education sector will tell you that it is a mortal sin, in the land of educational administrators, to attempt to circumvent their inviolable procedures. Forms must be filled in, boxes must be ticked and procedures must be followed. Even when those procedures are mutually exclusive and diametrically opposed. Exams procedures, in particular, are absolutely sacrosanct. In fairness to the exams zombies, this is often for good reasons - to protect the integrity of the institution, the exams and the interests of the students. But they are, nevertheless, sacrosanct, even if, over the generations, they evolve primarily to serve the interests of the examination bureaucracy.

AG Kokott does not see that Mr Novak was attempting, improperly or fraudulently, to take advantage of provisions of EU law, to gain access to scripts. After all, if he could otherwise have obtained access through exams procedures, why should he be considered to be engaged in abusive exploitation of data protection regulations, just to get access to the same information?
"45.      If examination scripts incorporate personal data, according to the pleadings of the Data Protection Commissioner and Ireland, a misuse of the aim of the Data Protection Directive would arise in so far as a right of access under data protection legislation would allow circumvention of the rules governing the examination procedure and objections to examination decisions.
46.      However, any alleged circumvention of the procedure for the examination and objections to the examination results via the right of access laid down by data protection legislation would have to be dealt with using the provisions of the Data Protection Directive. In that regard, Article 13 in particular comes to mind, which allows for exceptions to the right of access to be established to protect certain interests specified therein.
47.      To the extent that these grounds do not justify exceptions in certain situations, as may be the case in connection with examinations, it must be recognised that the legislature has given precedence to the data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance.
48.      However, it should be pointed out that the General Data Protection Regulation, which will apply in the future, resolves this tension. First, under Article 15(4) of the regulation, the right to obtain a copy of personal data is not to adversely affect the rights and freedoms of others. Second, Article 23 of the regulation sets out the grounds for a restriction of data protection guarantees in slightly broader terms than Article 13 of the Directive, since, in particular, protection of other important objectives of general public interest of the Union or of a Member State pursuant to Article 23(1)(e) of the regulation may justify restrictions.
49.      On the other hand, the mere existence of other national legislation that also deals with access to examination scripts is not sufficient to allow the assumption that the purpose of the Directive is being misused.
50.      However, even if one wished to assume misuse of purpose, it is still not apparent where the undue advantage lies if an examination candidate were to obtain access to his script via his right of access. In particular, no abuse can be identified in the fact that someone obtains information via the right of access which he could not otherwise have obtained. If there were already access to personal information, the introduction of a right of access under data protection law would not have been required. It is instead the task of the right to access under data protection legislation to make available to the person concerned — subject to the exceptions provided for in Article 13 of the Data Protection Directive — access to his own data, where otherwise no right of access exists."
The unuttered assumption, of course, is that Mr Novak would have had access to the information he was requesting under the requisite exams procedures or other national legislation. Even if there was a clash in relation to degree of access then, as paragraph 47 insists "data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance" take precedence. The AG is optimistic (para 48) that the GDPR will resolve any such tension in the future. I can't share that optimism until the scope and boundaries of articles 15(4) and 23 become more clearly defined in practice when such clashes do arise, in the wake of the GDPR implementation in May 2018.

That part of the analysis complete the AG declares in paragraph 51 that
"51.      In brief, it can be concluded that a handwritten examination script capable of being ascribed to an examination candidate constitutes personal data within the meaning of Article 2(a) of the Data Protection Directive."
She next tackles the question of examiner's corrections on an exam script in paragraphs 52 to 65. In particular she notes that it is a question for the Irish data protection commissioner whether the examiner's comments corrections are information about Mr Novak:
"53.      However, an answer to this question is not necessary for a decision in the main proceedings since it is not at issue whether any such corrections constitute information about Mr Nowak. Rather, the subject matter of the proceedings is whether the then Irish Data Protection Commissioner was entitled to dismiss the complaint submitted by Mr Nowak on the ground that his examination script was a priori not personal data. The extent to which corrections should also be regarded as data relating to the examination candidate would have to be ruled upon not by the Supreme Court but rather, should the action be successful, at first instance by the present Irish Data Protection Commissioner."
Having said it is a question for the DPC she, nevertheless, goes on to opine that examiner's corrections are information about an examination candidate, as well as the examiner's own personal data.
"61.      Nonetheless, the purpose of comments is the evaluation of the examination performance and thus they relate indirectly to the examination candidate. The organisation holding the examination is also able to identify the candidate without difficulty and link him with the corrections once it receives the marked script back from the examiner.
62.      ...in general, comments on an examination script are typically inseparable from the script itself ... because they would not have any informative value without it. However, the script itself incorporates, as previously stated, personal data of the examination candidate. The purpose of collecting and processing this data is precisely to permit the evaluation of the examination candidate’s performance as incorporated in the examiner’s corrections.
63.      Precisely because of that close link between the examination script and any corrections made on it, the latter also are personal data of the examination candidate pursuant to Article 2(a) of the Data Protection Directive.
[...]
65.      It should be mentioned for the sake of completeness that corrections made by the examiner are, at the same time, his personal data. His rights are an appropriate basis in principle for justifying restrictions to the right of access pursuant to Article 13(1)(g) of the Data Protection Directive if they outweigh the legitimate interests of the examination candidate. However, the definitive resolution to this potential conflict of interests is likely to be the destruction of the corrected script once it is no longer possible to carry out a subsequent check of the examination procedure because of the lapse of time."
AG Kokott then briefly addresses additional requirements on the application of the data protection directive and its facilitation of restrictions on the right to information.
"67.      However, no questions have been raised about these additional requirements and restriction options and therefore the Court need not address them. It would also appear that their consideration is not necessary in order for the Supreme Court to be able to rule on whether the then Irish Data Protection Commissioner was right to refuse further examination of the complaint made by Mr Nowak.
She finally concludes:
"70.      I therefore propose that the Court should rule as follows:
A handwritten examination script capable of being ascribed to an examination candidate, including any corrections made by examiners that it may contain, constitutes personal data within the meaning of Article 2(a) of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data."
So it would appear that the Irish Supreme Court will be obliged to rule that the then Irish Data Protection Commissioner was not entitled to dismiss the complaint submitted by Mr Nowak, on the ground that his examination script was a priori not personal data.

As it is the Advocate General's opinion only, it remains advisory and it will be interesting to see if the the Court of Justice comes to the same conclusions. The Court often takes a strong lead from the AG Educational institutions, exams administrators in particular, would do well to take note.