The Conclusions of Advocate General Kokott in C-73/16 Puškár were published on 30 March and remained under the radar, even though they deal with a couple of very important questions for EU data protection law that may have wide implications: effective judicial remedies, lawful grounds for processing other than consent, the right to access one’s own personal data. As a bonus, the AG refers to and analyses Article 79 GDPR – the right to a judicial remedy.
The analysis regarding effective judicial remedies under Article 47 Charter and Directive 95/46 could be relevant for the debate on essentially equivalence when it comes to adequacy decisions for international data transfers (for those of you who don’t remember, one of the two main findings in Schrems was that the Safe Harbor framework touched the essence of the right to effective judicial remedies, breaching thus Article 47 Charter). In this sense, the AG founds that a measure that does not restrict the category of people who could in principle have recourse to judicial review does not touch the essence of this right. Per a contrario, if a measure does restrict these categories of people, it would touch the essence of the right to an effective judicial remedy, and, therefore, it would breach the Charter.
Finally, a question of great importance for EU law in general is also tackled: what should national courts do when the case-law of the CJEU and the case-law of the ECtHR diverge regarding the protection of fundamental rights?
Here is what you will further read:
- Facts of the case and questions referred to the CJEU
- Requiring claimants to exhaust administrative remedies before going to Court can be compatible with the right to effective judicial remedy
- Internal documents of a tax authority obtained without the consent of the authority must be admitted as evidence if they contain personal data of the person who obtained the documents
- The performance of a task in the public interest allows a tax authority to create a black list without the consent of the persons concerned, if this task was legally assigned to the tax authority and the list’s use is appropriate and necessary (Article 7 and 8 Charter are not breached in this case)
- A missed opportunity to better define the difference between the right to privacy and the right to personal data protection
- Where ECtHR and CJEU case-law diverge, national courts have to ask the CJEU on how to proceed when the ECtHR case-law provides a higher level of protection for the rights of a person
- What to expect from the Court
Note that all highlights from the post are made by the author.
Facts of the case and questions referred to the CJEU
C-73/16 Puškár concerns the request of Mr Puškár to have his name removed from a blacklist kept by the Finance Directorate of Slovakia which contains names and national ID numbers for persons “who purport to act, as ‘fronts’, as company directors”. The list associates a legal person or persons with a natural person who supposedly acted on their behalf (§15) and is created for the purposes of tax administration and combating tax fraud (§23 2nd question for a preliminary ruling). It transpires from several paragraphs of the Conclusions that Mr Puskar found out about the list and the fact that he is on the list from a leak (§23 2nd question;§72; §76). Instead of relying on the more straightforward right to erasure or right to object under data protection law, Mr Puškár claimed that “his inclusion in the above mentioned list infringes his personal rights, specifically the right to the protection of his good name, dignity and good reputation” (§16).
The Supreme Court rejected his claims, partly on procedural issues, partly on substantive grounds (§18). Later, the Constitutional Court found that “the Supreme Court infringed the fundamental right to the protection of personal data against unauthorised collection and other abuses, in addition to the right to privacy”, quashed its decision and send back the case to the Supreme Court for retrial, grounding its findings on ECtHR case-law (§20). In the context of these second round proceedings, the Supreme Court sent questions for a preliminary ruling to the CJEU to essentially clarify:
- whether the right to an effective remedy under Article 47 of the Charter in the context of data protection is compatible with a national law requirement that a claimant must first exhaust the procedures available under administrative law (administrative complaints) before going to Court;
- whether the legitimate grounds for processing under Directive 95/46 and Articles 7 and 8 of the Charter preclude tax authorities to create such a blacklist without the consent of the individuals on the list;
- whether the list obtained by the claimant without the consent of the tax authorities is admissible as evidence;
- whether national courts should give precedence to the case-law of the CJEU or the case-law of the ECtHR on a specific topic where the two diverge.
Requiring claimants to exhaust administrative remedies before going to Court can be compatible with the right to effective judicial remedy
To reply to the first question, AG Kokott looks at Articles 28(4) and 22 of Directive 95/46 and also at Article 79 of the General Data Protection Regulation, which will replace Directive 95/46 starting with 25 May 2018.
Article 28(4) of Directive 95/46 states that each supervisory authority (Data Protection Authority) is to hear claims lodged by any person concerning the protection of his rights and freedoms with regard to the processing of personal data. Article 22 provides that, without prejudice to the remedy referred to in Article 28(4), every person is to have a right to a judicial remedy for any breach of the rights guaranteed him by the national law applicable to the processing in question (§37, §38).
In practice, this means that an individual who engages in Court proceedings for a breach of data protection law must be able to also initiate administrative proceedings with a DPA (complaints lodged with DPAs).
The same rule is kept under Article 79 GDPR, slightly broadened: the right to a judicial remedy must be effective and must be granted without prejudice to any administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority.
AG Kokott explains that these rules still do not clarify “whether the bringing of legal proceedings may be made contingent upon exhaustion of another remedy. All that can be taken from Article 79 of the General Data Protection Regulation is that the judicial remedy must be effective. An obligation to exhaust some other remedy before bringing legal proceedings will consequently be impermissible if the judicial remedy is rendered ineffective as a result of this precondition” (§43).
The AG found that Article 47(1) of the Charter and the principle of effectiveness “ultimately embody the same legal principle” and that they can be examined jointly using the rules in Articles 47(1) and 52(1) of the Charter – which is the provision that enshrines the rules for limiting the exercise of the fundamental rights in the Charter (§51). Hence, the question is whether the obligation to exhaust administrative procedures before going to Court amounts to a justified interference with the right to an effective judicial remedy.
AG Kokott remarks that the interference is provided for by Slovakian law and that it does not touch the essence of the right to effective judicial remedy because “it does not restrict the category of people who could in principle have recourse to judicial review” (§56). [Small comment here: this means that a provision which would restrict the category of people who could in principle have recourse to judicial review touches the essence of the right in Article 47 Charter. Check out paragraphs 45 and 46 of the EDPS Opinion on the EU-US Umbrella Agreement commenting on the fact that Article 19 of the Agreement provides for the possibility of judicial redress only for citizens of the EU, excluding thus categories of individuals that would otherwise be covered by the Charter, such as asylum seekers and residents].
It remained to be analysed whether the interference complies with the principle of proportionality, which “requires that a measure be ‘appropriate, necessary and proportionate to the objective it pursues’” (§58). The AG retains the submission of the Supreme Court that “the exhaustion of the administrative remedy represents a gain in efficiency, as it provides the administrative authority with an opportunity to remedy the alleged unlawful intervention, and saves it from unwanted court proceedings” (§59). The AG considers that “obligatory preliminary proceedings are undoubtedly appropriate for achieving the objectives” and that a “less onerous method” does not suggest itself as capable of realising them to the same extent (§62).
However, the AG points out that the “specific form” of the administrative remedy is important to determine the appropriateness of the measure in practice. This condition applies in particular if there is uncertainty “as to whether the time limit for bringing an action begins to run before a decision has been made in the administrative action” (§64). Additionally, Article 47(2) Charter establishes the right of every person to have their case dealt with within a reasonable period of time. “While this right in fact relates to judicial proceedings, naturally it may not be undermined by a condition for the bringing of an action” (§67).
In conclusion, the AG considers that the right to effective judicial review under Article 47 Charter and the principle of effectiveness “do not preclude an obligation to exhaust an administrative remedy being a condition on bringing legal proceedings if the rules governing that remedy do not disproportionately impair the effectiveness of judicial protection. Consequently, the obligatory administrative remedy must not cause unreasonable delay or excessive costs for the overall legal remedy” (§71).
Internal documents of a tax authority obtained without the consent of the authority must be admitted as evidence if they contain personal data of the person who obtained the documents
Essentially, the question asked by the Supreme Court is whether the contested list may be excluded as evidence due to the fact that it came into the possession of the claimant without the consent of the competent authorities (§72).
The AG considers that “a review should be carried out to determine whether the person affected has a right of access to the information in question. If this were the case, the interest in preventing unauthorized use would no longer merit protection” (§83).
Further, it is recalled that “under the second sentence of Article 8(2) of the Charter and Article 12 of the Data Protection Directive, everyone has the right of access to data which has been collected concerning him or her. This also applies in principle to data being recorded in the contested list. Furthermore, the persons so affected would, by virtue of the collection of the data, have to be informed of the use of the data, under either Article 10 or Article 11 of the Data Protection Directive” (§85).
While indeed Article 13 of the Directive allows this right to information to be restricted, it also “expressly requires that such restrictions be imposed by legislative measures” (§86). The AG acknowledged that “there is a potential risk that inspection and monitoring activities based on the list would be less effective if it were known who was named on that list” (§87). However, the national Court must examine:
- “whether a restriction of the right of information of this kind is provided for” (§88) and
- “where appropriate” if it is “justified” (§88). This is an indication that even if such an exemption would be provided for by law, a further analysis is needed to see whether the exemption is justified.
A key point the AG makes is that “even if there are indications of a legitimate interest in a hypothetical, legally justified non-disclosure of the list in question, the national courts must also examine whether in the individual case these outweigh the legitimate interests of the individual in bringing the proceedings” (§89). This is important because it is a clear indication that when a controller relies on their legitimate interest as a ground for processing, it always has to engage in a balancing exercise with the legitimate interests (and rights) of the data subject.
In conclusion, the AG established that refusing to accept as evidence a document obtained by the claimant without the consent of an authority is not possible under the principle of a fair hearing in Article 47 Charter when the document contains personal data of the claimant, which the authority is required to disclose to the claimant under Article 12 and 13 of the Data Protection Directive.
The performance of a task in the public interest allows a tax authority to create a black list without the consent of the persons concerned, if this task was legally assigned to the tax authority and the list’s use is appropriate and necessary (Article 7 and 8 Charter are not breached in this case)
The Supreme Court wanted to know whether the fundamental right to privacy (Article 7 Charter) and protection of personal data (Article 8 Charter) and the Data Protection Directive prohibit a Member State from creating a list of personal data for the purposes of tax collection without the consent of the persons concerned.
The AG points out that “this question is primarily to be answered in the light of the Data Protection Directive, as this specifies the rights to privacy and data protection” (§95).
The AG further recalls that Article 7 of the Data Protection Directive allows processing of personal data if it is based on one of the six lawful grounds for processing provided for (§99) [NB: of which only one is “consent”!]. While the AG acknowledges that three of the six conditions are applicable in this case (1 – performance of a task in the public interest [Article 7(e)]; 2 – legitimate interest of the controller [Article 7(f)] and 3 – necessity of compliance with a legal obligation [Article 7(c)]), she considers the examination of the latter 2 as “superfluous”: “This is because all parties acknowledge that tax collection and combating tax fraud are tasks in the public interest within the meaning of Article 7(e) of the Data Protection Directive” (§100).
A much-welcomed clarification is further brought by the AG, who specifies that Article 7(e) of the Data Protection Directive “must be read in conjunction with the principles of Article 6. According to Article 6(1)(b), personal data must only be collected for specified, explicit and legitimate purposes. Within the scope of Article 7(e), the purpose of the data processing is inseparably linked to the delegated tasks. Consequently, the transfer of the task must clearly include the purpose of the processing” (§106).
This clarification is welcomed because it reminds controllers that even if they correctly process personal data on one of the lawful grounds for processing (such as consent or legitimate interest) in compliance with Article 7 of the Directive, they still have to comply with all the other safeguards for processing personal data, including the principles for processing in Article 6 of the Directive (purpose limitation, data minimization etc).
The AG remarks that the reference for a preliminary ruling does not specify the purpose of the contested list and leaves it to the Supreme Court to look further into this question (§107). Additionally, the AG also considers that the Supreme Court “will have to examine whether the creation and use of the contested list and in particular the naming of Mr Puškár is necessary for the claimed public interest”. This is yet another reminder how important “necessity” is for personal data protection in the EU legal framework (check out EDPS’s recently published “Necessity Toolkit”).
Another very interesting point that the AG brings forward is how naming a person on this black list constitutes “a considerable interference with the rights of the person concerned”, beyond the right to privacy in Article 7 Charter – it also touches (§110):
- “his reputation and could lead to serious, practical disadvantages in his dealings with the tax authorities;
- the presumption of innocence in Article 48(1) of the Charter;
- the legal persons associated with the person concerned, which will be affected in terms of their freedom to conduct business under Article 16 of the Charter”.
This finding is a testimony of the importance of complying with the right to the protection of personal data, as non-compliance would have various consequences on several other fundamental rights.
As the AG explains, “such a serious interference of this kind can only be proportionate if there are sufficient grounds for the suspicion that the person concerned purported to act as a company director of the legal persons associated with him and in so doing undermined the public interest in the collection of taxes and combating tax fraud” (§111).
In conclusion, the tax authorities can create a blacklist such as the one in the main proceedings on the grounds of Article 7(e) of the Data Protection Directive, but this assumes that (§117):
- “the task was legally assigned to the tax authorities,
- the use of the list is appropriate and necessary for the purposes of the tax authorities and
- there are sufficient grounds to suspect that these persons should be on the list”.
A missed opportunity to better define the difference between the right to privacy and the right to personal data protection
Further, the AG spelled out that “neither the fundamental rights to privacy, Article 7 of the Charter, or data protection, Article 8, would in this case prevent the creation and use of the list” (§117).
The analysis to reach this conclusion was another missed opportunity to persuade the Court of Justice to better delineate the two fundamental rights protected by Article 7 and Article 8 of the Charter. The AG referred to these as “the fundamental rights to privacy and data protection”.
Without a clear analysis of what constitutes interference with the two rights, the AG referred to “naming of a person on the contested list” as “affecting” both fundamental rights (§115). In the same paragraph, she further analysed en masse “these interferences”, writing that they are only justified “if they have a sufficient legal basis, respect the essence of both fundamental rights, and preserve the principle of proportionality” (§ 115). Considering that the legality and proportionality of the measure were addressed in previous sections, the AG merely stated that “the adverse effects associated with inclusion on the contested list, those interferences do not meet the threshold of a breach of the essence of those rights” before concluding that neither of the two Charter articles would prevent the creation of such a blacklist.
Where ECtHR and CJEU case-law diverge, national courts have to ask the CJEU on how to proceed, even if the ECtHR case-law provides a higher level of protection for the rights of a person
The last question is one that is extremely interesting for EU lawyers in general, not necessarily for EU data protection lawyers, because it tackles the issue of different levels of protection of the same fundamental right emerging from the case-law of the Court of Justice of the EU in Luxembourg, on one hand, and the European Court of Human Rights in Strasbourg, on the other hand.
As the AG summarizes it, “the fourth question is aimed at clarifying whether a national court may follow the case-law of the Court of Justice of the European Union where this conflicts with the case-law of the ECtHR” (§118). This issue is relevant in our field because Article 8 of the European Convention of Human Rights shares partially the same material scope of Article 7 and Article 8 of the EU Charter of Fundamental Rights (Article 8 of the Convention is more complex), and Article 52(3) of the Charter states that “the rights in the Charter, which correspond to rights guaranteed by the European Convention on the Protection of Human Rights and Fundamental Freedoms (ECHR), have the same meaning and scope as conferred by the ECHR” (§122). However, the second sentence of Article 52(3) of the Charter permits EU law to accord more extensive protection (§122).
The AG specifies that “EU law permits the Court of Justice to deviate from the case-law of the ECtHR only to the extent that the former ascribes more extensive protection to specific fundamental rights than the latter. This deviation in turn is only permitted provided that it does not also cause another fundamental right in the Charter corresponding to a right in the ECHR to be accorded less protection than in the case-law of the ECtHR. One thinks, for example, of cases in which a trade-off must be made between specific fundamental rights” (§123).
Not surprisingly, the AG advises that when the case-law of the two Courts comes in conflict, the national courts should directly apply the case-law of the CJEU when it affords more protection to the fundamental rights in question, but they should send a reference for a preliminary ruling to the CJEU to ask which way to go when the case-law of the ECtHR affords enhanced protection to the fundamental right in question (§124 and §125). The argument of the AG is that the latter case “inevitably leads to a question of the interpretation of EU law with regard to the fundamental right in question and Article 52(3) of the Charter” which, if performed by the national Court, could further “amount to the view that the interpretation of the fundamental right in question by the Court of Justice is not compatible with Article 52(3)”.
As for the relevance of this question to the case at hand – it remains a mystery. The AG herself pointed out that “the admissibility of the question in this form is dubious, particularly as the Supreme Court does not state on which issue the two European courts supposedly are in conflict and the extent to which such a conflict is significant for the decision in the main proceedings” (§119).
What to expect from the Court
How will the CJEU reply to these questions? My bet is that, in general, the Court will follow the AG on substance. However, it is possible that the Court will simplify the analysis and reformulate the questions in such a way that the answers will be structured around three main issues:
- lawfulness of creating such a blacklist (and the lawful grounds for processing in the Data Protection Directive) and compatibility of this interference with both Article 7 and Article 8 of the Charter (I do hope, having low expectations nonetheless, that we will have more clarity of what constitutes interference with each of the two rights from the Court’s perspective);
- compatibility of procedural law of Slovakia in the field of data protection with Article 47 Charter (in fact, this may be the only point where the Court could lay out a different result than the one proposed by the AG, in the sense that the condition to exhaust first administrative remedies before engaging in litigation may be considered a non-proportionate interference with the right to effective judicial remedy; it is also possible that the Court will refer for the first time directly to the GDPR);
- the relationship between ECtHR and CJEU case-law on the same fundamental right.
Suggested citation: G. Zanfir-Fortuna, “Summary of the Opinion of AG Kokott in Puškár (on effective judicial remedies and lawful grounds for processing other than consent)”, pdpEcho.com, 24 April 2017.
If you find information on this blog useful and would like to read more of it, consider supporting pdpecho here: paypal.me/pdpecho.
Exam scripts and examiner’s corrections are personal data of the exam candidate (AG Kokott Opinion in Nowak)
AG Kokott delivered her Opinion on 20 July in Case C-434/16 Nowak v Data Protection Commissioner, concluding that “a handwritten examination script capable of being ascribed to an examination candidate, including any corrections made by examiners that it may contain, constitutes personal data within the meaning of Article 2(a) of Directive 95/46/EC” (Note: all highlights in this post are mine).
This is a really exciting Opinion because it provides insight into:
But also because it technically (even if not literally) invites the Court to change its case-law on the definition of personal data, and specifically the finding that information consisting in a legal assessment of facts related to an individual does not qualify as personal data (see C-141/12 and C-372/12 YS and Others).
The proceedings were initially brought in front of the Irish Courts by Mr Nowak, who, after failing an exam organised by a professional association of accountants (CAI) four times, asked for access to see his exam sheet on the basis of the right to access his own personal data. Mr Nowak submitted a request to access all his personal data held by CAI and received 17 items, none of which was the exam sheet. He then submitted a complaint to the Irish Data Protection Commissioner, who decided not to investigate it, arguing that an exam sheet is not personal data. The decision not to investigate on this ground was challenged in front of a Court. Once the case reached the Irish Supreme Court, it was referred to the Court of Justice of the EU to clarify whether an exam sheet falls under the definition of “personal data” (§9 to §14).
Analysis relevant both for Directive 95/46 and for the GDPR
Yet again, AG Kokott refers to the GDPR in her Conclusions, clarifying that “although the Data Protection Directive will shortly be repealed by the General Data Protection Regulation, which is not yet applicable, the latter will not affect the concept of personal data. Therefore, this request for a preliminary ruling is also of importance for the future application of the EU’s data protection legislation” (m.h.).
The nature of an exam paper is “strictly personal and individual”
First, the AG observes that “the scope of the Data Protection Directive is very wide and the personal data covered by the Directive is varied” (§18).
The Irish DPC argued that an exam script is not personal data because “examination exercises are normally formulated in abstract terms or relate to hypothetical situations”, which means that “answers to them are not liable to contain any information relating to an identified or identifiable individual” (§19).
This view was not followed by the AG, who explained that it is incongruent with the purpose of an exam. “In every case“, she wrote, “the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate” (§24; m.h.). Therefore, “every examination aims to determine the strictly personal and individual performance of an examination candidate. There is a good reason why the unjustified use in examinations of work that is not one’s own is severely punished as attempted deception” (§24; m.h.).
What about exam papers identified by codes?
In a clear indication that pseudonymized data are personal data, the AG further noted that an exam script is personal data also in those cases where instead of bearing the examination candidate’s name, the script has an identification number or bar code: “Under Article 2(a) of the Data Protection Directive, it is sufficient for the existence of personal information that the data subject may at least be indirectly identified. Thus, at least where the examination candidate asks for the script from the organisation that held the examination, that organisation can identify him by means of the identification number” (§28).
Characteristics of handwriting, personal data themselves
The AG accepted the argument of Mr Nowak that answers to an exam that are handwritten “contain additional information about the examination candidate, namely about his handwriting” (&29). Therefore, the characteristics of the handwriting are personal data themselves. The AG explains that “a script that is handwritten is thus, in practice, a handwriting sample that could at least potentially be used at a later date as evidence to determine whether another text was also written in the examination candidate’s writing. It may thus provide indications of the identity of the author of the script” (§29). According to the AG, it’s not relevant whether such a handwriting sample is a suitable means of identifying the writer beyond doubt: “Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt” (§30).
Classifying information as ‘personal data’ is a stand alone exercise (does not depend on whether rights can be exercised)
The Irish DPC argued that one of the reasons why exam scripts are not personal data in this case is because the “purpose” of the right to access and the right to rectification of personal data precludes them to be “personal data” (§31). The DPC is concerned that Recital 41 of Directive 95/46 specifies that any person must be able to exercise the right of access to data relating to him which is being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing. “The examination candidate will seek the correction of incorrect examination answers”, the argument goes (§31).
AG Kokott rebuts this argument by acknowledging that the classification of information as personal data “cannot be dependent on whether there are specific provisions about access to this information” or on eventual problems with rectification of data (§34). “If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive, even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best” (§34).
Even if classification information as “personal data” would depend in any way on the purpose of the right to access, the AG makes it clear that this purpose is not strictly linked to rectification, blocking or erasure: “data subjects generally have a legitimate interest in finding out what information about them is processed by the controller” (§39). This finding is backed up by the use of “in particular” in Recital 41 of the Directive (§39).
The purpose of processing and… the passage of time, both relevant for obtaining access, rectification
After clarifying that it’s irrelevant what an individual wants to do with their data, once accessed (see also the summary below on the ‘abuse of rights’), AG Kokott explains that a legitimate interest in correcting an “exam script”-related data is conceivable.
She starts from the premise that “the accuracy and completeness of personal data pursuant to Article 6(1)(d) must be judged by reference to the purpose for which the data was collected and processed” (§35). The AG further identifies the purpose of an exam script as determining “the knowledge and skills of the examination candidate at the time of the examination, which is revealed precisely by his examination performance and particularly by the errors in the examination” (§35). “The existence of errors in the solution does not therefore mean that the personal data incorporated in the script is inaccurate”, the AG concludes (§35).
Rectification could be achieved if, for instance, “the script of another examination candidate had been ascribed to the data subject, which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost” (§36).
The AG also found that the legitimate interest of the individual to have access to their own data is strengthened by the passage of time, to the extent that their recollection of the contents of their answer is likely to be considerably weaker a few years after the exam. This makes it possible that “a genuine need for information, for whatever reasons, will be reflected in a possible request for access. In addition, there is greater uncertainty with the passing of time — in particular, once any time limits for complaints and checks have expired — about whether the script is still being retained. In such circumstances the examination candidate must at least be able to find out whether his script is still being retained” (§41).
Is Mr Nowak abusing his right of access under data protection law?
AG Kokott recalls CJEU’s case-law on “abuse of rights” and the double test required by the Court to identify whether there had been any abuse of rights in a particular case (C-423/15 Kratzer and the case-law cited there at §38 to §40), which can be summed up to (§44):
i) has the purpose of the EU legislation in question been misused?
ii) is the essential aim of the transaction to obtain an undue advantage?
The DPC submitted during the procedure that if exam scripts would be considered personal data, “a misuse of the aim of the Data Protection Directive would arise in so far as a right of access under data protection legislation would allow circumvention of the rules governing the examination procedure and objections to examination decisions” (§45).
The AG considers that “any alleged circumvention of the procedure for the examination and objections to the examination results via the right of access laid down by data protection legislation would have to be dealt with using the provisions of the Data Protection Directive” and she specifically refers to the restrictions to the right of access laid down in Article 13 of the Directive with the aim “to protect certain interests specified therein” (§46). She also points out that if restricting access to exam scripts can’t be circumscribed to those exceptions, than “it must be recognised that the legislature has given precedence to the data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance” (§47).
The AG also looks at the exceptions to the right of access under the GDPR and finds that it is more nuanced than the Directive in this regard. “First, under Article 15(4) of the regulation, the right to obtain a copy of personal data is not to adversely affect the rights and freedoms of others. Second, Article 23 of the regulation sets out the grounds for a restriction of data protection guarantees in slightly broader terms than Article 13 of the Directive, since, in particular, protection of other important objectives of general public interest of the Union or of a Member State pursuant to Article 23(1)(e) of the regulation may justify restrictions” (§48).
However, it seems that she doesn’t find the slight broadening of the scope of exemptions in the GDPR as justifying the idea of an abuse of right in this particular case.
The AG also argues that “on the other hand, the mere existence of other national legislation that also deals with access to examination scripts is not sufficient to allow the assumption that the purpose of the Directive is being misused” (§49). She concludes that even if such misuse would be conceivable, the second limb of the “abuse of rights” test would not be satisfied: “it is still not apparent where the undue advantage lies if an examination candidate were to obtain access to his script via his right of access. In particular, no abuse can be identified in the fact that someone obtains information via the right of access which he could not otherwise have obtained” (§50).
Examiner’s correction on the exam script are the examinee’s personal data and his/her own personal data at the same time
The AG looks into whether any corrections made by the examiner on the examination script are also personal data with respect to the examination candidate (a question raised by some of the parties), even though she considers that the answer will not impact the result of the main proceedings (§52, §53).
It is apparent that the facts of this case resemble the facts of YS and Others, where the Court refused extension of the right of access to the draft legal analysis of an asylum application on the grounds that that did not serve the purpose of the Data Protection Directive but would establish a right of access to administrative documents. The Court argued in YS that such an analysis “is not information relating to the applicant for a residence permit, but at most information about the assessment and application by the competent authority of the law to the applicant’s situation” (§59; see YS and Others, §40). The AG considers that only “at first glance” the cases are similar. But she doesn’t convincingly differentiate between the two cases in the arguments that follow.
However, she is convincing when explaining why the examiner’s corrections are “personal data”. AG Kokott explains that the purpose of the comments made by examiners on an exam script is “the evaluation of the examination performance and thus they relate indirectly to the examination candidate” (§61). It does not matter that the examiners don’t know the identity of the examination candidate who produced the script, as long as the candidate can be easily identified by the organisation holding the examination (§60 and §61).
The AG further adds that “comments on an examination script are typically inseparable from the script itself … because they would not have any informative value without it” (§62). And it is “precisely because of that close link between the examination script and any corrections made on it”, that “the latter also are personal data of the examination candidate pursuant to Article 2(a) of the Data Protection Directive” (§63).
In an important statement, the AG considers that “the possibility of circumventing the examination complaint procedure is not, by contrast, a reason for excluding the application of data protection legislation” (§64). “The fact that there may, at the same time, be additional legislation governing access to certain information is not capable of superseding data protection legislation. At most it would be admissible for the individuals concerned to be directed to the simultaneously existing rights of information, provided that these could be effectively claimed” (§64).
Finally, the AG points out “for the sake of completeness” that “corrections made by the examiner are, at the same time, his personal data”. AG Kokott sees the potential conflict between the right of the candidate to access their personal data and the right of the examiners to protect their personal data and underlines that the examiner’s rights “are an appropriate basis in principle for justifying restrictions to the right of access pursuant to Article 13(1)(g) of the Data Protection Directive if they outweigh the legitimate interests of the examination candidate” (§65).
The AG considers that “the definitive resolution to this potential conflict of interests is likely to be the destruction of the corrected script once it is no longer possible to carry out a subsequent check of the examination procedure because of the lapse of time” (§65).
An exam script forms part of a filing system
One last consideration made by AG Kokott is whether processing of an exam script would possibly fall outside the scope of Directive 95/46, considering that it does not seem to be processed using automated means (§66, §67).
The AG points out that the Directive also applies to personal data processed otherwise than by automated means as long as they form part of a “filing system”, even if this “filing system” is not electronically saved (§69).
“This concept covers any structured set of personal data which is accessible according to specific criteria. A physical set of examination scripts in paper form ordered alphabetically or according to other criteria meets those requirements” (§69), concludes the AG.
Conclusion. What will the Court say?
The Conclusions of AG Kokott in Nowak contain a thorough analysis, which brings several dimensions to the data protection debate that have been rarely considered by Courts – the self-standing importance of the right of access to one’s own data (beyond any ‘utilitarianism’ of needing it to obtain something else), the relevance of passage of time for the effectiveness of data protection rights, the limits of the critique that data protection rights may be used to achieve other purposes than data protection per se, the complexity of one data item being personal data of two different individuals (and the competing interests of those two individuals).
The Court will probably closely follow the Conclusions of the AG for most of the points she raised.
The only contentious point will be the classification of an examiner’s corrections as personal data of the examined candidate, because following the AG will mean that the Court would reverse its case-law from YS and Others.
If we apply the criteria developed by AG Kokott in this Opinion, it is quite clear that the analysis concerning YS and their request for asylum is personal data: the legal analysis is closely linked to the facts concerning YS and the other asylum applicants and the fact that there may be additional legislation governing access to certain information (administrative procedures in the case of YS) is not capable of superseding data protection legislation. Moreover, if we add to this the argument that access to one’s own personal data is valuable in itself and does not need to satisfy other purpose, reversing this case-law is even more likely.
The only arguable difference between this case and YS and Others is that, unlike what the AG found in §62 (“comments on an examination script are typically inseparable from the script itself… because they would not have any informative value without it”), it is conceivable that a legal analysis in general may have value by itself. However, a legal analysis of particular facts is void of value when applied to different individual facts. In this sense, a legal analysis can also be considered inseparable from the particular facts it assesses. What would be relevant in classifying it as personal data would then remain the identifiability of the person that the particularities refer to…
I was never convinced by the argumentation of the Court (or AG Sharpston for that matter) in YS and Others and I would welcome either reversing this case-law (which would be compatible with what I was expecting the outcome of YS to be) or having a more convincing argumentation as to why such an analysis/assessment of an identified person’s specific situation is not personal data. However, I am not getting my hopes high. As AG Kokott observed, the issue in the main proceedings can be solved without getting into this particular detail. In any case, I will be looking forward to this judgement.
(Summary and analysis by dr. Gabriela Zanfir-Fortuna)
Posted in CJEU case-law, Comments, Europe, GDPR, News
Tagged access to an exam script, AG Kokott, an exam script is personal data, CJEU, data protection, definition of personal data, definition of personal data under the GDPR, do I have access to my own exam paper, Nowak, personal data, pseudonymized data, what is a filing system, YS and Other