Brussels Update: Exams and Data Transfers

It is worth noting a couple of data protection developments from our European neighbours from the last week or so. First, Advocate General Kokott has handed down an Opinion in Case C-434/16 Nowak v Data Protection Commissioner (ECLI:EU:C:2017:582) about examination scripts. Second, the CJEU has delivered itself of Opinion 1/15 (ECLI:EU:C:2017:592) on the compatibility with Charter rights of the envisaged agreement between the EU and Canada on Passenger Name Record data.

Nowak was a case in which a candidate who had sat an exam made a subject access request for his script. The Irish Data Protection Commissioner considered that the request was abusive and that the script was not his personal data. AG Kokott disagreed. Although an odd context, the Opinion actually has some useful nuggets in relation to classic data protection issues. A script, and the comments of an examiner on it, can be linked back to a candidate by the examining organisation, and is indirectly linked to them sufficiently for the purposes of identifiability, even if it was taken anonymously: at [28] and [60]-[61]. The AG considered that the script incorporates information about the candidate, showing how the candidate thinks and works, and the outcome is used as an important piece of personal CV information: [21]-[25]. In much the same way, the comments of the examiner are also personal data of the candidate because the very purpose of them is to permit evaluation of the candidate’s performance: at [61]. The AG also agreed that the handwriting of a script was itself the personal data of the candidate, providing indications as to identity (and it was not necessary to have to prove identity beyond doubt from a single element of personal data): at [29]-[30]. (If readers are thinking that surely the examiner’s comments must also be the examiner’s personal data, the AG agreed and noted that that may be a basis to refuse to disclose them: at [65].)

The Opinion also considered whether or not to reason backwards from the utility of rights afforded by the Directive in respect of personal data. AG Kokott was clearly reluctant to let the remedy tail wag the personal data dog: at [34]. But observations were made about how rights such as rectification might work in this context. As the AG noted, it could clearly be of relevance for a candidate to be able to ascertain whether or not a script was still being held by a data controller, and to be able to require its destruction after the period of time relevant to challenging the examination outcomes. The AG was keen to explain that the Directive could not be used by a candidate to ‘rectify’ their answers or the marking of their answers by examiners; in both cases the script would accurately record the answers given and the evaluation of them, and what rectification allows has to be considered by reference to the context of the data: at [35] and [54]. This is obviously sensible, and is a helpful reminder that ‘inaccuracy’ is not a concept which can be bent by the data subject to remove everything with which they disagree.

Finally, the AG was obviously unimpressed by the out-of-hand rejection by the Irish regulator of the complaint as an abuse because of alternative methods of appealing examination results. The fact that there were other procedures would have to be something dealt with by an exemption permitted under the Directive: at [46] (easier, says AG Kokott under the GDPR: at [48]). Importantly, the AG explicitly recognises that the general principle of EU law of abuse of rights can have application to attempts to vindicate personal data rights under the Directive: at [43]-[44]. This is what the Court of Appeal reminded us in Ittihadieh v 5-11 Cheyne Gardens [2017] EWCA Civ 121 at [88], noting it as a potential control mechanism (unmentioned by the differently constituted Court in Dawson-Damer). It is a difficult test to surmount, but it is useful to have its relevance confirmed at domestic and European levels.

Opinion 1/15 is, by contrast, a total monster of a judgment, weighing in at over 230 paragraphs. Much of that analysis concerned the compatibility with the Charter of the PNR agreement’s provisions on data transfer and data retention. The headlines can be usefully taken from the operative paragraph of the CJEU’s decision: “the envisaged agreement is incompatible with Articles 7, 8 and 21 and Article 52(1) of the Charter in so far as it does not preclude the transfer of sensitive data from the European Union to Canada and the use and retention of that data; and

the envisaged agreement must, in order to be compatible with Articles 7 and 8 and Article 52(1) of the Charter:

(a) determine in a clear and precise manner the PNR data to be transferred from the European Union to Canada;

(b) provide that the models and criteria used in the context of automated processing of PNR data will be specific and reliable and non-discriminatory; provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;

(c) save in the context of verifications in relation to the pre-established models and criteria on which automated processing of PNR data is based, make the use of that data by the Canadian Competent Authority during the air passengers’ stay in Canada and after their departure from that country, and any disclosure of that data to other authorities, subject to substantive and procedural conditions based on objective criteria; make that use and that disclosure, except in cases of validly established urgency, subject to a prior review carried out either by a court or by an independent administrative body, the decision of that court or body authorising the use being made following a reasoned request by those authorities, inter alia, within the framework of procedures for the prevention, detection or prosecution of crime;

(d) limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime;

(e) make the disclosure of PNR data by the Canadian Competent Authority to the government authorities of a third country subject to the condition that there be either an agreement between the European Union and that third country equivalent to the envisaged agreement, or a decision of the Commission, under Article 25(6) of Directive 95/46, covering the authorities to which it is intended that PNR data be disclosed;

(f) provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data by the Canadian Competent Authority to other authorities or to individuals; and

(g) guarantee that the oversight of the rules laid down in the envisaged agreement relating to the protection of air passengers with regard to the processing of PNR data concerning them will be carried out by an independent supervisory authority.”

Those summary conclusions give a pretty good indication of the degree of detail to which the CJEU was subjecting the agreement, and the degree of protection it expected the agreement to provide to comply with Charter rights. Time and reader boredom thresholds preclude detailed analysis here, but for those interested (perhaps those currently thinking of negotiating a significant set of agreements across a wide range of policy areas which will inevitably include provisions about data transfers, for example), this post by Christopher Kuner on the Verfassungsblog is a very helpful summary of the concerns of the CJEU and the considerable difficulties posed by the judgment for the future, both in substance and in understanding what the Court is saying. Suffice it to say for the moment that the judgment is not an easy read, and when you think you understand what is being required, the difficulty of achieving those requirements is clear.

Christopher Knight