Ireland’s Data Protection Commissioner (DPC) is facing another possible defeat at Europe’s highest court in an eight-year legal marathon over an exam script.

In a referral from the Supreme Court, the European Court of Justice (ECJ) in Luxembourg has been told by its Advocate General that Ireland’s DPC was wrong to say an accountancy trainee had no right to access the script of a failed exam.

In an opinion released on Thursday, the ECJ Advocate General recommended the court classify the script as personal data under EU data protection laws.

In 2009 Peter Nowak, a registered student with the Institute of Chartered Accountants of Ireland (CAI) asked to view his scripts for an accounting exam after failing it for the fourth time, with a view to challenging the result.

The CAI released 17 items but declined to release the exam script, saying it did not constitute personal data under data protection legislation.

Mr Nowak then sought assistance from the Data Protection Commissioner, who advised him that exam scripts “would not generally constitute personal data”.

Formal complaint

After he filed a formal complaint, the commissioner refused to investigate the complaint, saying it was not sustainable on legal grounds and, in a technical sense, was frivolous and vexatious.

Mr Nowak appealed the commissioner’s decision to the Circuit Court, which found he had no right to appeal the commissioner’s determination.

The High Court agreed with the Circuit Court but the Supreme Court said it was not clear whether an exam script constitutes personal data and asked the ECJ for guidance.

In its opinion, the Advocate General said the Data Protection Commissioner may have been correct in the narrow sense, that the solutions in exam scripts do not constitute personal data, but this disregards how exam scripts contain the workings of the candidate.

“The script is a documentary record that the individual has taken part in a given examination and how he performed,” wrote Juliane Kokott, German Advocate General at the ECJ. “The personal connection to that performance is also shown in the fact that examination candidates often include their most important examination results in their CVs.”

‘Individual performance’

Every exam is a test of the “strictly personal and individual performance” of a candidate and is thus “a collection of personal data”.

As well the Irish parties involved, the case before the ECJ attracted submissions from seven EU member states and the European Commission.

In its opinion the Advocate General said the issue was less about access to the exam script but the Data Protection Commissioner’s refusal to assist Mr Nowak in securing access. While the DPC refused to take on his case, believing it had no chance of success, the Advocate General saw a “genuine need” for Mr Nowak to access his exam script and that such a document might be of interest at a later date.

The opinion points out that the Nowak ruling and the personal data issues it addresses were “also of importance” for the looming new era of EU data protection regulations.

A ruling on the Nowak case is likely in the autumn, referring it back to the Supreme Court. The Advocate General’s opinion is not a ruling and the Luxembourg-based court is not obliged to follow its Advocate General’s line or argument, but it very often does.

This case is the second time in two years that a DPC finding has been challenged in Europe’s highest court. In 2015 Luxembourg judges struck out transatlantic data transfers under the so-called “Safe Harbour” provisions on foot of a complaint by Austrian lawyer Max Schrems to the Irish DPC.

No case to investigate

The Irish authority claimed it had no case to investigate as Safe Harbour, and its implementation, was solely a matter for the European Commission. The Luxembourg court disagreed and said the Irish authority was wrong not to investigate the Schrems complaint.

On Wednesday Mr Schrems was back in Luxembourg’s ECJ in the latest round of his long-running legal battle with Facebook’s Irish subsidiary.

After withdrawing a complaint in Ireland, claiming the DPC was delaying a ruling, Mr Schrems took a class action against Facebook’s data collection policies in Vienna.

He argues that Facebook collection of European users’ data for commercial gain disregards EU data protection laws. Austrian courts so far have agreed with Facebook that such a class action suit – involving 25,000 European Facebook users backing Mr Schrems – are not permissible under EU law.

Another, separate, case involving Mr Schrems, Facebook and the DPC is still ongoing at the Commercial Court over possible links between Facebook user data collection and US surveillance programmes.