Data Protection: It’s a long way from Portarlington to Luxembourg

“Mr Nowak’s legal journey continues”

Thus concludes Mr Justice O’Donnell in delivering a seven-judge Supreme Court decision in Peter Nowak -v- Data Protection Commissioner [2016] IESC 18. The case concerned a claim by Mr Nowak that his exam script in a professional accountancy exam was personal data and therefore should be provided to him under data protection law.

Having began his journey at the Data Protection Commissioner’s office in Portarlington and stopping off at four (yes four!) levels of appellate court along the way Mr Nowak is off to Luxembourg for the final word on the issue.

Mr Nowak wanted to see the exam script from his failed attempt to pass one of four second level exams set by Chartered Accountants Ireland. Having been refused access under the Data Protection Acts he complained to the Data Protection Commissioner who took the view, without reviewing the script, that an exam script such as his could not be personal data. The Commissioner dismissed Mr Nowak’s complaint as being “frivolous or vexatious” since it had no foundation in law.

Three levels of appellate court agreed but the Supreme Court wasn’t sure and referred to question to the CJEU.

Following Schrems, this is the second time in less than two years that a complaint dismissed by the Data Protection Commissioner as hopeless has ended up in the highest court in Europe. A situation described by O’Donnell J as “incongruous”.

The underlying issue here, whether an examination script is ever capable of being personal data within the meaning of the Acts, and if so, whether this script is such personal data, is one of some difficulty and complexity that requires the analysis of a number of different texts and provisions. It might appear rather incongruous, therefore, that the Commissioner, while clearly respectful of Mr Nowak’s complaints, determined them to be frivolous and vexatious, and now maintains that this decision can only be reviewed through the mechanism of judicial review. This incongruity is highlighted by the fact that perhaps the most important data protection case to emanate from this jurisdiction, and which has resulted in a landmark decision of the Court of Justice of the European Union,  Schrems v. The Data Protection Commissioner (Case C-362/14), judgment of the Grand Chamber, 6th October 2015, to which Digital Rights Ireland was added as a party, concerned an issue which was determined by the Commissioner to be frivolous and vexatious under s.10(1)(b)(i).


Meanwhile and arguably more importantly, the Court finally put to bed a glaring anomaly in the rights of data subjects to appeal decisions of the Commissioner in the courts.

Arising out of Mr Nowak’s complaint the Circuit Court, High Court and Court of Appeal all held that where a complaint is dismissed as “frivolous or vexatious” by the Commissioner the data subject has no statutory right of appeal to the Circuit Court under section 26 of the Data Protection Acts. The only route available in that case is the costlier and less extensive remedy of judicial review in the High Court.

According to the Supreme Court this was not what the legislature intended in drafting the Data Protection Acts which provide for a Circuit Court appeal against all Commissioner decisions. It must be assumed, according to O’Donnell J, that the law is intended to make sense and to “achieve some purpose which is to be discerned from the words of the Act, its structure and the background against which it is enacted.”

O’Donnell J didn’t think the Commissioner was looking for a broad definition of “frivolous or vexatious” in order to avoid launching investigations since there was nothing stopping him from making preliminary decisions in any particular circumstance, thereby retaining the ability to filter out clearly misconceived complaints but always subject to appeal to the Circuit Court.

Substance over form

The Court reserved its position on the issue of what form such a statutory appeal would take until a more suitable case arises clearly signalling that it will hear such a case when and if once comes along.

Clarke J in his concurring judgment went a step further and criticised the legislature for not clearly defining the scope of statutory appeals generally, referring to his previous judgment in Fitzgibbon v. The Law Society of Ireland [2014] IESC 48.

The Court felt that the appeal was less than a full rehearing but more than judicial as was set out by a previous Supreme Court in Orange Communications Ltd v. The Director of Telecommunications Regulation and anor (No 2)  [2000] IESC 79 (a case in which O’Donnell J acted as a senior counsel). The Court hinted that even this test in the context of data protection law may need to need to considered again in the future if a suitable case comes along.

The decision on scope of appeal is a welcome one for data subjects who now have a more accessible appeal to the Circuit Court against all decisions of the Data Protection Commissioner even against decisions that a complaint does not come within the scope of data protection law at all.

It is likely that this finding will read across into other statutory appeals regimes, particularly where for costs reasons appeals on procedure and jurisdiction are less common such as those under the Freedom of Information Act 2014 and the Access to Information on the Environment Regulations.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.