Ireland’s Data Protection Commissioner (DPC) could face legal scrutiny after a second case it refused to investigate is to be referred by Irish courts to the European Court of Justice.
The case was taken by Peter Nowak, an accountancy student, after he was refused permission by the Institute of Chartered Accounts of Ireland to review scripts of his failed exams.
The DPC agreed with the institute’s view that exam scripts did not count as personal data under Irish data protection laws, and declined to investigate further.
It said Mr Nowak’s case had no chance of success – in legal terms it was “frivolous and vexatious” – and the DPC, under Irish data protection law, argued it was not obliged to investigate.
After three legal instances, the Supreme Court last month asked the European Court of Justice whether an exam script counts as personal data to which a person is entitled to have access.
In addition, the Supreme Court challenged a DPC stance – until now followed by Irish courts – that cases it dismisses as “frivolous and vexatious” are excluded from appeal.
On April 28th, the Supreme Court ruled that the DPC’s action in the Nowak case were “just as likely to be wrong and in need of correction as any other decision made by the Commissioner”.
Mr Nowak has welcomed the judgment into what he termed the Data Commissioner’s “subjective opinion” and its “not fully transparent” decision-making.
“It is crucial that an appeal process to the courts is in place,” he said.
The data protection office received 13,500 queries in 2014, of which 950 were selected for closer, second-round investigation. The DPC does not collate how many queries it dismisses in the first round as “frivolous and vexatious”.
The Nowak case is the second such "frivolous" dismissal by the DPC to end up at in Europe, following the case of Austrian privacy campaigner Max Schrems involving Facebook and claims by US whistleblower Edward Snowden.