EU data protection law defines personal data as: “… any information relating to an identified or identifiable natural person.” Data protection rules only apply to the processing of data that falls within this definition; so identifying what is and is not personal data is central to many data protection questions. The Court of Justice of the European Union has considered this definition on a number of occasions in the past; and it will consider it again as the Irish Supreme Court has decided to refer questions about the interpretation of this definition the CJEU in Nowak v. Data Protection Commissioner.
This referral arises from a refusal to provide an examination paper in response to an access request brought under the Irish Data Protection Acts. That refusal was on the grounds that a man who took an accounting exam couldn't call the data he wrote in an examination paper his own "personal data." No doubt a person’s exam paper will be of great interest and relevance to that individual. But whether such a paper can be said to “relate” to them is another matter.
The argument facing the plaintiff is that the data is not related to him, but rather relates to the subject of the exam in question — issues of strategic finance and management accounting in this case.
Such an argument seems consistent with the judgment of the CJEU in Y.S. The applicant in that case had been refused a residence permit by the Dutch government. He made a data protection access request and was provided with personal data which explained why his application had been refused. That refusal was based on a legal opinion. And the CJEU held that this legal opinion was not personal data as it was “ … not information relating to the applicant for a residence permit, but at most, in so far as it is not limited to a purely abstract interpretation of the law, is information about the assessment and application by the competent authority of that law to the applicant’s situation.”
Counter-arguments may be made: a person’s handwriting may allow them to be identified; any comments and marks that an examiner may have written on the exam paper may relate to the data subject who did the exam. The Irish Supreme Court has unanimously decided that this is a matter of EU law that must ultimately be decided by the CJEU. It has suggested to the parties what questions might be asked of that court, and the case may go back before the Supreme Court in June so that the questions to be asked of the CJEU can be finalized.
This referral comes at a significant time, as the EU is in the process of updating its data protection laws. The General Data Protection Regulation was signed into law by the EU legislature at the end of April; it must now be published in the EU’s Official Journal. Twenty days after it is so published, the GDPR will enter into force; it will then apply from two years after that date, sometime in the summer of 2018. The definition of personal data in the GDPR is essentially the same as that in the present Data Protection Directive, although the GDPR does include some new examples of what may be considered an identifier. However the GDPR is different in many other ways. And the CJEU’s thinking on data protection has undergone a striking evolution in recent years: compare Ireland v Parliament & Councilwith Digital Rights Ireland; or Lindqvist with Google Spain.
It will be interesting to see if the CJEU’s thinking on the definition of personal data has similarly evolved when it gives judgment on this case, probably in a couple of years’ time.