In a recent article we noted that the Norwegian Data Protection Authority had sent the International Baccalaureate Association (IBO) an advance notification that it was going to order it to rectify grades it had awarded based on “so-called ‘school context’ and ‘historical data'”. The IBO had until 21 August to “contradict” the Norwegian DPA’s draft decision.
Following that, the IBO responded to concerns, at least in part, by making an adjustment to awarded results with the emphasis that “no student will receive a lower grade than what was received previously”. Despite this it is clear (and perhaps unsurprising) that many IB students are still deeply unhappy about the process, and now, with the recent u-turn on the A-Level awards in the UK, are arguably feeling even further aggrieved that their results are still tied to the outcome of what they see as a flawed and unfair algorithmic process. It is not yet clear whether the Norwegian DPA will consider the IBO's review to satisfy its suggestion that the IBO must "redo" the IB grading.
But it is also noteworthy that (as this news item, in Norwegian, reports) the IBO's lawyers appear to have responded to the Norwegian DPA's provisional findings and have, firstly, disputed that the IBO infringed the General Data Protection Regulation (GDPR) but, secondly, challenged the latter as to its jurisdiction to investigate. They argue that as the IBO's relevant operations are in the UK (even though the organisation is based in Switzerland) then the UK Information Commissioner's Office (ICO) is the competent supervisory authority to investigate complaints about infringements of the GDPR.
It does appear that the IBO’s grading process was apparently already being scrutinised by Ofqual, to whom the IBO’s awarding model was submitted both prior to its actual use and to the issue of results (which raises the possibility that Ofqual may have been a controller in GDPR terms for the IB model as well as for the English A-Levels).
The jurisdiction point turns on this: the IBO is based in Switzerland. Although Norway is not in the EU, it is in the European Economic Area (EEA), and by a joint agreement of July 2018 GDPR was incorporated into the EEA Agreement. To the extent that a controller established outside the EU is offering goods or services to data subjects in the European Union, it is subject to GDPR’s extra-territorial provisions at Article 3(2), and subject to the jurisdiction of any and all supervisory authorities in the EU member states where affected data subjects are. However, where a controller is established in the EU (and undertaking processing of data subjects who are in more than one member state) the supervisory authority of the main establishment or of the single establishment of the controller becomes the "lead supervisory authority". The Norwegian DPA appears to have taken the view that the IBO's Swiss base was the relevant controller for the purposes of the IB, i.e. outside of the EU thereby giving the Norwegian DPA jurisdiction, but the IBO's lawyers appear to be arguing that it is the IBO's Cardiff office which is the relevant controller, in which case the UK ICO should lead the investigation.
This is of course wholly unsatisfactory for those students and their families across the globe who rightfully feel aggrieved at the handling of their IB award and at the continuing uncertainty as to their future. The Norwegian news site quotes the ICO as saying "We are currently in contact with both IBO and our Norwegian colleagues on this matter to ensure that the necessary steps are taken". One hopes that greater clarity will emerge, and soon.
Mishcon de Reya are in discussion with a number of affected students and their families, and an email address has been set up by one family and they are inviting contact from those interested in exploring the potential for legal claims. They can be contacted at firstname.lastname@example.org.