Greetings from Ireland via Croatia, where my family and I have just spent a recent holiday break.
But as we boarded the plane home, I was sad to hear that European Data Protection Supervisor Giovanni Buttarelli passed away. I remember his speech at his excellent ICDPPC conference in Brussels last year. It was a motivating, positive and moving discussion on ethics and data. The privacy community has lost a true gentleman and scholar. He will be missed. For more on Giovanni’s life and legacy, be sure to check out our coverage, our memorial page, Omer Tene’s salute to Giovanni, and 's tribute.
In Ireland, the much-awaited Data Protection Commission decision into Ireland’s Public Services Card was released this week. This has been a long-running saga between Irish privacy advocates and the Department of Employment and Social Protection. The history is that the DESPA introduced an identification card for people availing of services from that department (e.g., social welfare and pension payments, etcetera). In order to obtain a card, one had to provide a photo and other details, which DESPA argued, were necessary to authenticate the identity of the individual claiming benefits — the ultimate goal being to combat welfare fraud. So far, so good.
However, the card was increasingly required by other government agencies in order to avail of their services also (e.g., to obtain a passport or renew a driving license). This scope creep was problematic, and people had concerns that the scheme resulted in the introduction of a national ID card by stealth and without adequate consideration of data protection implications. The matter came to a head when a pensioner was refused access to her state pension as she refused to obtain a PSC. Public support for the pensioner resulted in this becoming an issue in the national media.
Complaints were made to the DPC about different elements of the scheme, including queries as to its lawful basis, scope creep, its use of biometrics and also about the treatment of the DESPA’s DPO.
The first decision, issued by the DPC this week, relates to pre-GDPR issues. The full report has not been released, but the DPC issued a summary of its findings, and Helen Dixon gave interviews to the media discussing those findings. The DPC said that there had been “a fundamental misunderstanding” of what was permitted by the legislation underpinning the card. There was also no legal basis for other public sector bodies to mandatorily demand the card. Furthermore, the indefinite retention by the DESPA of the supporting documents gathered for 3.2 million cards issued to date was unlawful.
The ultimate result is that the DESPA may continue to use the card for its original purpose (and as provided for in legislation) but must delete the surrounding identification documentation once it has adequately identified the applicants. Other agencies can no longer require applicants for their services to have a PSC, and the DESPA must stop processing personal data relating to those other agencies’ service users within 21 days.
Now the government is faced with drastically curtailing its much-vaunted scheme; introduce legislation to widen the scope of the scheme (which would, of course, have to meet the CJEU’s Bara & Others (C201/2014) requirements), or it could request a judicial review of the DPC’s decision. It may also have to contend with litigation on behalf of affected individuals. However, given that this DPC decision was made under the 1995 Directive, not the GDPR, any plaintiffs would have to demonstrate “material loss.”
In any analysis, this decision of the DPC is courageous, if inconvenient for the Irish government. We await the DPC’s decisions in relation to the other matters highlighted above, concerning the DESPA’s DPO and the PSC in the coming months.