Greetings from Ireland via Croatia, where my family and I have just spent a recent holiday break.
But as we boarded the plane home, I was sad to hear that European Data Protection Supervisor Giovanni Buttarelli passed away. I remember his speech at his excellent ICDPPC conference in Brussels last year. It was a motivating, positive and moving discussion on ethics and data. The privacy community has lost a true gentleman and scholar. He will be missed. For more on Giovanniâ€™s life and legacy, be sure to check out our coverage, our memorial page, Omer Teneâ€™s salute to Giovanni, and ‘s tribute.
In Ireland, the much-awaited Data Protection Commission decision into Irelandâ€™s Public Services Card was released this week. This has been a long-running saga between Irish privacy advocates and the Department of Employment and Social Protection. The history is that the DESPA introduced an identification card for people availing of services from that department (e.g., social welfare and pension payments, etcetera). In order to obtain a card, one had to provide a photo and other details, which DESPA argued, were necessary to authenticate the identity of the individual claiming benefits â€” the ultimate goal being to combat welfare fraud. So far, so good.
However, the card was increasingly required by other government agencies in order to avail of their services also (e.g., to obtain a passport or renew a driving license). This scope creep was problematic, and people had concerns that the scheme resulted in the introduction of a national ID card by stealth and without adequate consideration of data protection implications. The matter came to a head when a pensioner was refused access to her state pension as she refused to obtain a PSC. Public support for the pensioner resulted in this becoming an issue in the national media.
Complaints were made to the DPC about different elements of the scheme, including queries as to its lawful basis, scope creep, its use of biometrics and also about the treatment of the DESPAâ€™s DPO.
The first decision, issued by the DPC this week, relates to pre-GDPR issues. The full report has not been released, but the DPC issued a summary of its findings, and Helen Dixon gave interviews to the media discussing those findings. The DPC said that there had been â€œa fundamental misunderstandingâ€� of what was permitted by the legislation underpinning the card. There was also no legal basis for other public sector bodies to mandatorily demand the card. Furthermore, the indefinite retention by the DESPA of the supporting documents gathered for 3.2 million cards issued to date was unlawful.
The ultimate result is that the DESPA may continue to use the card for its original purpose (and as provided for in legislation) but must delete the surrounding identification documentation once it has adequately identified the applicants. Other agencies can no longer require applicants for their services to have a PSC, and the DESPA must stop processing personal data relating to those other agenciesâ€™ service users within 21 days.
Now the government is faced with drastically curtailing its much-vaunted scheme; introduce legislation to widen the scope of the scheme (which would, of course, have to meet the CJEUâ€™s Bara & Others (C201/2014) requirements), or it could request a judicial review of the DPCâ€™s decision. It may also have to contend with litigation on behalf of affected individuals. However, given that this DPC decision was made under the 1995 Directive, not the GDPR, any plaintiffs would have to demonstrate â€œmaterial loss.â€�
In any analysis, this decision of the DPC is courageous, if inconvenient for the Irish government. We await the DPCâ€™s decisions in relation to the other matters highlighted above, concerning the DESPAâ€™s DPO and the PSC in the coming months.