Blog

The GDPR and Elections on the Horizon

What with the never-ending Brexit saga and the continuing toxic political stalemate, it may not be popular to delve into any topic with political associations. Nevertheless, this is the intention, and it is one that is primarily inspired by the upcoming European and Irish local elections. Both sets of elections have a novel element, to the extent that they will be the first Euro and local elections to take place since the introduction of the GDPR and The Data Protection Act 2018.

Key actors on this changed set include a number that may play the role of the data controller. In previous blogs and on our website,  we have seen how the notion of accountability of controllers and joint controllers is a central feature of the GDPR. Individual election candidates, political parties, data analytics companies and public authorities responsible for the electoral process can all act as controllers. It is not within the scope of this blog to discuss all facets, and so the less ambitious plan is to look at election candidates in the light of canvassing related activities. Data protection issues arise whenever personal data is being collected, and at election times it is collected in different forms. Canvassing door to door, direct mail marketing, and electronic direct marketing may raise concerns. More data protection issues surface in relation to requests for representation. Inevitably, organisations that receive these requests must also come under the same scrutiny.

 

Getting Started.

The focus of this article lies within the confined context of elections and electoral activities, and the application of Union and National law within this defined landscape.  Micro-targeting of voters by unlawful processing of personal data is still fresh in peoples’ minds following on from Cambridge Analytica and other similar disclosures. A starting point is to acknowledge, as stated by the UK’s Information Commission Office (ICO), that, “engaging voters is important in a healthy democracy, and in order to do that, political parties, referendum campaigners and candidates will campaign using a variety of communication methods. However, they must comply with the law when doing so; this includes the handling of the personal data that they collect and hold”. (ICO, Guidance on Political Campaigning; more details here). This is especially true since the inception of the GDPR, The Data Protection Act 2018 and the E-Privacy Regulation.

The Very Basic Ground Rules.

Individuals now have enhanced rights, and these are strengthened and particularly relevant in the electoral context. These rights place onerous responsibilities on candidates seeking office. Primary responsibilities fall on the candidates and affiliated parties where that is the relationship. Public authorities also have responsibilities under the GDPR and the various Electoral Acts. Whoever is processing the personal data, previously viewed as purely mundane, such as names and addresses, must now pay more attention. Simple names and addresses represent ‘personal data’ under the GDPR. Processing of such data must now be done lawfully, fairly and in a transparent manner, and for a defined specified purpose.  Another limitation (purpose limitation) means the personal data are now less likely to be strategically stored with ulterior motives in mind. Data cannot be further processed in a manner incompatible with the purposes for which the data were initially collected. (Note: a few strict exceptions to this rule). There must be some lawful basis for personal data processing. All data protection principles must be followed without any ‘cherry-picking’.

Pre-election days.

Most of us are well used to the barrage of literature that ends up on our hall floors in the run-up to elections. S.39 DPA 2018 specifically allows for the use of personal data for the purpose of communication in writing (including newsletter or circular) with the data subject.  It is qualified and is limited to  ‘specified persons’, namely: a political party; a member of either house of the Oireachtas, the European Parliament or a local authority; or a candidate for election to the office of  The President of Ireland or for membership of any of the above mentioned. Here the DPA 2018 provides a lawful basis for processing. There is a useful guidance booklet available at the DPC website.  Section 59 DPA 2018 expressly modifies Art. 21 GDPR, so that there is no right to object to electoral direct marketing by post. When communicating by text, e-mail, phone or fax a candidate must have prior consent from the constituent. If contact is then lawfully made, it must be clear about its origin, and it must incorporate an easy opt- out.

Frantic times precede elections and normal rules should apply, but it is probably unrealistic for the office of the DPC to expect candidates to include the amount of information described within this pamphlet with their canvassing materials. What is more unrealistic is to expect the same information to be given by a candidate when going door to door. Time constraints make this impractical. It will be interesting to hear from candidates after the elections about how the new regulations and the DPA 2018 affected their campaigns. Just as interesting will be any feedback from constituents concerning the information they were given regarding data protection rights from candidates. Under Art.9 GDPR there is a general prohibition on the processing of special categories of personal data but there are exceptions to the rule. Section 48 DPA 2018 expressly permits one of these special categories of personal data (revealing political opinions) to be processed. Provided safeguards are taken to protect the data subject’s fundamental rights and freedoms,  such data can be processed in the course of electoral activities by a political party, a candidate for election to, or a holder of, elective political office in the State. (Note: applies to Referendum Commission also). The specific purpose is the compiling of data on people’s political opinions. Section 48 DPA 2018 provides a lawful basis.

 

Requests for Representation

In the course of canvassing at election time, candidates receive numerous requests for representation regarding access to services or the provision of services. Whilst such requests are genuine, they represent a higher level test of a candidate’s knowledge or ability, as perceived by the voter, in the run-up to the election. If a voter gets a favourable and swift response from the candidate the chances are he/she will also get a vote. It is only proper that no short cuts are taken to get this information quickly before Election Day.  When we speak of ‘candidates’, it is important to distinguish between candidates who are current officeholders seeking re-election, and those running for election who do not currently hold any office.  All elected representatives should be aware of, or quickly become familiar with S. 40 Data Protection Act (DPA) 2018. In fact, they should be more conscious of, and extra vigilant in their responsibilities because the number of requests will increase exponentially at election times. Being knowledgeable on S.40 potentially benefits the representative’s reputation. Passing on the relevant specifics of that knowledge to the constituent will deliver benefits to both parties. After the introduction of the GDPR, the office of the DPC issued interpretive guidelines on S. 40 DPA 2018.  Data protection consultants GDPRXpert have the document available here.  We will now look at some of the main points from the guidelines.

 

Some Guidelines on Requests for Representation.

Sections 40(1) and (2) DPA 2018 gives the legislative basis to elected representatives for the processing of personal data of constituents. This includes the special categories of personal data from Art. 6 GDPR. Processing is allowed where the elected representative either receives a request for representation directly from the data subject or where the elected representative receives a request for representation from another person on behalf of the data subject. In all cases, the elected representative must be able to demonstrate that they are compliant with the principles of data protection.  At a minimum, representatives are obligated to meet their transparency responsibilities set out in the GDPR (especially Arts. 12, 13 &14). An elected representative has an obligation to be certain at all times they are acting upon a request from the voter.

 

There will be many situations where “the permission can be implied from the relevant action or request. For example, the raising of the matter by an individual will create an expectation that their personal data will be further processed by the elected representative and other relevant organisations”. (DPC Guidelines 2018 p.4)  A normal expectation is that personal data will be processed.  As part of the representative‘s request for information, the local council, for example, will disclose personal details necessary to satisfy the request. However, best practice is to be sure that the constituent is aware of the likely processing, and we recommend a signed consent form. In many instances, a formal, signed consent form may not be practical. Contemporaneous detailed notes should be taken by the representative, and the DPC suggests this as a good record to demonstrate compliance with S.40DPA 2018.

If any unexpected processing becomes necessary it is advisable to revert to the constituent. An elected representative must be careful not to go beyond the specified purposes for which the consent was given. One recommendation from the DPC is that elected representatives should use Privacy Notices when they collect personal details from people and have a Privacy Notice on their website. All notices should meet the transparency requirements and “satisfactorily address the requirements set out in Articles 12, 13, 14 &30 (where relevant) of the GDPR and also should be clear, accessible and informative to help people understand what will be done with their personal information”. (Office of the DPC, 2018) Simple, best advice: be straight with people on all aspects. Following data protection principles will operate to safeguard both the constituent and the elected representative.

 

Requests From Someone on Behalf of Someone Else

In this scenario, all parties should be extra cautious. Here a request is being made by one person on behalf of another. Common situations include son/daughter on behalf of one or both parents; some family member on behalf of another family member; relative on behalf of another relative; neighbour/friend on behalf of another neighbour/friend, etc. It is no longer sufficient to take the word of one party and accept the bona fides.  Therefore, the elected representative will have to ensure that the individual making the request has the authority from the person whose personal data will be processed on foot of the request. This is a potential minefield and the onus lies on the representative to “demonstrate the data subject has consented to the processing of his or her personal data” (Art.7 (1) GDPR).

Trust is no longer a reliable basis on which to proceed with such a request. Other aspects that merit detailed attention include the competency of the data subject and the legal standing of the person making the request.  For example, is there an enduring power of attorney to manage the affairs of the data subject? Any prudent representative should strive to have a signed consent form provided. Failing that, it will be a decision for the representative whether or not to make a representation.  Where the representative has not been able to fully ascertain the wishes of the individual prior to processing of personal data, he or she should have set out and recorded the specific steps taken to ascertain those wishes. Such records will stand as evidence of reasonable efforts having been made.  This will be crucial at the time the representation is made to the appropriate organisation.

 

Disclosure by an Organisation following a Request under S.40 DPA 2018.

Written Requests

As noted earlier, there is an exponential increase in the number of requests for representation approaching election time.   Section 40 (4) DPA 2018 gives an organisation the legal basis to respond to and process the personal data on foot of a representation from the elected representative. In doing so the organisation must demonstrate compliance with all the data protection principles under Art. 5 GDPR. A precondition is that the disclosure is necessary and proportionate to enable the representative to deal with the request, and safeguards referred to in S. 36 DPA 2018 are taken. Special categories of personal data are allowed to be processed by the organisation under S. 40(4). Where the organisation receives a written representation on foot of S.40 the organisation can assume the constituent has given permission. In other words, it can accept the bona fides of the representative while at the same time satisfying itself it is reasonable to assume the individual would have no objection to the release of the personal data.

Verbal Requests

With verbal representations from an elected representative to an organisation,  it is advisable that a staff member of the organisation logs appropriate details.  Where the elected representative is present when the representation is made it is good practice to have a short form confirming the details signed by him /her. Best practice is for the organisation to have policies and privacy notices in place that outlines how the organisation deals with requests. Ultimately, the organisation decides whether to accede to requests made. In particular, the organisation must ensure they meet responsibilities under Art. 12, 13, 14 and 30 GDPR. Any disclosure must be only what is necessary and proportionate in its impact on the fundamental rights of the individual. An organisation must consider the potential impact and negative implications of any representation and take safeguards to mitigate any risks.

Mitigating Risks

Mitigating risk must reach a higher level of security in the context of special categories of personal data. These are by their nature sensitive. Extra safeguards are advisable where the representation has been made on behalf of the data subject by another individual due to incapacity or age. Where the personal data falls under the special category class, any safeguards must be strengthened.  It must always be borne in mind that reliance on S.40 (4) DPA 2018 as a legal basis to disclose data on foot of a representation is dependent on certain conditions being met in advance: any processing must be necessary and proportionate and suitable measures must be taken to protect the individual’s rights and freedoms. If an organisation acting on foot of a representation has any concern about the level of awareness on the part of the representative or individual, in relation to the sensitive nature of the personal data, it would be prudent to refer back to both. It is only proper that the individual is fully aware of the implications that will follow the processing of their personal data as a consequence of the request. Both the nature and purpose of the request will influence actions taken. For example, some requests may be time-sensitive and getting explicit consent may not be practical. The DPC advises a common-sense approach be taken.

 

Personal Data of Third Parties

As a general rule, it is not permissible to process the personal data of third parties under S. 40 DPA 2018. This is allowed under very limited circumstances. If a third party has not been involved in a request for representation processing of  personal data of that third party will not be permissible unless one of the following apply: the third party cannot give explicit consent; the processing is necessary in somebody else’s interest and explicit consent has been “ unreasonably withheld” by the third party; the balance favours the disclosure in the public interest; the elected representative “cannot reasonably be expected to obtain” the third party’s explicit consent; seeking the third party’s explicit consent would “prejudice the action taken by the elected representative.

Other Considerations Re Special Category Data

Earlier we noted how S. 48 DPA 2018 allowed for one category (personal data revealing political opinions ) within the ‘special categories’ grouping. However, S. 40 (1) DPA 2018 allows the general processing of personal data within these special categories. The elected representative in processing such categories must “impose limitations on access to that data to prevent unauthorised consultation, alteration, disclosure or erasure of that data” (S.40 (3) DPA 2018).  In conjunction with these limitations, suitable and specific measures that take on board the provisions of the Data Protection Health  Regulations ( S.I No.82/1989 and S.I. No. 83/1989) should be considered, as these remain in force under S. 58 DPA 2018. Both equally apply to the elected representative and the organisation receiving the representation. These regulations provide that health data relating to an individual should not be made available to an individual, in response to an access request, if that would be likely to cause serious harm to the physical or mental health of the individual.

If a person is not a health care professional, he or she should not disclose health data to an individual without first consulting that individual’s own doctor, or some other suitably qualified healthcare professional. Where it has been deemed appropriate to disclose such information to an elected representative it should include a warning in regard to the sensitive nature of the data. The elected representative will need to apply safeguards outlined in S. 40 (3) DPA 2018. Finally, in relation to processing of personal data that involves criminal convictions or offences (Art. 10 data), any disclosure on foot of a representation will necessitate an assurance from the representative that explicit consent has been obtained for the request.

Much of the foregoing is evidence of the complicated nature of data protection in the context of electoral activities.  A high level of awareness is expected from elected representatives and from organisations that receive representations from them. Once the relevant information is provided by the elected representative a decision should be common sense based. The Office of the DPC believes any refusal by the organisation should be easily explained by reference to S.40 DPA, without citing data protection requirements as a general ground for refusal. Where the organisation has followed S.40 (4) DPA 2018, the GDPR, data protection principles and implemented suitable and specific safeguards it should be confident it has acted in compliance with DPA 2018.

Patrick Rowland, GDPRXpert.ie

Data Protection Consultants GDPRXpert.ie, with bases in Carlow/Kilkenny and Mayo, offer their expert service nationwide.

Visit www.gdprxpert.ie to learn more.

 

More Problems for Facebook

 

Facebook has not been unused to controversy, especially over the last year. In our most recent blog in relation to the first Annual Report of the new DPC, we pointed out the substantial number of data breaches reported by multinationals. Facebook was one of those multinationals, and the Facebook Token breach became subject to a statutory inquiry by the office of the DPC  in Sept. last year.  Now, in the US, federal prosecutors are conducting an investigation into data deals Facebook struck with some of the world’s largest technology companies. (NY Times, March 13, 2019 https://www.nytimes.com/2019/03/13/technology/facebook-data-deals-investigation.html)

Grand Jury Investigation.

A grand Jury in NY has subpoenaed records from at least two prominent makers of smart phones and other devices. Partnerships with Facebook gave these makers very broad access to the personal information of possibly hundreds of millions of Facebook users. This had been going on for years,  and operated to allow the makers, along with  companies such as Microsoft , Apple, Sony and Amazon, to see users’ friends contact information and other information, most often without any consent. These agreements were previously reported  in The New York Times. (Link to original article here.) Most of the partnerships have now been phased out. However, while it was in operation, the partnerships effectively gave these partnership companies a blanket exemption from the usual privacy rules.

Hundreds of pages of Facebook documents were obtained by The New York Times. These  records, generated as far back as 2017 by the company’s internal system for tracking partnerships, provided the most complete picture yet of the social network’s data-sharing practices. The exchange was intended to benefit everyone. Facebook got more users boosting its advertising revenue, and partner companies acquired features that made their products more attractive. For example,the records show that  Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent, and gave Netflix and Spotify the ability to read Facebook users’ private messages. Facebook users connected with friends across different devices and websites, reaping benefits for Facebook who had engineered extraordinary power over the personal data of more than 2.2 billon users. Prior to the GDPR, even in Europe, this power was exercised with a shameless lack of transparency and a dearth of substantive oversight.

Other investigations.

The latest grand jury inquiry comes amidst the backdrop of the Cambridge Analytica scandal where the political consulting company had improperly obtained the Facebook data of 87 million users and used the data to build tools that helped Trump’s campaign in 2016. This is part of an ongoing investigation by the Justice Department’s securities fraud unit. All along, Facebook’s position was that they had been misled by Cambridge Analytica, and had believed that the data were only being used for academic purposes. “In the furore that followed, Facebook’s leaders said that the kind of access exploited by Cambridge in 2014 was cut off by the next year, when Facebook prohibited developers from collecting information from users’ friends. But the company officials did not disclose that Facebook had exempted the makers of cell phones, tablets and other hardware from such restrictions” (NY Times, June 3, 2018.) https://www.nytimes.com/interactive/2018/06/03/technology/facebook-device-partners-users-friends-data.html?module=inline   Neverthless, some of the fine print on a quiz app that collected the data, which Facebook deleted way back in 2005, was evidence that the company knew about the potential for the data to be used commercially.

Facebook’s Wheeling and Dealing.

The pervasive nature of some of the deals that Facebook initiated become clearer when, for example, the evidence shows that  one deal empowered Microsoft’s Bing search engine to map out the friends of virtually all Facebook users without their explicit consent, and allowed Amazon to obtain users’ names and contact information through their friends. Apple was able to conceal from Facebook users any indicators that the company’s devices were even asking for data.  (NY Times, March 13, 2019). See link at top of blog). This demonstrates the covert level involved. An investigation that is still in progress gives an insight into the business and corporate psyche of the business model that Facebook is proud to espouse.  Facebook entered a data sharing consent agreement with the Federal Trade Commission in 2011. In this consent agreement, Facebook were barred from sharing user data without explicit consent.However, agreements which Facebook concluded, benefited more than 150 companies — most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations. Their applications sought the data of hundreds of millions of people a month. The deals, the oldest of which date to 2010, were all active in 2017. Some were still in effect in late 2018 (NY Times, Dec. 18, 2018).

The Spin.

Facebook’s spin on it was that the companies they entered into agreements with were, ‘extensions of itself’ and not subject to the specific data sharing rules. After all, one can’t really share a secret with oneself!  The service providers were just partners that allowed users to interact with their Facebook friends. Facebook dismissed the notion that they stood to gain substantially from the arrangements, despite admitting that they had not really policed the activities of their partners. Data privacy experts are rightly sceptical that a regulator, as thorough as the Federal Trade Commission, would view these businesses as being ‘alike’. With its experience, the FTC is hardly going to consider businesses as varied as device makers, retailers and search companies as being alike, to such an extent as to be exempt from the regulation. It seems this was Facebook’s opinion. But former chief technologist at the Federal Trade Commission, Ashkan Soltani, saw it as nothing more than a ruse, stating, “The only common theme is that they are partnerships that would benefit the company (Facebook) in terms of development or growth into an area that they otherwise could not get access to”.

Concluding…

In summary, Facebook has trouble on quite a few fronts: the original Cambridge Analytica investigation has now involved Facebook being investigated by both the FBI and the securities fraud unit of the Justice Department; the Federal Trade Commission is close to finalising its investigation into possible violation of the consent agreement ( multi-billion $ fines are anticipated) ; the Justice Department and the Securities and Exchange Commission are investigating Facebook and the U.S Attorney’s Office for the Eastern District of New York is heading a criminal investigation. (Remember, at the moment we are not talking about Europe and GDPR!!) The signs are ominous and expect to hear more from us, and others, on Facebook’s  problems in the near future.

On March 19, Rep David Cicilline (D-RI), head of the House of Representatives Judiciary Committee called for the FTC to investigate Facebook on the grounds of anti-monopoly law. https://www.theverge.com/2019/3/19/18272605/facebook-ftc-investigation-congress-republican-david-cicilline

Patrick Rowland, GDPRXpert.ie

We are GDPR and Data Protection Consultants, with bases in Carlow/ Kilkenny and Mayo, offering a nationwide service.

For more details visit www.gdprxpert.ie

 

 

 

DPC Issues Annual Report

The  DPC’s first annual report since the GDPR has just been released. It is  not surprising to observers of developments in the data protection field that at the outset the report remarks , “it is the rise in the number of complaints and queries to data protection authorities across the EU since 25 May 2018 that demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.(DPC Report, 2018) It is fair to say that pre-GDPR there was very much hype and alarm and this amplified the closer it came to D-Day, May 25th, 2018. Things have changed somewhat since then and if, “ we understand something about the GDPR, it is this: it will be a process of dialogue that lasts many years and the dialogue will need to shift and change with technology, context, learning from evidence (including emerging case law) and evolving societal norms.”(DPC Report, 2018)

We spoke in an earlier blog, and we allude to it on this website, about some misinformation and disinformation that unfortunately increased the sense of alarm and panic pre-GDPR. After May 25th there was more.  It seems the hairdresser who cited GDPR as the reason she could not give her customer details of the hair dye she was using in her customer’s hair is the favourite GDPR myth within the office of the DPC. By the way, the hairdresser’s customer was leaving to go to another hairdresser and wanted to be able to tell the new hairdresser what colour went in her hair, but we can be sure that this had nothing to do with the hairdresser’s response!

Some Facts  From the Report.

  • 2,864 complaints, of these the largest single category was in the category ‘Access Rights’ with 977 complaints, or a little over 34%of the total.
  •  1,928 were complaints under GDPR and of these 868 had been concluded.
  •  total of 3,452 data breaches recorded with the largest single category being ‘Unauthorised Disclosures’ and 38 breaches related to 11 multi-national technology companies.
  •  almost 31,000 contacts were made to the Information and     Assessment unit within the DPC.
  • 15 statutory inquiries (investigations) were opened in relation to the compliance of multinational companies with GDPR.
  • 16 requests  –formal and voluntary- for mutual assistance from other EU data protection authorities.
  • 31 own volition inquiries under the Data Protection Act 2018 into the surveillance of citizens by the state sector, for law enforcement purposes, through the use of technologies such as CCTV, body-worn cameras, automatic number plate recognition, drones and other technologies. These inquiries are conducted by the Special Investigation Unit. This same unit continued its work in relation to the special investigation into the Public Services Card that we have featured on our website recently.
  • 950 general consultations were received, excluding the consultations with multinational technology companies.
  •  900 data protection officer notifications.

In late 2018, the DPC established an advanced technology evaluation and assessment unit (the Technology Leadership Unit – TLU) with the objective of supporting and maximising the effectiveness of the DPC’s supervision and enforcement teams in assessing risks relating to the dynamics of complex systems and technology.

So it has been a busy and productive time for the office of the DPC and they even got time to speak at over 110 events including conferences, seminars and presentations. Late last year the DPC commenced a significant project to develop a new five-year DPC regulatory strategy that will include extensive external consultation during 2019.   It has to be remembered that The DPC received complaints under two substantive parallel legal frameworks during this period:

  • complaints and potential infringements that related to, or occurred,                 before 25 May 2018, must be handled by the DPC under the framework    of the Data Protection Acts 1988 and 2003;
  • and in addition and separately, complaints received by the DPC relating to the period from 25 May 2018 must be dealt with by the DPC under the new EU legal framework of the GDPR and Law Enforcement Directive and the provisions of the Data Protection Act 2018, which give further effect to, or transpose those laws into the laws of Ireland as a Member State of the EU.

The DPC took an active part in the Global Privacy Enforcement Network (GPEN) 6th annual privacy sweep. Data protection authorities from around the world participated and the theme in 2018 was privacy accountability. Accountability is a central element of GDPR. It is a concept that, “requires organisations to take necessary steps to implement applicable data protection rules and regulations, and to be able to demonstrate how these have been incorporated into their own internal privacy programs” (DPC Report 2018).  In the last sweep GPEN aimed to assess how well organisations have implemented accountability into their own internal privacy programmes and policies. One goal was to establish a sort of baseline of an organisation’s compliance with data protection. This was the brief for the DPC, as their input was targeted at randomly selected organisations in Ireland. 30 organisations across a range of sectors completed a suite of pre-set questions relating to privacy accountability. Because the sweep was done in the last quarter of 2018 only preliminary or provisional results are available to date of report. Preliminary results include the following:

  • 86% of organisations have a contact listed for a DPO on their website
  • 75% appear to have adequate data breach policies in place
  • All organisations seem to have some kind of data protection training for staff However, only 38% could provide evidence of training for all staff including new entrants and refresher training
  • In most cases organisations appear to undertake data protection monitoring/self- assessment but not to a sufficiently high level. In this category, 3 out of 29 scored ‘poor’ , while 13 could only reach a ‘satisfactory’ level
  • 1/3 of organisations were unable to show any documented processes in place to assess risks associated with new technology and products
  • 30% of organisations failed to show they had an adequate inventory of personal data, while close to  50% failed to keep a record of data flows

These again are preliminary, and the full results will be more instructive. It is to be emphasised that 30 organisations represent a small sample size.  Nevertheless, there seems to be large deficiencies in staff training and data protection monitoring/ self- assessment. Many issues will be more fully addressed in the coming months when the results of the ‘sweep’ will be available.

 

 

 

Public Services Card and Biometric Data.

In our last blog, February 15th, we looked at some arguments raised in the continuing debate surrounding the public services card. There are other aspects to the debate that we will consider now. Amongst these aspects are the special categories of data that are treated differently under the GDPR than more ‘ordinary’ categories. Any general data processing rules, applicable in the case of ordinary categories of personal data, change or become redundant if the data falls within the ‘special category’ definition. Two topical data protection issues dominate this blog: the prohibition, or otherwise, on biometric data processing; and whether the public services card photograph is within the definition of ‘biometric data’.
                       GDPR and Special Categories of Data.
Art. 9 GDPR delineates the categories of data that are covered under the special category umbrella. Their treatment under GDPR differs from other categories because of the sensitive nature of the data. Biometric data, “for the purpose of uniquely identifying a natural person” is included under Art. 9 (1). Art. 9 (1) also includes a prohibition on processing of all the other special categories of data. It is difficult to understand why this prohibition has caused so much confusion and erroneous interpretation. In order to avoid doubt as to the intent, practical application and effect of Art. 9, it is prudent to first examine it in its entirety.
Recently the following appeared on the RTE website, “Article 4 of the GDPR especially says facial images are biometric data, Article 9 of the GDPR specifically says it is illegal to process biometric data. (https://www.rte.ie/news/2019/0207/1028028-public-services-card/) The reference to Art. 9 is not correct. In the first place, it does not use the word ‘illegal’, and secondly, although Art. 9 lays out a prohibition on processing of special category data that includes biometric data, it immediately sets out the exceptions to the general rule. There are many exceptions and these range from Art.9 (2) (a), through to Art. 9 (2) (j). Initially, the general rule is laid out and then the exceptions to the rule follow. Reading the text fully helps to avoid broad misstatements of fact.
                                        There are exceptions to the rule!

 

                                       A Taste of the Exceptions to the General Rule.

• processing where the data subject has given ‘explicit consent’ to the processing (unless where Union or MS law provide that the prohibition may not be lifted);
• processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent ;
• processing relates to data which are manifestly made public;
• processing is ” necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security law,  in so far as it is authorised by Union or MS law…providing for appropriate safeguards for fundamental rights…” ; (So if the Dept. was processing biometric data in relation to the data subject’s PSC, then this would be legitimate if provided for by law. Again, the prohibition is not a blanket prohibition,  as the quote from RTE website would suggest.)
• processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• processing is necessary for reasons of substantial public interest, on the basis of Union or MS law (but is proportionate, respects rights and provides safeguards).

                    Another nibble at the exceptions to the rule.

There is also an exception for processing that is necessary for the purposes of preventive or occupational medicine and where necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health. What all this shows is that there are numerous exceptions to the general rule. Section 73 DPA 2018 closely follows GDPR on this with S. 73 (2) providing that regulations may be made permitting the processing of special categories of data for reasons of substantial public interest. This flows from the discretion allowed to Member States under Art. 9(3). Art. 9(3) gives discretion to the member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.

On this issue, therefore, there is only one conclusion. GDPR does not set out a blanket prohibition on the processing of biometric data. It is a prohibition that is subject to and qualified by, numerous exceptions. Prohibition on processing is waived in the situations expressly stated under Art. 9(1) and 9 (2).

Public Services Card and Biometric Data.

Biometric data is a recurring theme in the public services card debate. This debate centres around one particular feature of the card. It focuses on the photograph taken when applicants present themselves at designated offices to register for the card as part of the SAFE process. SAFE stands for Standard Authentication Framework Environment. It is a standard for establishing and verifying an individual’s identity for the purposes of accessing public services. Is this photograph biometric data? Many people take the view that this photograph is exactly that. The GDPR has laid out a position on this topic.

Art.4 (14) defines biometric data as, “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”. Section 69, DPA 2018 shares this definition except where it replaces ‘natural person’ with ‘individual’. There is a view that ordinary photographs do not constitute biometric data. It may be the case that all photographs are facial images, but not all facial images are biometric data. This is not to initiate an exercise in semantics, but there are technical differences that distinguish one from the other. GDPR has attempted to clarify the distinction by the precise nature of its text. Accordingly, it is the text itself that is most instructive in this particular context.

Verification and Identification.

An obvious purpose for biometric data is recognition of individuals and this takes two forms; identification, followed by verification. Identification is the less complicated of the two, and centres on comparing the data to that of numerous other individuals. Verification aims at matching the physical, physiological and behavioural characteristics to biometric data of a specific individual that have been stored in a database. Identification may be made with a high degree of probability. Identification answers the question, “Who are you”, whereas verification answers the question, “Are you really who you say you are”. (See diagram and note in the appendix below) Verification is made with almost 100 % certainty.

What GDPR is clear about is this; only data concerning a person’s physical, physiological or behavioural characteristics that have gone through specific technical processing allowing the unique identification or verification of a natural person, qualify as biometric data. The essence of the distinction centres on the word ’unique’. There are no degrees of uniqueness. Something is not more unique, or less unique. It can only be unique, or not unique. Therefore, identifying something as unique sets it apart from all others. Can even a mother of identical triplets uniquely identify her three children individually, from a photograph of all three together (presuming that no one has identifiable scars)? GDPR had this in mind when including the word ‘unique’, and this is because it is the specific process after a photograph is taken that enables ‘unique’ identification or verification.

A quite specific process has to be carried out before it qualifies as biometric data. Special and varied aspects of a facial image can be assessed to aid the goal of unique verification. In the context of a facial image, distances from nose to mouth , between nose and mouth, between eyes and nose and from earlobe to earlobe, are examples of, and variations on the means to the end, Unique verification is the end. On this analysis, it is difficult to perceive ordinary photos as biometric data. A photo is a facial image. On its own, and in isolation, a facial image is not biometric data. A facial image must result from, “specific, technical processing” (Art.4 (14)).

GDPR Recital 51 states, “…The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when ( our emphasis) processed through a specific technical means allowing the unique identification or authentication of a natural person”.

                                              Conclusion.

Finally, the Department (Employment Affairs and Social Protection) in its guide to SAFE Registration and in answer to the question, “Does the Public Services card store biometrics”, states, “ No. While the card does store a person’s photograph it does not store the biometric or arithmetic template of that photograph”. https://www.welfare.ie/en/downloads/DEASP_Comprehensive_Guide_to_SAFE_Registration_and_the_PSC.pdf
It does not use advanced facial mapping cameras when taking the photos as part of the SAFE registration process.

APPENDIX 1 &2 from biometric blog

Public Services Card Debate Resumes.

 

 

Just when people thought the questions and concerns surrounding the Public Services Card (PSC) had been forgotten about, the debate and mystery about this card resume.  So what’s it all about?

Most of you will remember some controversy about this card at the time it was introduced, and it initially focused on one theory in relation to its introduction. For many, it represented no more than the introduction of an identity card by stealth. The government vehemently denied this, and different Ministers for Social Protection (Burton, Varadkar, and Doherty) regularly appeared in the media to explain and defend the purposes behind its introduction and certify its bona fides. It was just a convenient card with no other purposes than to cut down on benefit fraud and streamline operations. Everything now should work more cost-effectively and taxpayer money would be saved.

Nevertheless,  ‘Big Brother is watching’ theory persisted. As time moved on the card began to be scrutinised more, especially in the light of data protection legislation and amid issues of concern from that aspect, which were beginning to be raised by Digital Rights Ireland and others. Prior to the introduction of GDPR, there was an increasing awareness of the changes in data protection that were just around the corner. When GDPR came into force it was clear that now the PSC could be re-examined from a whole new perspective. Indeed, GDPR facilitated a more robust questioning of the purposes and validity of the card’s introduction. We acknowledge the enhanced powers under the GDPR are not to be applied to incidents that occurred prior to May 2018. To highlight the strengthening of these powers since the  GDPR,  our analysis is done through the lens of these changes.    When other bodies, in most cases unconnected to the granting or withdrawal of social welfare or pensions, began to insist on the card being produced to access other services, the questioning intensified. (At one point, both the Passport Office and National Driving Licence Service demanded the PSC).

 

The Lawful Basis for the PSC.

 Art. 6 (1) (a-f) GDPR lays out in clear terms the lawful bases that need to be established before processing personal data. In this context, the Government has repeatedly referred to the legislation that they rely on as a lawful basis.  Section 247 (c) of the Social Welfare Consolidation Act 2005, as inserted by Section  11, Social Welfare and Pensions ( Miscellaneous Provisions) Act 2013,  is most cited by officials as the legislation underpinning the PSC. However, other legislation also stands in support of the PSC and its operation.

Legislative Support for the PSC.

 Any power to issue a PSC is given under S.263 (1) of the Social Welfare  Consolidation Act 2005, which was then substituted by S. 9 (1),  Social Welfare and Pensions Act 2010. Some of the important terms in S. 9 include a reference to the information inscribed on the card and further information stored electronically on it. Section 263 of the 2005 act sets out finer details concerning the card and expressly states the minister may request the person to present themselves at a specified place, provide certain documentation, have a photograph taken and provide a signature in electronic form. It also clarifies the type of information that will be stored on the card.  This includes the person’s date of birth, gender, primary account number, the expiry date of card and card service code electronically encoded on the card and any other information that may be prescribed either inscribed or encoded on the card. Therefore, more personal data can be added to the card when the Minister sees fit.

Schedule 5 of the 2005 act gives a list of ‘specified bodies’ that may use the PSC for the purposes of a transaction. A conclusion in this regard is that unless a body is a ‘specified body’ and on this list, it cannot demand the PSC. All the information that is referenced is personal data, within the meaning of Art. 4 GDPR and, therefore, requires a lawful basis prior to any processing operation.

 So is there a lawful basis for the PSC? 

An examination of the foregoing legislation, cited in support of the legality of the PSC, would support a lawful basis for processing under Art.6 (1) (c), GDPR. There is no doubting its lawful basis under Section 2D of the earlier Data Protection Acts.    Had GDPR been in force, another lawful  basis could be found under Art. 6 (1) (e).  This is referring to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Here there is a relationship back to the  Social Welfare Consolidation Act which places the controller (The Dept.) under the lawful obligation. One legitimate question is whether the processing is ‘necessary’ for the performance of the task or in the exercise of official authority. A public body cannot ( generally) avail of the ‘legitimate interest’ lawful basis under Art. 6 (1)  and so any ‘specified body’ under schedule 5 will have to have a lawful basis other than this basis.

It is important to bear in mind that the legitimate interest basis cannot be used to override the interests or fundamental rights and freedoms of the data subject. Undoubtedly, this includes rights under the European Convention on Human Rights and the European Charter. In the context of the PSC,   privacy rights and data protection rights are the foremost of these rights. While the PSC may have a lawful basis, there is the consideration of some other criteria to assess the validity of the PSC and its associated personal data processing. The introduction of the card would have satisfied the legal basis required under the old Data Protection Acts 1988 and 2003. It would also have satisfied GDPR, had it been in effect. Our purpose in examining through the lens of GDPR is to emphasise the lower data protection standards applicable pre- GDPR. Despite these lower standards, the PSC had no lawful basis under Section  2A of the Data Protection Acts 1998 and 2003 to process the personal data of individuals for any transactions with bodies other than DEASP.  

Some Other Important Criteria.

Articles 7 and 8 of the European Union Charter of Fundamental Rights guarantee the right to respect for private life and the right to protection of personal data respectively. Any limitation that may be imposed on the exercise of these rights must under Art.52 (1) of the Charter:

(a) be provided for by law:

(b) be necessary to meet some objectives of general interest;

(c) be proportionate.

Where a less intrusive measure can be taken to achieve the same stated objective, then the less intrusive measure must be taken. This is also in line with the data minimisation principle. Whether the card is necessary to meet an objective, such as countering social welfare fraud, is certainly debatable at least. Is it proportionate to the aims, especially when viewed through the lens of individual rights?  Are there safeguards to defend these rights? Even if the PSC passes the tests it may still not be in compliance with the GDPR.

The PSC and  Data Protection Principles under GDPR.

Even where the processing of personal data conforms to EU law, in the sense of the broader EU legal environment, and has a lawful basis that complies with Art. 6 GDPR, it still has to be in accordance with data protection principles under Art. 5 GDPR. Again, the relevant law pre GDPR is contained in the Data Protection Acts 1988 and 2003. This is where the PSC is most likely to fail to comply with the GDPR.  Art. 5 (1) states personal data, “shall be processed lawfully, fairly and in a transparent manner in relation to the data subject”. The lawfulness element refers to EU law in general and not just data protection law. ‘Fairness’ is to be interpreted as ‘proportionality’ in the application of a measure. What this means is that any measure must be appropriate for attaining the objective pursued and not go beyond what is necessary to achieve it. It is the transparency element of Art. 5 which causes most problems for the PSC. Any transparency element is best read in conjunction with Arts. 12, 13 and 14, which concern the information that has to be given to the data subject regarding the processing of the personal data.

Information?

There is no evidence of data subjects being given the required information at the point of data collection, as mandated by Art. 13. The government in 2017 published a 73-page ‘Complete Guide to SAFE Registration and the Public Services Card’. It contains valuable information but very few of the applicants for a PSC are aware of the information it contains. It is the information under Art. 13 (1) and (2) that they should be made aware of,  and it is not information they should have to seek out. A report on the PSC was recently sent to the government and is not being disclosed at present. One likelihood is that the card failed, particularly under the transparency element. Anecdotal evidence suggests most people were just told to turn up at a certain date and time, and that their photographs would be taken. No other information was offered.

Purposes?

Art. 5 (1) (b) is also likely to be problematic for the PSC. It states that data must be, “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Again, it directly relates back to transparency. People (i.e., the data subjects) must be made aware of the specific purposes of personal data processing. Combating welfare fraud seems somewhat unrelated to obtaining a driving licence.

Problems for the PSC are likely to surface under Art. 5 (1) (e).  Personal data shall be, “kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…”  So how long is necessary for the PSC?  It has been apparent for quite some time that the personal data on the PSC stays on the card and only a new photograph is required to renew it every seven years. When a card is issued to persons, it is likely that the card will be theirs for life, irrespective of any need to access services in the future. Again, any information regarding retention periods is not being conveyed to PSC applicants.

There is no doubting the failure of the PSC card regime to meet the current transparency standards of the GDPR. It would also fail the standards of the Data Protection Acts 1988 and 2003. The office of the DPC is completing a report on the PSC that pre-dates the GDPR. This report will only focus on the law applicable at the time.  Ultimately, conclusions in that report would be very different had GDPR been in effect when the report was commenced. Looking at it in the light of GDPR, as we have done, focuses on inherent weaknesses and flaws when judged under the higher GDPR standards. Any complaints post- GDPR, are now judged by these higher standards.

In the next blog, we will discuss the PSC from the ‘Special Categories’ perspective and focus on the Biometric data dimension.

Patrick Rowland, GDPRXpert.ie

Data protection consultants, GDPRXpert, are based in Carlow/Kilkenny and Mayo, offering a nationwide service.

Visit www.gdprxpert.ie for more information.

 

 

 

 

Latest News