The DPC is not infallible, and so it is wise to remember that data controllers have legal rights.
There is no doubt that much time has been spent in the media and on this forum in debating aspects of the Public Services Card. Data protection consultants GDPRXpert first reported on this in a blog way back in 15 Feb 2019. We rightly predicted the main conclusions resulting from the recent investigation by the office of the DPC into the legitimacy of the Public Services Card. Some of the concerns that the DPC was likely to focus on in the continuing contentious debate were highlighted.
At that time many feared the PSC represented the introduction of a national identity card by stealth. GDPRXpert wrote at the time that “The government vehemently denied this, and different Ministers for Social Protection (Burton, Varadkar, and Doherty) regularly appeared in the media to explain and defend the purposes behind its introduction and certify its bona fides. It was just a convenient card with no other purposes than to cut down on benefit fraud and streamline operations. Everything now should work more cost-effectively and taxpayer money would be saved.” There is still little impediment standing in the way of its use as a de facto national identity card (See Adrian Weckler, “National ID Card Isn’t Dead” SINDO, Aug.18, 2019).
There was a follow up on PSC and biometric data on 21 Feb. On 22 Aug. data protection consultants, GDPRXpert, discussed the DPC findings into the investigation of the PSC. A report was issued and recommendations were made to the Govt.
Three central issues were to the fore in the report:
The lack of lawful bases for processing personal data, apart from processing by the DEASP;
Lack of transparency; ( in terms of what personal data it processes in the context of SAFE 2/PSC, for example, how that data is updated and shared with other public sector bodies for the purposes of decision-making) and
Retention of data beyond what is necessary. (In particular, the retention of supporting documentation that was demanded in support of an application was excessive.)
Data protection consultants GDPRXpert have the DEASP link to the report available now.
In total, the DPC made 8 adverse findings in relation to the card’s introduction and operation. The government disagrees with each of these findings according to Minister Doherty. When publishing the findings of her report, Dixon said the Department had 21 days to provide an update on how it was implementing the finding that it was no longer lawful to require a PSC for services other than welfare. On Sept 5 the 21 days had expired.
Minister for Employment Affairs and Social Protection Regina Doherty has said her department will not comply with any of the directions from the Data Protection Commissioner (DPC) on its Public Services Card project. “We won’t be complying with any of the instructions with regard to the findings or the instructions in the letter,” the Minister told RTÉ Radio.(https://www.irishtimes.com/news/ireland/irish-news/government-will-not-comply-with-findings-on-public-services-card-1.4021397)
The Government believes that it would be potentially unlawful to withdraw or modify the PSC. A statement confirmed that its intention is to continue to operate the PSC and the Safe 2 identity authentication process on which it is based. Despite the controversies, the PSC remains popular, with 96 percent of those surveyed saying they were either very satisfied or fairly satisfied with the process. (Irish Times, Sept 17, 2019)
The reactions to the Government ‘daring’ to challenge the findings of the DPC have been surprising. Most data protection consultants would agree that the PSC has a lawful basis, but only in relation to its use for welfare related services through the DEASP. We have previously highlighted as unlawful any demand for the card in relation to other services unrelated to DEASP, such as passport, driving licence and more. Agree or disagree, the Government, just like a private citizen, has the right to appeal findings or a decision of the DPC. To deny or question this is to deny or question a basic tenet of the rule of law: access to justice and judicial review. GDPR will always be interpreted in light of the European Charter Of Fundamental Rights and in this instance Art. 47 is the most applicable. The independence of the DPC does not mean it “cannot be subject to control or monitoring mechanisms…or to judicial review” ( Recital 118, GDPR).
Some of the groups foremost in the criticism are groups whose mission embodies supporting the rule of law. e.g. The Irish Council for Civil Liberties, but the ICCL has been opposed to the PSC from the start. Its opposition to it has been based more on ideology than on law. “This card unfairly targets economically marginalised people who depend on the State for their welfare payments. It also works in a gendered way, being a requirement for mothers collecting child benefit. Though the DPC report did not focus on these issues, ICCL believes that the structural inequality inherent in the card may well render it illegal”. (See ICCL website)
The DPC did not focus on ‘these issues’ for good reason: they are completely tangential. Opposition to the proposed body cameras, to be used by the Gardai has also been voiced by the council. Again, this seems more ideologically driven, than legally focused. In a recent journal.ie poll, over 90% of respondents had no privacy or data protection concerns about the use of body cameras by Gardai.
The DPC has never claimed to be infallible. Previous cases such as the Shatter case and the original Schrems case prove it is not. Indeed, neither has any court claimed to be infallible. A superior court overturning a lower court decision is not out of the ordinary. It is simplistic to say the lower court ‘got it wrong’ (but courts do ‘err in law’). In the majority of cases, there is at least some substantive legal validity in differing court opinions. Higher courts may overrule lower courts, but when appeals are all exhausted it has to come down to the decision of that final court. Ideally, the final decision is one that meets the highest threshold of justice and equity. Justice must be done and seen to be done.
In the context of the Government appealing the findings of the DPC, there may have been a rush to comment. At this stage, the DPC has not yet made an Enforcement Order. The chief civil servant in charge of the controversial Public Services Card project has said that his department would not be challenging findings of illegality against the card unless it was “absolutely sure that a challenge was not only appropriate but necessary”. Appearing before the Dáil Public Accounts Committee – ostensibly to discuss his department’s most recently published accounts – secretary-general of the Department of Employment Affairs and Social Protection John McKeon wouldn’t be drawn on whether or not that challenge would serve to “undermine” the office of the Data Protection Commissioner, which operates as an independent state regulator.
Again, just because the DPC operates as an independent state regulator does not mean its decisions are above legal challenge by the Government. We can question the basis of any appeal if and when it arises, but we can not question the right to appeal itself. Graham Doyle, the DPC’s Head of Communications, told TheJournal.ie that the Commission has declined the Department of Employment Affairs and Social Protection’s (DEASP) request for a meeting and plans to proceed with enforcement action. “I can confirm that we have this evening responded to the Department and have declined their request for a meeting. (https://www.thejournal.ie/data-protection-commission-psc-4797429-Sep2019/ )
We await a decision on any enforcement action to be taken by the DPC. In an upcoming blog, we will look at the architecture of enforcement actions under the GDPR and Data Protection Act 2018, with an in-depth look at the appeal processes available.
Patrick Rowland, GDPRXpert.
We are GDPR and Data Protection Consultants, with bases in Carlow/ Kilkenny and Mayo, offering a nationwide service.
For more details visit www.gdprxpert.ie