Two years ago, Privacy News Online wrote about Ireland’s plans to introduce an identity card by stealth . The Irish government pretended that its Public Services Card (PSC) was not an identity card and that its use would not be mandatory. As this blog noted back then, that clearly wasn’t true, because the PSC was indispensable for many aspects of modern life in Ireland. Moreover, there were grave doubts about the privacy safeguards for the scheme. The Irish government department at the heart of the plans for the PSC and associated database, the Department of Social Protection, suffered hundreds of privacy breaches a few years back; widespread use of the identity card would give tens of thousands of public servants and contractors ready access to highly personal data – a recipe for disaster.
Despite many warnings about the dangers, the Irish government went ahead with the PSC. And, just as predicted, it has become an identity card in all but name. Its use is more or less obligatory for certain dealings with the authorities in Ireland. For example, a woman in her 70s was unable to receive her pension for 18 months because she refused to register for a PSC. But in that time there have been important developments for those fighting against the scheme. The Irish Data Protection Commission (DPC) undertook a two-year investigation into the privacy implications of the PSC:
The PSC (and the system of registration known as SAFE 2 behind it) involves the collection, storing and processing of large amounts of personal information about nearly every person in the [Irish] State. Using that information, State agencies make thousands of decisions every day that impact in very direct and significant ways on individual members of the public, from the issuing of driver’s licences or passports, to decisions to grant or suspend payments or benefits under the social protection code, to the filing of appeals against decisions about the provision of school transport. In practical terms, a person’s capacity to access public services both offline and online is now contingent, in an ever-increasing range of contexts, on obtaining and producing a PSC.
Looking at it from a data protection perspective, it can quickly be seen that, given its scale and reach, the PSC project presents significant challenges in terms of ensuring that core data protection principles are respected in its operation.
The investigation focussed on issues such as whether Irish citizens were able to exercise meaningful control over their personal information; whether safeguards and controls had been built into the system; and whether the PSC is “consistent with applicable provisions of data protection law”. The Data Protection Commission was not impressed with what it found. It issued eight “findings”, seven of which were “adverse to positions advanced by the Irish government”. That is, the DPC has found that “there is, or has been, non-compliance with the applicable provisions of data protection law.”
There were two main elements to the “adverse” findings. One was that there was no legal basis for the PSC card to be used beyond social welfare payments. It could not, therefore, be used as a general identity card, however much the Irish government might secretly want that. Specifically, other parts of the government could not insist that applicants obtained a PSC in order to use their services – for example, in order to obtain a driving license or a passport. In addition, the Irish government’s retention of information and documents submitted when applying for a PSC broke the country’s data protection laws. As a result, the records referring to some 3.2 million applicants would all have to be deleted. Despite the clear-cut nature of the findings, the Irish government has no intention of obeying the DPC’s instructions. As the Irish Times reported:
Minister for Employment Affairs and Social Protection Regina Doherty has said her department will not comply with any of the directions from the Data Protection Commissioner (DPC) on its Public Services Card project. “We won’t be complying with any of the instructions with regard to the findings or the instructions in the letter,” the Minister told RTÉ Radio on Tuesday evening. A complicated, lengthy and costly legal process now lies ahead between the DPC and the department, which on Tuesday published the long-awaited report into the Public Services Card (PSC) project by the commissioner.
That’s not the only legal challenge the Irish government will have to fend off. Digital Rights Ireland, which describes itself as a “public advocacy organisation dedicated to defending civil, human and legal rights in a digital age”, has launched the #no2psc campaign. It builds on that fact that the DPC issued its findings and instructions under an earlier Irish privacy law, which though still effective has since been superseded by the GDPR. Now that the GDPR has come into force, it gives the Data Protection Commissioner additional powers to require the government to comply, including fines of up to one million euros. Also thanks to the GDPR, Digital Rights Ireland has the option to file a legal complaint on behalf of multiple members of the public. With the #no2psc campaign, it’s hoping to gather support from more than 1,000 Public Service Card users in order to “force an end to the government’s mass abuse of personal data”. The battle over the PSC is important. On the one side, there is a government keen to introduce an identity card by stealth, and to force its citizens to use it for key operations in their lives. That unified approach will provide the authorities with constantly updated, highly personal information about what people are doing. On the other side, there are data protection officers and privacy activists who are using legal tools to stop this data grab. Although the outcome of that tussle will only affect Ireland, it is nonetheless symptomatic of many other battles around the world as the authorities try to undermine privacy in order to increase their control.
Featured image by Ireland’s Department of Service Protection.