The Gist: Not Mandatory, Not Compulsory, Not Legal

The DPC has fined the Department of Social Protection €550,000. This is the Gist.


In 2015, while at home looking after our new baby, my wife received a letter from the Department of Social Protection telling her that she needed to attend a social welfare office to be photographed for a Public Services Card or have her child benefit payment cut off.

As she did not want to drag an infant out to a government office she solved this problem the sensible way. She handed me the letter and said "Deal with that."

I then set about obliging her in her request.

Today the Data Protection Commissioner found that the Department of Social Protection

  • Infringed Articles 5(1)(a), 6(1), and 9(1) GDPR by failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration at the time of the inquiry;
  • Having regard to the preceding finding, infringed Article 5(1)(e) GDPR by retaining biometric data collected as part of SAFE 2 registration;
  • Infringed Articles 13(1)(c) and 13(2)(a) GDPR by failing to put in place suitably transparent information to data subjects as regards SAFE 2 registration; and
  • Infringed Articles 35(7)(b) and (c) GDPR by failing to include certain details in the Data Protection Impact Assessment that it carried out in relation to SAFE 2 registration.

This is on top of the DPC's earlier findings that public bodies outside the Department of Social Protection couldn't insist that people accessing services had to have a PSC card.

Today's decision unravels the last patch of sand for the government's claims that the PSC card project, and its processing of all of the cardholders' biometric facial data, had a lawful basis.

Deny, Delay... become an MEP?

This is a project which has cost over €117 million (as of 2021). At every turn the state and Ministers have engaged in Trumpian denials of facts that were as plain as day. Perhaps to solve the problem that there was no lawful basis for biometric processing of people's faces, the then Minister Regina Doherty (now an MEP) stood up and told the Dáil "We don't collect biometric data. We collect and store photographs."

Sure. But they were photographs of people's faces. We know that's what they were because every card had the biometric photograph on the front of it.

Hey, isn't that a face over there?

She went further and said her Department "does not ask for or collect biometric data from its customers such as fingerprints, retinal scans or any other items that could be listed as biometric data".

But at the same time she was saying this, the Department was changing its own references to processing biometric data in its privacy notice, an action taken on the instruction of its Secretary General when its Data Protection Officer was 'on leave'.

And it was awarding one of the PSC contracts to manufacture the PSC cards to a company called Biometric Card Services.

It was also tendering for the transfer of millions of biometric facial images, while the Minister was asserting it didn't collect biometric data.

The combination of the blunt denial of objective reality and the gross threat to the wellbeing of the people the Department is meant to serve has become the hallmark of the state's response to screwing up on data projects.

This is as though the Department of Education threatened to defund the education of 30% of primary school children because schools wouldn't hand over their data, while also asserting children's special-needs health data wasn't sensitive and wouldn't be treated as such. Mad idea. Who could imagine such a thing?

Regulator in a bottle

The DPC's decision today has a good headline position. They issued the biggest ever fine against a state body and confirmed it was illegal to process the biometric data under multiple sections of the GDPR.

But let's look at the list of actions they took on foot of that mass, population-scale illegal gathering and processing of biometric data.

(1) reprimanded the DSP,
(2) issued administrative fines totalling €550,000, and
(3) issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within 9 months of this decision if the DSP cannot identify a valid lawful basis.

So, you see number (3) there? That there is absolutely nuts. They have found the processing is illegal, after nearly a decade of the Department trying to explain why it isn't illegal.

But then they say the Department can keep illegally processing the illegally held data for another 9 months.

Sorry. On what basis can the DPC make a finding of illegal processing but also say it can keep happening?

This is turtles all the way down, where the turtles are made of comically bad decisions by state actors to keep doing or facilitating illegal things. The worst kind of turtles.

In effect, the DPC has announced 9 months of The Purge, but for your biometric data.

Here's what Digital Rights Ireland said in response:

Faced with the largest unlawful collection of sensitive biometric data Ireland has ever seen, the regulator has bottled it.

The DPC knows this biometric data processing has no lawful basis. It had to say it - at last and long after it ought to have done so.

But it just doesn't have the guts to tell the state to delete its illegal database.

And a regulator that won't regulate the state is no regulator at all.