The Data Protection Commission (DPC) has fined the Department of Social Protection (DSP) €550,000 for breaches of privacy rules relating to the use of facial recognition technology in the registration process for the Public Services Card.
A DPC investigation found breaches of the General Data Protection Regulation (GDPR) relating to failures to identify a valid lawful basis for the collection of biometric data, the retention of biometric data collected, and failures to put in place suitably transparent information to data subjects.
The investigation, which commenced in July 2021, focussed on the processing of biometric facial templates, and usage of associated facial matching technologies, as part of the registration process for the Public Services Card, a process known as “SAFE 2 registration”.
As well as a reprimand and the €550,000 fine, the DPC has issued an order requiring the Department of Social Protection to cease the processing of biometric data in connection with SAFE 2 registration within nine months of the decision if the department cannot identify a valid lawful basis.
The DPC’s decision was made by Data Protection Commissioner Dale Sunderland and was notified to the Department of Social Protection this week.
“It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle,” said Graham Doyle, Deputy Commissioner, DPC.
“The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry,” he said.
“This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard,” Mr Doyle said.
The Department of Social Protection said it believes that it has a valid legal basis and that it does satisfy the requirements of transparency required to operate the SAFE process, including the biometric processing element.
“We note that the DPC decision does not find that there is no legal provision but that the legal provision that exists is not, in its view, clear and precise enough to satisfy the requirements of the GDPR,” a department spokesperson said.
“However, we will carefully consider the DPC decision report, in conjunction with colleagues in the Attorney General’s Office with a view to determining an appropriate response within the nine-month timeframe provided for in the decision,” it stated.
“Depending on the outcome of this consideration, this may involve appealing any enforcement notice and/or working to rectify the issues as perceived by the DPC,” the department said.
The department added that as it has been given nine months to address the issue, there are no immediate implications for users of the Public Services Card or MyGovID or anyone wishing to, register for or avail of, these services in the next nine months.
“We also note that the DPC did not find any evidence of inadequate technical and organisational security measures and that there are no examples of any person suffering damage or loss as a result of SAFE registration,” the department spokesperson said.
“On the contrary the SAFE process has directly led to a reduction in identity fraud and delivered very significant security and customer service benefits to the millions of people who use the services every day,” they added.
This inquiry followed on from a separate investigation previously carried out by the DPC into certain aspects of the DSP’s processing of personal data in connection with the issuing of Public Services Cards, which concluded in 2019.
The DSP initially brought legal proceedings against the decision of the DPC in that inquiry by way of an appeal to the Circuit Court.
That appeal was ultimately withdrawn and a joint agreement between the DPC and the DSP, as well as the final investigation report from that inquiry, were published in December 2021.
That final investigation report stated that processing of personal data, including biometric data, by the DSP in respect of SAFE 2 registration was to be addressed separately by the DPC.
We need your consent to load this rte-player contentWe use rte-player to manage extra content that can set cookies on your device and collect data about your activity. Please review their details and accept them to load the content.Manage Preferences
Today’s decision is the culmination of that separate inquiry process.
The Irish Council for Civil Liberties (ICCL) said it partially welcomed the DPC’s decision but claimed it is more than a decade late and inadequate.
“For many years, ICCL and our colleagues at Digital Rights Ireland, have argued that the Public Service Card’s mandatory use of facial recognition technology is unlawful,” said Executive Director of ICCL Joe O’Brien.
“This is a partial win for the privacy and data protection rights of people living in Ireland. It confirms what we have advocated for, for many years – that the Public Services Card, which was estimated to have cost the State €100 million, trespassed upon human rights and infringed EU and Irish law.”
“This illegal database of millions of Irish people’s biometric data must be deleted,” Mr O’Brien said.
