After 15 years, the Irish Council for Civil Liberties (ICCL) partially welcomes the Data Protection Commission’s (DPC) findings today that collection of facial (biometric) data for the Public Services Card (PSC) is unlawful. However, the decision is more than a decade late and inadequate.
The decision vindicates the actions taken by ICCL and Digital Rights Ireland against the Department of Employment and Social Protection (DEASP). The Government had previously claimed that the facial records were not biometric data. Today, the DPC found that the Department unlawfully collected facial records (biometric data) from 70% of the population of Ireland over 15 years.
In addition, the Department failed to tell people why it was collecting their facial records and whether it was legal. Confirming our position for over a decade and a half about the poor data protection standards of the PSC project, the DPC today confirmed ICCL’s previous reporting that the Department failed to conduct a proper Data Protection Impact Assessment.
However, the DPC has failed to take decisive action today. Instead, it has fined the DEASP €550,000 and ordered it to stop processing the biometric data within 9 months if it cannot identify a valid lawful basis.
After 15 years this is not enough. ICCL insists on the immediate deletion of the illegal facial data database. The Department and the DPC must also explain to the Oireachtas and the public how this system was permitted to operate unlawfully for so long.
Executive Director of ICCL Joe O’Brien said:
“For many years, ICCL and our colleagues at Digital Rights Ireland have argued that the PSC’s mandatory use of facial recognition technology is unlawful.
“This is a partial win for the privacy and data protection rights of people living in Ireland. It confirms what we have advocated for, for many years – that the Public Services Card, which was estimated to have cost the State €100 million, trespassed upon human rights and infringed EU and Irish law.
“The DPC decision is over a decade late and does not go far enough. The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people’s biometric data must be deleted.”
Olga Cronin, Senior Policy Officer at ICCL, said:
“The Department unlawfully forced vulnerable people to give it their biometric data before it would help them. It demanded data from people who needed its help to put food on the table. We should not have to trade our biometric data to access essential services to which we are already legally entitled”.
Today’s announcement also vindicates the decisions of many individuals who personally suffered after they took a stance against the unlawful collection of their biometric data and refused to hand it over. This included a woman who was denied a pension, a teacher who was denied benefits after breaking her ankle, and a firefighter who was denied a passport.
Today’s findings follow an earlier decision by the DPC that public sector bodies, other than the DEASP, could not make the PSC a precondition of accessing public services. Alternative means to provide proof of identity must be accepted and those alternatives may be online or offline.
Note to editors
The DPC’s findings are that the Department
- Unlawfully collected facial records (biometric data) from 70% of the population of Ireland over 15 years
- Held those data unlawfully
- Failed to tell Public Services Card users why it was collecting their facial records, or to show whether it was legal
- Failed to carry out an adequate Data Protection Impact Assessment by failing to assess the necessity and proportionality of the facial data collection and failing to assess the risks to the rights and freedoms of PSC users