The decision by the Minister for Social Protection Regina Doherty and Minister for Public Expenditure Paschal Donohoe to challenge the findings of the Data Protection Commission on the legality of the beleaguered Public Services Card comes as no real surprise.
After all, the State has long-term form in bone-headedly pursuing massive data collection projects that it insists are just fine, despite threats and rulings from the regulator, and despite warnings from people who are more familiar with data protection and privacy law than Ministers, the civil service or the attorney general (numerous international experts also have criticised the cardPSC).
Ireland took such a poorly reasoned and weakly justified tack for more than a decade with its data retention practices by which the State (unlawfully and for a time secretly) required that telecommunications operators store years of Irish people's revealing communications metadata, just in case someone might commit a crime some day, reversing the democratic norm of not gathering evidence without an actual reason.
This was a story I covered for years here, and not a very sexy story either. Data retention involved explaining dullish things such as call records and technical standards, countering the deceptive official arguments that metadata was not really sensitive data at all, and its false logic that if you have nothing to hide you have nothing to fear, and trying to make intangible data understood as a source of concrete risk.
All these elements, complex and covert, make it difficult to grasp the significance of state and corporate data surveillance, benignly presented as a way of providing better services or preventing crime.
And that’s exactly what states and corporations rely on, sometimes with an exploitative agenda but equally out of genuine ignorance. Something seems like a great idea and is pursued without having anyone with the requisite skills or knowledge consider the data privacy ramifications or the legality.
Mission creep
The Public Services Card has all the hallmarks of just such a project. Initially conceived as a limited card within a single department, in recent years the project bloated into a cross-department identification card. This is a well-recognised phenomenon of attempted normalisation, called “mission creep”.
On Wednesday, the Minister, Regina Doherty told RTÉ’s Morning Ireland that while the departments had the highest respect for the regulator (cough), it would appeal its findings against the card. The departments would continue to refuse to publish the commission’s report, or the departments’ legal advice that the regulator was acting outside its legal remit. Bizarrely, she even argued that withdrawing the card from use would itself be unlawful.
Numerous data experts have challenged all these points, along with this outrageous lack of departmental transparency. Barrister and chairman of Digital Rights Ireland TJ McIntyre posted on Twitter: “This is an unprecedented situation in which a government department (and serial data protection offender) simply refuses to respect the decisions of the regulator.”
Previous data protection commissioner Billy Hawkes had highlighted serious problems and breaches in the Department of Social Welfare, and in 2010 his office explicitly warned against casually putting together three ultra-sensitive personal identifiers in such a vulnerable location.
“We would be concerned that the inclusion of a photograph, a signature and a number such as the PPSN on the cards could serve for the card to be considered to be a de facto national ID card,” a spokesman said. All three are on the current Public Services Card.
Major shift
Introduction of an identity card is a major shift in public policy that needs Dáil and civil society debate – before, not after, the fact.
The regulator’s job is to enforce EU-level data protection laws that protect citizens in crucial areas of personal privacy, against state and corporate data deception and misuse. The State’s refusal to recognise a ruling, while also failing to release the report or its legal defence to the Irish people, is state arrogance at its most disturbing.
It is equally concerning that the regulator will not itself publish the report. Numerous data protection legal experts have stated publicly that they see no legal restraint on doing so.
None of this engenders public trust, or sets a good tone for Ireland’s role as the main European regulator of big tech.
The taxpayer picks up the bill on both sides, too, because taxes ultimately will fund the departments’ challenges, and the regulator’s defence of same.
The debacle is boiling down to the exact same and sorry overreach concerns involved in the failed data retention policy: state secrecy, misdirection, denial, delay.
And where did that end up? Before the European Court of Justice, which, in a rare action, threw out the entire EU Data Retention Directive in 2014.
It seems the Public Services Card is now on that same journey to an inevitable slapdown in the courts – at all our expense.