Mick Wallace (Wexford, Independent) | Oireachtas source

I move amendment No. 4:

In page 10, between lines 21 and 22, to insert the following:“(6) A specified body may not make presentation of a public services card or access to a person’s public service identity the exclusive basis by which a person may verify their identity in order to conduct a transaction or access a service.”.

I want to say a few words on the amendment, so I can resubmit it and speak on it in the Chamber. I want to acknowledge the huge amount of work done by Senator Higgins and her efforts to improve the Bill. I acknowledged on Second Stage that the Minister and his Department engaged with Senator Higgins and either accepted many of her amendments or came back with Government amendments to improve the Bill. There are still a lot of issues with the Bill as passed by the Seanad and our amendments seek to address these issues.

Many of the Minister amendments today seem to seek to row back on the amendments he accepted in the Seanad. The problems with the Bill that our amendments try to address mostly relate to how our Bill, particularly in section 7, interacts with the Social Welfare (Consolidation) Act 2005. The Minister of State, when summing up on Second Stage, dismissed our arguments in relation to this Act but this Bill will, whether the Minister of State admits it or not, consolidates the State's prolonged attempt to coerce the citizens to agree to large scale processing of their data - the Government's attempt to finally provide a legal basis for this kind of data processing. A number of times during the Seanad debate the Minister openly admitted that the Bill was an attempt to provide a legal basis for something that was already happening. He openly admitted that the kind of large scale processing of personal data that the State has been engaged in for many years is, basically, still illegal. The GDPR, however, will still make this type of coerced consent illegal even if the Government passes this Bill without our amendments and the State will still be open to considerable fines for violation of the GDPR.

Prior to the GDPR, EU Directive 95/46 made coerced consent, illegal and the law around consent has been strengthened further with GDPR. Article 4(11) of the GDPR clearly sets out one of the requirements of valid consent in that it must be "freely given". The Article 29 Working Party published guidelines on consent in November 2017 to guide people in relation to the consent requirements in GDPR. It states: "[A]s a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid." The data subject must, therefore, have control over his or her personal data and must not be coerced into consenting. Withholding a pension payment from an elderly woman for 18 months because she refused to register for a public services card is clearly coerced consent and a form of State coercion. Withholding basic State services from people because they object to the "once-only" principle and large scale, ad hocdata sharing, is coerced consent.

I hear many people say they have nothing to hide and they do not care who has access to their data, so why should we be worried about this. We would argue they are missing the point. The Minister and many others will say that the administration of public services needs to be efficient. I totally agree with that. However, there is a basic legal and human right to privacy, for example, in the EU Charter of Human Rights, and even if people do not really care about this right or say they have nothing to hide, it still exists. We cannot be selective in how we respect and observe basic human rights. The State should not act illegally, and we should not tolerate the State wilfully and openly acting illegally, even if we do not specifically put much pass on data privacy. We should not tolerate State coercion, in any forms.

When explaining his decision to refuse Senator Higgins’s same amendment in the Seanad, the Minister explained his decision by saying that he could not accept amendments that would be in direct conflict with provisions relating to the public services card set out in existing legislation, referring to the Social Welfare Consolidation Act 2005. However, amendments Nos. 4 and 7 are not in conflict with the Social Welfare Consolidation Act.

This Bill interacts in a hugely significant way with the Social Welfare Consolidation Act 2005. Section 247C of the Social Welfare Consolidation Act, as amended, states that the Minister may require any person receiving a benefit to satisfy the Minister as to his or her identity. This, of course, is a completely reasonable requirement. Section 247C(3) of the Act specifies the manner in which the Minister of State may be satisfied. It essentially describes the Standard Authentication Framework Environment 2, SAFE 2, verification process for registering a person’s identity. The problem we have with what the State is trying to do here, however, is that the aim of the public services card and the SAFE 2 process is not just verification. The aim is to coerce consent to data sharing and to enable the creation of a massive database of citizens’ data, otherwise known as the single customer view.

However, section 247C(3) of the Social Welfare Consolidation Act does not state that the purpose of going through the verification process, or SAFE 2, is to have one's data entered into a national database or that one's data will be shared with 150 other public, specified bodies. Section 247C(1) also makes it clear that the purpose of the verification process described is "to satisfy the Minister as to his or her identity". Once the person’s identity has been verified and once the Minister is satisfied as to the person’s identity, there is absolutely no legal basis for any more processing of that person’s data, unless one has obtained that person’s consent. This Bill is the Government’s way to establish this legal basis.

The point of our amendments Nos. 4, 7 and 16 is provide a solution to this practice of coercing consent, so that a person does not have to register for a public services card or agree to the processing of their public service identity dataset to access basic services. There has to be an alternative.

As I said, we do not have a problem with the SAFE 2 verification process per se. Verification of identity is obviously essential. However, the State has, with the public services card, created a bizarre situation where verification of identity leads inevitably to large scale sharing of personal data. We either need to separate the two, verification of identity and large scale data processing, or we need to provide an alternative to the public services card as a processing of verification.

Amendment No. 5 proposes to use the definition of data sharing provided by Digital Rights Ireland and Castlebridge Associates in their joint submission on the proposals for the Bill. One of the bigger problems with the Bill, as initiated, was that it failed to distinguish whether the sharing to which it referred was a case by case exchange of data for a specific purpose, or the creation of large scale databases like the single customer view with no specific purpose. The Minister introduced a Government amendment on Report Stage in the Seanad that I acknowledge went some way towards addressing the lack of specificity in terms of an understanding of what constitutes data sharing. Section 19 of the Bill, which states what a data sharing agreement shall contain, now states that the agreement must specify whether the information being shared relates to individual data subjects or classes of data subjects, and whether the sharing will be on a once-off or an ongoing basis.