Mick Wallace (Wexford, Independent) | Oireachtas source

One could be forgiven for suspecting that the Government and some Departments simply either do not understand privacy and data protection issues or choose to ignore them.

I say this because some things the State has been up to for the last years in the knowledge that the GDPR is on its way, including the public services card, PSC, the single customer view, CCTV schemes and the Health Identifiers Act, have been extremely surprising. I will address a remarkable statement made by the Minister in the Seanad on Committee Stage about proportionality. The Minister claimed we cannot have references to proportionality in the Bill because it would make certain schemes already in place and operational illegal. That is a remarkable statement. Necessity and proportionality is already the law in Ireland in this context and the Minister's statement suggests that the Government wants to continue to ignore the huge problems with schemes like the public services card and certain CCTV schemes after the GDPR comes into force and that the Data Protection Bill is an attempt to carve out exemptions to the GDPR rather than honour its terms and spirit.

Article 4 of the GDPR defines consent. Consent must be freely given and cannot be coerced. Recital 42 of the GDPR gives us further guidance on how we should interpret this definition of consent. It says "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." Withholding a pension payment from an elderly woman for 18 months because she refused to register for a public services card is a form of State coercion. Forcing people to get a PSC to get a passport or driving licence is forced, coerced consent. Coerced consent has never been legal but surely in the light of the GDPR and its own Data Protection Bill, the Government will be obliged to act on one of the biggest data sharing projects in the history of the State, namely, the single customer view and the related public services card.

I obtained correspondence between the Office of the Data Protection Commissioner and the Department of Employment Affairs and Social Protection about the PSC a few months ago, under freedom of information, FOI, provisions. The assistant data protection commissioner wrote to the then Department of Social Protection in August 2017 about a data sharing agreement between the Department of Social Protection and the Road Safety Authority, RSA. The assistant commissioner's email asked if the Department would confirm that no processing of personal data has taken place to date, that is, data shared by the Road Safety Authority to the Department of Social Protection and matched to the Department's record to identify individuals who do not have a PSC but are SAFE authenticated. The assistant commissioner is referring to the fact that in August 2017, the Department of Social Protection started to invite people who had obtained a driving licence to complete SAFE 2 registration by post and get a public services card. More specifically, since August last year, the RSA has been sharing personal data with the Department of Employment Affairs and Social Protection without the consent of the data subjects. In other words, the Department gets the names, addresses etc. from the RSA in order that it can then contact these people but without any consent being given to the RSA by its customers to share these data. The assistant commissioner's email indicates that he had serious reservations about this. In response to questions I submitted to the Minister for Employment Affairs and Social Protection, she claims that legal basis for this data sharing is provided in the Social Welfare Consolidation Act 2005. The Minister in this case is either ignoring or simply does not understand the 2015 Bara judgment by the European Court of Justice.

However, even leaving the Bara judgment aside, it is very hard to understand why the Government has continued to plough ahead with this kind of data-sharing when it surely knows the GDPR prohibits it. These concerns are clearly reflected in the assistant commissioner's correspondence to the Department. He sent two emails to the same high-ranking official in the Department of Social Protection on 31 August 2017. The FOI documents received by my office worryingly do not contain any replies to his questions. His second email stated that he sought confirmation as to whether this was a consultation of a proposed data-sharing arrangement or whether the arrangement already was operational, and that the status of the data-sharing project was important and potentially would affect how the Office of the Data Protection Commissioner would manage its engagement with the Department of Employment Affairs and Social Protection. We know from these FOI emails that the Department told the Office of the Data Protection Commissioner in July 2017 that the Department would write to those whose data it received from the RSA, asking for their consent to use these data to update the Department's records and to complete the registration process for a PSC. The phrase "provide their consent" is bolded in the email, indicating that the Department has some understanding of the importance of consent with regard to data-sharing. Yet the Department completely fails to understand the problem of the RSA sharing data with the Department of Employment Affairs and Social Protection without the RSA's own clients' consent, even though the assistant commissioner clearly flagged this issue in emails in August 2017. The Data Protection Commissioner has since opened and indeed extended a near-unprecedented formal section 10 investigation into the public services card. To not at the very least pause or suspend the expansion of the PSC and single customer view pending this investigation and the introduction of the GDPR is madness. The State is likely to face enormous fines and compensation payments relating to the PSC under the GDPR.

Section 31(d) of the Garda Síochána (Policing Authority and Miscellaneous Provisions) Act bestows responsibility to publish guidelines in respect of CCTV cameras on the Policing Authority. I wrote to the Policing Authority this month about the use of automated numberplate recognition and facial recognition cameras as part of the Department of Justice and Equality's community-based CCTV grant aid scheme. The Policing Authority confirmed that, rather strangely, the authority has not yet issued any guidelines under section 38 of the Act and that neither had the Department issued guidelines before the authority was established. The Policing Authority also stated in its reply to me that the authority has no role relating to the technical specifications of the CCTV camera. Neither the Minister nor the authority seem to have any responsibility for this. Section 2 of the existing Data Protection Act requires that data are "adequate, relevant and not excessive" for the purpose for which they are collected. In other words, data collected should be proportionate. I do not dispute that CCTV can be useful in detecting and preventing crime and antisocial behaviour and I understand why rural communities in particular might feel safe with them in place. However, CCTV systems must be able to pass a proportionality test as otherwise, they simply amount to surveillance and are fundamentally illegal. According to the guidelines issued by the Data Protection Commissioner, under the principle of proportionality, the Office of the Data Protection Commissioner would expect that a data controller would have carried out detailed assessments as to how the use of CCTV would meet proportionality requirements, including carrying out a privacy impact assessment. Privacy impact assessments will be a legal necessity under the GDPR.

I submitted an FOI request recently to Limerick City and County Council, looking for the council's privacy impact assessment for its CCTV scheme, funded by the Department of Justice and Equality, as part of the community-based CCTV scheme. CCTV camera installations, including automated numberplate and facial recognition cameras, began in Limerick in November last year and the CCTV scheme is due to go live by the end of this month. My FOI request was refused only two weeks ago on the basis that the privacy impact assessment was not yet finalised and was still in draft form. Publicly available information on the Limerick scheme shows proposals for what is known as deep learning and artificial intelligence to be overlaid on a network of cameras that count footfall, keep a record of the registration of every passing car 24 hours a day, and can recognise faces and patterns. Section 38 of the Garda Síochána Act clearly specifies that CCTV schemes should only be authorised for securing public order and safety in public places, yet Limerick City and County Council has publicly stated that its scheme will go much further than that. The Limerick solicitor and digital rights expert, Rossa McMahon, has said of the scheme, "It is not an exaggeration to say that the Council is installing technology used by authoritarian police states like China." The council tendered for the scheme over a year ago and has already bought numerous high-specification cameras and related equipment for 14 locations in the county. The GDPR dictates that data protection safeguards must be designed into products and services from the earliest stage of development.

Limerick City and County Council's privacy impact assessment now can only be a box-ticking exercise and in that sense will be utterly pointless. This is a €500,000 scheme and sets a dangerous precedent on disregard for proportionality with regard to data sharing. As I mentioned already, the Minister claimed in the Seanad debate on this Bill that we cannot have references to proportionality in the Bill because it would make certain schemes already in place and operational illegal. It is hard not to conclude that the Minister wants to continue to turn a blind eye to already existing problems and to use the Bill to undermine the rights of data subjects under the GDPR.

See this speech in context