Evidence continues to mount that the beleaguered and ill-considered public services card (PSC) is the wannabe cross-departmental project that has become too big and too costly to fail. And for that, we will all pay – literally and figuratively.
With its decision last week to legally challenge the Data Protection Commission's (DPC) formal enforcement notice – issued in December after the department failed to comply with the regulator's damning August report on the card project – the Department of Social Protection signalled it has entered a "do or die" legal long haul over the PSC.
The Department of Social Protection, from which the card emanated, informed the Dáil's Public Accounts Committee last year that the card project had cost some €68 million by that point. But the DPC's long-awaited report found the card non-compliant with data protection and privacy considerations on seven of eight points the department had put forward in its defence during an investigation that began in 2017.
The report stated there was no legal basis for departments other than social protection to mandate service users to register for the card. The card had at various points been mandatory for people looking to avail of a range of services through other Government departments – including taking the written driver’s test, applying for citizenship, or obtaining a first passport.
The report outlined “obvious and significant deficits in terms of logic and consistency” for when the card was required. It also found a serious lack of transparency, and required changes in how the project is run. But it did allow the continued use of the PSC for services within social protection.
Notably, other departments beyond the PSC’s two most ardent advocates – social protection, and public expenditure and reform – have quietly abandoned use of the card in line with the DPC’s findings.
It is worth noting that social protection has not challenged the factual basis for the findings in the report, but only the enforcement notice that has followed months later. Wilfully or not, the department failed to bring a judicial appeal to dispute the report’s findings within the required three-month deadline.
For its own part, the DPC decided not to issue an enforcement notice until after the judicial appeal period ran out in November.
Undercutting the DPC in its most significant domestic decision would be an international own goal for the Government
Certainly, the department will have zero moral authority if it is the case that it recognised internally that it could not object to the DPC's factual findings of problems with the card and its use in ways that violate the data protection rights of Irish citizens, but wagered it might get away with a legal loophole to keep the PSC in operation.
The potential loophole is that the DPC's investigation began before the General Data Protection Regulation (GDPR) was enacted in May 2018, so a decision based on the GDPR cannot be enforced retrospectively for this particular investigation.
The department may also have calculated that it was safer appealing the enforcement order in the Circuit Court, where any decision can only be appealed to the High Court. A judicial review could have been appealed to the Supreme Court, presided over by Chief Justice Frank Clarke, who has shown expansive interest and knowledge in privacy-related cases in the past.
Either way, by taking a decision when it did, for a legal process that will rumble on for months, the department will – as well as running up a larger taxpayer bill – almost certainly kick the entire PSC issue into the long grass, where it will sit festering until after the upcoming general election. Possibly someone else’s problem, then.
If the courts ultimately side with the department purely on the basis of a legal loophole, rather than the concrete finding of facts, we can all look on the crass cynicism of the Government ministers who made this determination – contravening and ignoring the actual rights and protections that its own citizens are now afforded under EU law – and despair.
Undercutting the DPC in its most significant domestic decision to date would also be an international own goal for the Government as it argues that the DPC provides a robust, balanced, and respected regulatory regime for multinational companies. Sauce for the goose is not needed for the gander, apparently.
Ultimately, regardless of this appeal, if the public services card is a clear violation of current data protection law, as so many Irish and international data protection experts have long argued, future Irish governments will be open to all the legal challenges any citizen issued the card might care to bring under the protections of the GDPR – and payment of any consequent damages.
Because GDPR will still exist, despite the loophole that might undermine DPC enforcement of this one report.