State must justify introduction of public services card
Card project will fail unless mass harvesting of personal data conforms to EU privacy laws
The public services card, introduced as a means of combating welfare fraud, has turned into the standard identity verification scheme to be used to access all public services in Ireland. Through the card registration process, detailed personal information is collected from millions of people resident in Ireland and stored and shared among at least 120 public-sector bodies.
During the registration process a photo of each cardholder is taken in a format that allows automatic software verification that the presenter is who they say they are. It appears that the card framework provides for the collection of further information including PPSN, date of birth, fingerprint and iris scans. It also seems likely that use of the card will expand beyond public services into the private sphere and that legislation will be passed to make failure to produce the card to a member of An Garda Síochána a criminal offence.
A remarkable feature of the public services card project and the systematic collection of vast amounts of personal data on virtually the entire population is that it has been introduced by stealth without any significant public consultation or debate. Government Ministers are now struggling to justify the rationale for the project and to explain why public services are being denied to individuals for refusing to register for a card that is supposedly not mandatory.
Spurred by data-protection and privacy concerns, the Data Protection Commissioner has intervened, calling on the Department of Social Protection to set out in detail the factual description of the public services card, how personal data will be processed and shared, and the specific legal basis for it.
So how can the processing of large amounts of personal data be legally justified?
The starting point is that the European Union places a high value on fundamental rights to data protection and privacy. Any processing of personal data is seen as a limitation on these rights no matter whether the information concerned is sensitive or whether individuals have been inconvenienced in any way.
While the rights to data protection and privacy are not absolute, they may be limited only in certain circumstances according to article 52 of the EU Charter of Fundamental Rights. If we assume that the public services card is provided for under Irish law and that the interference with fundamental rights is not so severe as to entirely prevent individuals exercising their rights, then, to be legally justified, the framework for the card must satisfy three strict criteria.
First, the processing of personal data must meet an objective of general interest recognised by EU law. The objective of general interest provides the background against which the appropriateness of the card is measured and requires a detailed factual analysis as well as objective scientific evidence demonstrating the problem to be addressed and the importance to society that this problem be solved. The extent to which there is a logical link between the card and the stated objective is crucial to understanding whether it is legal or not.
Second, the necessity of the card must be demonstrated. Rather than some form of abstract legal test, necessity is a fact-based inquiry as to the direct link between the card and the problem to be solved by it. From a privacy perspective, the card must demonstrably be the least intrusive way of solving the problem that it is designed to address.
Each particular aspect of the card is subject to this test. For example, the card may be necessary to combat welfare fraud, but this in and of itself does not make it necessary for some other purpose, such as obtaining a driving licence. Each use case requires a separate justification.
Third and finally, if the card is considered necessary, it must also be proportionate to its aims. In other words, a balance needs to be struck between the card and the intended aim or result to be achieved. If necessary, safeguards must be introduced to reduce the risk to individuals.
The bottom line is that the State cannot simply introduce measures such as the public services card which process the personal data of the entire population without demonstrating that it is necessary to meet a recognised public interest objective, and that it is a necessary and proportionate measure when all the facts are taken into account.
There is a growing list of measures that have been overturned by the European courts on privacy grounds including the retention of bulk telecommunications data, the US Safe Harbour programme and the exchange of air passenger details with Canada.
Unless the State can demonstrate that all aspects of the public services card are justified under EU law, it is inevitable that it will join this list.
Fred Logue is a partner at FP Logue Solicitors