The Data Protection Commission (DPC) has ruled that the government broke EU law in the way that it used facial recognition technology in the registration process for Public Services Cards.
The Department for Social Protection’s SAFE2 registration process is mandatory for anyone applying for a card. The Public Services Card is essential for accessing a range of services including state benefits.
After an investigation stretching back four years, the Data Protection Commission has now ordered the department to cease processing biometric data and pay a fine of more than half a million Euro.
The DPC says the government’s system failed to “identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration”
In doing so, the Department for Social Protection broke GDPR – EU data protection law.
“The facial matching technology used by the DSP involves the creation of biometric data relating to a very substantial proportion of the population. The scale and intrusive nature of the processing requires precise legal justification. In such circumstances, it is established European case law that legislation which is precise and foreseeable is necessary to ensure protection against arbitrary interferences with the rights of individuals”, the Data Protection Commission says.
“The rollout of Safe 2 registration has resulted in the ongoing collection, storage and processing of highly sensitive personal data, including biometric data consisting of facial templates, on a large scale by the DSP. Under the GDPR, biometric data is categorised as special category data to which higher protections and safeguards must be applied. In 2021, the DSP held biometric facial templates relating to 70 percent of the population of the State.”
Whilst the DPC did not find fault with the system, including no suggestion that there have been any data breaches, the DPC believes the department failed to present a sufficient legal basis for collecting large amounts of personal data.
In response to the conclusions of the DPC, the Department of Social Protection said in a statement:
“The Department believes that it has a valid legal basis and that it does satisfy the requirements of transparency required to operate the SAFE process, including the biometric processing element. We note that the DPC decision does not find that there is no legal provision but that the legal provision that exists is not, in its view, clear and precise enough to satisfy the requirements of the GDPR.
However, we will carefully consider the DPC decision report, in conjunction with colleagues in the Attorney General’s Office with a view to determining an appropriate response within the nine-month timeframe provided for in the decision. Depending on the outcome of this consideration, this may involve appealing any enforcement notice and/or working to rectify the issues as perceived by the DPC.
In the meantime, we note that the decision allows the Department nine months to identify a valid legal basis and therefore has no immediate implications for users of the PSC or MyGovID or anyone wishing to, register for or avail of, these services in the next nine months.
We also note that the DPC did not find any evidence of inadequate technical and organisational security measures and that there are no examples of any person suffering damage or loss as a result of SAFE registration. On the contrary the SAFE process has directly led to a reduction in identity fraud and delivered very significant security and customer service benefits to the millions of people who use the services every day.
In that context the Department will give careful consideration to the DPC report and is committed, in the interest of service providers and users, and taking due account of the DPC findings, to assuring the continued availability of the SAFE process including the biometric processing element.
Pending the full consideration of the DPC decision and the receipt of Attorney General advices the Department will be making no further comment.”