GDPR hovers over the continuing standoff between a government department and the Data Protection Commission, writes Cianan Brennan.
You get the impression that neither side in the ongoing battle between the Department of Social Protection and the Data Protection Commission (DPC) for our data has any real clarity about where they’re currently headed.
Last Friday, the department confirmed that it has officially appealed an enforcement notice delivered by the commissioner in December regarding the findings of illegality made by the DPC against the public services card (PSC) all the way back in August.
So, four months later, we’re exactly where we presumed we would be when Finance Minister Paschal Donohoe and Social Protection Minister Regina Doherty first stated they would be challenging the DPC’s findings on September 3.
How and why has it taken us this long to get here?
We can start by considering what we know for certain, although doing so doesn’t entirely explain what is happening.
Probably the most significant thing to occur over the past four months was the decision by multiple other departments and agencies to rescind the PSC as an obligatory requirement for their services.
The other most noteworthy, if intangible, thing about the extended period of time before the DPC finally took action was the lengthy nature of that time period itself — a delay that assuredly did not go unnoticed in the corridors of power.
We can infer two things from the above.
Firstly, the Government as a whole was in no way comfortable enough with the legality of the PSC to leave it as a compulsory requirement for sundry important public services; and secondly, there were and are problems with enforcement.
What are those problems?
Well, while we’re now firmly in the era of GDPR, and have been since May 2018, the PSC probe began some timebefore that date, and was carried out under the auspices of the prior Data Protection Acts of 1988 and 2003.
This is more understandable when you remember that the whole project wasn’t supposed to take anything like as long as the two years it did. But the fact remains that the DPC’s powers, and the Government’s vulnerability, would appear to be more pronounced under the newer law.
We know that the Department of Social Protection, in a strategy that was fundamentally cynical but perhaps understandable, didn’t believe that any DPC enforcement would have ‘teeth’because its investigation was carried out under the wrong law.
“Given that the acts are no longer operative since the coming into force of the 2018 Act, the department requires clarity as to the precise legal basis for any such enforcement requirement,” John McKeon, secretary general for the Department of Social Protection, said in a letter to the DPC on September 6.
We can guess that the DPC must have struggled mightily with enforcement also, simply because it took so long. It contrasts starkly with the confidence with which the findings of the original report were presented back in August. It’s certainly not beyond the bonds of plausibility to think that the decision to enforce was made because to not do so would look bad having repeatedly vowed to match the department cut for cut.
Then you consider the manner of the State’s challenge — a straightforward appeal in the Circuit Court, as opposed to an application for judicial review in the High Court. Speaking to experts ahead of the State taking action, it was broadly expected that the latter would be more likely to succeed as a straightforward challenge to the procedures by which the DPC reached its conclusions.
However, a judicial review could also lead to the precedent of the DPC’s every decision being called into question — less than ideal given its heightened role in regulating the many big-data behemoths stationed in Ireland.
Instead, the State has opted for a straightforward legal challenge on matters of privacy law. You might imagine that’s a sign that the department was reluctant to go the judicial review route. Except that the Department of Social Protection currently has a live judicial review action (filed last July) against the DPC in motion regarding a decision it made concerning the gathering of data for child benefit provision purposes.
And from the sounds of things, that action isn’t going as well as the DPC might like.
Confused? You’re not the only one.
All we can really say for certain is that the process that’s now been set in motion is likely to take a number of years, will probably end up before a European court, and will cost the taxpayer in excess of €1m (at least). So it’s hard to see how either side is in a brilliant position.
But then you remember that the State’s appeal will comfortably extend the whole interminable saga beyond the shelf life of the current Government (and probably that of a number of senior civil servants who have been up to their neck in the PSC paddling pool for years now). From that point of view the whole shebang makes a lot more sense.
It’s important to remember one thing however. The spectre of GDPR hovers above this whole misadventure, like a big binary sword of Damocles.
Even if the DPC were to lose the PSC court challenge, the option to investigate the project under GDPR still remains. And that’s a battle the Government seems a lot less likely to win.