A digital rights advocacy body is to bring the country’s first “mass action” against the State regarding alleged infringements of the EU’s General Data Protection Regulation (GDPR) in the case of the Public Services Card (PSC).
Digital Rights Ireland (DRI) has launched its #no2psc campaign, which will see the group make a complaint to the Data Protection Commissioner on behalf of citizens that cardholders’ rights have been breached en masse under GDPR.
GDPR, which came into effect in May 2018, . The regulation gives data watchdogs far much increased powers in terms of enforcing data protection law.
Government bodies in Ireland here are liable for fines of €1m apiece should they be found to have breached EU data protection law.
While class action lawsuits can not be taken as part of the Irish legal framework, Article 80 of GDPR allows for multiple citizens to engage a not-for-profit organisation to represent their interests in the public interest for the first time.
“It’s not correct to call it a class action, as we have not sought to be certified to represent a group; it’s more like a multiparty action,” DRI director Antoin Ó Lachtnain told the Irish Examiner.
So if our case is closed that doesn’t mean that other people’s cases are closed. We would call it a mass action.
In order to sign up for the action, people who either have or have had a PSC can give their details, including PSC number, via DRI’s campaign portal online. They also must give their PSC number.
Data Protection Commissioner Helen Dixon recently published her long-awaited report into the PSC, which ruled that the card is unlawful when used for processing data in terms of State services other than welfare, for which the card was originally designed.
As the State has since indicated that it will challenge Commissioner HelenMs Dixon’s findings, a notice of enforcement on the part of the Data Protection Commission (DPC) is expected to issue within the next two weeks.
However, that investigation was carried out under the old Data Protection Acts, which predate GDPR, as the inquiry began prior to May 2018.
“We will go to the DPC under GDPR,” said Mr Ó Lachtnain.
“The DPC has stronger powers to ask for the processing to stop under the new regulation.”
He said that the “basic claim” of the action “is that privacy rights were violated by collecting data under the PSC and sharing it with other departments”.
Mr Ó Lachtnain added that the action is planned for escalation “very quickly”, with DRI chair TJ McIntyre saying that the body hopes to join more than 1,000 people to the action in order “to force an end to the Government’s mass abuse of personal data”.
“We will progress this next week and people can add their name even after we’ve brought the complaint,” said Mr Ó Lachtnain.
DRI confirmed that people can still access their welfare services and payments using their PSC even if they should join their name to the action.
Mr Ó Lachtnain said the issue of civil liability for the PSC project could be affected by the mass action.
“It’s certainly something that could arise in the future,” he said. “A negative finding from the DPC could have implications in terms of civil liability.”
That idea stems from the suggestion that if the State is found to have breached citizens’ rights under GDPR with the PSC, then Government departments could be liable for compensation payouts in the hundreds of millions due to 3.2m cards having been issued to date.
“The PSC has become a stealth national ID card,” Mr McIntyre said.
“More and more public bodies are demanding service users present a PSC. Using the PSC as a national ID card with no underpinning legislation or safeguards for members of the public is simply illegal.”