In other words, it has comprehensively lost them both.

What it shows more than anything, however, is that if the State is given an inch of legislative wiggle-room, it will take a mile of liberties with regard to its own citizens’ data and their rights.

In something of an open-ended decision, the commission concluded that the Department of Social Protection, the overarching owner of the 13-year-old PSC project, had infringed the rights of complainant and employment rights expert Martin McMahon in gathering and sharing
information pertaining to his use of his free travel pass PSC.

To recap the case quickly, in November 2019, Mr McMahon complained to the DPC that each time he used his PSC pass on public transport, it appeared to be recording his data. Little did he know just how much data it was recording, and what was being done with it.

It subsequently emerged that the card was being used to record times, dates, routes, length of journey, geographic location of journey, type of journey, and — most egregious of all — a unique identifying number which could be used to re-identify the holder of the pass. Not only that, said data was also being shared between the national Transport Authority( NTA) and the Department of Social Protection.

The reasons for that were reasonable — the NTA needed to be reimbursed by the department for the number of journeys being taken using the pass, given it is a welfare scheme. The sheer range of the data being collected was not reasonable however.

It is interesting to recall the context of the time. In August 2019, the DPC had concluded a two-year investigation of the card which concluded that all data which had been gathered on its then 3.2m users had to be deleted, and that mandating the use of the card for services other than that of welfare was illegal.

The decision created uproar. The department waited two weeks before taking the matter to the courts. The then minister Regina Doherty’s
oft-cited “incredibly strong” legal advice was that the department had done nothing wrong. The matter then safely sat for a further two years before the case was settled with the DPC at the 11th hour.

That settlement saw the department finally acknowledge that Irish people could not be forced to get a PSC in order to access a service like renewing a passport or a driving licence.

At the time of Mr McMahon’s complaint, however, the department was locked in a legal cold war with the DPC.

And three months after the complaint was made, the then acting-minister Ms Doherty (she had lost her seat in the February 2020 election) ordered that all of the historic data which had been sent from the NTA to the department should be deleted.

That decision was a prescient one however. In May 2020 the department recommenced receiving data from the NTA regarding the use of the free travel pass, albeit in a much diluted form.

The DPC concluded last week, after a three-year-long investigation, that Mr McMahon’s GDPR-rights had been breached both via the excessive nature of the data-gathering and the fact the department had not told him when he got his pass that his data would be shared between bodies. 

However, it also said that no penalty nor order need be applied as the department had already gotten its house in order by reducing the dataset, and because travel pass users are now informed when their card is issued that their data is being recorded and shared.

In ‘welcoming’ the DPC’s decision this week, the department noted that it had received no penalty or enforcement order for its infringements.

That doesn’t mean that the matter ends there necessarily. In its decision the DPC notes that the department could be held liable in the courts by individuals who have seen a complaint upheld and are so inclined. There is little precedent for the success of such actions however.

What is perhaps a more interesting aspect of this decision however is a question — why? Why did the department decide to gather all the
information that it did? What was its purpose? I think I know the answer to that question. It did it because it thought it could without consequence.

There are similar precedents with regard to data rights to be found across the spectrum of the public service.

One of them, the ill-fated decision to make the PSC mandatory for access to crucial State services like medical benefits and passport applications, was dreamt up by the Government in 2013 and ended with the aforementioned battle in the courts between Social Protection and the DPC.

Millions paid in legal fees for something that every single privacy law expert you could think of had said was unlawful.

Another was the decision by Limerick County Council in recent years to install hundreds of CCTV cameras around the local authority area without getting permission to do so, because, well, why not. That move led to the harshest slapdown the DPC has delivered to any State body, and a hefty fine.

Sources close to that investigation indicated at the time that Limerick had done what it did because the powers that be basically did not know what data protection is. That’s an argument that worked better 30 years ago than it does now.

You may wonder what the big deal is, sure isn’t the PSC useful in terms of accessing services, especially online? And the answer is yes, it is useful (albeit far more so in recent times than in its early years).

But there are nonetheless myriad problems with it. The chief problem is that Ireland has never effectively legislated for the PSC’s ubiquitousness, mainly given it was never initially intended when first mooted back in the 2000s for what it is now being used for. It was originally supposed to be a welfare card.

If you are going to do something complicated, do it right and do it with a view to the long-term — that’s a lesson that Ireland could truly do with
learning. As I said, there have now been two investigations into the PSC, and the State has de facto lost them both.

There is one more to come, and it concerns the biometric nature or otherwise of the PSC. Put more simply, does the photo on every PSC constitute a uniquely identifiable data point? Most people would probably answer yes to that question. Social Protection on the other hand has twisted itself into knots for the past three years in order to answer in the negative.

Biometric data is specially protected under GDPR — it cannot be processed without being legislated for, with the possibility of severe penalties.

I wouldn’t pre-empt the decision — the report was due many months ago which is rarely a good sign. But as I said, the department is now zero for two in terms of PSC investigations. And if the biometric one goes awry, it’s hard to see how the card survives.