That particular spat was more than a little unedifying, ending up in a wholesale climbdown on the part of the Department of Social Protection in December 2021. 

However, yesterday’s decision by the commission to fine the department €550,000 and order it to suspend the biometric processing of the public’s data via the card should be even more seismic.

€550,000 is five times the amount of the next-largest fine for breach of GDPR by a public body, and more than half of the maximum allowable.

Puzzling defence of the indefensible

Six years is a long time, however, and the world is a different place now.

This time round, the State may be more willing to take its punishment from its own regulator.

That in itself would be borderline farcical.

The government — former social protection minister Regina Doherty being probably the most noteworthy culprit — argued for years that the card did not carry biometric data, despite it being plainly obvious to anyone with common sense that it did — in this case, a photo used for facial matching.

Why did it do so? Because it couldn’t afford not to. 

Having stated until it was blue in the face that black was indeed white, to change tack in any way would have been legally disastrous.

Why the government of the day couldn’t just hold its hands up and admit fault in the first place, rather than spending hundreds of thousands of euro in taxpayers’ money defending the indefensible, we may never definitively know.

However, we can speculate. The card is deeply ingrained in Irish society now, but that wasn’t the case to quite the same extent in 2019.

Furthermore, back then GDPR was brand new. It was so new that the initial investigation into the public service card was carried out under Ireland’s previous Data Protection Act.

Under that act, the commission had far fewer teeth to impose fines.

GDPR is now a firmly embedded, if not universally beloved, EU policy.

Maybe in 2019 it was felt the time wasn’t right for the government to eat crow on its ambitious biometric card venture.

Range of views in data protection community

Those we polled yesterday across Ireland’s niche data protection community had different views as to whether or not the Government, in the guise of the Department of Social Protection, will go the legal route once more. One said: 

The circumstances have changed. The data protection and GDPR landscape is much clearer now than it was under the old act.

“It seems more likely than not that this is one that won’t be challenged, at least not in court.”

However, there was little consensus.

“For years, they [the department] have been shouting that there is no biometric data on the card. Now this decision from the regulator is unequivocal that there is. Can they really back down from that? Would that be in character?” a second expert asked.

DPC will defend its decision 'very robustly'

Should the Government press the nuclear button once more and appeal the decision to the courts, deciding commissioner Dale Sunderland has made it clear that “we will very robustly defend our decision”. He said: 

We are well used to this. It is a feature of our system. 

There are other puzzling aspects to yesterday’s decision, not least the sheer length of time it took.

The biometrics investigation had been set in train even before the 2019 decision, which dealt specifically with whether or not the government had the right to make the card mandatory for public services such as passport applications, yet it was only officially commenced in July of 2021.

It then took four more years to complete, during which time the card has become ever more embedded in Irish society. That is surely an inordinate amount of time to take over a key investigation concerning personal data.

“This was a complex inquiry with complex issues,” Mr Sunderland said.

“The resources these inquiries take are just extraordinary. This one took a bit of time,” he added, while allowing “it’s probably a bit longer than we would have liked”.

Digital Rights Ireland, whose initial complaint spurred the investigations back in 2017, professed itself “concerned” at the length of time it had taken to finalise the probe. A spokesperson added that the decision “leaves the Government in a very serious situation”, given it has spent “hundreds of millions of euro on an illegal public service card project”.

Mr Sunderland stressed, however, that “the important thing is that it [the investigation] is done now”.

Asked whether the world had moved on in the last six years, he said: “The principles haven’t.”