December 12, 2021
Resolution Of Proceedings | The Cat Herder, Volume 4, Issue 48
| |
| December 12 · Issue #161 · View online |
|
|
The unexpected end of Act I of the Public Services Card saga. Other regulator news. Next week’s newsletter will be the last Cat Herder of the year and will with any luck be some kind of best / worst of collection and some reading for the holiday period. 😼
|
|
|
Howes added: “The problem with the introduction of any of these things is that it often happens without … the community being fully aware of what could be involved. There’s often function creep, where a scientific technique is introduced for one reason, and gradually starts being used for other purposes that weren’t agreed to initially.
|
How Australian police will use DNA sequencing to predict what suspects look like | Australian police and policing | The Guardian
Technology a ‘gamechanger’ for forensic science but raises privacy and racial profiling issues
|
|
|
Does this sound in any way familiar? A government department or agency strongly denying something related to data collection, centralisation, retention?
|
The ministry has strongly denied the project amounts to a centralised pregnancy register, with a spokesperson saying the changes are simply part of wide-ranging digitalisation project that will update the way data about a multitude of conditions, including allergies, is stored.
|
Poland plans to set up register of pregnancies to report miscarriages | Poland | The Guardian
Proposed register would come into effect in January, a year after near-total ban on abortion
|
|
|
|
DPC welcomes resolution of proceedings relating to the Public Services Card | 10/12/2021 | Data Protection Commission
|
Firstly, credit is due to many people and organisations in finally ensuring the Irish state (reluctantly, very reluctantly) respects the data protection rights of millions.
|
Digital Rights Ireland, the Irish Council for Civil Liberties, Pavee Point, Simon McGarr, the small number of tenacious journalists who stuck with this story over the years despite a seeming lack of interest from editors, legislators such as Senator Alice-Mary Higgins, and more all deserve acknowledgement for standing up for the data protection rights of individuals in the face of determined if frequently incoherent state opposition.
|
Rather than write a straight bit of commentary about what happened on Friday I though I’d collect a few fragments from over the years and attempt to hang a few points off those.
|
We’ll start and finish with the former minister for employment affairs and social protection Regina Doherty. Which feels appropriate. In case you were wondering, the name of this section will absolutely not be changing as a result of Friday’s events. It is far too good a phrase to give up. As noted by Daragh O Brien on Twitter, what the state should learn from this situation is that compliance with data protection law “is both mandatory AND compulsory.” |
|
|
|
|
I welcome the DPC’s agreement to accept the Department’s right to process SAFE applications for all public services and the use of MyGovIDs as the sole way to access public services online. When the original DPC report was published, there were competing legal viewpoints and we did seek to discuss and find a resolution with the Commission at that time. I am pleased to see, even this late stage, that a resolution around these differences has been reached.
|
As with many moments along the road to Friday’s full retreat by her former department, it’s impossible to tell whether this is a deliberate misrepresentation of what happened or if it is based on a genuine belief that this is an accurate representation of what happened. Remember, two years ago the legal advice the minister had received was “incredibly strong”. At one point she even ventured the opinion that her department might be breaking the law if it didn’t continue its fight with the regulator. Yet her former department abandoned its appeal on Friday on the proverbial court steps, leaving the incredibly strong legal advice unheard. |
NB: When Senator Doherty says “we did seek to discuss and find a resolution with the Commission at that time” what she is referring to is an attempt by her department to subvert the DPC’s investigative processes which was quite rightly rebuffed.
|
|
|
2. We Create Our Own Reality
|
This exchange between a senior official from the Department of Employment Affairs and Social Protection and Senator Alice-Mary Higgins during a session of the Joint Oireachtas Committee on Social Protection in February 2018 captures, in a small way, the blunt refusal to accept reality, and cause and effect, and the continuous attempts to try and bend and warp reality to conform to what the department wanted it to be.
|
Mr Tim Duggan: Deputy Brady asked about the Data Protection Commissioner and the responses to the 47 questions that she issued to the Department back in September. We produced a comprehensive guide, which is an amalgam of a number of things. It covers all of the questions the Data Protection Commissioner asked plus many of the issues that we felt were arising in the media and political coverage of the project at the time. As a consequence we put that comprehensive guide together. We furnished it to the Data Protection Commissioner in October of last year, and we have not heard whether she has any difficulty with any of the responses provided in that guide since.
Alice-Mary Higgins: Did she not initiate the investigation following the responses?
Mr Tim Duggan: She did; it was approximately one month or five weeks later.
Alice-Mary Higgins: Is that not indicative of a response?
Mr Tim Duggan: I do not accept that that was a response to the comprehensive guide being produced. She has not responded to the Department on the quality or otherwise of the responses in the comprehensive guide.
|
A gentleman by the name of Karl Rove once said -
|
We’re an empire now, and when we act, we create our own reality. And while you’re studying that reality - judiciously, as you will - we’ll act again, creating other new realities, which you can study too, and that’s how things will sort out. We’re history’s actors… and you, all of you, will be left to just study what we do.
|
|
|
|
|
|
|
|
Regina Doherty says she’ll publish all documents on the Public Services Card once her office “has finished engagements” with the DPC about it, which is within next week... says she has “exceptionally strong” legal advice saying card is being used exactly as Dermot Ahern intended
|
|
|
|
Mr Ahern retired from politics in February 2011.
|
The Taoiseach took this a bit further, suggesting that his Fine Gael-led government was merely doing the bidding of an entire Fianna Fáil of Christmases past.
|
Speaking about the report’s findings, Varadkar said: “We disagree with it. I think anyone who actually reads the law for themselves will understand why we disagree with her interpretation of it. We believe the law brought in by Fianna Fáil back in 1998 and then 2005 is robust, and adequate for it. And that’s why we’ll be able to appeal the findings. “And you know, we are a democracy. And in a democracy, anyone has the right to appeal findings they don’t agree with. And that’s all we will do.”
|
|
|
|
|
4. “I was literally tearing my hair out.”
|
I spent at least eight hours trying to read the Social Welfare Consolidation Act 2005 in order to check whether the law actually said what the grid in the appendix to the guide published by the Department of Employment Affairs and Social Protection claimed that it said. I was literally tearing my hair out. That Act, as we said in our submissions, has been amended by five different Acts, or at least, five amending Acts have been referred to by the Department. In order to try to read it, one has to go onto www.irishstatutebook.ie and find the text of the Social Welfare Consolidation Act 2005. The original 2005 Act can be seen there. Then, one must click on the list of amendments, statutory instruments etc. This leads to a list which must include more than 1,000 amendments, as there are already about 350 sections in the Act, practically all of which have been amended in some way, shape or form.
|
|
|
|
|
5. Investigation? What Investigation?
|
A feature of this saga which is common to other fine data protection messes the Irish state has gotten itself into over the years is the ability of senior officials to plough ahead with their plans regardless of any external factors. A sensible option would have been to pause expansion of the system while it was under investigation, for both legal and financial reasons. But that is preceisely the opposite of what happened.
|
SENIOR CIVIL SERVANTS within government departments were told earlier this year to look at making the PSC a potential replacement for the Medical Card. This direction in June came at a time when the government will have been aware of the draft report from the Data Protection Commissioner which found that making the PSC mandatory for anything other than welfare was illegal. The findings of this draft were reinforced with the final report completed last month and published this week. Furthermore, civil servants were also told to prepare a “detailed plan for advancing the PSC as an age card”.
|
|
|
|
|
|
|
following a public consultation in late 2014, a draft piece of primary legislation that would cover government data-sharing projects was drawn up and approved by the Government in the middle of 2015. But in October of last year, a ruling by the Court of Justice of the European Union in the Romanian case of Smaranda Bara, appeared to blow much of that plan out of the water … that should have sent the Government’s data-sharing project, driven mainly by the Department of Public Expenditure and Reform and the Department of Social Protection, back to the drawing board. The drafting of legislation is still under way. Yet a number of massive Government data-sharing projects have continued apace – almost as if the European ruling in Bara had not happened.
|
|
|
This piece provoked a reaction in the form of a letter to the editor from Robert Watt, who was at that point Secretary General of the Department of Public Expenditure and Reform. Which, it should not be forgotten, is the department primarily responsible for driving the PSC/MyGovID project. The Department of (Employment Affairs and) Social Protection was the most convenient instrument available to get entries into the biometric database.
|
It should also not be forgotten that the second part of the DPC’s initial investigation which covers the processing of biometric data and the facial recognition system used by the Department of Social Protection is still to be finalised. There is also a separate investigation into the Department of Public Expenditure and Reform.
|
|
|
The Department of Public Expenditure and Reform will continue to ensure that data-sharing only takes place in a way that fully aligns with data-protection responsibilities, that protects citizens and that contributes to the improvement of public service delivery.
|
|
|
7. It’s To Prevent Terrorism & Welfare Fraud Is Over
|
The most common reason offered up to justify the existence of the card and its underlying database was fraud prevention in the welfare system. Occasionally some public bodies attempted to use the amount of money which had already been spent on the system as a justification in itself.
|
When the state really put an effort into expanding the use of the card into areas beyond social welfare things got weird.
|
A seemingly haphazard list of services which would require a PSC was drawn up. A student grant application. A school grant appeal. Access to the Department of Agriculture’s agfood.ie portal. A school transport appeal. Passport applications and renewals.
|
This last one took us deep into the realms of reality-bending and ultimately led to the Department of Foreign Affairs refusing to accept DPER and DEASP’s assertions that a situation in which an individual had to have a Public Services Card in order to get a passport while simultaneously requiring a passport in order to get a Public Services Card made perfect sense.
|
Always on the lookout for more faces for the database, the OGCIO within DPER thought about doling out the card to institutional abuse victims. “[s]urvivors of institutional abuse at religious schools applying for redress were identified as an “opportunity” to introduce the public services card, internal government documents have revealed.” |
Public Services Cards were issued to transition year students in an attempt to make up the numbers of cards issued and avoid a penalty clause in the contract the state had with the card manufacturer. A company called Biometric Card Services manufactured the cards. This company changed its name to remove the word “biometric” when its contract was renewed. This was of course entirely coincidental and had nothing to with the minister’s insistence over a prolonged period that her department did not process biometric data. Also coincidental was the department quietly changing its data protection notice a few days after Ms. Doherty lost her Dáil seat in the 2020 general election to acknowledge that it did, in fact, process biometric data.
|
But back to fraud prevention, and terrorism. Paschal Donohoe, then the Minister for Public Expenditure and Reform, provided a brand new justification to The Irish Times in May 2017. Minister for Public Expenditure Paschal Donohoe told The Irish Times the rationale for needing the card for passport applications was “very simple”. “Given the increase in acts of terrorism over the last several years, every democratic country should be obliged to deploy the most robust means of authenticated travel across borders that it has available.”
|
Later the same year Mr Donohoe even penned an op-ed in The Irish Times which asserted the “use of the PSC has already driven fraud out of the welfare system”. Which doesn’t appear to be the case judging by the Department of Social Protection’s annual reports since then. |
The PSC / MyGovID project has spanned multiple governments and all along the line it has been marked by a parade of ministers willing to say things at the behest of their officials which do not stand up to very much scrutiny.
|
|
|
8. Now Might Be A Time For Optimism?
|
The dropping of the Department of Social Protection’s legal challenge to the DPC may indeed represent a seismic shift in the Government’s attitude to data protection, one of the key modern concerns for most western democracies
|
Firstly the Department of Social Protection has not as yet apologised to any of the people whose rights it infringed. Nor, during this entire process, does it seem to have noticed the key issue revolved around the rights of individuals. It regarded this as a fight it needed to engage in with the regulator over some abstract data which it wanted to do things with, saving face and asserting itself.
|
Secondly we need only look at the increasingly bizarre behaviour of the Department of Children in relation to fulfilling Subject Access Requests made to it for personal data contained in the archive of the Mother and Baby Homes Commission of Investigation. Last year this department conducted a bewildering u-turn after an attempt to position a piece of domestic legislation outside the established principles of EU law (primacy, necessity, proportionality and so on) and the scope of the GDPR, an EU Regulation which, like all EU Regulations, has direct effect. The Commission of Investigation (Mother and Baby Homes and certain related Matters) Records, and another Matter, Act 2020 was enacted last October. During the severely truncated debates on this Bill the mininster had insisted the GDPR did not apply to the records held in the database. Yet over a year on from that commitment we find the department’s SAR car idling at the end of a cul-de-sac with the minister refusing to engage reverse, having been directed there by a faulty GPS in the form of advice from frequent-data-protection-strugglers Tusla, who pointed the department in the direction of a Statutory Instrument dating back to the year before Italia ‘90. Why the department thought to ask Tusla for data protection advice and then accept that advice is a mystery. While the numbers of individuals affected in this instance is smaller than those affected by the PSC/MyGovID blanket data retention issue it is beyond dispute that these are the most high profile Subject Access Requests to have ever been made in this country. That the department has fumbled them and is wilfully ignoring its obligation to set aside the non-compliant domestic legislation does not indicate to me that the Irish State’s attitude to data protection is shifting at any noticeable pace.
|
|
|
9. There Is An Investigation, But It’s Not The Investigation You Think It is
|
Finally, we go once more to the former Minister for Employment Affairs and Social Protection. Until yesterday I had never seen this bizarre assertion which Regina Doherty made in the Seanad in December 2018.
|
Furthermore, the investigation the Data Protection Commissioner is undertaking is not against the Department of Employment Affairs and Social Protection. I cannot actually speak about it because she has asked me not to, but I cannot allow the Senator put on the record of this House that the Office of the Data Protection Commissioner has grave concerns with the Department of Employment Affairs and Social Protection. It does not. That will be transparent when the Data Protection Commissioner issues her report.
|
We shall presumably never hear any more about this other investigation which the then minister could not speak about as she had been sworn to secrecy by Helen Dixon.
|
The Data Protection Commission has shipped a lot of criticism in recent times, not all of it warranted or well-founded, some of it unnecessarily histrionic. This is a significant achievement for the DPC in compelling an intransigent public sector data controller to abide by the law.
|
We’ll leave it there for now with the Public Services Card. A peculiar and far from finished tale. A years-long attempt to flex state power with no legal underpinning. A years-long attempt to ignore the rights of millions and the supervisory authority responsible for overseeing the vindication of those rights.
|
|
|
Nope. But no doubt our own CyberCzar will suggest similar once they’re installed.
|
|
|
|
The esafety commissioner's office suggests there are ways tech companies can estimate users' ages without collecting personal info. Hmmm. https://t.co/G24nNfeusB
|
|
|
|
|
|
|
|
Some MEPs wrote a letter to Didier Reynders and Helen McEntee about this. |
|
|
Feedback on the DPC draft decision provided by the Norwegian Datatilsynet as part of the Article 60 process somehow morphed into a letter. |
Tobias Judin, the Datatilsynet’s Head of International posted a message on his LinkedIn page which begins “Cat’s out of the bag: We firmly disagree with a legal interpretation made by the Data Protection Commission Ireland. However strongly we may feel, this is nonetheless still a professional disagreement between colleagues. Over the last few days, the integrity of Irish colleagues has unfortunately been called into question. I want to speak out against this.” |
|
|
The DPC announced it had “submitted a draft decision in an inquiry into Instagram to other Concerned Supervisory Authorities across the EU on Friday last, December 3rd.” |
|
|
“One of the five directors at Belgium’s Data Protection Authority (GBA) is resigning amid questioning from the European Commission, citing the same “lack of independence” that the Commission also lists among its top concerns”, the Brussels Times reported during the week. |
|
|
The Dutch DPA “imposed a €2.75 million fine on the Dutch Tax Administration. The fine was imposed because for many years the Tax Administration processed data on the (dual) nationality of childcare benefit applicants in an unlawful, discriminatory and therefore improper manner. This constituted serious violations of the General Data Protection Regulation (GDPR)”. |
|
|
|
|
|
|
|
|
If you know someone who might enjoy this newsletter do please forward it on to them.
|
|
Did you enjoy this issue?
|
|
|
|
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
|
|
|
|
Privacy Kit, Made with 💚 in Dublin, Ireland
|
|
|
The unexpected end of Act I of the Public Services Card saga. Other regulator news. Next week’s newsletter will be the last Cat Herder of the year and will with any luck be some kind of best / worst of collection and some reading for the holiday period.
😼
Technology a ‘gamechanger’ for forensic science but raises privacy and racial profiling issues
—
Does this sound in any way familiar? A government department or agency strongly denying something related to data collection, centralisation, retention?
Proposed register would come into effect in January, a year after near-total ban on abortion
Firstly, credit is due to many people and organisations in finally ensuring the Irish state (reluctantly, very reluctantly) respects the data protection rights of millions.
Digital Rights Ireland, the Irish Council for Civil Liberties, Pavee Point, Simon McGarr, the small number of tenacious journalists who stuck with this story over the years despite a seeming lack of interest from editors, legislators such as Senator Alice-Mary Higgins, and more all deserve acknowledgement for standing up for the data protection rights of individuals in the face of determined if frequently incoherent state opposition.
Rather than write a straight bit of commentary about what happened on Friday I though I’d collect a few fragments from over the years and attempt to hang a few points off those.
We’ll start and finish with the former minister for employment affairs and social protection Regina Doherty. Which feels appropriate. In case you were wondering, the name of this section will absolutely not be changing as a result of Friday’s events. It is far too good a phrase to give up. As noted by Daragh O Brien on Twitter, what the state should learn from this situation is that compliance with data protection law “is both mandatory AND compulsory.”
1. Incredibly Strong
In a surprising move the former minister issued a statement on the agreement reached on Friday, despite her former department having already issued its own unapologetic and spinny statement. Here’s Senator Doherty’s statement in full
As with many moments along the road to Friday’s full retreat by her former department, it’s impossible to tell whether this is a deliberate misrepresentation of what happened or if it is based on a genuine belief that this is an accurate representation of what happened. Remember, two years ago the legal advice the minister had received was “incredibly strong”. At one point she even ventured the opinion that her department might be breaking the law if it didn’t continue its fight with the regulator. Yet her former department abandoned its appeal on Friday on the proverbial court steps, leaving the incredibly strong legal advice unheard.
NB: When Senator Doherty says “we did seek to discuss and find a resolution with the Commission at that time” what she is referring to is an attempt by her department to subvert the DPC’s investigative processes which was quite rightly rebuffed.
—
2. We Create Our Own Reality
This exchange between a senior official from the Department of Employment Affairs and Social Protection and Senator Alice-Mary Higgins during a session of the Joint Oireachtas Committee on Social Protection in February 2018 captures, in a small way, the blunt refusal to accept reality, and cause and effect, and the continuous attempts to try and bend and warp reality to conform to what the department wanted it to be.
A gentleman by the name of Karl Rove once said -
—
3. Dermot Ahern Did This
Mr Ahern retired from politics in February 2011.
The Taoiseach took this a bit further, suggesting that his Fine Gael-led government was merely doing the bidding of an entire Fianna Fáil of Christmases past.
The Journal: ‘Taoiseach: 'Anyone that reads the law will understand why we disagree with the Data Commissioner’s report’‘, September 14th, 2019
—
4. “I was literally tearing my hair out.”
Dr. Maeve O'Rourke at the Joint Oireachtas Committee on Employment Affairs and Social Welfare describing the experience of a legal expert when trying to locate the legal basis in the law the Taoiseach was so confident of he was inviting all and sundry to read it.
—
5. Investigation? What Investigation?
A feature of this saga which is common to other fine data protection messes the Irish state has gotten itself into over the years is the ability of senior officials to plough ahead with their plans regardless of any external factors. A sensible option would have been to pause expansion of the system while it was under investigation, for both legal and financial reasons. But that is preceisely the opposite of what happened.
The Journal: ‘Civil servants were told to look at replacing the Medical Card with the Public Services Card’
—
6. Half A Decade Ago
Irish Times: ‘Government continues data-sharing projects despite EU ruling’, December 8th, 2016
This piece provoked a reaction in the form of a letter to the editor from Robert Watt, who was at that point Secretary General of the Department of Public Expenditure and Reform. Which, it should not be forgotten, is the department primarily responsible for driving the PSC/MyGovID project. The Department of (Employment Affairs and) Social Protection was the most convenient instrument available to get entries into the biometric database.
It should also not be forgotten that the second part of the DPC’s initial investigation which covers the processing of biometric data and the facial recognition system used by the Department of Social Protection is still to be finalised. There is also a separate investigation into the Department of Public Expenditure and Reform.
Mr Watt’s letter concludes with a paragraph which has not aged well.
—
7. It’s To Prevent Terrorism & Welfare Fraud Is Over
The most common reason offered up to justify the existence of the card and its underlying database was fraud prevention in the welfare system. Occasionally some public bodies attempted to use the amount of money which had already been spent on the system as a justification in itself.
When the state really put an effort into expanding the use of the card into areas beyond social welfare things got weird.
A seemingly haphazard list of services which would require a PSC was drawn up. A student grant application. A school grant appeal. Access to the Department of Agriculture’s agfood.ie portal. A school transport appeal. Passport applications and renewals.
This last one took us deep into the realms of reality-bending and ultimately led to the Department of Foreign Affairs refusing to accept DPER and DEASP’s assertions that a situation in which an individual had to have a Public Services Card in order to get a passport while simultaneously requiring a passport in order to get a Public Services Card made perfect sense.
Always on the lookout for more faces for the database, the OGCIO within DPER thought about doling out the card to institutional abuse victims. “[s]urvivors of institutional abuse at religious schools applying for redress were identified as an “opportunity” to introduce the public services card, internal government documents have revealed.”
Public Services Cards were issued to transition year students in an attempt to make up the numbers of cards issued and avoid a penalty clause in the contract the state had with the card manufacturer.
A company called Biometric Card Services manufactured the cards. This company changed its name to remove the word “biometric” when its contract was renewed.
This was of course entirely coincidental and had nothing to with the minister’s insistence over a prolonged period that her department did not process biometric data. Also coincidental was the department quietly changing its data protection notice a few days after Ms. Doherty lost her Dáil seat in the 2020 general election to acknowledge that it did, in fact, process biometric data.
But back to fraud prevention, and terrorism. Paschal Donohoe, then the Minister for Public Expenditure and Reform, provided a brand new justification to The Irish Times in May 2017.
Later the same year Mr Donohoe even penned an op-ed in The Irish Times which asserted the “use of the PSC has already driven fraud out of the welfare system”. Which doesn’t appear to be the case judging by the Department of Social Protection’s annual reports since then.
The PSC / MyGovID project has spanned multiple governments and all along the line it has been marked by a parade of ministers willing to say things at the behest of their officials which do not stand up to very much scrutiny.
—
8. Now Might Be A Time For Optimism?
I am not as optimistic as the writer of this piece in The Examiner, for a number of reasons.
Firstly the Department of Social Protection has not as yet apologised to any of the people whose rights it infringed. Nor, during this entire process, does it seem to have noticed the key issue revolved around the rights of individuals. It regarded this as a fight it needed to engage in with the regulator over some abstract data which it wanted to do things with, saving face and asserting itself.
Secondly we need only look at the increasingly bizarre behaviour of the Department of Children in relation to fulfilling Subject Access Requests made to it for personal data contained in the archive of the Mother and Baby Homes Commission of Investigation. Last year this department conducted a bewildering u-turn after an attempt to position a piece of domestic legislation outside the established principles of EU law (primacy, necessity, proportionality and so on) and the scope of the GDPR, an EU Regulation which, like all EU Regulations, has direct effect.
The Commission of Investigation (Mother and Baby Homes and certain related Matters) Records, and another Matter, Act 2020 was enacted last October. During the severely truncated debates on this Bill the mininster had insisted the GDPR did not apply to the records held in the database.
Two days afterwards the government announced the GDPR did, in fact, apply to the records held in the archive and committed to allowing people to access their information from his department via the Subject Access Request process.
Yet over a year on from that commitment we find the department’s SAR car idling at the end of a cul-de-sac with the minister refusing to engage reverse, having been directed there by a faulty GPS in the form of advice from frequent-data-protection-strugglers Tusla, who pointed the department in the direction of a Statutory Instrument dating back to the year before Italia ‘90. Why the department thought to ask Tusla for data protection advice and then accept that advice is a mystery.
The outcome is an investigation by the European Commission as explained in Simon McGarr’s Gist from earlier this week.
While the numbers of individuals affected in this instance is smaller than those affected by the PSC/MyGovID blanket data retention issue it is beyond dispute that these are the most high profile Subject Access Requests to have ever been made in this country. That the department has fumbled them and is wilfully ignoring its obligation to set aside the non-compliant domestic legislation does not indicate to me that the Irish State’s attitude to data protection is shifting at any noticeable pace.
—
9. There Is An Investigation, But It’s Not The Investigation You Think It is
Finally, we go once more to the former Minister for Employment Affairs and Social Protection. Until yesterday I had never seen this bizarre assertion which Regina Doherty made in the Seanad in December 2018.
We shall presumably never hear any more about this other investigation which the then minister could not speak about as she had been sworn to secrecy by Helen Dixon.
The Data Protection Commission has shipped a lot of criticism in recent times, not all of it warranted or well-founded, some of it unnecessarily histrionic. This is a significant achievement for the DPC in compelling an intransigent public sector data controller to abide by the law.
We’ll leave it there for now with the Public Services Card. A peculiar and far from finished tale. A years-long attempt to flex state power with no legal underpinning. A years-long attempt to ignore the rights of millions and the supervisory authority responsible for overseeing the vindication of those rights.
Nope. But no doubt our own CyberCzar will suggest similar once they’re installed.
https://twitter.com/joshgnosis/status/1468074708834816001
The war of many letters and stunts continued with Max Schrems accusing the DPC of lobbying other members of the EDPB. Using a somewhat elastic definition of lobbying since this is a process the DPC is formally a part of.
Some MEPs wrote a letter to Didier Reynders and Helen McEntee about this.
The DPC released its own statement denying any impropriety.
Feedback on the DPC draft decision provided by the Norwegian Datatilsynet as part of the Article 60 process somehow morphed into a letter.
Tobias Judin, the Datatilsynet’s Head of International posted a message on his LinkedIn page which begins “Cat’s out of the bag: We firmly disagree with a legal interpretation made by the Data Protection Commission Ireland. However strongly we may feel, this is nonetheless still a professional disagreement between colleagues. Over the last few days, the integrity of Irish colleagues has unfortunately been called into question. I want to speak out against this.”
—
The DPC announced it had “submitted a draft decision in an inquiry into Instagram to other Concerned Supervisory Authorities across the EU on Friday last, December 3rd.”
—
“One of the five directors at Belgium’s Data Protection Authority (GBA) is resigning amid questioning from the European Commission, citing the same “lack of independence” that the Commission also lists among its top concerns”, the Brussels Times reported during the week.
—
The Dutch DPA “imposed a €2.75 million fine on the Dutch Tax Administration. The fine was imposed because for many years the Tax Administration processed data on the (dual) nationality of childcare benefit applicants in an unlawful, discriminatory and therefore improper manner. This constituted serious violations of the General Data Protection Regulation (GDPR)”.
—
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
