Louise O'Reilly: Pause Biometric ID Amendments

Thanks very much to our witnesses. I suppose I have concerns, huge ones, I've put them on the record already, not just in relation to this legislation, and it strikes me that maybe when the DPC have expressed such very serious concerns that now is not the time to be adding to legislation, in fact now is the time to be pausing that to reflect, and I know yourselves you've looked for a review, which I think should happen before we start. adding to it, I'm conscious that there is an appeal in place, and I don't want to cross over that in any way, but can I just ask a question in relation to voluntary, and I mean everybody had a good giggle when they couldn't explain the difference between mandatory, compulsory, etc. but I'm wondering in terms of, just take for an example the free travel pass, you can't use that without the, so in that case in order to access what is a lawful entitlement that a person has worked, you know, in most cases worked all their life for, it's not massive, but it is something for older people, and it's certainly considered by the government as a budgetary measure, but I'm just wondering, that's not voluntary, that's compulsory if you want to use, I mean is that the definition, because I struggle with that, because to me if you're an older person and you have a right to access that, you should have a right to access it, whether or not you choose to share your biometric data, or indeed give it to be put in, I'm sure what people regard as a safe place, but perhaps may not be that safe place. So I suppose in response to that I would go back to our findings in 2019, in the first DPC investigation into the public services card, where the finding was that there was a legal basis, there is a legal basis in the Social Welfare Consolidation Act for the Department of Social Protection to mandate the use of the card only for transactions with that department. I suppose the key finding in terms of mandatory, not compulsory, as you mentioned, was in relation to whether other public service bodies have an entitlement to require the public services card, and the finding was that they do not, and in the agreed published position of the DPC and the department in 2021, it was agreed that only the Department of Social Protection can rely on the public services card as the only method of transacting a service. Other public service bodies may request this, but cannot require it as the only one. So the ability to require the card is limited in our understanding to the provision of services directly by the Department of Social Protection, not to other departments. And when you say services, is it possible that that legal basis would extend to access and social welfare? Exactly, so the provision of a service transaction, I can't recall the precise definition of what a service is in the Act. Okay, so that's deeply concerning, I should tell you that now. Dr Ferries, you say that, you quote from the LSE study, and I've had some interaction with that myself, it's difficult to create a national ID system in a way that doesn't undermine privacy, legality and public trust. Can you just say what makes it difficult, and have steps been taken by the Irish government in this instance to ensure that the ID system is brought in in a way that doesn't undermine privacy, legality and public trust? Thanks for that. I think the principal difficulty here in Ireland is that from a legality perspective there is this emphasis on consent, but from a policy perspective we're seeing the slow function creep of the card into a sort of de facto requirement in various areas. If we all get used to having a public services card, and indeed 70% of the population in Ireland now has one despite the unresolved illegality of its biometric system, that expectation becomes put into practice in society irrespective of the dad protection laws that we're also good at reading every day. So that normalisation of the illegal system is a serious concern. And again, the infrastructure of the card itself is at risk of function creep and expansive use across services simply by nature of how it's being built. There are protections in place depending on who's in charge, but as we've seen geopolitically and amongst our neighbours, those protections can disappear very quickly. So instead of passing these amendments, Dr Ferries, would you have a suggestion as to what could be done? Because obviously there's these amendments, more could be tacked on, we know that. What should we be doing to ensure that the system functions and functions correctly? I mean, you don't put words in your mouth. So my understanding of what you said was, if I was trying to get there, it wouldn't start from here, and you might be better to go back to the start. Would that be correct? It would be correct to say that I'm perplexed as to why amendments are being passed at this stage, given the system's unresolved legality, rights and discrimination concerns. There are very specific matters before this government about the face surveillance aspects of the card and the important findings from the data protection commission. Why aren't these being attended to in the first instance rather than barriers against this illegal systems use being taken down through Head 7? Thank you. Just to the DPC, the concern is around privacy and data retention and all of those things, and I don't mean this disrespectfully to any one individual official working there, but let's be frank, some places have not exactly covered themselves in glory when it comes to handling people's data and their biometric data. It is something now that people are getting more and more concerned about. Given that you found that there was no legal basis, to me, that's incredibly serious. So I really question why we're here discussing, adding to something that could potentially on appeal be found if your position is upheld. In the event that your position is upheld, what would your advice be to us as the committee, but also to the department? I suppose if the decision is upheld and there's a finding of unlawful processing of biometric data and related infringements, we would go back to the position in the outcome of that inquiry, which was a nine month period to the department to address those discrepancies, which would be through legislation and also operational amendments. So was anything done in the nine months that you gave them the last time, just in terms of legislation? No, there's been no legislative amendment. As I mentioned to a previous question, there was preliminary engagement, but at that point the decision was appealed. So any consultation or discussion of amendments of the legislation in relation to biometrics and safety processing, there's been nothing further. So we would expect to be back in that position. We've made it very clear that we're happy within that nine month or whatever period to engage with the department on bringing the legislation into a place that's in compliance with data protection law and with the jurisprudence of the court of justice, and also to assist in the operationalisation. As I mentioned, we're happy to assist with reviewing data protection impact assessments and get it to the place of compliance, but I suppose pending the outcome of the appeal. And is there anything that you can do, I mean just in terms of ensuring that, you know, I understand you work with them and all of that is good, but just in terms of, is there a penalty for the state if that's upheld or who would it fall to to enforce the penalty? I don't think there's data protection police as it were, but I'm just wondering where would that sit? Sure, so the DPC does have the capacity to fine public bodies. It's more limited than it is for a private sector. And I mentioned the Department of Health inquiry where a financial penalty was imposed. How much was that? I think in the region of €29,000. I'm not sure I could be wrong on that, I don't have the figures. But that figure then goes through the courts for collection and ultimately goes back into the exchequer. Sorry, thank you.