IRELAND’S MAJOR DATA watchdog has fined the Department of Social Protection €550,000 following a major investigation into its use of facial recognition technology linked to the Public Services Card.

The Data Protection Commission (DPC) inquiry, launched in July 2021, examined the DSP’s ‘SAFE 2′ registration process, which requires applicants to submit biometric facial data used for facial matching as part of their card application.

The Public Services Card is needed for accessing many welfare and public services, including applications for Child Benefit, Jobseeker’s Benefit and driving licences.

A sample Public Services Card. Department of Social Protection Department of Social Protection

‘SAFE 2′ registration has led to the Department of Social Protection holding biometric facial templates for about 70% of Ireland’s population, making it one of the largest biometric data collections in the country.

The DPC inquiry found that the Department did not have a valid legal reason to collect or keep this sensitive facial data.

According to the DPC, the Department also failed to clearly inform people about how their data would be used, and the Department’s privacy risk assessment was “incomplete”.

As well as the €550,000 fine, the data watchdog ordered the department to cease processing biometric data for ‘SAFE 2′ registration by March next year, unless a lawful basis is identified.

Deputy Commissioner Graham Doyle said that the DPC decision “does not challenge the principle of SAFE 2 registration itself”.

“The technical and security measures in place for handling biometric data are sound,” Doyle said in a statement.

“Our concerns relate to whether the legal framework and the way the Department of Social Protection operates the system meet the requirements of data protection law. We found clear gaps in that regard.”

The DPC emphasised the need for a clear and precise legal basis when processing such sensitive data, as required by European privacy laws (GDPR), to protect individuals from arbitrary interference with their privacy rights.

The DPC’s decision was made by Data Protection Commissioner Dale Sunderland, and was notified to the Department of Social Protection this week.

The Department of Social Protection has yet to comment on the ruling.

‘More than a decade late’

The Irish Council for Civil Liberties (ICCL), which has campaigned against the use of facial recognition in the Public Services Card for more than 15 years, welcomed the decision but described it as “more than a decade late and inadequate.”

Joe O’Brien, ICCL’s Executive Director, said the ruling “vindicates the actions taken by ICCL and Digital Rights Ireland against the Department of Employment and Social Protection”.

He said the ruling also confirmed what they had long argued – that the Department unlawfully collected facial records from millions without proper legal grounds or clear explanation.

“The Public Services Card, which was estimated to have cost the State €100 million, trespassed upon human rights and infringed EU and Irish law,” O’Brien said.

“The Department effectively created a de facto national biometric ID system by stealth over 15-plus years without a proper legal foundation. This illegal database of millions of Irish people’s biometric data must be deleted.”

Olga Cronin, Senior Policy Officer at ICCL, criticised the mandatory nature of the facial recognition process.

“The Department unlawfully forced vulnerable people to give it their biometric data before it would help them,” Cronin said.

“It demanded data from people who needed its help to put food on the table. We should not have to trade our biometric data to access essential services to which we are already legally entitled.”