The Big Tech Show: Data Protection Commissioner Helen Dixon on her decision to halt plans for national identity card through stealth
This week, Adrian sits down for a long, in-depth discussion with Data Protection Commissioner Helen Dixon on why she stopped the government from making its Public Services Card into a national identity card through the backdoor.
After years of controversy, this week her office ruled that the PSC card cannot be used as a necessary form of identification for services outside the Department of Employment Affairs and Social Protection.
The move effectively puts a halt to any plans the government had of making the Public Services Card a ‘national identity card’ through stealth.
“The Department does not have a legal basis for processing personal data when it's in the case of a person who's seeking to avail of a service with the public sector body other than the Department itself,” she tells Adrian.
However, she stopped short of saying that the Public Services Card must be scrapped.
“Any cards that have been issued, their validity is not in question by anything we've found in this report,” she said.
“They can continue to be used in the context of availing of free travel or availing of benefits that a person is claiming from the Department.”
Dixon qualifies this by saying that the PSC can be used voluntarily by a citizen as a valid proof.
“If someone optionally brings their public services card to renew their driver's license, there is no issue with that. But what we're saying is that it must be an option. A public sector body cannot now require someone who doesn't already have one, to go and procure one in order to avail of their service.”
The PSC has been criticised by civil liberties groups who claim it is an attempt by the government to create a national identity card by stealth.
Earlier this year, UN special rapporteur on poverty, Professor Philip Alston, said that the PSC “runs the risk of becoming a centralised database containing intimate, personal information” that was unsafe.
Government ministers have repeatedly claimed that the PSC is a protection against fraud, identity theft and helps to cut costs. They say that the card simplifies identity registration for public services and reduces the need for duplicate forms and the repetition of processes.
However, Dixon tells Adrian that the PSC as currently constructed is overarching and is sometimes being used without good reason or legal justification.
“An example is the Department of Education’s appeal system around school transport,” she said.
“It now says that you have to procure a PSC card to make an appeal. It’s very difficult to see why that’s a requirement.”
Dixon also tells Adrian that she has opened a new investigation into the owner of The Huffington Post, Techcrunch and Yahoo. The Irish DPC office is now probing Verizon Media, formerly known as Oath, around complaints that its online media properties do not give users choice around online ‘cookies’ that track user activity online.
“It’s specifically into transparency issues,” Ms Dixon tells Adrian. “There were more 38 complaints redirected to us by other EU data protection authorities. Those authorities were in receipt of a significant volume of complaints from individuals specifically relating to services by media sites.”
She said that some of the complaints related to when “effectively there’s no choice when cookie banners are offered. The only option seems to be to click okay”.
Meanwhile, Dixon tells Adrian that her office’s first major GDPR decision relating to a multinational tech firm looks set to be about Whatsapp.
“I expect that file to land on my desk in the next fortnight,” she said.
However, it is then likely to take “months” to arrive at a formal decision due to a statutory process of “examination and analysis”.
“I'd like to say that we could do it on 48 hours, but it has to be in the order of months to be done in the way that it has to be done. I will have to allow them a period of time to respond. I would have to consider their responses.”
The WhatsApp investigation is examining whether WhatsApp has “discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies”, according to the DPC’s office.
Dixon’s office currently has 61 statutory enquiries underway under GDPR law, 21 of which are focused on tech multinational firms. These include Facebook (8), Twitter (3), Apple (3), Whatsapp (2), Instagram (1), Google (1), Linkedin (1), Quantcast (1) and Verizon Media (1).
Under GDPR law, the Irish DPC can fine a company up to 4pc of its annual turnover.
Earlier this month, US authorities fined Facebook $5bn for data privacy failings in the largest settlement of its kind to date.
However, Dixon said that while the Irish office was prepared to use the “scope” of the GDPR’s maximum 4pc fine structure, the EU process is different to the American one.
“We're not really looking at $5 billion or what the FTC has done,” she tells Adrian. “We've got to look at this fairly under the legal framework that we have. One criticism of the FTC’s decision is that it has done nothing to change Facebook’s business model or the way that Facebook will handle personal data. The decisions that we make here have to have an impact in terms of punishing any contraventions and providing a precedent for others in terms of how we say the GDPR must be applied.”