GDPR saves Catholic no Double Dipping Baptism Rule
Photo: https://www.flickr.com/photos/speakingoffaith/4033579519


It is a strange thing, but I learnt more about the Catholic sacrament of baptism from reading a recent decision of the Irish Data Protection Commission (DPC) than I did from my 13 years in the Catholic school system.

This post is about a curious decision of the DPC made on 27 February 2023 but which only seems to have been published on the internet in the last couple of days.

It involves a trawl through Canon law and its status in Ireland, the curious rules of Catholic sacraments, and arrives at a decision which saves the Catholic church in Ireland from having to remove from its records the baptismal details of the many 1000s of people who no longer agree with their parents' decision, taken when they were days or weeks old, to enroll them in the Catholic church.

Count Me Out - Not So Fast

The story begins in the mid-2000s when a bunch of very clever people realised that you could "defect" (i.e. leave) the Catholic church via a process that was adopted by the Vatican in 2006 to help people avoid church taxes in Germany. The lads set up an award-winning website that automated the process, which was used by 12,000 souls (including mé féin), before Canon law was changed, effectively closing the door for those wishing to use this convenient portal between the sacred and secular worlds.

Things moved on and an individual, self-described as "a nerd with some free time", tried in 2020 to use GDPR to claim (not unreasonably) that, since they were no longer Catholics, the church had no legal basis to process their personal data because it was no longer necessary to do so. Why would a private organisation want to keep detailed personal information on people who had absolutely no interest in it anymore, the thinking went.

Several individuals attempted to exercise their GDPR rights of rectification and erasure, which the church refused to do, leading to complaints to the DPC, which in turn prompted the DPC to initiate an "own volition" inquiry.

As many readers will know, the DPC, like the Vatican, measures time in centuries and millennia and can never be accused of acting in haste. Therefore, last year a litigant applied to the High Court to try and get the DPC to hurry up and make a decision, which has now arrived.

And boy has it arrived. It's a 183-page tome, and will certainly be seen alongside the Old and New Testaments as one of the great religious texts of the modern era.

A reading from the second book of Helen Dixon

There are a number of curiosities in this admittedly well-written and comprehensive decision.

First, given that the investigation centered around the Catholic Church, there is extensive discussion of "Canon Law", which is the set of internal rules of the Catholic Church. While you and I may debate whether this is actually law or whether it is no different from the rules of your local residents' association, the Irish Free State Supreme Court ruled on this biting issue in the context of a dispute between a bishop and a recalcitrant parish priest (O'Callaghan v O'Sullivan [1925] 1 IR 90). The court held, in essence, that Canon Law is to be treated as a "foreign law" and must be proved as a matter of fact in the normal way.

(For more interesting analysis of Catholicism and the Judiciary in the early days of Ireland's independence I recommend this excellent article in the Irish Judicial Studies Journal.)

Second, although the resolution of the issues ultimately boils down to a balancing of the legitimate interests of the Catholic Church against the fundamental rights of data subjects, there is absolutely no evidence or submissions from any data subject. On the other hand, there were extensive submissions from the Archbishop of Dublin. It is curious, given that there were several complainants presumably more than willing to put the data subjects' point of view on the record, that neither their views nor those of the wider community of defecting Catholics were canvassed.

The decision found, unsurprisingly, that church baptismal records come within the material scope of GDPR, being stored in a filing system, and that, depending on the type of register and the processing, the controller was the Archbishop of Dublin, either individually or jointly with the parish priest in whose parish the registers are stored.

No double dipping in the baptismal font

The legal basis finding is the most interesting.

In terms of the general legal basis the DPC found that the Church has a legitimate interest per Article 6(1)(f) in processing baptismal information for everyone's entire lifetime, even after they leave, because there is a rule that you can only be baptised once and if someone presented for baptism they would need to check this via the register.

The DPC accepted that the interests pursued by the Archbishop in this regard are central to the proper functioning of key aspects of the Roman Catholic faith in Ireland.

But of course, the legitimate interest basis is inherently a balancing exercise. What about all those data subjects who never asked to be baptised but nonetheless are on registers by dint of a choice their parents made shortly after they were born?

Curiously the DPC noted recital 47 GDPR, which refers to the expectation of the data subject at the time of the collection of the personal data, and said that she was of the view that a data subject could reasonably expect the personal data to be processed for the purpose of ensuring that the data subject has been baptised and that there would be no impediment to that data subject receiving a further sacrament.

Amazing what month-old children can do, isn't it?

In terms of strict necessity, there's a glitch in the matrix, because the Catholic church actually has a procedure to deal with the situation where no baptismal record exists. This means the registers are not even conclusive or strictly necessary for the double-dipping rule, you would think anyway.

In those cases the priests ask for a "sworn statement" and the individual may be "conditionally baptised".

So it's not strictly necessary to be registered, right?

Nope.

The DPC's jesuitical finding on this aspect is worth quoting:

Although these are alternative measures to achieving the legitimate interests set out by the Archbishop, I consider that these could not be equally effective alternatives to the processing undertaken by recording and retaining personal data in the Baptism Registers. Given the importance of the principle in the Catholic Church that certain sacraments may only be administered once, the reliance on statements of godparents and other witnesses instead of the official record of the Church (or indeed conditionally baptising a person without any verification as to whether they have been previously baptised), does not provide the certainty and effectiveness of the recording of Baptism Registers and is clearly only suited to exceptional occasions.

I would have thought that someone who had gone to the bother of renouncing their Catholicism would only be rushing back to mother church in exceptional circumstances, but without a shred of evidence as to how often lost sheep returned to the fold, the DPC found that an exceptional procedure would not suffice.

The DPC went on to find that Article 9(2)(d) is the legal basis for processing of special category personal data. No surprises there.

Right Reverend Data Subject Rights, Right?

Having finished the homily, the DPC went on to tidy up some loose ends with some further prayers of the faithful, finding the Archbishop had breached the transparency principle (a venial sin).

Finally, the DPC looked at the right of rectification and the right of erasure.

The right of erasure in the legitimate interest context essentially provides the opportunity for the data subject to object to the legitimate interest processing based on his or her particular situation, requiring the data controller to perform an individual balancing exercise under Article 21(1) GDPR and to only continue to process the personal data where it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject.

This is a tricky one for the DPC to deal with in an own-volition inquiry you might think, given that the DPC procedure only engaged with the data controller and was not a complaint investigation. Further still, the complaints that the DPC had were concerned with requests which in any event had been refused on jurisdictional grounds by the Archbishop who argued that he wasn't a controller and baptismal registers were outside the material scope of GDPR.

Undeterred, our DPC performed a miracle of transubstantiation, and turned the watery inquiry into a potent, full-bodied, complaint handling exercise worthy of any Irish wedding for the purpose of giving absolution to the Archbishop.

I am of the view that the legitimate interests of the Archbishop when considered in the circumstances of these particular requests collectively also constitute “compelling” legitimate grounds for the purposes of Article 21(1) of the GDPR

Those of us who were starting to drift off during the third sorrowful mystery around para 752 of the decision were jolted awake.

Where were "these particular requests"? What were the particular circumstances? Were the complainants asked about this? Apart from a glancing mention on page 6 in the background section, the individual complaints were conspicuous by their entire absence in the 183-page decision. So how could the DPC say that the Archbishop had established compelling reasons which overrode the data subjects' rights, regardless of whether or not you remained a Catholic?

The Concluding Rites

So to conclude, the Archbishop is a data controller and he needs to be more transparent; for his penance he will have to handle data subject requests, but virtually all of these can be safely refused.

Go and announce the Gospel of the DPC.

Thanks be to the GDPR.








Geert van Calster

Independent legal practitioner; Professor Ordinarius KU Leuven, visiting prof KCL (London); Monash (Melbourne); Melbourne University. Blogs gavclaw.com. Also on Twitter @GAVClaw

1 year

Most interesting! : the Belgian Catholic Church today announced it is appealing a contrary decision by the Belgian DPA https://twitter.com/GAVClaw/status/1748002155389219110

Barry James

IT Strategy, Architecture, BI and Analytics

1 year

Great read Fred. I assume I'll be bumping into the DPC in the queue for communion!!

Cathy Dalton

Architect, inclusive designer, digital tech innovator/ consultant. MyRoom: Responsive personal environments that promote wellbeing

1 year

I missed the bus on formal defection at the time, and subsequently the Catholic Church removed it as an option, so now it works rather like Hotel California. I wonder 1) if this was considered in making the judgement. Once a child of god, etc. and 2) how best to go about getting myself excommunicated, now that the option of defecting is no longer open to me.

Easier to get a camel through an eye of a needle than to get one's data record with the church deleted :)

Andrea Manning

Information Security Manager | DORA Implementation

1 year

I’ve been following this from the outset - you couldn’t have made up a better scenario to get to the heart of GDPR and its convictions. Wonderful summary
