Necessity knows no law

Oliver Cromwell famously said that "Necessity knows no law" in apparent justification of the many atrocities carried out at his imprimatur. Thankfully we now live in a more civilised world where necessity is the law. In this post I will show how the lawfulness of processing of personal data is a lot more complex than we think.

A Member State of the European Union cannot simply pass a law permitting it to process personal data as it sees fit

Campaign of identification

Only those few of us who have truly gone off the grid can be oblivious to the Public Service Card furore that has recently exploded into the mainstream media. Reports emerged last week about an ongoing project to register the entire population for a new identification card (not a national ID card mind) and in the process collect vasts amounts of personal data including a photograph to be used for facial recognition purposes (not biometric data we are told).

So is the processing of vasts amount of personal data via the Irish Public Services Card compatible with EU data protection? That is the question.

According to senior Government ministers the card allows people to "prove that they are who they say they are" allowing the State to protect itself against welfare fraud (although there are apparently only 78 cases "in the system"). It has also emerged that within the Public Services Card framework detailed personal data about the entire Irish population may be shared widely amongst more than 100 public sector bodies for reasons which are even less clear.

How can that be legal I hear you say?

Well you are in good company. This is the same question that Ireland's Data Protection Commissioner is asking and so far there have been few answers.

The bottom line is that if processing cannot be proven to be necessary for the attainment of a genuine public interest objective, it can never be lawful

In the European Union processing of personal data is seen as a limitation the fundamental right to data protection. But this right like most other fundamental rights is not absolute. Processing personal data may be limited legally in certain circumstances where five criteria are satisfied - these are that the limitation must:

1. be provided for by law;
2. respect the essence of the fundamental right;
3. genuinely meet objectives of general interest recognised by the European Union;
4. be necessary; and
5. be proportionate.

Sounds complicated? Well that's because it is. European law values data protection at a high level and sets standards which have to be met by anyone seeking to limit those protections. To put it another way, a Member State of the European Union cannot simply pass a law permitting it to process personal data as it sees fit. Any laws governing processing of personal data must satisfy all five of the above criteria to be considered lawful.

So far not even the first criteria has been adequately documented. While the Department of Social Protection has put forward a legislative basis underscoring the collection of personal data associated with the card process, this is hotly disputed.

Is this really necessary?

Let us assume, for the moment, that the public services card is provided for by law, it does respect the essence of the fundamental right to data protection and there is a genuine public interest in the integrity of the welfare system in Ireland. These criteria may be and certainly can be established. However necessity is where the rubber hits the road, so to speak. Necessity places an obligation on the State to minimise the processing of personal data.

Necessity implies first that the public interest objective of a measure is well understood and objectively demonstrated. Second it requires the need for a assessment of the effectiveness of a measure and an investigation of whether there are less obtrusive options compared to other options for achieving the same goal. The State is then obliged to choose the option that is least intrusive. If it turns out that some processing of personal data is not necessary then that processing is not lawful.

The bottom line is that if processing cannot be proven to be necessary for the attainment of a genuine public interest objective, it can never be lawful.