Ireland’s data watchdog issues €550,000 facial recognition fine

The fine was issued against the Department for Social Protection (DSP) following an inquiry by the Data Protection Commission (DPC), the country’s data privacy regulator, which examined the department’s ‘SAFE 2’ registration process. This registration involves mandatory processing of biometric facial templates and use of associated facial matching technologies for anyone who wishes to apply for a Public Services Card (PSC) – a form of public identification required in Ireland to access a range of services, including welfare payments.

The roll-out of the card has been strongly criticised by data privacy campaigners, who argue that the government’s large-scale collection, storage and processing of biometric data is unlawful. Since 2016, all first-time passport applicants aged 18 and over that are resident in Ireland have also been required to present a PSC when making their application. By 2021, the DSP held biometric facial templates for approximately 70% of Ireland’s population.

The watchdog’s investigation into the ‘SAFE 2’ registration process began in July 2021 following a previous inquiry, which concluded in 2019. That earlier decision was appealed by the DSP but later withdrawn, leading to a joint agreement and publication of the final report in 2021.

Following the most recent inquiry, the regulator emphasised that biometric data, such as facial templates, is classified as “special category data” under the GDPR, requiring strong legal safeguards. It said that the DSP had failed to “identify a valid lawful basis” for the collection and retention of biometric data as part of the ‘SAFE 2’ registration process, issuing the department with a €550,000 administrative fine.

The regulator has also given the department nine months to identify a valid lawful basis for the use of facial scans and facial matching software in the ‘SAFE 2’ registration process, or to cease using the technology altogether.

Isabel Humburg, a Dublin-based data protection specialist at Pinsent Masons, said: “The DPC’s findings underscore the critical importance of a clear and specific legal basis when processing biometric data, which is classified as ‘special category data’ under the GDPR,” she said. “The decision highlights that even when public policy objectives are at stake – such as fraud prevention or efficient service delivery – such processing must be proportionate and be based on an appropriate lawful basis.” 

The Irish Council for Civil Liberties (ICCL) partially welcomed the regulator’s decision, but said it was long overdue and called for the DSP to delete its database of biometric data.

Humburg said the decision underlines the importance of collecting and retaining the public’s data in a way that is fully data protection-compliant: “This decision reinforces that convenience or administrative efficiency cannot override the fundamental rights of individuals, particularly when the technology in question affects a large portion of the population, as was the case with the SAFE 2 registration system, and in circumstances where SAFE 2 registration was mandatory in order to access essential public services, such as welfare payments.”

Commenting on the inquiry, Andreas Carney, data protection and technology expert at Pinsent Masons’ Dublin office, said: “The full decision is yet to be published by the DPC, so we do not have the full details as yet. However, the commentary from the DPC indicates a wider issue for the government and the Department of Social Protection, which is that the DPC seems to have identified deficiencies in the legislative framework currently in place for SAFE 2 registration (contained within social welfare legislation), as well as how the department operates SAFE 2 registration. Both will have to re-examine the framework and operational implementation in the context of the legal basis available to them for processing this special category data. Necessity of processing and proportionality are likely to be key factors in this.”