Ireland’s lawmakers are debating a new bill titled the Data Sharing and Governance Bill 2018 that seeks to “provide a generalised legal basis for the sharing of data between public bodies” and establish “base registries” that will facilitate said sharing of data.
During a debate on 26th June 2018, Patrick O’Donovan, the Minister of State for Public Procurement, Open Government and eGovernment, seemingly determined public bodies can infer consent if an individual has previously sought a service from the state.
In full, O’Donovan stated:
“That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.”
He then went onto say, “It must be borne in mind that this is already happening. We are trying to put a legal basis on it at the moment and what we are doing here is proportionate, reasonable and having clear regard to making sure that there are safeguards in place that are tested and can be tested.”
The disclosure “that this is already happening” will likely be of concern to privacy advocates.
In response to his statement, Senator Alice-Mary Higgins stated, “The Minister of State said consent can be inferred. It cannot. In many of the functions consent is not inferred and is not even relevant in the case of some functions of public bodies but there are other functions of public bodies where consent is relevant and is required under the GDPR.”
Under the GDPR, and if consent is the lawful basis under which an organization or public body has chosen to process an individual’s data, consent “should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of [their] personal data.”
The debate is one of many that have likely occurred across EU member states about the practicalities of public authorities collecting data from their citizens.
We reported last week that many British lawmakers (MPs) are relying on the “public interest” basis under the GDPR to process data on visitors to their constituency websites.
As provided by the GDPR, British lawmakers provided further clarification on what is meant by “public interest” in the Data Protection Act 2018 (DPA).
Under the DPA, “public interest” is partly defined as “promoting democratic engagement”, a term that now features in MPs’ privacy policies as a basis for processing visitors’ data.
The ICO has previously expressed concern about the “democratic engagement” provision in the DPA and described it as “very wide.”
Moreover, we also recently reported that the EU’s website, Europa.eu, is serving third-party content and spreadsheets containing hundreds of names and email addresses. EU institutions don’t need to comply with the GDPR but a regulation that’s set to come into force later this year.
Under this regulation, the European Data Protection Supervisor (EDPS) will be able to fine EU institutions 50,000 EUR per infringement and up to a maximum of 500,000 EUR, however it can only do so as a “last resort.”
Under the GDPR, private organizations can be fined up to 20 million EUR or 4 percent of revenue, whichever is higher.
Earlier this year the Digital, Culture, Media and Sport committee questioned Facebook on its data protection practices.