Irish govt fined €550k over biometric data compliance, ordered to address deficiencies

Ireland’s Data Protection Commission (DPC) has concluded a long-running investigation into the Department of Social Protection (DSP) and found the agency in breach of several key provisions of the General Data Protection Regulation (GDPR) for its use of face biometric templates and biometric matching in the issuance of Public Services Cards (PSC).
The decision follows an inquiry that was launched in July 2021 and carries a formal reprimand, a €550,000 fine, and a conditional order requiring DSP to halt all biometric data processing under SAFE 2 registration if it cannot establish a lawful basis within nine months.
This marks one of the more significant enforcement actions taken by DPC in recent years and underscores growing regulatory scrutiny over the use of biometric technologies by public institutions.
The inquiry centered on the department’s SAFE 2 registration process, which uses facial biometric matching technologies to verify identity for PSC applicants. This process was found to involve the widespread and ongoing processing of highly sensitive biometric data without a legally sufficient basis under GDPR. In 2021, DSP was in possession of face biometric data for approximately 70 percent of Ireland’s population, a scale DPC said necessitated strict legal safeguards.
This latest investigation follows a previous DPC probe into aspects of the PSC program that concluded in 2019. DSP appealed the findings of that inquiry but ultimately withdrew the appeal. A joint agreement between the DPC and DSP was published in December 2021, noting that biometric aspects of SAFE 2 would be subject to a separate and more focused investigation.
DPC determined that the SAFE 2 process failed to meet the legal thresholds required for processing special category data under GDPR. It also found that the retention of biometric data violated the GDPR and that DSP had not provided adequate transparency to data subjects. Moreover, the department’s Data Protection Impact Assessment was found deficient as it lacked critical details about the nature and scope of the data processing involved.
Deputy Commissioner Graham Doyle said that DPC’s findings should not be misconstrued as a rejection of the SAFE 2 registration process itself, nor was there any evidence of inadequate security measures. Rather, the inquiry assessed whether the legal and procedural frameworks supporting biometric processing within SAFE 2 meet data protection standards. According to Doyle, the deficiencies identified reflect a failure to ensure that the legislative underpinning for such sensitive data processing is both clear and legally robust.
“It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle,” Doyle said. “The DPC did not find any evidence of inadequate technical and organizational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry.”
“This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard,” Doyle added.
Under European law, biometric data such as facial templates is treated as “special category” data, meaning it is subject to heightened protections due to its potential to uniquely identify individuals. The scale of data collection by DSP, combined with the mandatory nature of SAFE 2 registration for accessing social welfare services, raised red flags about consent, proportionality, and the absence of clear statutory authority.
Legal experts and privacy advocates are likely to view the decision as a watershed moment for biometric regulation in Ireland, particularly in the public sector. It reaffirms the principle that technological efficiency and public policy objectives must not override the fundamental rights of individuals under the GDPR.
While the decision does not immediately halt the SAFE 2 registration process, it casts doubt on its continued use in its current form. If DSP cannot establish a legally sound framework by early 2026, it will be legally obligated to cease biometric data processing related to the PSC, raising questions about the future of the card as a gateway to social services.