Latest news with #ReginaDoherty
Irish Examiner
13-06-2025
- Politics
- Irish Examiner
Cianan Brennan: Why didn't government admit its error with biometric public services cards?
Six years ago, the Data Protection Commission (DPC) went mano-a-mano with the government of the day over the infamous public services card, and ended up in a long legal war of attrition. That battle involved a simple question: Could the card be used as a catch-all portal for citizens accessing the State's services, regardless of their wishes? That particular spat was more than a little unedifying, ending up in a wholesale climbdown on the part of the Department of Social Protection in December 2021. However, yesterday's decision by the commission to fine the department €550,000 and order it to suspend the biometric processing of the public's data via the card should be even more seismic. €550,000 is five times the amount of the next-largest fine for breach of GDPR by a public body, and more than half of the maximum allowable. Puzzling defence of the indefensible Six years is a long time, however, and the world is a different place now. This time round, the State may be more willing to take its punishment from its own regulator. That in itself would be borderline farcical. The government — former social protection minister Regina Doherty being probably the most noteworthy culprit — argued for years that the card did not carry biometric data, despite it being plainly obvious to anyone with common sense that it did — in this case, a photo used for facial matching. Why did the State spend hundreds of thousands of euro in taxpayers' money defending the indefensible? The answer may be because it couldn't afford not to. Why did it do so? Because it couldn't afford not to. Having stated until it was blue in the face that black was indeed white, to change tack in any way would have been legally disastrous. Why the government of the day couldn't just hold its hands up and admit fault in the first place, rather than spending hundreds of thousands of euro in taxpayers' money defending the indefensible, we may never definitively know. However, we can speculate. The card is deeply ingrained in Irish society now, but that wasn't the case to quite the same extent in 2019. Furthermore, back then GDPR was brand new. It was so new that the initial investigation into the public service card was carried out under Ireland's previous Data Protection Act. Under that act, the commission had far fewer teeth to impose fines. GDPR is now a firmly embedded, if not universally beloved, EU policy. Maybe in 2019 it was felt the time wasn't right for the government to eat crow on its ambitious biometric card venture. Range of views in data protection community Those we polled yesterday across Ireland's niche data protection community had different views as to whether or not the Government, in the guise of the Department of Social Protection, will go the legal route once more. One said: The circumstances have changed. The data protection and GDPR landscape is much clearer now than it was under the old act. 'It seems more likely than not that this is one that won't be challenged, at least not in court.' However, there was little consensus. 'For years, they [the department] have been shouting that there is no biometric data on the card. Now this decision from the regulator is unequivocal that there is. Can they really back down from that? Would that be in character?' a second expert asked. DPC will defend its decision 'very robustly' Should the Government press the nuclear button once more and appeal the decision to the courts, deciding commissioner Dale Sutherland has made it clear that 'we will very robustly defend our decision'. He said: We are well used to this. It is a feature of our system. There are other puzzling aspects to yesterday's decision, not least the sheer length of time it took. The biometrics investigation had been set in train even before the 2019 decision, which dealt specifically with whether or not the government had the right to make the card mandatory for public services such as passport applications, yet it was only officially commenced in July of 2021. It then took four more years to complete, during which time the card has become ever more embedded in Irish society. That is surely an inordinate amount of time to take over a key investigation concerning personal data. 'This was a complex inquiry with complex issues,' Mr Sutherland said. 'The resources these inquiries take are just extraordinary. This one took a bit of time,' he added, while allowing 'it's probably a bit longer than we would have liked'. Digital Rights Ireland, whose initial complaint spurred the investigations back in 2017, professed itself 'concerned' at the length of time it had taken to finalise the probe. A spokesperson added that the decision 'leaves the Government in a very serious situation', given it has spent 'hundreds of millions of euro on an illegal public service card project'. Mr Sutherland stressed, however, that 'the important thing is that it [the investigation] is done now'. Asked whether the world had moved on in the last six years, he said: 'The principles haven't.'
Irish Independent
12-06-2025
- Politics
- Irish Independent
Government fined €550,000 by privacy regulator and warned over facial scans for Public Services Card
The Government department has also been ordered to stop the practice and cease using its biometric database by April of next year, unless it finds a correct legal basis under which to do it. The Department, the regulator said, holds biometric data on at least 70pc of the population here. It has been engaged in the 'ongoing collection, storage and processing of highly sensitive personal data, including biometric data consisting of facial templates, on a large scale', according to the DPC. The Public Services Card has been a privacy battleground between the Government and the regulator for years. While ministers and civil servants insist that it's necessary to bring more efficiency into public services, with facial scans being required to protect against fraud, critics have consistently labelled it an attempt to introduce a national identity card through the back door. In 2017, the then Social Protection Minister, Regina Doherty, infamously described it as being 'not compulsory but mandatory'. In 2021, the Irish privacy regulator began an investigation into what the Department was doing with regard to biometric facial templates and its usage of associated facial matching technologies as part of the registration process for the Public Services Card. The registration process, known as 'SAFE 2 registration', typically involves the submission of a digital photo of someone to make sure they're not already registered or claiming benefits under another identity. Under European GDPR law, biometric data is categorised as 'special category data' to which higher protections and safeguards must be applied. 'SAFE 2 registration is mandatory for anyone who wishes to apply for a Public Services Card,' said the DPC. ADVERTISEMENT 'Persons who do not submit to such processing cannot access DSP services, including welfare payments.' However the Department said it believes there is a legal basis to operate the process, but that the legal provision is 'not in it view, clear and precise enough to satisfy the requirements of the GDPR'. it said that it 'will carefully consider the DPC decision report, in conjunction with colleagues in the Attoreny General's Office with a view to determining an appropriate response within the nine-month timeframe'. It said that depending on the outcome, it may appeal any enforcement notice or work to rectify the issues as perceived by the DPC. The Department said that the DPC 'did not find any evidence of inadequate technical and organisational security measures. "There are no examples of any person suffering damage or loss as a result of SAFE registration.' It insisted that the process has led to a reduction in identity fraud and offered 'security and customer service benefits'. There are no immediate implications for users of the card or MyGov ID, according to the Department, and during the nine-month period the process will continue. The regulator had looked at whether the Department of Social Protection had a 'lawful basis' for collecting and retaining biometric data 'for the purposes of conducting facial matching' as part of this SAFE 2 registration. It also examined the Department had complied with transparency obligations and had carried out an adequate Data Protection Impact Assessment (DPIA) as part of SAFE 2 registration. It found the Department liable on all counts, by 'failing to identify a valid lawful basis for the collection of biometric data in connection with SAFE 2 registration' and, thus, incorrectly 'retaining biometric data collected' as part of the process. The watchdog said that it also 'failed to put in place suitably transparent information' to citizens and failed to include certain details in the DPIA it carried out. 'In light of the infringements identified above, the DPC has reprimanded the DSP, issued administrative fines totalling €550,000 and issued an order to the DSP requiring it to cease processing of biometric data in connection with SAFE 2 registration within nine months of this decision if the DSP cannot identify a valid lawful basis,' said the privacy regulator. However, the regulator did not suggest there was any security risk to the sensitive facial scans stored. 'The DPC did not find any evidence of inadequate technical and organisational security measures deployed by the DSP in connection with SAFE 2 registration in the context of this inquiry,' said Graham Doyle, deputy commissioner of the DPC. 'It is important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration by the DSP as a matter of principle. "This inquiry was concerned with assessing whether the legislative framework presently in place for SAFE 2 registration complies with the requirements of data protection law and whether the DSP operates SAFE 2 registration in a data protection-compliant manner, and the findings announced today identify a number of deficiencies in this regard.'
Irish Daily Mirror
17-05-2025
- Entertainment
- Irish Daily Mirror
Ongoing investigation into Ticketmaster and Oasis branded 'Supersonic failure'
The length of time it is taking the consumer watchdog to investigate Ticketmaster following complaints over dodgy dynamic pricing for Oasis tickets has been branded a "Supersonic failure". The Irish Mirror can reveal that eight months after the investigation started, the Competition and Consumer Protection Commission has still not finished its work. The CCPC said on September 6 it had opened an investigation into Ticketmaster Ireland and its handling of the sale of Oasis tickets on the weekend of August 31, 2024. It followed a review of more than 100 complaints received by the CCPC. Tickets for Oasis' reunion gigs, which will take place in Croke Park on August 16 and 17, were snapped up despite fans' complaints about the prices. Tickets were to be priced from €86.50 to €150 before service charge. However, some ticket prices ended up rising to more than €400 due to Ticketmaster's "in-demand" prices. Despite the probe being opened in September, the CCPC has confirmed to The Irish Mirror the investigation has not yet finished. A spokeswoman said: "We will provide an update when we are in a position to do so." Fine Gael MEP Regina Doherty, who was one of the first to call for a probe, told us the length of time the CCPC investigation is taking is not acceptable. She said: "Eight months on and still no outcome is a total Supersonic failure. "The CCPC needs to stop dragging its heels and deliver clarity for the thousands of fans." Brian McHugh, chair of the CCPC, had stated last September that if consumer protection laws were broken, the body would take action.
Irish Independent
17-05-2025
- Business
- Irish Independent
EU ‘blocking' Irish plan to make Big Tech firms vet ads for scams
According to Fine Gael MEP Regina Doherty, Big Tech companies could be required to ensure financial ads are coming from registered providers as part of the reform of the Payment Services Regulation which is currently underway. 'However it appears that the European Commission is blocking moves to include verification of financial services ads,' she said. The Department of Finance sent a proposal to Brussels on February 14, which pointed out that ads for financial services are often the first link in the fraud chain. 'Measures to ensure the legitimacy of financial services advertisements on social media platforms and search engines are therefore required,' it said. The requirement to verify the identity of advertisers, ensuring they are registered financial-service providers, would be limited to very large online platforms (VLOPs) or search engines. 'This is reflective of the fact that some of these entities, such as Google and Meta, are already doing this on a pilot basis in several countries,' the department added. Several members of the Government, including Taoiseach Micheál Martin, have been used in fake ads by scammers. At one point the Taoiseach took a High Court action against Google seeking information about the people behind fake ads for cryptocurrency that used his image. Ms Doherty said more than three in four Irish adults come across suspicious online activity each month, and fraudsters are exploiting citizens while platforms stand idly by. 'The EU Digital Services Act merely obliges platforms to react after the damage has already been done. That is not good enough. It is entirely avoidable harm,' she said. 'Such incidents are hard to track and almost impossible to rectify after they happen. The Digital Services Act provides requirements for platforms to take down harmful or illegal content once these have been reported. But it creates few proactive obligations on platforms prior to publication or even reporting by individuals. 'The position that platforms are not required to verify the veracity of financial advertisements undermines the importance of shared liability and responsibility between platforms, citizens and financial institutions that is vital if we are truly to make progress in tackling online scams.' ADVERTISEMENT The MEP said criminals involved in online scams should be held responsible, but so should the platforms that profit from user engagement. She added that it was time for the European Commission to 'wake up to the reality and put consumers first'. This week, The Wall Street Journal reported on an 'epidemic of scams' on social media platforms, with criminals 'flooding' Instagram and Facebook with fake ads and marketplace listings. It said Meta's social networks are the primary staging ground for fraud rings operating from China, Sri Lanka, Vietnam and the Philippines. In its memo to Brussels, the Department of Finance said its proposal had 'received a positive response from other member states and industry bodies'. The Financial Times has reported that about half of EU countries have expressed support for Ireland's idea. While the European Commission says it does not comment on issues relating to ongoing negotiations on legislative proposals, the FT quoted EU diplomats as saying that the European Commission's believes making Big Tech vet online ads would contravene the Digital Services Act.
Engadget
08-05-2025
- Business
- Engadget
Ireland is pitching a law to force big tech companies to vet ads before publication
Ireland has pitched a law to force tech companies to vet ads before publishing them, according to reporting by Financial Times . This is part of a larger push by the EU Commission to make tech entities responsible for financial fraud that occurs on their platforms. It also comes as President Trump has begun pushing the EU to scale back regulation of big American tech companies . While a proposal by the EU Commission would indeed put companies on the hook for financial fraud, Ireland's plan hopes to get ahead of all that. It looks to stop fraudulent ads before they are even published. The Irish finance ministry submitted an amendment to the current EU proposal that would force tech platforms to check the legitimacy of advertisers before posting their ads. To view this content, you'll need to update your privacy settings. Please click here and view the "Content and social-media partners" setting to do so. The amendment would also make it so only registered financial service providers could post these types of ads. The Bank of Ireland says that more than 75 percent of losses last year came from investment fraud that were often linked to ads placed on social media. These ads can be posted at any time and, more importantly, taken down at any time. This allows the publishers to avoid legal scrutiny after the damage has been done. Data indicates that online scammers defrauded Europeans out of nearly $5 billion in 2022 . "We can't leave glaringly obvious holes in legislation that are allowing criminals to defraud people of their life savings," said Regina Doherty, an Irish lawmaker. Google has declined to discuss this measure, but told FT that it fights "financial fraud in ads through our tools, people and policies." It is true that it operates a financial services certification program to help combat fraud. Meta has declined to comment. We've pinged both companies and will update this post if we hear back. Around half of EU countries have expressed support for Ireland's proposed amendment, though there is a hurdle to overcome. The EU Commission already has a provision in the Digital Services Act that says that tech companies aren't required to broadly monitor content, though proponents of the Irish initiative have countered that the requirement to vet advertisers could be designed in such a way that conforms with current law.
