The Data Protection Commission has hit the State with a €550,000 fine, the largest GDPR penalty for a public body, for processing people’s biometric data without a legal basis via the Public Services Card.
The DPC said that the Government must now discontinue processing such data using the PSC within 9 months unless it can find a legal basis for doing so.
Biometric data refers to any information that can identify a person by their physical characteristics — for example, via a fingerprint or, in the PSC case, a photograph.
The State has long denied that the PSC uses biometric data, despite a person’s photograph appearing on every version of the card. It has instead argued that it creates an “arithmetic template” from the photo for processing purposes — a method it claims does not constitute biometric data.
Such data is classified as special category personal data under the EU’s General Data Protection Regulation (GDPR), meaning it must be explicitly permitted in a country’s laws to be processed legally.
There is no single law on Ireland’s statute books governing the PSC. Its various uses are allegedly permitted through dozens of amendments to the 2005 Social Welfare Consolidation Act.
In addition to the €550,000 fine — five times greater than the next largest penalty for a public body — and the order to stop processing biometric data, the DPC also issued an official reprimand to the Department of Social Protection.
The Commission found that the card violated GDPR by failing to identify a legal basis for processing biometric data, retaining that data without justification, and not ensuring sufficient transparency about how the data would be used during registration.
Deputy Commissioner with the DPC Graham Doyle said that it is “important to note that none of the findings of infringement identified, nor the corrective powers exercised by the DPC, pertain to the rollout of SAFE 2 registration (the technical process by which PSC data is first collated and then stored) by the DSP as a matter of principle”.
He added that the investigation focused solely on how the PSC’s biometric process complies with the GDPR, noting that “the findings announced today identify a number of deficiencies in this regard.”
It remains unclear what will happen next. However, if the Government accepts the report, it will finally need to introduce specific legislation through the Oireachtas to legalize the PSC.
The Department of Social Protection declined to comment.
In announcing its conclusions the DPC has brought to a close its lengthiest domestic data protection saga, one which had lasted close to 8 years.
By announcing its conclusions, the DPC has ended its longest domestic data protection investigation—a process that lasted nearly eight years.
In August 2019, the DPC ruled that the State had no lawful basis for making the PSC — originally conceived in the 2000s as a welfare benefits card by the Department of Social Protection — mandatory for all public services.
That decision led to a prolonged legal battle between the State and one of its own regulators. The dispute ended in a December 2021 settlement, with the DPC’s findings left unchallenged but the State continuing with the PSC project—albeit without mandatory requirements.
A separate investigation into the biometric nature of the card ran concurrently with the original report. Initially, it was expected that this investigation would publish its findings by the end of 2019.
While the conclusions of the biometric investigation are not surprising, today’s publication comes nearly six years later than anticipated.
The PSC is now used daily by millions of Irish citizens—not just for receiving welfare payments, but also for services such as renewing driving licences and accessing the National Childcare Scheme.
