Irish Lawmakers Realizing The GDPR's Consent Requirements Seem A Bit Onerous, Want To 'Infer' Consent
from the oh-wait,-that-takes-work dept
Once again, we find lawmakers who seemingly championed "strong privacy" rules like the GDPR suddenly freaking out when they realize such laws might apply to government bodies as well. Once again, we have Jason Smith at Indivigital to thank for highlighting the latest mess. This time it involves Irish lawmakers trying to figure out how different government agencies can share data between those agencies in order to provide better services. But, here's the problem: doing so without "consent" would seem to violate the basic concepts of the GDPR, so the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O'Donovan, decided to try to take the easy way out and say that the government should be able to "infer" consent, if someone made use of the government service in the past:
“That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.”
Now, personally, I agree that this seems like a perfectly reasonable standard for inferring consent under most reasonable conditions. But the problem is that the GDPR generally does not view things that way. This is yet another example of where people who view privacy through a singular lens of "don't do anything at all with my data," often fail to realize how extreme that position is, and how it limits perfectly normal functions.
But, in this case, it comes across as just another example of where governments are saying, "do as I say, not as I do..."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: consent, data privacy, data protection, eu, gdpr, ireland, patrick o'donovan, privacy
Reader Comments
The First Word
“Disagree completely
I don't think that it's reasonable to assume that just because I use one government service, that they should be able to share that data with other services.And I think that we do need to take an extreme position with privacy, since once your data is shared, it's not possible to unshare it.
If they want to share data, they can ask permission explicitly. I see nothing wrong with that.
Subscribe: RSS
View by: Time | Thread
Disagree completely
And I think that we do need to take an extreme position with privacy, since once your data is shared, it's not possible to unshare it.
If they want to share data, they can ask permission explicitly. I see nothing wrong with that.
[ link to this | view in chronology ]
Re: Disagree completely
[ link to this | view in chronology ]
Re: Disagree completely
As an example, Canadian tax forms for years have had two checkboxes on the front page: 1) Are you a citizen? 2) If yes, can we register you to vote?
It's a reasonable way to get people registered. All you have to do is check a box to consent; there's no real burden here that would justify automatic or opt-out sharing.
What are the Irish examples? The linked web page is not loading.
[ link to this | view in chronology ]
Voter registration is bollocks
Here in Switzerland, when you're a citizen above the age of 18, you're a voter. Always. You don't have to "register" or whatever nonsense. You're already registered as citizen, why would you need to re-register to partake in your rights as citizen?
[ link to this | view in chronology ]
Re: Voter registration is bollocks
[ link to this | view in chronology ]
Re: Re: Voter registration is bollocks
And also so that you can choose which political party's members-only elections (i.e., primaries) you are permitted to participate in.
[ link to this | view in chronology ]
Re: Voter registration is bollocks
In Canada, they'll mail you a voter card to tell you where to vote, and it can be used as proof of address. Those who haven't pre-registered can still vote, if they have other proof.
[ link to this | view in chronology ]
Contractual Basis?
Just for fun, let's assume GDPR applies to them in full.
If a person's request to a government agency necessarily requires processing, there is a basis for this in the GDPR already: to perform under a contract.
The government could probably use this basis for all processing that is actually necessary to fulfill the constituent's request.
Legitimate interests might justify some analysis thereof. Sharing... I don't know if legitimate interests justifies sharing information among agencies.
At any rate, even if you could just infer consent, you'd have a new problem: your basis for processing is now consent, which is very inconvenient. Consent under GDPR is always revocable and cannot be made contingent on providing the service, which means all the government agencies sharing information on the basis of consent would need to tag all such data with some identifier which allows them to find and delete it later if the constituent revokes!
Good thing they don't subject themselves to the GDPR rules that they think are so great when applied to everyone else! ( ͡° ͜ʖ ͡°)
[ link to this | view in chronology ]
NO MEANS NO!
You can not infer consent, because consent can be withdrawn at any time and you have to honor that!
They want the right to ruin everyone else who told them the law was stupid & is trying to live up to a standard they decided they don't have to, because they are special.
If the law does not apply to EVERYONE the law is broken.
[ link to this | view in chronology ]
Re:
But that data you are wearing is sooo provocative!
[ link to this | view in chronology ]
Once a RED light meant stop. Period.
Now, due to political intervention a RED light means stop and the turn right on red.
Before one could walk across the street.
Now if one attempts to walk across the street the only safe time is when there are no cars present because there is always some nut case that will turn the corner at 40 MPH.
Privacy is the same way. It is all or nothing. If there are exceptions to the rule some one will exploit those exception to such an extent that there is none.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
Problem with privacy is there's a lot of "supposed to"s that can't be undone once the cat's out of the bag.
[ link to this | view in chronology ]
Re:
1) A red light still means stop.
2) Political intervention? Insufficient data. Traffic safety is sorta their job - no?
3) It was never safe to cross a street without due diligence.
These are not examples of government overreach.
[ link to this | view in chronology ]
Re:
The red light still means stop. It used to also mean "don't go", unconditionally; it's only this part that's changed. AFAIK, it's illegal everywhere to turn right at a red light without first stopping. This could be better enforced; in many areas it's illegal to run a yellow light when safe to stop, and I've never seen that enforced either.
[ link to this | view in chronology ]
Re: Intervention
[ link to this | view in chronology ]
If they "infer" consent with this, then they'll want to infer consent with the next thing, and the next, and the next...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Open the floodgates
[ link to this | view in chronology ]
Re: Open the floodgates
[ link to this | view in chronology ]
In the US of course if they followed this, then the NSA and everyone else has access automatically with government approval and no public oversight at all. Kinda sounds like what we have now.
[ link to this | view in chronology ]
Despite Medi-Cal normally going through the same agency as Food Stamps...it doesn't in the case of the Obamacare expansion (or did not back when I was getting it in 2014).
I was trying desperately to determine how to apply to Obamacare Medi-Cal, when I got a letter telling me I qualified based on info from my food stamps. And while that mess is due to mismanagement, the ability to disseminate my information to other agencies to determine my qualifications for other services, and speed up intake to my other services is excellent.
That said, they need to do what everyone should be doing, explaining to me the savings in my time and effort if we allow different agencies to access my info, allow me to opt-in to sharing my data on a per agency basis, and provide easy opt out tools, at least an easy phone number to manage my data prefrences.
[ link to this | view in chronology ]
All your data is belong to us
[ link to this | view in chronology ]
Opt out of sharing?
But obviously many disagree.
For me, whether sharing is OK depends on the data. Lots of things I'm fine with being shared, as I consider them more-or-less public info.
Other things, not.
It should be up to me - and each citizen - which data falls in which category.
So - how about a checkbox?:
[x] OK to share this data for (some reasonably limited set of related purposes)
[ ] Not OK to share this data for any other purpose
[ link to this | view in chronology ]
Re: Opt out of sharing?
Do you think that paying utility bills late means that you will should be forced into paying more for a loan?
Do you think your genetic makeup is a basis for determining how much you should pay for health insurance?
Stay tuned for answers to these questions and more.
... I do not think the situation is as cut 'n dried as you imply.
[ link to this | view in chronology ]
Re: Re: Opt out of sharing?
(b) Yes, of course. (Tho I object to the word "forced". Nobody is "forced" to take a loan. But surely payment history goes to the riskiness of the loan, and I do expect lenders to take that into account in their offers.)
(c) Yes, obviously. This directly predicts expected medical expenses.
[ link to this | view in chronology ]
Re: Opt out of sharing?
As I read it the problem isn't that it can make sense, but that the standards they are using aren't consistent.
Could Facebook 'infer' consent or are they required to get a clear and unambiguous granting of permission?
Is Google allowed to 'infer' that someone who's used their service for one thing has consented to that information being used for another thing, or are they likewise required to get explicit permission for any given use?
If they want to say that it's fine for the government to 'infer' consent, then unless they are willing to grant that same ability to companies and individuals running impacted platforms they're being hypocritical in using two sets of interpretations of the law, one for them, and one for everyone else.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Notice how Mansick doesn't distinguish between gov't and corps?
Gov't will do with your data pretty much whatever wants, de facto. -- Oh, part of it may be intended to clog up the system and deny benefits, but that's often what gov't wishes.
[ link to this | view in chronology ]
What was the name of your failed band?
[ link to this | view in chronology ]
Different if done on a computer?
One problem I remember was that the department rental agent would not let us go into certain houses. The reason was that they knew those were used by drug dealers and they were scared to go in there.
Being a naive IT guy and not well versed in the public sector, I suggested telling the police. Oh no, I was told, we have strict privacy guidelines so we cannot do that.
The privacy concerns were so onerous that I could not even obtain the tenants' names so that my we could send a personalised letter telling them that we were to do maintenance on the property. And that was sharing information within the same govt department.
Now I don't know what the situation is in Ireland, but certainly in Australia govt departments have privacy guidelines that preclude sharing information.
However, I would not be surprised if things are different for information gathered on the internet, because it's on a computer.
[ link to this | view in chronology ]