Irish Lawmakers Realizing The GDPR's Consent Requirements Seem A Bit Onerous, Want To 'Infer' Consent

from the oh-wait,-that-takes-work dept

Once again, we find lawmakers who seemingly championed "strong privacy" rules like the GDPR suddenly freaking out when they realize such laws might apply to government bodies as well. Once again, we have Jason Smith at Indivigital to thank for highlighting the latest mess. This time it involves Irish lawmakers trying to figure out how different government agencies can share data between those agencies in order to provide better services. But, here's the problem: doing so without "consent" would seem to violate the basic concepts of the GDPR, so the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O'Donovan, decided to try to take the easy way out and say that the government should be able to "infer" consent, if someone made use of the government service in the past:

“That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.”

Now, personally, I agree that this seems like a perfectly reasonable standard for inferring consent under most reasonable conditions. But the problem is that the GDPR generally does not view things that way. This is yet another example of where people who view privacy through a singular lens of "don't do anything at all with my data," often fail to realize how extreme that position is, and how it limits perfectly normal functions.

But, in this case, it comes across as just another example of where governments are saying, "do as I say, not as I do..."

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: consent, data privacy, data protection, eu, gdpr, ireland, patrick o'donovan, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    football, 20 Jul 2018 @ 3:41am

    Disagree completely

    I don't think that it's reasonable to assume that just because I use one government service, that they should be able to share that data with other services.
    And I think that we do need to take an extreme position with privacy, since once your data is shared, it's not possible to unshare it.
    If they want to share data, they can ask permission explicitly. I see nothing wrong with that.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 10:00am

      Re: Disagree completely

      I disagree with the bit about "limiting perfectly normal functions" being accidental or bad. I know what's considered "perfectly normal" these days; much of that is exactly what I want to prevent.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 10:39am

      Re: Disagree completely

      As an example, Canadian tax forms for years have had two checkboxes on the front page: 1) Are you a citizen? 2) If yes, can we register you to vote?

      It's a reasonable way to get people registered. All you have to do is check a box to consent; there's no real burden here that would justify automatic or opt-out sharing.

      What are the Irish examples? The linked web page is not loading.

      link to this | view in chronology ]

      • icon
        Seegras (profile), 21 Jul 2018 @ 2:10pm

        Voter registration is bollocks

        I don't understand this even the slightest.

        Here in Switzerland, when you're a citizen above the age of 18, you're a voter. Always. You don't have to "register" or whatever nonsense. You're already registered as citizen, why would you need to re-register to partake in your rights as citizen?

        link to this | view in chronology ]

        • identicon
          Immersive, 22 Jul 2018 @ 2:25am

          Re: Voter registration is bollocks

          Quite simply, so your agency is not usurped by someone else claiming to be you at the ballot box. In other words, to prevent identity 'theft'.

          link to this | view in chronology ]

          • icon
            The Wanderer (profile), 22 Jul 2018 @ 4:06am

            Re: Re: Voter registration is bollocks

            (Which, just to note, would be more legitimately referred to as "identity fraud".)

            And also so that you can choose which political party's members-only elections (i.e., primaries) you are permitted to participate in.

            link to this | view in chronology ]

        • identicon
          Anonymous Coward, 22 Jul 2018 @ 9:28pm

          Re: Voter registration is bollocks

          You don't have to "register" or whatever nonsense. You're already registered as citizen, why would you need to re-register to partake in your rights as citizen?

          In Canada, they'll mail you a voter card to tell you where to vote, and it can be used as proof of address. Those who haven't pre-registered can still vote, if they have other proof.

          link to this | view in chronology ]

  • icon
    tdlawyer (profile), 20 Jul 2018 @ 4:21am

    Contractual Basis?

    Just for fun, let's assume GDPR applies to them in full.

    If a person's request to a government agency necessarily requires processing, there is a basis for this in the GDPR already: to perform under a contract.

    The government could probably use this basis for all processing that is actually necessary to fulfill the constituent's request.

    Legitimate interests might justify some analysis thereof. Sharing... I don't know if legitimate interests justifies sharing information among agencies.

    At any rate, even if you could just infer consent, you'd have a new problem: your basis for processing is now consent, which is very inconvenient. Consent under GDPR is always revocable and cannot be made contingent on providing the service, which means all the government agencies sharing information on the basis of consent would need to tag all such data with some identifier which allows them to find and delete it later if the constituent revokes!

    Good thing they don't subject themselves to the GDPR rules that they think are so great when applied to everyone else! ( ͡° ͜ʖ ͡°)

    link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 20 Jul 2018 @ 5:07am

    Consent is easy...
    NO MEANS NO!
    You can not infer consent, because consent can be withdrawn at any time and you have to honor that!

    They want the right to ruin everyone else who told them the law was stupid & is trying to live up to a standard they decided they don't have to, because they are special.

    If the law does not apply to EVERYONE the law is broken.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 9:27am

      Re:

      "Consent is easy... NO MEANS NO!"

      But that data you are wearing is sooo provocative!

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2018 @ 5:55am

    Some rules only work in the extreme.

    Once a RED light meant stop. Period.

    Now, due to political intervention a RED light means stop and the turn right on red.

    Before one could walk across the street.

    Now if one attempts to walk across the street the only safe time is when there are no cars present because there is always some nut case that will turn the corner at 40 MPH.

    Privacy is the same way. It is all or nothing. If there are exceptions to the rule some one will exploit those exception to such an extent that there is none.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 6:24am

      Re:

      Hey I'm not a nutcase... I'm qualifying.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 8:29am

      Re:

      You are still *supposed* to stop before turning right on red. Too many people don't, just as too many people turning left on an unprotected turn don't yield to opposite traffic turning right.

      Problem with privacy is there's a lot of "supposed to"s that can't be undone once the cat's out of the bag.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 9:32am

      Re:

      I see your point, but the examples are weak.

      1) A red light still means stop.
      2) Political intervention? Insufficient data. Traffic safety is sorta their job - no?
      3) It was never safe to cross a street without due diligence.

      These are not examples of government overreach.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 10:08am

      Re:

      Once a RED light meant stop. Period. Now, due to political intervention a RED light means stop and the turn right on red.

      The red light still means stop. It used to also mean "don't go", unconditionally; it's only this part that's changed. AFAIK, it's illegal everywhere to turn right at a red light without first stopping. This could be better enforced; in many areas it's illegal to run a yellow light when safe to stop, and I've never seen that enforced either.

      link to this | view in chronology ]

    • icon
      Gary (profile), 20 Jul 2018 @ 12:16pm

      Re: Intervention

      Wait, are you saying that right on red is government overreach and we don't need government interfering with our traffic rules?

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2018 @ 6:12am

    Once they get that foot in the door, they won't stop.
    If they "infer" consent with this, then they'll want to infer consent with the next thing, and the next, and the next...

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2018 @ 7:29am

    Not sure what all the fuss is about. Hard to believe that a government agency can't find legal justification for the processing in question under the recognized bases of "legal obligation", "vital interests", "public task", or "legitimate interests."

    link to this | view in chronology ]

    • identicon
      Talmyr, 24 Jul 2018 @ 5:53am

      Re:

      That's how the NHS in the UK is managing to keep functioning and not grind to a halt. Consent goes a long way, but within reason - it's not consent for the health service to do anything it wants, only what is appropriate and proportional.

      link to this | view in chronology ]

  • icon
    Ninja (profile), 20 Jul 2018 @ 7:42am

    If the law doesn't include such inferred consent then it's illegal and if they run with this "infer" thing it's just another selectively enforced piece of crap. *grabs popcorn* Anybody want some?

    link to this | view in chronology ]

  • icon
    Anonymous Anonymous Coward (profile), 20 Jul 2018 @ 7:54am

    Open the floodgates

    When someone starts to infer the right to share data, they will then infer with whom they can share that data with. The chain of inferences then becomes unmanageable and the data will then become universally known. There needs to be some limits to any suggestion of inference, the problem then becomes how to control those. Look at how our browsing habits and third party knowledge has become 'we own all your data'. This isn't right.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2018 @ 8:41am

    As soon as you grant inferred consent, the government will make sure that all it's various branches have that consent. That is hardly the purpose of privacy to give everyone and their brother access to data by using one service.

    In the US of course if they followed this, then the NSA and everyone else has access automatically with government approval and no public oversight at all. Kinda sounds like what we have now.

    link to this | view in chronology ]

  • icon
    James Burkhardt (profile), 20 Jul 2018 @ 8:54am

    A lot of people complain about this, but it makes some sense. I used to get food stamps, when my income warranted it. At the same time, I used to get Medi-Cal (Californian Medicaid) under the Obamacare expansion.

    Despite Medi-Cal normally going through the same agency as Food Stamps...it doesn't in the case of the Obamacare expansion (or did not back when I was getting it in 2014).

    I was trying desperately to determine how to apply to Obamacare Medi-Cal, when I got a letter telling me I qualified based on info from my food stamps. And while that mess is due to mismanagement, the ability to disseminate my information to other agencies to determine my qualifications for other services, and speed up intake to my other services is excellent.

    That said, they need to do what everyone should be doing, explaining to me the savings in my time and effort if we allow different agencies to access my info, allow me to opt-in to sharing my data on a per agency basis, and provide easy opt out tools, at least an easy phone number to manage my data prefrences.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2018 @ 9:37am

    Inferred consent in this case, is ridiculous no matter how you look at it.

    All your data is belong to us

    link to this | view in chronology ]

  • icon
    OldMugwump (profile), 20 Jul 2018 @ 11:46am

    Opt out of sharing?

    I'm pretty much with Mike here - under most circumstances "inferred" consent seems reasonable.

    But obviously many disagree.

    For me, whether sharing is OK depends on the data. Lots of things I'm fine with being shared, as I consider them more-or-less public info.

    Other things, not.

    It should be up to me - and each citizen - which data falls in which category.

    So - how about a checkbox?:

    [x] OK to share this data for (some reasonably limited set of related purposes)

    [ ] Not OK to share this data for any other purpose

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Jul 2018 @ 2:42pm

      Re: Opt out of sharing?

      Do you think that your credit rating has anything at all to do with your capability to properly and safely operate a motor vehicle?

      Do you think that paying utility bills late means that you will should be forced into paying more for a loan?

      Do you think your genetic makeup is a basis for determining how much you should pay for health insurance?

      Stay tuned for answers to these questions and more.

      ... I do not think the situation is as cut 'n dried as you imply.

      link to this | view in chronology ]

      • icon
        OldMugwump (profile), 26 Jul 2018 @ 9:07am

        Re: Re: Opt out of sharing?

        (a) A little bit, but not much. (People who are irresponsible with credit are probably more likely to be irresponsible with driving too. But I don't expect a very strong correlation.)

        (b) Yes, of course. (Tho I object to the word "forced". Nobody is "forced" to take a loan. But surely payment history goes to the riskiness of the loan, and I do expect lenders to take that into account in their offers.)

        (c) Yes, obviously. This directly predicts expected medical expenses.

        link to this | view in chronology ]

    • icon
      That One Guy (profile), 20 Jul 2018 @ 3:07pm

      Re: Opt out of sharing?

      As I read it the problem isn't that it can make sense, but that the standards they are using aren't consistent.

      Could Facebook 'infer' consent or are they required to get a clear and unambiguous granting of permission?

      Is Google allowed to 'infer' that someone who's used their service for one thing has consented to that information being used for another thing, or are they likewise required to get explicit permission for any given use?

      If they want to say that it's fine for the government to 'infer' consent, then unless they are willing to grant that same ability to companies and individuals running impacted platforms they're being hypocritical in using two sets of interpretations of the law, one for them, and one for everyone else.

      link to this | view in chronology ]

  • icon
    Advocate (profile), 20 Jul 2018 @ 4:42pm

    It's kind of like in 'merka where "cruel and unusual" is meaningless because even torture is "usual" now.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jul 2018 @ 6:18pm

    Notice how Mansick doesn't distinguish between gov't and corps?

    I don't think that he can.

    Gov't will do with your data pretty much whatever wants, de facto. -- Oh, part of it may be intended to clog up the system and deny benefits, but that's often what gov't wishes.

    link to this | view in chronology ]

  • identicon
    Ed, 20 Jul 2018 @ 7:17pm

    Different if done on a computer?

    Years ago, I was doing some db work for a state public housing department in Australia. This involved identifying housing that required maintenance or refurbishing (anything from new kitchen to painting walls) and assigning that work to an approved contractor.

    One problem I remember was that the department rental agent would not let us go into certain houses. The reason was that they knew those were used by drug dealers and they were scared to go in there.

    Being a naive IT guy and not well versed in the public sector, I suggested telling the police. Oh no, I was told, we have strict privacy guidelines so we cannot do that.

    The privacy concerns were so onerous that I could not even obtain the tenants' names so that my we could send a personalised letter telling them that we were to do maintenance on the property. And that was sharing information within the same govt department.

    Now I don't know what the situation is in Ireland, but certainly in Australia govt departments have privacy guidelines that preclude sharing information.

    However, I would not be surprised if things are different for information gathered on the internet, because it's on a computer.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.