Irish Lawmakers Realizing The GDPR's Consent Requirements Seem A Bit Onerous, Want To 'Infer' Consent

from the oh-wait,-that-takes-work dept

Once again, we find lawmakers who seemingly championed “strong privacy” rules like the GDPR suddenly freaking out when they realize such laws might apply to government bodies as well. Once again, we have Jason Smith at Indivigital to thank for highlighting the latest mess. This time it involves Irish lawmakers trying to figure out how different government agencies can share data between those agencies in order to provide better services. But, here’s the problem: doing so without “consent” would seem to violate the basic concepts of the GDPR, so the Minister of State for Public Procurement, Open Government and eGovernment, Patrick O’Donovan, decided to try to take the easy way out and say that the government should be able to “infer” consent, if someone made use of the government service in the past:

“That principle is accepted. It is a once only principle where if a person is availing of a service, it could be inferred that there is consent already contained in that by virtue of the fact that they have presented themselves to look for that particular support or service from the State.”

Now, personally, I agree that this seems like a perfectly reasonable standard for inferring consent under most reasonable conditions. But the problem is that the GDPR generally does not view things that way. This is yet another example of where people who view privacy through a singular lens of “don’t do anything at all with my data,” often fail to realize how extreme that position is, and how it limits perfectly normal functions.

But, in this case, it comes across as just another example of where governments are saying, “do as I say, not as I do…”


Comments on “Irish Lawmakers Realizing The GDPR's Consent Requirements Seem A Bit Onerous, Want To 'Infer' Consent”

33 Comments
football says:

Disagree completely

I don’t think that it’s reasonable to assume that just because I use one government service, that they should be able to share that data with other services.
And I think that we do need to take an extreme position with privacy, since once your data is shared, it’s not possible to unshare it.
If they want to share data, they can ask permission explicitly. I see nothing wrong with that.

Anonymous Coward says:

Re: Disagree completely

As an example, Canadian tax forms for years have had two checkboxes on the front page:
1) Are you a citizen?
2) If yes, can we register you to vote?

It’s a reasonable way to get people registered. All you have to do is check a box to consent; there’s no real burden here that would justify automatic or opt-out sharing.

What are the Irish examples? The linked web page is not loading.

Seegras (profile) says:

Re: Re: Voter registration is bollocks

I don’t understand this even the slightest.

Here in Switzerland, when you’re a citizen above the age of 18, you’re a voter. Always. You don’t have to “register” or whatever nonsense. You’re already registered as citizen, why would you need to re-register to partake in your rights as citizen?

Anonymous Coward says:

Re: Re: Re: Voter registration is bollocks

You don’t have to "register" or whatever nonsense. You’re already registered as citizen, why would you need to re-register to partake in your rights as citizen?

In Canada, they’ll mail you a voter card to tell you where to vote, and it can be used as proof of address. Those who haven’t pre-registered can still vote, if they have other proof.

tdlawyer (profile) says:

Contractual Basis?

Just for fun, let’s assume GDPR applies to them in full.

If a person’s request to a government agency necessarily requires processing, there is a basis for this in the GDPR already: to perform under a contract.

The government could probably use this basis for all processing that is actually necessary to fulfill the constituent’s request.

Legitimate interests might justify some analysis thereof. Sharing… I don’t know if legitimate interests justifies sharing information among agencies.

At any rate, even if you could just infer consent, you’d have a new problem: your basis for processing is now consent, which is very inconvenient. Consent under GDPR is always revocable and cannot be made contingent on providing the service, which means all the government agencies sharing information on the basis of consent would need to tag all such data with some identifier which allows them to find and delete it later if the constituent revokes!

Good thing they don’t subject themselves to the GDPR rules that they think are so great when applied to everyone else! ( ͡° ͜ʖ ͡°)

That Anonymous Coward (profile) says:

Consent is easy…
NO MEANS NO!
You can not infer consent, because consent can be withdrawn at any time and you have to honor that!

They want the right to ruin everyone else who told them the law was stupid & is trying to live up to a standard they decided they don’t have to, because they are special.

If the law does not apply to EVERYONE the law is broken.

Anonymous Coward says:

Some rules only work in the extreme.

Once a RED light meant stop. Period.

Now, due to political intervention a RED light means stop and then turn right on red.

Before one could walk across the street.

Now if one attempts to walk across the street the only safe time is when there are no cars present because there is always some nut case that will turn the corner at 40 MPH.

Privacy is the same way. It is all or nothing. If there are exceptions to the rule someone will exploit those exceptions to such an extent that there is none.

Anonymous Coward says:

Re: Re:

You are still supposed to stop before turning right on red. Too many people don’t, just as too many people turning left on an unprotected turn don’t yield to opposite traffic turning right.

Problem with privacy is there’s a lot of “supposed to”s that can’t be undone once the cat’s out of the bag.

Anonymous Coward says:

Re: Re:

Once a RED light meant stop. Period.
Now, due to political intervention a RED light means stop and then turn right on red.

The red light still means stop. It used to also mean "don’t go", unconditionally; it’s only this part that’s changed. AFAIK, it’s illegal everywhere to turn right at a red light without first stopping. This could be better enforced; in many areas it’s illegal to run a yellow light when safe to stop, and I’ve never seen that enforced either.

Anonymous Anonymous Coward (profile) says:

Open the floodgates

When someone starts to infer the right to share data, they will then infer with whom they can share that data. The chain of inferences then becomes unmanageable and the data will then become universally known. There need to be some limits to any suggestion of inference; the problem then becomes how to control those. Look at how our browsing habits and third party knowledge have become ‘we own all your data’. This isn’t right.

Anonymous Coward says:

As soon as you grant inferred consent, the government will make sure that all its various branches have that consent. That is hardly the purpose of privacy to give everyone and their brother access to data by using one service.

In the US of course if they followed this, then the NSA and everyone else has access automatically with government approval and no public oversight at all. Kinda sounds like what we have now.

James Burkhardt (profile) says:

A lot of people complain about this, but it makes some sense. I used to get food stamps, when my income warranted it. At the same time, I used to get Medi-Cal (Californian Medicaid) under the Obamacare expansion.

Despite Medi-Cal normally going through the same agency as Food Stamps…it doesn’t in the case of the Obamacare expansion (or did not back when I was getting it in 2014).

I was trying desperately to determine how to apply to Obamacare Medi-Cal, when I got a letter telling me I qualified based on info from my food stamps. And while that mess is due to mismanagement, the ability to disseminate my information to other agencies to determine my qualifications for other services, and speed up intake to my other services is excellent.

That said, they need to do what everyone should be doing, explaining to me the savings in my time and effort if we allow different agencies to access my info, allow me to opt-in to sharing my data on a per agency basis, and provide easy opt out tools, at least an easy phone number to manage my data preferences.

OldMugwump (profile) says:

Opt out of sharing?

I’m pretty much with Mike here – under most circumstances “inferred” consent seems reasonable.

But obviously many disagree.

For me, whether sharing is OK depends on the data. Lots of things I’m fine with being shared, as I consider them more-or-less public info.

Other things, not.

It should be up to me – and each citizen – which data falls in which category.

So – how about a checkbox?:

[x] OK to share this data for (some reasonably limited set of related purposes)

[ ] Not OK to share this data for any other purpose

Anonymous Coward says:

Re: Opt out of sharing?

Do you think that your credit rating has anything at all to do with your capability to properly and safely operate a motor vehicle?

Do you think that paying utility bills late means that you should be forced into paying more for a loan?

Do you think your genetic makeup is a basis for determining how much you should pay for health insurance?

Stay tuned for answers to these questions and more.

… I do not think the situation is as cut ‘n dried as you imply.

OldMugwump (profile) says:

Re: Re: Opt out of sharing?

(a) A little bit, but not much. (People who are irresponsible with credit are probably more likely to be irresponsible with driving too. But I don’t expect a very strong correlation.)

(b) Yes, of course. (Tho I object to the word “forced”. Nobody is “forced” to take a loan. But surely payment history goes to the riskiness of the loan, and I do expect lenders to take that into account in their offers.)

(c) Yes, obviously. This directly predicts expected medical expenses.

That One Guy (profile) says:

Re: Opt out of sharing?

As I read it the problem isn’t that it can make sense, but that the standards they are using aren’t consistent.

Could Facebook ‘infer’ consent or are they required to get a clear and unambiguous granting of permission?

Is Google allowed to ‘infer’ that someone who’s used their service for one thing has consented to that information being used for another thing, or are they likewise required to get explicit permission for any given use?

If they want to say that it’s fine for the government to ‘infer’ consent, then unless they are willing to grant that same ability to companies and individuals running impacted platforms they’re being hypocritical in using two sets of interpretations of the law, one for them, and one for everyone else.

Ed (profile) says:

Different if done on a computer?

Years ago, I was doing some db work for a state public housing department in Australia. This involved identifying housing that required maintenance or refurbishing (anything from new kitchen to painting walls) and assigning that work to an approved contractor.

One problem I remember was that the department rental agent would not let us go into certain houses. The reason was that they knew those were used by drug dealers and they were scared to go in there.

Being a naive IT guy and not well versed in the public sector, I suggested telling the police. Oh no, I was told, we have strict privacy guidelines so we cannot do that.

The privacy concerns were so onerous that I could not even obtain the tenants’ names so that we could send a personalised letter telling them that we were to do maintenance on the property. And that was sharing information within the same govt department.

Now I don’t know what the situation is in Ireland, but certainly in Australia govt departments have privacy guidelines that preclude sharing information.

However, I would not be surprised if things are different for information gathered on the internet, because it’s on a computer.
