Irish State Forced to Confront Illegal Biometric Database as Digital ID Expansion Looms
Ireland is now confronting one of the most significant privacy and civil liberties controversies of the decade: the State’s collection and retention of citizens’ biometric data through the Public Services Card (PSC) system, and the planned expansion of an online identity authentication service—MyGovID—built on that same system.
Illegal Biometric Data Collection Confirmed
In June 2025, the Data Protection Commission (DPC) concluded a long‑running investigation into the Department of Employment Affairs and Social Protection’s (DSP) SAFE 2 registration process, part of issuing Public Services Cards. The DPC found that the Department:
Failed to identify a valid lawful basis under the EU General Data Protection Regulation (GDPR) to collect biometric facial templates from applicants;
Unlawfully retained that biometric data, categorised as sensitive “special category data” under GDPR;
Failed to provide adequate transparency to citizens about how their data was used;
Failed to conduct an adequate Data Protection Impact Assessment (DPIA) in relation to this processing. Homepage | Data Protection Commission+1
The scale of this biometric database is substantial: by 2021, the DSP held biometric facial templates for about 70 per cent of Ireland’s population—millions of people—derived through the Public Services Card registration process that was mandatory for access to certain State benefits and services. Law Society of Ireland
As part of its decision, the regulator reprimanded the Department, imposed a €550,000 fine, and ordered the State to cease biometric processing within nine months unless a valid, lawful basis can be established. Homepage | Data Protection Commission
Civil liberties groups have labelled the decision important but insufficient, arguing that this “illegal” biometric database should be deleted immediately rather than allowed to persist while the government attempts to retrofit legality. ICCL
What This Means for Digital Identity in Ireland
The biometric database controversy is not an isolated technical issue. The Government is currently pushing forward with an expansion of online identity infrastructure centring on MyGovID, an authentication service that allows Irish residents to log in to public services online.
MyGovID is the official online identity platform run by the Department of Social Protection, intended for people aged 16 and over who wish to access Government services digitally. ICCL
This system does not currently have specific statutory legal footing in Irish law and has been operated on a pilot or administrative basis. Irish Legal News
Because MyGovID links to the Public Services Card and its underlying biometric verification process, critics argue that its very foundation is legally shaky given the DPC’s finding that the biometric collection was unlawful. Biometric Update
Government sources confirm that MyGovID will likely serve as the basis for a forthcoming government digital wallet, part of broader online identity strategy and child online safety policies, including proposed age verification mechanisms for social media platforms. The Irish Times
Civil Liberties Concerns and State Power
Privacy and digital rights advocates—such as the Irish Council for Civil Liberties (ICCL) and Digital Rights Ireland (DRI)—have raised alarm about this trajectory. These groups warn that:
Linking online identity and biometric databases expands State surveillance capacity without clear legal protection;
Extending MyGovID to private services such as social media could effectively force citizens to reveal government‑linked identity for broad parts of their online life;
Such integration risks undermining digital anonymity, a cornerstone of free speech and personal autonomy online. Irish Legal News+1
ICCL has explicitly called for urgent clarification from the Minister responsible, noting that expanding MyGovID—based on a system already flagged as illegal by the data regulator—raises serious constitutional and human‑rights concerns. ICCL
DRI echoed this concern, welcoming the DPC’s fine but condemning the regulatory timeline that allows the illegal processing to continue pending potential legislative fixes, and urging cardholders to assert their rights. Digital Rights Ireland
Security, Control, and the Future of Digital Identity
Beyond legality, there are security and risk considerations. Biometric identifiers—like facial templates—are inherently non‑revocable: unlike a password, you cannot reset your face. A breach of a biometric database therefore represents a permanent compromise of identity credentials. While the DPC’s investigation focused on lawful basis rather than technical safeguards, critics argue that the sheer size and sensitivity of the database present a systemic risk. Law Society of Ireland
Supporters of digital identity systems assert that they can streamline access to services, reduce fraud, and provide convenience. However, legal and rights experts stress that fundamental protections must be in place first.
What Citizens Should Know and Do
For citizens concerned about their biometric rights:
You have the right to raise a complaint with the Data Protection Commission under GDPR, including seeking deletion of biometric data that was processed unlawfully;
Government may attempt to establish new legal foundations for biometric and digital identity processing, but public debate and legislative scrutiny remain essential;
Civil liberties groups urge voluntary participation, lawful processing frameworks, independent audits, and real offline alternatives for individuals who choose not to enrol. Irish Legal News
Ireland is at a crossroads: as the State pushes digital identity broader into everyday life, the boundaries between public services and personal autonomy are under scrutiny. If online identity becomes pervasive without robust legal guardrails, freedom of movement, expression, and privacy could increasingly hinge on compliance with systems that lack clear statutory authority and whose foundations have been found unlawful.
Aaron Joyce, Newswire, L.T.T Media; Newsdesk; January 7, 2026
