Ireland has been building up searchable lists of the names and addresses of its naturalised citizens, people who swear an oath of allegiance to the state in a moving ceremony held in the National Conference Centre. The state has then been publishing these new citizens’ names and addresses (and also their children’s names and addresses, marked in public to identify them as minors) on the internet.

The Irish Times broke this story today and there has already been a response from the Data Protection Commissioner’s office.

A very poor response.

The Data Protection Commissioner’s deputy Commissioner says that it is not a breach of Data Protection laws, on the grounds that there is a legislative basis for publication.

There are two problems with that. Firstly, the legislative provision he is referring to (Section 18(2) of the Irish Nationality and Citizenship Act 1956) simply requires that some notice be published:

“(2) A certificate of naturalisation shall be in the prescribed form and be issued on payment of the prescribed fee, and notice of issue shall be published in the prescribed manner in Iris Oifigiúil.”

The suggestion that that should include the name, address and whether the person was of full age or a minor is only found in a subordinate Statutory Instrument (SI 284/2011).

So, the grounding legislation doesn’t require the divulging of new citizens’ personal data and the SI that does can be changed by the stroke of a pen.

But there is a further issue, which the reported response by the Data Protection Commissioner’s Office completely fails to take into account.

If either the 1956 Act or the 2011 Statutory Instrument is in conflict with the Data Protection Directive then it is the EU law which is superior. And, as was confirmed in the CJEU judgment in Digital Rights Ireland, data protection rights (which are also protected by the Charter of Fundamental Rights) can only be legitimately infringed upon where doing so is necessary and proportionate for the stated purpose of the infringement.

Here, neither the 1956 Act nor the 2011 Statutory Instrument gives any stated reason why publication of citizens’ names and addresses and their status as an adult or a minor should happen.

Therefore, the publication is neither necessary nor proportionate and is in conflict with the EU Directive and the Charter, which forms part of the EU Treaties.

If there is a domestic law which is in conflict with a superior EU law, it is a duty of all emanations of the state to, themselves, dis-apply the domestic law.

Therefore the legislative basis defence for this publication should simply fall away, as the legislation itself is dis-applied by the Data Protection Commissioner’s Office (both as an emanation of the state and as, ultimately, a creature and protector of EU law).

Without a defence of legislative basis, it is hard to see what other justification the State could advance for publishing on the internet the names and addresses of our newest citizens, and those of their children.

That the DPC’s office does not seem to have been in a position to provide this analysis itself raises serious concerns.

Further reading: Daragh O’Brien has written an excellent piece this morning on the same topic taking issue with some of the other reasons given by the Data Protection Commissioner’s office for their refusal to act.