Revenue asked the Department of Social Protection to investigate 1,616 pandemic unemployment payment (PUP) recipients last year, but questions have arisen about sharing of citizens’ data between state agencies.
Over the last three years, case-specific enquiries, where customer data was given to the Department’s Special Investigations Unit by Revenue, went from 1,403 cases in 2019 to 1,212 cases in 2020 and then rose to 1,616 last year. So far this year there have been 641 case-specific enquiries.
The Minister of Finance Paschal Donohoe told Social Democrats co-leader Catherine Murphy that Revenue and the Department of Social Protection “enjoy very close working relations” and he defended the sharing of citizens’ data.
“The Government believe the Taxes Consolidation Act 1997 permits Revenue to disclose taxpayer information where the disclosure is permitted by another enactment and specifically permits Revenue to disclose taxpayer information where a Revenue officer has a suspicion that a criminal offence has been committed but only to an investigation authority, such as the Department of Social Protection.”
Mr Donohoe said the mutual exchange of data is a “critical component in the effective and efficient functioning of both organisations”:
Given the importance of taxpayer confidentiality to its activities, compliance with data protection (including GDPR) obligations is a major consideration for Revenue.
“I am advised that Revenue continually reviews its data exchange arrangements, even where these are long-standing ones, to ensure that they are in keeping with best practice.”
However, GDPR expert and solicitor Simon McGarr said domestic legislation on the issue is overridden by European law and therefore the Government’s actions could be incompatible with European law.
He pointed to a ruling in 2015 by the Court of Justice of the European Union (CJEU) against Romania, known as the Bara case, which stated: “On the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures … which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.”
Mr McGarr said: “The Court of Justice of the European Union found on the Bara case that national legislation which provided for data sharing without meeting the requirements for transparency, by informing the citizens of the transfer before it happened, was incompatible with EU law.
“No distinction was drawn between primary or secondary legislation in that court decision.
“The State has known that this data sharing has been condemned by the CJEU since Bara was 2015, and any national legislation which purports to allow for such sharing has to be set aside by all state bodies.”