DRI defends the right of individuals to control how their personal information is collected, used, and shared by organizations and governments. European and Irish laws protect individuals’ privacy, and defending these vital rights against big tech and government infringement is fundamental to our advocacy work.

#No2PSC

In 2011, the Department of Employment Affairs and Social Protection launched the Public Services Card (PSC) in order to streamline access to public services in Ireland. The legislation that created the PSC specified it was to be optional and used primarily for social welfare. Despite this limited legal scope, the government made it increasingly difficult for citizens to access public services like driving licenses, student grants and passports without one. To enable this, they facilitated the transfer of millions of PSC users’ data between departments, in direct contravention of Irish law and of the GDPR.

In 2019, DRI launched the #No2PSC campaign to force an end to this illegal abuse of over three million PSC users’ data. #No2PSC signed up over 17,000 PSC holders as official complainants to the Data Protection Commission in Ireland’s first large-scale “mass action” under Article 80 of the GDPR.

Impact: In 2021, the Government agreed the PSC was no longer compulsory for services outside of the Department of Social Welfare. In June 2025, the DPC declared that collecting and processing biometric data (specifically facial scans) for the PSC was illegal. The DPC fined the Department of Social Protection €550,000, the largest fine ever levied against a Government department in Irish history, and ordered a stop to the processing of data within 9 months, unless a lawful basis is established.

Schrems and Safe Harbor

In a 2013 complaint to the Irish Data Protection Commissioner, Austrian privacy advocate Max Schrems argued that Facebook Ireland’s transfer of EU citizens’ data to Facebook US under the Safe Harbor framework did not provide adequate protection of EU users’ data, especially in light of Edward Snowden’s disclosures about U.S. surveillance programs.

DRI was joined as a party in the case before the Irish High Court as an amicus curiae (friend of the court) when the case was referred to the Court of Justice of the EU (CJEU). DRI advocated to the CJEU in favor of stricter enforcement of Facebook user’s data privacy under the EU Charter of Fundamental Rights.

Impact: In a landmark judgment, the CJEU upheld DRI’s position and invalidated the entire Safe Harbor framework. It found that Safe Harbor failed to ensure adequate protection of 315 million EU users’ data, violating their EU privacy rights.