Passport photo company to change data privacy policy

Photo-Me to keep personal data within EU, not outside European Economic Area

The Department of Foreign Affairs said the new online passport application service had cost €904,000 to date. Photograph: Bryan O’Brien
The Department of Foreign Affairs said the new online passport application service had cost €904,000 to date. Photograph: Bryan O’Brien

The only company currently providing approved passport photos for the State’s new online passport application service is to change its privacy policy, after initially indicating it may process citizens’ personal information outside the European Economic Area (EEA).

Such processing can potentially breach EU privacy laws, which generally ban the processing of personal data outside the EEA unless certain legal safeguards are in place.

Photo-Me, which is behind the passportphoto.ie website linked directly from the Department of Foreign Affairs site, told The Irish Times following queries that it is changing its privacy policy and will only process citizens’ personal information in Europe.

Minister for Foreign Affairs Charlie Flanagan launched the State's online service last month, describing it as "a safe, fast and convenient way to renew your passport" and praising it as "one of the most significant innovations in customer service over the past 15 years".

READ SOME MORE

Applicants may now submit their passport application digitally, attaching a photo with the correct technical specifications. Those who opt to use one of the Photo-Me booths around the State are issued with a code to input online with their passport application.

The company’s privacy policy says: “We may transfer and process any personal information you provide to us to countries outside the European Economic Area whose laws may not afford the same level of protection to your personal information.”

However, the company said it was not processing Irish citizens’ passport pictures outside the EEA. Managing director of Photo-Me Patrick Brennan said the privacy statement was a generic statement covering a group policy and that it was now being redrafted. The draft new privacy policy now states that “all personal data is held within the EU”.

Commercial service

Photo-Me Ireland, which is part of a group operating more than 26,000 photo booths in 15 countries, was the only commercial service that met the Department of Foreign Affairs's technical requirements for the passport photos.

Individuals may also take their own once they meet the correct specifications.

In a statement, the Department of Foreign Affairs said the new online passport application service had cost €904,000 to date.

It said it did not have a commercial contract with Photo-Me and did not purchase digital photo services.

“The arrangement between the department and digital photo providers is that the provider captures a photograph in the normal way and makes this photo available to the customer for onwards digital transmission to the Passport Service,” it added.

“The photograph providers undertake all the work in terms of the operation and management of the service and bear all costs associated with the service that a customer uses to obtain a digital passport photograph.”

Photo-Me was the first digital photo provider that had offered its services to the public “in a manner that the department can facilitate”, it said.

“Additional photo providers may also soon provide this service to the public.”

The department also said its online passport application service had been “extensively security tested and meets the highest international standards, and personal data will be fully protected”.

“The service is supported by a sophisticated facial recognition system that can readily spot identity theft. In addition, there are links to a single customer view that provides identity-related information drawn from other government departments within the provisions of data protection legislation.”

In all processing of personal data Photo-Me and other future providers were “legally obliged to comply with the requirements of the Data Protection Acts . . . as well as all applicable Irish, EU and other data protection legislation.”