Can You Leave the Catholic Church Using GDPR?

a church cross

25 May 2018 was one hell of a day for Ireland. We Repealed the Eighth Amendment and paved the way for the women of Ireland to have bodily autonomy. It was a massive stride forward. It was a stride forward from an Ireland where the Catholic church dictated how things are done, though I still read many articles and quotes from religious leaders who claimed I had sinned by voting Yes. Me? Sin? Are ye mad!

Fortunately, on 25 May 2018 the EU also brought into force new data protection laws known as the General Data Protection Regulation which empowers EU citizens with improved rights over their own data. I wonder if GDPR could somehow absolve me of my sins and help me leave the church. First things first, can’t I just leave?

How to Defect from the Catholic Church: Easier Said Than Done

Reforms by Pope John Paul II back in 2006 formalised how to leave the Catholic church. It was a proper method of fully defecting from the church and the reason for it was super simple. In Germany, people who themselves did not relate in any way to the Catholic church were still forced to pay a 1% tax collected by the Government which benefitted the church. Ensure people were no longer forced to pay this tax even when they no longer related to religion, some floodgates opened.

An Irish website was set up called for the sole purpose of encouraging people to leave the Catholic church. Over 12,000 people downloaded a Declaration of Defection from the website, allowing them to leave the Catholic church. However, changes to canon law in 2009 more or less closed this loophole and the site struggled to continue operating.

If you wanted to leave the Catholic church, you had just missed your chance.

GDPR and Leaving the Catholic Church

When you think GDPR, you probably think about emails about those damned privacy policy updates and how every site in the world now asks you about cookies. However, GDPR reaches far beyond the modern and the technical. GDPR is about all data which can be related to an individual. Does GDPR apply to churches? Absolutely, they handle and process data just the same as big brands and companies around the world do. It recently emerged that Facebook actually has more followers than the Catholic church, so why wouldn’t they be bound by the exact same regulations?

Back in 2009, I wasn’t really worried about religion. I knew I wasn’t religious but I also wasn’t too bothered about it in general. I was a student in college and to be quite frank, I wasn’t bothered about a whole lot at all. My reason for defecting from the church comes much more recently.

A Born Sinner: Repeal the Eighth

I think we can all agree that the recent referendum to repeal the Eighth Amendment from the Constitution of Ireland was a pretty emotional time for our wee island. Back before I rattled out articles on gadgets, I was studying the history of Ireland’s national identity and how it was firmly built upon women and them holding a certain position in the country. Personally, I feel that repealing the eight was Ireland moving on and away from women being second-class citizens in Ireland.

Amid the emotional fallout of the referendum, I was rather disgusted to see some comments from religious leaders within the Catholic church. This article will remain respectful and I promise that’ll likely be as harsh as my wording gets from here on in.

The Bishop of Elphin, Kevin Doran, stated that practising Catholics should who voted yes in the referendum should seek confession.

Right, I’m not a practising Catholic, but even having my name recorded somewhere that I’m Catholic made me a little bit too close to sin for my liking. Rather than absolve myself of sin through a confession, I decided to absolve myself of religion through GDPR.

No, I’m Not an Atheist

I just wanted to make a small point here. I’m not an atheist. Like Neil deGrasse Tyson, I’d rather be considered nothing at all, but if I was to related to something, I’d be Agnostic. The mother of all “on the fence” stances.

I do think there’s a chance something amazing happens after death, but also accept there’s a chance nothing happens. Ultimately, I believe there’s no way anyone on this planet can understand what happens after we die, because we’re all alive. Duh.

How Can GDPR Help You Leave the Church?

Because I’m a nerd with some free time, I found myself perusing the EU’s GDPR documentation. Seriously, leave it beside the toilet, you’ll get through it in no time. Anyway, when reading through it I couldn’t find any reason the church should be allowed to hold my records without my consent. I actually found reasons I considered to be more compelling towards these records being destroyed altogether.

Why Was the Data Collected?

The second principle of GDPR states data should be,

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Considering I no longer want anything to be Catholic or have anything to do with the Catholic church, what reason would they have for holding my data? Now, without giving anything away, there is more to this principle regarding holding data for archival and historical reasons; more on that later.

Minimise Data Storage Where Possible

If a company or organisation holds your data, they should only hold the absolute minimum they require in order to achieve the reason the data was collected in the first place. That might be confusing, but generally speaking, if I don’t want to be in the Catholic church, there’s no reason for them to have my data. Minimisation means they shouldn’t keep it.

Data Should Be Kept Accurate and Up To Date

This one is a doozy in my eyes. GDPR states quite clearly that any stored data should be kept up to date and accurate. Efforts to highlight inaccuracies should be taken seriously and be acted upon without delay. Honestly, here’s the actual wording from GDPR. Data should be kept,

accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay

Sounds like a slam dunk right? I no longer consider myself to be Catholic but church records say otherwise. That’s inaccurate and should be updated. Right, let’s keep moving.

When is Processing Allowed?

Processing can mean a whole range of things. Modern-day processing means handling email addresses and the likes, but it can also relate to the storage of information. The Catholic church is processing my personal data without my permission. Actually, they are processing my data in opposition to my expressed wishes that I have nothing to do with them. Oops, I’m getting ahead of myself. More on that in a bit.

The Right to Be Forgotten

This one is really simple. First of all, there are two terms to need to know:

  • Data Controller
  • Data Subject

When it comes to me and the Catholic church, they are the Data Controller and I’m the Data Subject.

GDPR states the Data Subject has to right to have all personal data the held by a Data Controller deleted and the Data Controller should delete immediately when one of several conditions apply. Here are the ones I found most interesting:

  • personal data is no longer required to achieve the original reason the data was collected for in the first place
  • the Data Subject withdraws their consent and there is no other legal grounds for processing

With everything I had learned about GDPR, I felt I had a pretty decent case which could have me removed from the Catholic church. They held baptismal records which stated I was Catholic. I could no longer defect from the church as the canon laws were changed, but maybe GDPR could help me out.

Attempt 1: Data Access and Deletion Request

It all seemed straightforward. I just needed to contact the Bishop where I was baptised, the Diocese of Ossory and request he removes my records from the Parish record.

I’ll be completely honest – the Diocese were fantastic communicators and handled everything promptly. While the ultimate goal was not achieved, progress has been made.

Dermot Farrell, the Bishop of Ossory, wrote to me stating he respected my desire to no longer be associated with the Catholic church. He made a note on register held at the Diocesan office but conceded he could not delete or alter the original records as they are of historical and archival significance.

I’m a trained historian who loves nothing more than good historical records. But I’m also a modernist embracing technology

These left me feeling extremely divided. I’m a somewhat trained historian who loves nothing more than good historical records. You know, books and all that good stuff.

But I’m also a modernist embracing technology in an ever-adapting world where people should have the right to control their own own records and data; within reason.

My own personal conclusion on this matter is that my data relating to my person is being held within a private club against my wishes. Worse still, this data is not accurate and doesn’t describe who I am. In fact, that data was acquired without baby me’s consent!

Church records, in my eyes, are not records akin to the census or local government records like birth and death certs. While GDPR does allow for processing of data considered to be of historical or archival significance, why should the Catholic church, an organisation which is my eyes is no different to a brand I no longer choose to interact with, be allowed to maintain records on me without my consent?

this is no different to that lapsed gym membership I no longer use

To me, this is no different to that lapsed gym membership I no longer use. I’m not going every week, I’m not taking part and there’s no reason for the Catholic church to have a record of me being here in the past.

Attempt 2: Sure, Let’s Ask the Data Protection Commissioner

There’s a chance that there’s some law which does consider church records to be of historical significance. And that’s fine. I’ll have to gear up for a different battle on that front. However, if there’s no such law that the Catholic church is not above GDPR and my request has not been handled correctly.

Again, I want to reiterate that my request was handled promptly and with nothing but respect from all parties and I do wish for this continue, especially from my side. But I will be raising this with the Data Protection Commissioner to check why I cannot fully have all records of my past membership to the Catholic church deleted completely.

Update #1: The Data Protection Commission is Taking This Seriously

Okay, I’m not trying to be dramatic as I’m sure the Data Protection Commission takes everything seriously. However, I haven’t been laughed out the door and they’ve even requested additional information in order to assess my case in more detail. The most recent update has been that I’ve been assigned a case officer and that’ll I’ll hear back within the next few months. It might take some time, but stay tuned.

Update #2: I’m Not Alone

The Data Protection Commission is bound to a commitment to update me on progress every sixty days or so. As this is the case, I’ve received two fairly generic updates from the assigned DPC Case Officer. While somewhat generic, the responses do outline how seriously they are taking this.

this raises a number of very important and complex issues under data protection law

In their update, the DPC emphasises that “the matter at the heart of [my] complaint raises a number of very important and complex issues under data protection law”. The email also informed me that I’m not alone and that the DPC has received a number of similar complaints.

the Data Protection Commission has sought external legal advice

As a result, the Data Protection Commission has sought external legal advice and is undertaking a wider analysis of the issue to clarify a number of points under both national and EU law.

They’ve promised I’ll be kept up to date on the matter too so I’ll keep you posted too. Thanks to everyone who has sent me messages to date! I’ve been inundated with direct messages regarding this and have done my best to respond to everyone. Thanks for your support – fingers crossed this ends in a result.

Update #3: The Complexities

The DPC are brilliant communicators and have once again updated me on my request to have my data deleted from church records. This time, I’ve received some additional info around why this is such a complicated issue.

Right now, the DPC is trying to identify who the Data Controller is in this situation. My guess is this could be anyone from the Diocese of Ossory to the Vatican. From the local parish priest to the pope himself. Who knows?

Once that’s cleared up the DPC will start their own inquiry. Now, this won’t be based purely on my case, but will instead take an eagle’s view look at all the cases involving the church. As I mentioned earlier, I’m not alone in this one.

This inquiry is where things will get very interesting as it will be this inquiry which seeks to find out if there is an obligation on the data controller to erase personal data contained in church records when requested, or whether any exemptions may apply.

Update #4: One Year In – The End is Nigh

It’s been a year since I submitted my request to the Data Protection Commissioner regards how the church is handling my personal data. While a conclusion has yet to be reached, it would appear that we’re at the final step before a grand finale.

As mentioned in a previous update, the DPC was seeking external legal advice to consider their next steps. That legal advice has landed. Praise the…..whatever it that agnostic people like myself praise. The DPC is currently considering this legal advice and now I await another update which will be issued within the next three months. I’m hopeful it won’t be the full of the three months and I’m hopeful the next update is the resolution I was seeking.

Update #5: The DPC Steps Up The Game

Ok, so my update of “the end is nigh” was way premature. However, there have been some exciting updates. First of all, my journey to leave the church has become front-page news in the Sunday Times. This comes following the most recent update sent to me from the DPC. Basically, they have confirmed that they are proceeding with an investigation into how the church handles records on an “own volition” basis. This means the investigation is linked to my case, but it’s not purely because of my case. The DPC is examining “the circumstances of the storage and retention of church records of data subjects who no longer wish to have their personal data processed in any or all church registers”.

Their goal with this investigation is to “ascertain whether an infringement has occurred or is occurring of the GDPR or a provision of the Act”. Interestingly, even though my original complaint relates to the Diocese of Ossory, the DPC is targeting the Archdiocese of Dublin.

While I won’t be privy to the outcome of this specific investigation, the DPC believes the results of this investigation will “substantially overlap with, and influence the outcome of, [my] complaint”.

Update #6: Questions To The Archdiocese of Dublin

Generally speaking, the DPC offers some kind of update every three months. After counting on my fingers an embarrassing number of times I worked out I was due an update. It’s no secret that the DPC in Ireland is snowed under. As the base of operations for the entire EU they have to deal with Facebook’s carry on, on top of everything else.

Anyway, I emailed saying surely it’s time for another update. I was right. While it was nothing exciting, it’s at least another date to mark in the calendar.

I was reminded that “the DPC’s own volition Inquiry into the Archdiocese of Dublin was ongoing”. While my own complaint is technically against the Diocese of Ossory, what happens in Dublin will set a precedent. The DPC then confirmed that “as part of this ongoing Inquiry, [the DPC] has raised further questions with the Archdiocese; to which a response is expected on or before 15th October 2020.

Update #7: It’s Been Over 1000 Days

I’ve written a new article to give an update on the story so far. I’ll continue to keep this one updated with the latest news.

Sit tight folks.

Update #8: Best Of Buds

I’m taking a brief break from hitting my head off a wall to give you the latest update I received this morning (7th May 2021).

“Further to my correspondence of the 04 February 2021, I can confirm that the Data Protection Commission has put a further series of questions to the Archbishop; the response to which will help inform the outcome of this Inquiry. The DPC, will, handle your complaint based on the outcome of the Inquiry”.

I’m having visions of the Commissioner and the Archbishop sitting back together sipping cocktails and having a right old laugh at their handling of personal data. It truly feels like minimal effort is being made here by both parties. The fact I’m getting updates from the DPC almost to the day of the three-monthly commitment shows that progress in the complaint isn’t a priority. Ticking boxes is.

The church’s Canon Law is not above Civil Law. This should have been a slam duck mistreatment of personal data. But the DPC is just kicking the can down the road and avoiding dealing with the problem. After watching the Oireachtas Committee Meeting on this topic many share that belief.

Ads To Pay The Bills
Previous articleGoogle And HSE Investigating Android COVID Tracking App Battery Issues
Next article83,000 People Uninstalled Irish COVID Tracker App
Founding Editor of Goosed, Marty is a massive fan of tech making life easier. You'll often find him testing something new, brewing beer or finding some new foodie spots in Dublin, Ireland. - Find me on Threads