An Account of Recent Domestic Data Protection Developments

‘’Digital is sophisticated enough to combine Security, Convenience and Personal Privacy’’.

Stéphane Nappo’s phrase has been converted to reality in the likes of the GDPR, which has revolutionized the data protection framework by unifying the preceding system and expanding it on an EU scale. Despite the GDPR being a relatively recent phenomenon, we can already observe its resulting innovations locally, especially with regards to sanctioning and interpretation.

In the Information and Data Protection Commissioner’s Statistics of Notified Breaches for 2018 and 2019, a consistence frequency increase in breach notifications may be observed since the implementation date of the GDPR, especially in the first months following implementation. In 2019, fewer imposed administrative fines have been recorded, however the recorded proportion of number of fines to incurred amounts in fines reflect the higher sanctioning standards of the GDPR.

Even if at minimal recorded numbers, administrative fines have been incurred both by the private and public sector.   The most notable imposed fine is that incurred in the  ‘Lands Authority Personal Data Breach’, reported in the IDPC’s Press Release dated February 18th of this year. This breach occurred within the ‘Lands Authority’ online platform, which authority forms a part of the state’s executive branch. In this case, thousands of users of the platform’s online services, were subjected to a major breach resulting in the publication of their personal information leading to their direct or indirect identification. This included email correspondence, identity cards and affidavits amongst other information which were all made accessible through search engine results, exposing personal information globally. The grounds for the case was Article 32 of the GDPR, being one of the major substantive changes to the Data Protection framework, by increasing the expected standards of diligence in the application of adequate technical and organisational methods.

Another noticeable element here is the administrative fine of 5,000 Euros.  Whilst one may consider this as a relatively low fine in proportion to the 10 million and 20 million euro benchmarks, one must take into consideration mitigation in maximum sanctioning afforded to public bodies and authorities. This is established by Article 83(3) of the GDPR which decreases the thresholds applicable to such bodies and authorities substantially.  Hence, here we must consider the fine imposed against a 25,000 euro maximum stipulated for lower tier breaches. By proportion to the pre-GDPR maximum of 500 euros, this administrative fine is still an indicative element of the increased significance of the new framework. In issuing the fine, the IDPC considered the full cooperation offered by the Authority during the investigation, which to some extent balanced out the compelling element of lack of diligence in the application of Article 32, as well as an 11 month delay of notification occurring due to the breach going unnoticed.

Although the GDPR adapted the data protection framework to a broader digital application, in recent months the coinciding principles to the earlier framework have still experienced advancement in interpretation and application under the previous framework. For instance, we may note that the Information and Data Protection Appeals Tribunal has extended the definition of journalism to bloggers who substantially exercise the same data processing and freedom of a journalist, hence extending the application of the applicable derogations. In this same case, the tribunal also takes a thorough approach in defining the idea of public interest, and its qualification by necessity to a democratic society. In the Doreen Camilleri claims, we also see the application of data protection legislation to the field of employment, wherein the tribunal undertook the task of interpreting the definition of ‘personal data’ itself, especially in light of the conflict between identification and ownership of data. In this case, the controller, being the employer, had effective and legal ownership of the data, even though the email address in question held the data subject’s name. Moreover, we also see the application of the legal basis of public interest and legal obligation. In a parallel claim made by the same plaintiff, the tribunal also tackled the right of access to reports showing scope and means of processing for the purpose of disciplinary actions, complaints and termination, as allowed by the old data protection laws.

With the first year of GDPR implementation having elapsed, this overlook of local data protection milestones sheds light on the impact the new EU approach has left. We observe how data protection standards have become more demanding on holders of data, especially on companies whose means allow them to reach higher standards of protection.  Through the increased sanctioning regime, in addition to the aforementioned obligations on part of the controllers or processors, the GDPR has managed to establish itself as one of the leading and strictest data protection frameworks, creating a new global standard to be observed.

For more information on the GDPR
Get in touch with us

📧  ybusuttil@easl.com.mt

📞2166 1273

Share this post?

Get in
Touch

+356 2166 1273