Lawyer says law regulating travel insolvency fund ‘breaks the spirit of data privacy’

The client information which travel agents are being required to provide to the Malta Tourism Authority (MTA) is excessive and “breaks the spirit of data privacy” which is a fundamental human right, a data privacy lawyer told The Shift News.

The authority is obliging agents to provide clients’ personal information, including their ID card number, along with the costs and details of their accommodation, travel, and other services.

Lawyer Michael Zammit Maempel told The Shift News that he is “sceptical” on the process and its compatibility with the general principles of data protection laws.

Travel agents expressed their apprehension about providing the board running the insolvency fund – which many agents refused to participate in – with data which goes beyond the guidelines stipulated by law.

“There have been numerous judgements pronounced by both the European Court of Justice, and the European Court of Human Rights that have shot down administrative systems that collected personal data in a disproportionate manner, regardless of the laudable aims they sought to achieve.  This sounds like a likely candidate for one of these cases.”

The data privacy lawyer said that in order to reach the objective of protecting the end-customer and to provide a form of state-managed travel insurance, “it is not necessary for the passenger data to be passed on to a state entity such as the MTA,” he said.

Zammit Maempel added that the law, especially the General Data Protection Regulation (GDPR) which comes into force this coming May, “is very clear about the principle of proportionality – that is to say that in order to reach a particular objective, the processes you use need to be proportionate to that objective.”

According to the law, the certificate shall include “at least” all prepaid amount made by the consumer, dates of travel, “and any other details which are relevant to the package ordered and, or purchased by the client, such as information on the accommodation provider if applicable.”

Moreover, the law says the Board “shall have full access to the system, and to any information transpiring therefrom”, giving rise to concerns over the possible mishandling of information.

Zammit Maempel said that the law regulating the fund – the Package Travel Insolvency Fund Regulations – is somewhat objectionable, because it doesn’t afford the individual traveller the choice to pass their personal data on to the MTA Board or not.

“This is excessive, because individuals should always be afforded the option to consent to the processing of personal data, unless there’s a supervening reason, such as national security or the individual’s own vital interests, that enjoys priority.”

“Let’s make an analogy with private travel insurance.  If I want to take out an insurance policy to cover my trip abroad, it’s at my discretion to do so.  This means that if my travel agent goes bust, I make a claim with my private travel insurer and I get paid from there.  Why is there any justifiable reason why the MTA should also be given my data, given that I have no intention of making a claim from the Insolvency Fund?  Why shouldn’t I be given the option of not passing on my data to the Insolvency Fund?” Zammit Maempel asked.

Pointing out that travel agents are faced with the penalty of not having their licenses renewed unless they comply with this system, Zammit Maempel said the agents have no choice but to pass this personal data to the Insolvency Fund.

“Who suffers in all this?  Clearly, the individual, because there is a disproportionate and indiscriminate volume of personal data that is being passed on to the MTA that is incompatible with the objective that it is trying to achieve,” he said.

The Information and Data Protection Commission (IDPC) is currently looking into the matter to ensure there is no breach.

“This Office is in the process of setting up a meeting with the MTA to discuss, inter alia, the overall processing operation, the envisaged online central system, retention timeframes, access, safeguards and, most importantly, establish whether the processing of such information is in accordance with data protection rules,” an IDPC spokesperson told The Shift News in December.