The violation of Data Protection Laws in Malta resulted in 30 fines of less than €5,000 in seven years, according to a Freedom of Information (FOI) request published by Transparency Malta.
Thirty breaches amounted to fines totalling only €40,000 over seven years. The fines range from €23.29 to €250, and from €1,000 to €2,000.
The highest fine was €5,000, penalising the Lands Authority in 2019 for a massive breach of personal data of more than 5,000 users who made use of its online services, exposed by The Shift and The Times of Malta.
Anyone who had filed an application with the Lands Authority in 2017 and 2018 risked having his personal data, including identity cards and passports, publicly available on Google after a massive breach from the Authority’s website. The individual responsible for the breach, Keith Mintoff, moved on to handle sensitive data in an even more senior role at the Malta Financial Services Authority.
That same year, HSBC Bank was also slapped with a €5,000 fine after it was found to have illegally monitored the transactions of an employee, who was also an active trade union member.
Transparency Malta asked for copies of decisions for which fines were imposed “under any data protection law applicable to Malta, currently or in the past”. More than 80% of the fines were related to violations relating to weak security systems.
Just this week, news of a massive data breach broke as the personal details of more than 337,000 Maltese citizens, including their ID Card numbers, dates of birth and what appears to be their political preferences were leaked online by C-Planet IT Solutions. A class action was announced on Friday by Repubblika and the Daphne Caruana Galizia Foundation to assist those impacted by the leak.
The company at the centre of the data leak belongs to Philip Farrugia, the brother-in-law of Parliamentary Secretary for EU Funds Stefan Zrinzo Azzopardi.
Any internet user could access the backend of Zrinzo Azzopardi’s former law firm’s (SZA Law Firm, now rebranded 360 Legal) management system, bypassing any passwords. This gave free access to the law firm’s complete client list, details of pending bills, confidential client meeting notes and jobs, as well as the law firm’s financial details by merely clicking on Google search hits.
Transparency Malta published the list received, most of which are heavily redacted. The Data Commissioner’s Office justified this by saying it “would have a substantial adverse effect on the proper and efficient conduct of the operations of a public authority”.
Transparency Malta points out that the Information and Data Protection Commissioner (IDPC) imposed a fine related to violation of the right of access (to copies of the personal data processed) only once, even though it has been reported that public authorities like the Social Security Department or Identity Malta were found to be in breach of the GDPR, including data subjects’ rights.
The Freedom of Information Act states that the IDPC must produce an annual report on its findings that must be sent to the Justice Minister to be tabled in parliament. No such reports are available.