A European Center for Digital Rights, noyb, has filed a complaint against C-Planet IT Solutions, the company responsible for the leaked database of voters’ data in Malta.
It follows the class action suit filed by NGO Repubblika and the Daphne Caruana Galizia Foundation to seek redress for 337,384 Maltese voters who were affected by the leak.
News of a massive voter data breach first surfaced last April showing the leaked data included mobile and fixed telephone numbers, dates of birth and a numerical identifier indicating each individual’s political opinion.
C-Planet IT Solutions, the IT company responsible for the database, appears to be connected to the Labour Party. The company in question is owned by Philip Farrugia, a former production director at the Labour Party media, One Productions. He is also the brother-in-law of Parliamentary Secretary for EU funds Stefan Zrinzo Azzopardi whose own client data was leaked showing his client list and its ties to the Labour Party.
“The sensitivity of political opinions is obvious. The Cambridge Analytica scandal showed how easy it is to influence voters on social media. Even outside of electoral periods, this information can be extremely harmful for the individuals. Imagine if your neighbours, colleagues, future employers, landlords, know your political opinions. This is not the kind of society we want to live in”, said Romain Robert, senior lawyer at noyb.
While the class action by the two Maltese NGOs was filed in October, noyb has now filed a complaint in parallel over the multiple EU data protection law violations.
The IDPC’s investigation will determine whether C-Planet was acting on behalf of a political party or another political organisation. noyb requested the Maltese data protection authority to issue a fine of up to €10 million, considering that the leaked database contained the personal data and political opinion of about 98% of the Maltese electorate.
“This case shows that data protection laws are not just protecting individuals from big tech companies. The GDPR also requires that human recklessness is remedied. Collecting and storing voting preferences of almost the entire population and then leaving it available online is not acceptable,” the NGO added.
Those affected by the breach were never officially informed of their right to hold government accountable and demand compensation, as is required by law.
The Shift has revealed that despite the controversy, ARMS Ltd awarded a direct order to C-Planet for “professional services” but refused to divulge information on the nature and level of security of services when questioned.
ARMS Ltd is a private limited liability company, set up as a joint venture between the Enemalta Corporation (EMC) and the Water Services Corporation (WSC). As such, it holds personal data on every household in Malta. This raised concern on whether the data held by ARMS Ltd had been compromised as a result of its contract with C-Planet.
C-Planet also provides IT services to various local councils across the island.