COMNET Conference Legal Frameworks for ICTs Regulating Privacy COMNET 2013 - MALTA - 07.03.2013 Ian Deguara Head - Technical Office of the Information and Data Protection Commissioner MALTA

COMNET Conference

Legal Frameworks for ICTs

Regulating Privacy

COMNET 2013 - MALTA - 07.03.2013

Ian Deguara, Head - Technical

Office of the Information and Data Protection Commissioner

MALTA

1. Fact Sheet - DPA
2. Role of the Commissioner
3. Recent Developments
4. Conclusive Remarks

Fact Sheet – Data Protection Authority

Legislative Background

Right to privacy – a fundamental human right established under article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms;

European Convention Act (Cap. 319) makes provision for the substantive articles contained in the European Convention;

CoE Convention 108 on the protection of individuals with regard to the automatic processing of personal data; ratified in Feb ‘03;

Directive 95/46/EC; faithfully transposed under the Data Protection Act (Cap.440); brought fully into force on 15 July 2003;

Subsidiary legislation on, inter alia, the processing of personal data in the electronic communications sector and by the Police.

Organisation

The Commissioner enjoys a distinct legal personality and is not subject to the direction or control of any other person or authority;

The Commissioner has the power of investigation, the power to engage in legal proceedings and the power of enforcement;

The Commissioner regulates both public and private sector;

Human resources - small staff built on teamwork who are generalists but with a specialisation (legal, IT and management);

Financial resources - by means of a parliamentary allocation (amounting to 50% of total revenue) in the form of a subvention. Notification fees and fines deriving from administrative penalties accrue as revenue to the Office’s coffers;

Volume of work – more than 10,000 notification forms received, an average of 45 official complaints received annually, 25 telephone queries per week and 50 monthly queries received by email;

Raising awareness is one of the main functions of the Office which is primarily achieved by:

- delivering presentations;

- penning newspaper articles;

- participating in radio & TV interviews;

- posting information on the portal;

- holding sectorial meetings;

- activities of the annual Data Protection Day;

- liaising closely with the Data Protection Unit within OPM (a dedicated unit responsible for facilitating and coordinating the implementation of data protection in the public service);

As of April 2010 the Commissioner was vested with the additional functions and responsibilities emanating from the provisions of the Freedom of Information Act; brought into force on 1 Sept 2012.

Role of the Commissioner

The Commissioner is the sole National Supervisory Authority.

The Commissioner regulates both the private and public sector.

The Commissioner enjoys independence similar to that of a judge.

The Commissioner is responsible for the independent supervision of data processing, including processing by law enforcement agencies, by:

- ensuring compliance with the relevant instruments (Conventions/ Decisions) and data protection legislation;

- ensuring that the citizen’s right of access, rectification and blocking is being respected;

- where there is refusal of such right, receiving and deciding an appeal by the data subject;

- carrying out such verifications and inspections as may be required.

Independence

The Information and Data Protection Commissioner –

is appointed by the Prime Minister after having consulted the Leader of the Opposition;

holds office for a period of 5 years and is eligible for reappointment on the expiration of his term of office;

can only be removed by a motion of the Prime Minister upon an address of the House of Representatives supported by the votes of not less than two-thirds of all the members;

may not hold any other office of profit; Article 37 of Act amended in December 2003;

takes oath of office before the Attorney General to carry out duties without fear or favour;

is not subject to the direction or control of any other person or authority.

The Commissioner has a distinct legal personality and is capable of:

- entering into contracts;

- acquiring, holding and disposing of any kind of property for the purposes of his functions;

- suing and being sued;

- doing all such transactions as are incidental or conducive to the exercise of his functions.

Funding voted by the House of Representatives in the general estimates as a subvention.

Functions

The functions of the Data Protection Commissioner include:

to require the notification of processing operations and to keep a public register of such operations;

to exercise control and verification of whether the processing is carried out fairly and lawfully;

to intervene where a data subject is not allowed right of access by a data controller;

to verify the lawful processing of personal data falling under Article 13 of the Directive (secrecy, national security, etc.) - at the request of the data subject;

to receive reports, claims and complaints by data subjects taking remedial action where necessary;

to encourage the drawing up of codes of conduct by the various sectors;

to bring to the knowledge of the general public the provisions of the Act and to give advice to any person where it is required;

to advise Government on any legislative measures in relation to his functions; and

to collaborate with supervisory authorities of other countries.

Power of Investigation

To enable investigation the Commissioner has the right to -

- access personal data being processed;

- obtain information and documentation on the processing of personal data and its security;

- enter and search any premises with the same powers as are vested in the executive police.

Inspections may also be carried out at Law Enforcement Authorities subject to the Commissioner’s written authorisation. The outcome is reported directly and solely to the Commissioner.

Power of Intervention

The Commissioner may order –

rectification where data is unlawfully processed;

a data controller to stop processing personal data (except for storage):

- when rectification is not effected;

- when sufficient information cannot be obtained following an access request; or

- if the urgency of the matter so requires.

The Commissioner also has the power to issue a notice for erasure.

The notice may be appealed to the Court of Appeal within 15 days.

The notice becomes effective:

- after 15 days if no appeal is lodged; or

- after the Court of Appeal affirms the erasure order, in case of an appeal.

Power to Engage in Legal Proceedings

The Commissioner may institute proceedings in a Court of law and may appear before the Appeals Tribunal and the Court of Appeal.

Similarly any person aggrieved by a decision of the Commissioner may appeal to the Data Protection Appeals Tribunal -

in writing;

within 30 days from notification of the decision;

on any of the following grounds -

- a material error concerning the facts;

- a material procedural error;

- an error of law;

- some material illegality, including unreasonableness or lack of proportionality.

Recourse to the Court of Appeal shall also lie to a party or to the Commissioner where they feel aggrieved by a decision of the Tribunal -

within 30 days from the decision; and

only on a question of law.

The Commissioner shall commence proceedings against any person who –

provides untrue information to data subjects or to the Commissioner;

processes personal data in contravention of the criteria required to process -

- sensitive personal data;

- data relating to criminal records or security measures;

illegally transfers personal data to a third country;

omits to give notification as required by law or provides untrue information in such notification.

Power of Enforcement

Penalties following court proceedings

On conviction a person may be liable to:

- a fine not exceeding €23,290;

- imprisonment for a term not exceeding six months;

OR

- both such fine and imprisonment.

Administrative fines may be imposed by the Commissioner by an order in writing to the data controller, where –

- personal data is processed in an unlawful manner;

- appropriate security measures are not in place;

- a person does not comply with a lawful request relevant to an investigation by the Commissioner.

An administrative fine shall not exceed €23,290 for each violation, and €2,329 for each day during which a violation continues.

Recent Developments

Technological progress and globalisation have changed the way personal data is collected, accessed and used;

Common trends nowadays include internet profiling, behavioural and location based advertising;

Information is becoming increasingly exposed and vulnerable, leading to security breaches, hacking or other unlawful action, especially in the online environment;

Initiatives at EU level aimed towards facilitating information processing or exchange to enhance security and justice;

Privacy challenges are constantly on the increase;

Reform of the EU data protection legislative framework;

On 25th January 2012, the EC proposed a comprehensive reform of the 1995 Data Protection Directive;

The main objective was to strengthen online privacy rights, boost Europe’s digital agenda and ensure a harmonised environment across the EU;

A regulation was considered to be the most appropriate legal instrument; direct applicability reduces legal fragmentation and provides more legal certainty;

The proposal introduces new rights and obligations, including:

- the right to be forgotten;

- data protection by design and default;

- personal data breach notification;

- data protection impact assessment;

The proposed regulation also provides for:

- the setting up of a European Data Protection Board;

- hefty administrative sanctions;

- the adoption of implementing acts by the EC;

- a transition period of two years for the implementation of the provisions following its entry into force;

State of play – The Working Party on Information Exchange and Data Protection (DAPIX) is progressing steadily on the article-by-article analysis of the proposed regulation.

No official date has been established for the adoption of such proposal. A possible date might be the end of 2013.

Conclusive Remarks

Information has become a fundamental tool for private and public sector entities;

Data Protection rights should be safeguarded;

Close collaboration between all stakeholders such as the Industry, Law Enforcement Agencies and the Commissioner to ensure effective data protection;

Education and awareness are the fundamentals to create a relationship of mutual trust.

CREATING THE RIGHT BALANCE BETWEEN

Need or Obligation for Data Processing

Data Protection Principles and Rights

Thank you!

The Floor is now open for discussion/questions

Contact Details

Office of the Information and Data Protection Commissioner

Tel: (+356) 2328 7100 E-Mail: [email protected] Portal: www.idpc.gov.mt