Maltese voter data leaked online. noyb files complaint.

12 November 2020

Data breach in Malta: complaint against C-Planet filed

noyb has filed a complaint against C-Planet IT Solutions, the company responsible for the leaked database of voter’s data in Malta. In parallel, the NGOs Daphne Foundation and Repubblika initiated a class action for those affected.

An unbelievable data leak. News of a massive voter data breach first surfaced beginning of April 2020 in an article published by Times of Malta. The personal data of 337,384 Maltese voters was freely available online. The leaked personal information included mobile and fixed telephone numbers, dates of birth and a numerical identifier indicating each individual’s political opinion (social democrat or conservative). C-Planet IT Solutions, the IT company responsible for the database, appears to be connected to the Labour Party, which is in government in Malta since 2017. The detailed responsibilities will have to be investigated by the Maltese Data Protection Commissioner (IDPC).

The sensitivity of political opinions is obvious. The Cambride Analytica scandal showed how easy it is to influence voters on social media. Even outside of electoral periods, this information can be extremely harmful for the individuals. Imagine if your neighbours, colleagues, future employers, landlords, know your political opinions. This is not the kind of society we want to live in”, Romain Robert, senior lawyer at noyb.

Coordination with Maltese NGOs. noyb has cooperated with two NGOs – the Daphne Foundation and Repubblika – in their class action against C-Planet IT Solutions. While the class action was filed in October, noyb filed a complaint in parallel over the multiple EU data protection law violations.

Up to €20 Mio in fines. The IDPC’s investigation will determine whether C-Planet was acting on behalf of a political party or another political organisation. noyb requested the Maltese data protection authority to issue a fine of up to €20 million, considering that the leaked database contained the personal data and political opinion of about 98% of the Maltese electorate.

This case shows that data protection laws are not just protecting individuals from big tech companies. The GDPR also requires that human recklessness is remedied. Collecting and storing voting preferences of almost the entire population and then leaving it available online is not acceptable.”, Romain Robert, senior lawyer at noyb.