Massive political data leak in Malta

27 May 2020
Malta data breach

After a massive leak of the voter’s list showing the voting preferences, addresses, phone numbers and dates of birth of a majority of the Maltese population, will assist the Daphne Foundation and Repubblika in their class action and file complaints about the data breach in various EU Member States

Massive privacy violations of voters’ data. At the end of March 2020, independent Maltese media reported that a database containing 337,384 records of Maltese voters’ personal information had been freely accessible online for at least a year. The data did not only include the fields available in the published electoral register but also included mobile and fixed telephone numbers, dates of birth, polling booth and polling box numbers, and a numerical identifier indicating an individuals political affiliation.

How could this happen? Maltese voters are enrolled in the Maltese electoral register, which is maintained by the Electoral Commission – a body set up by the Maltese Constitution and whose role it is to maintain the register and organise local, national and European Parliament elections. Around the end of March it was discovered that, C-Planet IT Solutions, an IT company connected to the Labour Party to have stored a copy of the electoral register in an open directory, which was indexed by Google. The database was unprotected and accessible to anyone with a web browser, reported the Times of Malta.

Data protection and democracy. After the Cambridge Analytica scandal, everyone understands the fundamental role of data protection in a democracy, especially when the data at stake include political opinions. As a principle, the GDPR prohibits the processing of data revealing political opinions. What is even more worrying is the total lack of protection of these data which were publicly accessible by everyone.

"In a democracy, we cannot accept the processing of political data spiralling out of control. Political parties in particular should not be using voters' information for purposes other than what the law permits them to do. Could you imagine your political preferences being used to deny you access to a public service or an employment opportunity?" – Romain ROBERT, data protection lawyer at noyb.

Civil society in Malta reacts. Against this context, two NGOs – the Daphne Foundation and Repubblika have teamed up and organised a platform that allows citizens affected by this data breach to sue C-Planet IT Solutions Limited and any other entity involved. An investigation has been launched by the Maltese DPA, but the class action targets civil damages, including moral damages. The Daphne Caruana Galizia Foundation set up a tool that allows everyone to check what information was collected on themWe invite everyone wanting to join the collective action to visit the FAQ. Also, if you want to join a complaint filed by noyb outside Malta, please contact us at