Data Breach in Malta: Company must disclose source within 20 days or face penalties
The Maltese Data Protection Authority (IDPC) has taken decisive action against C-PLANET, the IT company responsible for a voter data breach in Malta. Following a second complaint filed by noyb, the IDPC has ordered C-PLANET to reveal the specific details regarding the collection of data belonging to Maltese citizens within a strict 20-day deadline. If the company does not comply with this order, it will face a “dissuasive” fine.
- Blog post: Political data breach in Malta, C-Planet refuses right to access and information
- Decision by the IDPC
Initial Complaint. In November 2020, noyb filed a complaint against C-PLANET IT Solutions following a significant data leak compromising voter information in Malta. The breach exposed sensitive details, including telephone numbers, dates of birth, voting intentions, and party affiliations of over 330,000 individuals, that is, almost all voters in Malta.
Initial IDPC Decision. In January 2020, the IDPC imposed a fine of €65,000 on C-PLANET, taking into account the severe impact on affected individuals and the substantial risk to their fundamental rights and freedoms. Additionally, a collective action led by the Daphne Foundation and Repubblika against C-PLANET is currently underway.
Unidentified Data Source. Despite the IDPC's initial decision, the origin of the data remains unknown to the complainants. The IDPC's ruling did not address the origin of the data and redacted the names of C-PLANET's clients, from whom the company claimed to have obtained the data.
"It is worrying that a private company can secretly collect data on political opinions without having to explain their motives and methods, particularly within a European Union country." -Romain Robert, data protection lawyer at noyb
Continued Lack of Transparency. Following the first IDPC decision, Maltese voters were still left in the dark regarding the original source of their personal and political data. In collaboration with noyb, an affected individual submitted a formal request to C-PLANET, seeking disclosure of any information pertaining to the data's origin. However, C-PLANET refused to provide an answer, citing the cessation of data processing and an ongoing investigation. Consequently, noyb lodged a second complaint with the IDPC, urging the Maltese data protection authority to enforce transparency obligations on C-PLANET.
Second IDPC Decision. The IDPC's decision stems from the initial complaint lodged by noyb, which accused C-PLANET of breaching Article 15 GDPR. Specifically, C-PLANET failed to provide the complainant with a copy of their personal data and relevant information pertaining to the breached database. In light of these findings, the IDPC has mandated the IT company to give the complainant a copy of their data. Additionally, C-PLANET is required to provide comprehensive details about the collected information, including its origin.
Compliance Deadline. C-PLANET has been granted a non-negotiable 20-day period to comply with the IDPC's order by promptly delivering the requested information to the complainant. If the company fails to provide this information, it will face a fine that is both "proportionate and dissuasive" under the GDPR, as per the IDPC's decision.