The Malta Independent 18 January 2019, Friday

Another civil right

Owen Bonnici Friday, 11 May 2018, 08:24

Rapid advances in technology have transformed the world into a global community, and nowadays everything is a touch of a button away. These developments in technology have seen a large amount of data being processed, and therefore we should ensure that data is better protected. Our Government has been at the forefront of civil rights in Europe, and data protection is another civil right which is as important as any other civil right. As the recent controversy regarding our correct decision to apply the current Data Protection Act with regards to Court Judgments shows, more awareness needs to be raised on the matter in order to inform the general public and stakeholders about the importance of these developments.


Within this context, the EU has drafted a law which will give unprecedented rights in relation to data protection in our continent. While, as a rule, the processing of data is an important activity which leads to a lot of positive results, the citizen must be given the right to challenge the processing of his or her data in cases where disproportionate burdens are being or can be created. It is our duty as legislators to be at the forefront of change in this field.

After years of debate, we are finally getting closer to a much-needed reform to our laws concerning data protection. The current Data Protection Act, which transposes the EU Directive 95/46, entered into force in 2003. This legislation will be completely replaced by a new Data Protection Act, which will transpose the General Data Protection Regulation (GDPR), and therefore the new Act will be catering for national rules as indicated in the Regulation which will enter into force before the end of the month. Parliament is currently discussing the relevant bill, which is already at the second reading stage.

This Regulation is a result of developments evolving through the years, which include developments found in the information and technology sector. These developments facilitate the possibility of processing considerable volumes of personal data, be it on an organisational level or on a global one.

Decisions taken by the European Courts of Justice in relation to data protection have also considered the ‘spirit’ of this new Regulation. The recent Google case, for instance, has been the forerunner for the right to be forgotten, which basically provides citizens with the right to request that their personal data be removed from online search engines in order to "silence past events in life that are no longer occurring."

The appeal structures which have to be provided by relevant authorities within the EU to individuals have also been given prominence by the European Courts of Justice. Thanks to the Schrems case, it has emerged that a country like the US was not able to provide an adequate level of protection to individuals, especially when taking into consideration the fact that in these kinds of cases, no judicial remedy mechanisms in relation to data were available. Even though the safe harbour principles between the US and the EU could provide a level of protection in the transfer of personal data, US organisations had conflicting legal obligations in the context of law enforcement authorities. The European Court decision, which eventually led to the new EU-US Privacy Shield agreement, reaffirms that data protection rights are a substantial part of the fundamental rights regime of the EU.

Considerable merit goes to current Justice Commissioner Vera Jourova, who has literally left no stone unturned in order to push forward change in this crucial sector.

These decisions have shown how much the need for data protection rights has increased in a European context in the past years. In fact, the General Regulation on Data Protection should also be considered in light of other developments in relation to this sector, including the Directive of Law Enforcement Authorities which includes provisions that go hand in hand with those in the Regulation, as well as developments which led to the Passenger Name Record Directive (which is also currently being transposed in our laws). Other European laws were declared null by the European Courts of Justice, due to the lack of limiting processes and lack of judicial remedies in the access to this data – which is another example of the levels expected to be reached in relation to the privacy of individuals.

The current reform process was started in January 2012 and was concluded in April 2016. Government has been working towards conformity to this Regulation, which is providing a common set of rules which will apply directly to all Member States. Despite the direct applicability of this Regulation, in some cases it permits Member States to adopt their own national rules so that each country will be able to legislate certain sectors in a specific way, for example when it comes to freedom of expression. Thus, under the new Data Protection Act, secondary legislation will be issued. This will cover the Law Enforcement Directive, which is called the Police Directive, the consent of youths between the ages of 13 and 16 in relation to the use of online information and social services, and other areas such as access restrictions as provided by the regulation.

Incidentally, following consultation with the Commissioner for Children, Malta will be setting the age of consent of youths to the online world to 13 years. We believe in the empowerment of youths and in their right of access to online information and social services.

The Ministry for Justice together with the Ministry for Home Affairs have worked tirelessly towards the best implementation of the Police Directive. This is also an important law which leads to the protection of personal data, whilst making sure that public security remains paramount. At the same time, the Police will be working in the context of the Passenger Name Record law which regulates the data processing of passengers and also safeguards national security.

The Government is also seeing to its obligations which arise from this Regulation, amongst which one finds the obligation to strengthen its structures through the role of data protection officers. This role is reflected in all the Ministries, Departments and entities, as requested by the Regulation. This is an established role which ensures that all processes regarding details of individuals conform to the regulation, which encourages transparency and the access of information to individuals who require services from Ministries, Departments and entities. The structures within the Ministry for Justice which have been set up to safeguard conformity to this Regulation and laws in relation to it will remain available to provide all the necessary information needed and to support and guide Ministries, Departments and entities as needed. During the past two years a lot of work has been done on training and on raising awareness of this subject, as well as of the changes which this Regulation will bring about. All of this will definitely keep on going even once the Regulation is applied directly.

The Commissioner’s Office for Information and Data Protection – the regulatory authority in this field – has also worked to disseminate information within the private sector and even with the general public. The new law will establish this office and the Commissioner’s duties, and will also introduce the role of Deputy Commissioner which was not present in the Data Protection legislation so far. The new law is also introducing more regulated methods of how the Tribunal is to work in relation to Data Protection.

The legal framework will be ready by 25 May so that we will be able to welcome new challenges in the data protection context. Our country has gained a strong momentum in the economic sector, which in turn translates into an increase in data protection processing. The Government is ready to ensure that the changes being made in this sector will be made in a sustainable manner and that it will keep in mind the importance of balance between the needs of personal data processes and the privacy of individuals.
