In a judgment delivered on 5^th October 2018, in the names of Doreen Camilleri vs Information and Data Protection Commissioner (IDPC), the Maltese Court of Appeal (Inferior Jurisdiction) decided that the appellant’s personal data had not been processed according to law and that an employee’s email address constituted personal data.   

The appellant was employed with the European Union Programme Agency (the “Agency”) and on the 8^th of February 2016 she had informed the Permanent Secretary of the Ministry responsible for Education and Employment that her employment was going to be terminated. According to evidence submitted, on the 9^th of February 2016, the Agency had requested the Malta Information Technology Agency (“MITA”) to change the password of the appellant’s mailbox. The appellant was not informed of this request and the appellant’s password was changed on the same day on which the request had been made. Following this, on the 15^th February 2016 the appellant complained to MITA that she was unable to access her own inbox. The appellant subsequently filed a complaint with the Information and Data Protection Commissioner, claiming, inter alia, a breach of data protection rights, the alteration of her password under false pretences by third parties and potential abuse of her corporate email account. Pursuant to a decision dated the 17^th June 2016, the IDPC held that “whereas the Commissioner recognises the fact that, in the employment context any computer hardware and access to any electronic communication and network service, including but not limited to electronic mail, internet, internal servers and archive folders are considered to be the property of the employer who regulates their use for the ultimate legitimate interest of the business and administrative activity.”

The appellant appealed this decision before the Information and Data Protection Appeals Tribunal. On the 24^th October 2017, the Information and Data Protection Appeals Tribunal (the “Tribunal”) rejected the appellant’s appeal on the basis that the Agency had processed the appellant’s personal data in accordance with the provisions of the law. In this respect the Tribunal held that the processing was carried out in compliance with a legal obligation to which the data controller was subject, and that the processing was necessary for the performance of an activity carried out in the public interest or in the exercise of official authority. This decision was overturned by the Court of Appeal (Inferior Jurisdiction) following an appeal lodged by the appellant. 

Firstly, the Court of Appeal considered that a person’s name constitutes personal data within the meaning of the Data Protection Act (Chapter 440 of the Laws of Malta)[1]. The Court further noted that at no point in its deliberations did the Tribunal suggest that the processing of one’s email address does not constitute the processing of personal data in accordance with applicable data protection legislation. To this effect, the Court cited Article 2 of the then Data Protection Act (Chapter 440 of the Laws of Malta), which defined ‘personal data’ as “any information relating to an identified or identifiable natural person. The Court of Appeal noted that the appellant’s email contained her name and surname, which therefore qualified as personal data. In its decision the Tribunal had concluded that the use of the appellant’s email address was justified in order to ensure compliance with legal obligations imposed upon the Agency and in order to protect the public interest. The Court analysed the Tribunal’s references to Articles 9(c) and (e) of the then Data Protection Act (Chapter 440 of the Laws of Malta) and considered that no evidence had been brought by the Agency to the effect that the processing of the appellant’s personal data was required in order to ensure compliance with legal obligations imposed upon it.

The Court of Appeal also rejected the Tribunal’s contention that the processing of the appellant’s personal data was necessary for the performance of an activity carried out in the public interest or in the exercise of the Agency’s official authority. On this last point, the Court of Appeal, noted that in order to process personal data on this legal basis, the processing must be necessary for the performance of an activity carried out in the public interest or in the exercise of the Agency’s authority. The Court of Appeal did not agree with the Tribunal’s decision that the processing of data was carried out according to good practice and that the Agency had followed MITA’s established procedures which provided for sufficient security measures.

To this end the Court of Appeal established that (i) the Agency did not follow the procedures established by MITA and (ii) when MITA was made aware of the appellant’s complaint, MITA immediately blocked access to the appellant’s email account. The Court of Appeal concluded that the Agency had no legal basis to make a request in the appellant’s name to change the password of her email account. Furthermore, the Court of Appeal held that whilst the email account belonged to the employer, the email address which contained the name of the appellant is to be considered personal data.

Finally, the Court of Appeal held that while every case is to be assessed on its own merits, in this particular case the Court held that there was processing of personal data since the email address contained the employee’s name.  For the reasons outlined in the judgment, the Court of Appeal revoked the decision of the Tribunal and decided that the processing of personal data was not carried out in accordance with the provisions of the Law.

 

Dr Lara Pace is an Associate at Ganado Advocates