Privacy can be defined as “the state or condition of being free from being observed or disturbed by other people”. It equates to the right to be left alone, the right of an individual to decide what to reveal about him/herself, and is therefore closely linked to Data Protection. As such, the right to privacy is a fundamental human right enshrined in the 1950 Convention for the Protection of Human Rights and Fundamental Freedoms, which states that “everyone has the right to respect for his private and family life”. In Malta and all other EU Member States, the same right is protected under the Constitution.
Privacy concerns arise in a number of situations, ranging from invasive bodily procedures (e.g. genetic testing, drug testing, cavity searches), invasion of territory (including searches, video surveillance, identity checks), collection and handling of personal data and surveillance of communications. Specific laws generally deal with the situation at hand and supplement the regulation of privacy as a fundamental human right.
Within the European Union, data protection legislation is the primary way in which an individual’s privacy is protected. The European Union’s main pieces of legislation in this respect are the Data Protection Directive (Directive 95/46/EC), the E-Communications Privacy Directive (Directive 2002/58/EC) and the Communications Data Retention Directive (Directive 2006/24/EC).
In Malta these directives have been transposed through the Data Protection Act (Chapter 440 of the Laws of Malta) and subsidiary legislation enacted thereunder, as well as through the Electronic Communications (Personal Data and Protection of Privacy) Regulations (Chapter 399.25 of the Laws of Malta). The relevant regulators in this respect are the Malta Data Protection Commissioner and, in some matters relating to communications privacy, the Malta Communications Authority.
A major overhaul of the current EU data protection rules is presently being debated at EU level. Updates regarding this discussion will be posted on our website.
The EU Data Protection Directive relates to the manner in which the processing of an individual’s data (the ‘Data Subject’) is carried out by a third party, known as the ‘Data Processor’. ‘Processing’ occurs in every situation where such information is collected, recorded, reproduced, stored, adapted, altered or disclosed – therefore almost any situation where an individual’s data is handled would be regulated.
Generally, a Data Processor must notify the Data Protection Commissioner prior to processing any personal data. Additionally, Data Processing must be carried out in accordance with the so-called Eight Principles. Briefly stated, these mandate that data must be:
- Fairly and lawfully processed;
- Processed for specified, explicit and legitimate purposes;
- Adequate, relevant and not excessive;
- Accurate and up-to-date;
- Not kept for longer than necessary;
- Processed in accordance with data subject’s rights;
- Kept secure from unauthorised access/destruction;
- Not transferred to countries outside the EEA unless the recipient country has an adequate level of data protection.
The law allows a number of exceptions to, and derogations from, the abovementioned rules. The Data Subject is also granted the following rights:
- to access personal data;
- to prevent processing (on compelling legitimate grounds);
- to prevent processing for direct marketing;
- to reject automated decision-making;
- to compensation;
- to rectification, blocking, erasure & destruction;
- to ask the relevant data commissioner to assess whether any law has been contravened.
The EU E-Communications Privacy Directive deals with the right to privacy in the electronic communications sector, namely the protection given to data which is being transmitted over electronic communication networks. Consequently, it regulates matters such as when surveillance of telephone and Internet traffic can occur, treatment of location data and content data, the circumstances in which unsolicited direct marketing communications (otherwise known as ‘SPAM’) can be sent and the insertion of ‘cookies’ onto an end-user’s equipment.
This directive also makes provision for issues such as caller line identification (or “Caller ID”), itemised billing and directories for electronic communications services (e.g. the choice of a user as to whether he wants to be included in a public directory).
Unlike the Data Protection Directive, which specifically protects only individuals’ data, the E-Privacy Directive protects legal persons; therefore even a company can make a complaint if it has been affected by a breach of the E-Privacy Directive (or the laws transposing it).
Oftentimes, people carry out activities without regard to the fact that such an activity is regulated. Taking a picture of someone, allowing people to register on your website, sending an email with another person’s information to a recipient outside the European Union, sending marketing communications, monitoring an employee’s email communications, and installing a camera on your premises are mundane examples of activities which can, in some circumstances, be in breach of data protection legislation. Such breaches can carry hefty penalties and, in severe cases, criminal liability.
Understanding one’s obligations when handling data can be a complex matter. Understanding one’s rights as a Data Subject is also an intricate affair, especially where the numerous exceptions and derogations in the law may operate against the right holder.
In this area, Equinox offers the following services:
- Notification procedures;
- General advice relating to your operations and how to remain compliant with data protection legislation;
- Data protection audits, ‘gap analyses’ and compliance recommendations;
- Drafting and review of privacy policies for websites;
- Drafting and review of website terms and conditions to ensure compliance with data protection legislation;
- Drafting of privacy clauses in employment contracts;
- Drafting of HR policies in relation to privacy and data protection measures, e-mail and Internet monitoring;
- Drafting contracts for cross-border data transfers;
- Assistance in relation to privacy, data protection laws and freedom of information laws;
- Assistance in relation to procedures for data subject access requests and security breaches;
- Liaising with data protection authorities and other relevant regulators.