
Wednesday, November 11, 2015

MITLA Information Seminar - Social Media and Employment: the legal implications



The Malta Information Technology Law Association (MITLA) shall be organising an Information Seminar relating to Social Media and Employment: the legal implications on the 20th November 2015 at 1445hrs at SmartCity Malta.

The incredible growth in popularity of social media platforms such as Facebook, Twitter and LinkedIn has truly changed almost every aspect of human life as we know it. In this regard, the Maltese workplace is no exception and social media use at the office and in HR-related matters is constantly creating novel legal scenarios which are challenging, interesting and potentially treacherous. This information seminar shall be touching upon a wide range of legal issues ranging from Data Protection and Privacy, to Intellectual Property and Employment legislation, discussing the wide use of such platforms in the workplace and providing the attendees with useful tips, guidelines and information to deal with these issues in a practical manner which is compliant with applicable legislation.

Who should attend:
The event is recommended for an audience that is interested in development of ICT and Employment Law. In general: HR Professionals, Recruiters, Human Resource Managers, Consultants, Lawyers, ICT Professionals, Auditors, Management Level Executives, Academics and Students, Compliance Officers, Contract Managers and Senior Executives. Although this seminar is in essence a legal one, all efforts shall be taken to ensure that the seminar is informative, practical and useful to professionals working in both legal and non-legal environments.
Why should you attend?
The seminar will give attendees a general overview of the legal issues at play and an understanding of the risks created by Social Media use at work, bringing attendees up to speed with these realities which at times may be taken for granted. The seminar also aims to equip attendees with the information and tools needed to act to protect their company’s rights, reputation and image while at the same time respecting the limits imposed by applicable legislation in a Maltese context.
Download the complete conference programme including speaker profiles and session abstracts by clicking this link: http://www.mitla.org.mt/wp/wp-content/uploads/2015/10/MITLA-Social-Media-and-Employment1.pdf
Where?
The event will be held in Meeting Room 6 at SmartCity Malta, SCM1001, Ricasoli, Malta.
Follow this Directional Map to SmartCity Malta if you’re unsure how to reach the conference location.

Wednesday, March 11, 2015

MITLA - Data Protection Event


The Malta Information Technology Law Association (www.mitla.org.mt) is organising an information seminar entitled ‘Data Protection at a crossroads: re-inventing wheels or chasing windmills?’

The seminar will feature high-level international and local experts in the field of privacy and data protection and shall provide an update on the latest legislative proposals currently discussed as well as analyse the impact that the Proposed EU General Data Protection Regulation will have on current data protection  and information practices. 

The proposed new EU General Data Protection Regulation aims at bringing current data protection legislation in line with recent technological and social developments. But will the strengthening of concepts such as the right to be forgotten, data portability, privacy by design and privacy by default inhibit technological innovation?  Are our businesses ready for this new privacy landscape where the data subject will take centre stage? Will the new Regulation succeed in raising our appreciation for data privacy?

The event will be held on the 1st of April 2015 at SmartCity Malta and starts at 1pm.  A copy of the programme is hereby attached. The event is being supported by Microsoft.


More information about the event as well as booking information can be found at http://www.mitla.org.mt/conference. Spaces are limited so early booking is recommended.

Friday, January 30, 2015

Kill Bill Shock


Can our monthly risks of receiving high bills for our electronic communications be completely eradicated?

The phenomenon of Unexpected High Bills (UHB), also commonly known as Bill Shock, is fairly common in the electronic communications sector. The wide availability of fast mobile data further augmented this problem, especially when one puts into the equation our dependency on mobile electronic communications and the constant roll-out of new products on the market. But whilst quite a lot of legislative effort has been put into controlling the cross-border roaming sector, new technologies are continuously challenging the local landscapes.

Only a few weeks ago, the British tabloids reported the story of Paula Cochrane, who managed to rack up a bill of over 1,200 Pounds with her mobile operator, mostly through the use of emoticons in her SMS messages. Even though she was on a fairly generous 40 quid monthly plan, Cochrane was flabbergasted to be informed that she was being charged data prices for the emoticons that she was innocently sending as part of her SMS messages. The ever-changing technology has, irrespective of improved consumer legislation within the telecoms sector and the varied European attempts to limit bill shock, created new challenges on how we can be sure that we don’t suffer cardiac arrest when opening our telecom bills.

From a European perspective, Bill Shock was traditionally associated mostly with mobile data usage whilst roaming outside of Malta. The high charges related to mobile data usage came as a complete surprise to others whilst it deterred some of us from making full use of our devices when abroad. This does not mean that sending SMS and making and receiving calls when abroad was cheap.

As from 2007, pursuant to Regulation (EC) No. 717/2007, better known as the Roaming Regulations, the European legislators have ensured that roaming prices in Europe for data, calls and SMS would be controlled. First introduced under Viviane Reding, the Roaming Regulations introduced the concept of compulsory capping with the ultimate intent of making such services more affordable across European borders. The Regulations have been amended and improved throughout the past years, in an effort to reflect the demands of consumers. In 2012, Internet roaming price caps were introduced and as of July 2014, general prices on all services have been further slashed. Needless to say, since 2007, retail prices across calls, data and SMS have gone down by over 80%. Furthermore, within the same time period, data roaming grew by a whopping 630% whilst data roaming prices are now up to 91% cheaper than they were in 2007.

But the lowering of prices did not automatically resolve bill shock. Controlling prices would only reduce the tendency towards bill shock and not eliminate it in its entirety. A different legislative approach was required. This was partly addressed by means of Regulation (EC) No. 544/2009 which introduced, as part of other amendments to the Roaming Regulations, the obligation on service providers to implement a 50 Euros monthly cut-off mechanism on roaming. Such cut-off mechanism would need to be enabled by default and it was up to the consumer to instruct his service provider and decide whether to leave such cut-off mechanism enabled from the very start.

The complete removal of roaming charges has been quite high on the European agenda for the past few years when the principle of Roam like at Home (RLAH) gained strong momentum under the watch of Commissioner Neelie Kroes as part of the Connected Continent Regulation. The legislative proposals submitted by the Commission were overwhelmingly approved by the European Parliament in April of last year and everything seemed to be on track to have roaming charges abolished by 2016. 

However, a proverbial Italian torpedo hit the proposals when Italy took the EU presidency last year. Italy suggested a number of changes to the proposals which were approved by the EU Parliament especially through the proposed introduction of a fair use limit. The Italians argued that one had to proceed with caution in the total elimination of roaming charges as this could have a detrimental effect on the market. The arguments raised were not without merit, as the total removal could push consumers towards ‘operator shopping’. A Maltese consumer, currently connected with a Maltese operator and subject to Maltese pricing, could decide to purchase his mobile services from another EU jurisdiction where consumer prices are lower and packages are available for less. This would essentially mean that, with the removal of all roaming charges, the Maltese consumer could be using his Romanian service whilst being comfortably at home in Mosta without incurring any additional costs. The introduction of a Fair Use Limit mechanism would essentially curb such practices but it is still not certain how these schemes will function and what limits and restrictions will be imposed. The elimination of roaming charges by 2016 is increasingly turning into a mirage whilst a long glide path seems to be more realistic.

The convergence of products and the take up of mobile data has again placed UHB or bill shock at centre stage. But whilst a lot of work has been done to limit bill shock from a roaming point of view, various cracks are still appearing in the specific local domestic usage. Paula Cochrane is just one example of a recurring phenomenon of how sometimes we are still being juiced through our innocent telecom use.

Tuesday, October 14, 2014

Through the Bashdoor

Computer hacking is nothing new but as attacks become more common, is our law ready for them?

Computer hacking is not as old as the world itself but it is surely becoming a common occurrence. The latest incidents involving the Bash bug have again highlighted the fact that irrespective of all our information security investments, we are still at risk. But whilst the attacks against computer systems change, the law remains constant. Can the law on its own sort out the Bashdoor mess?

Bashdoor, also known as Shellshock, is a security bug in the Unix Bash shell only discovered in September 2014. Unix Bash, which is also adopted in Linux and Mac OS environments, is very commonly used in a myriad of applications such as web servers and the latest bug discovery has exposed such applications to malicious code that can be run through the Bash command line or script and which, simply put, can open up such applications or systems to unauthorised access and modification through rogue code injection. Millions of computers, tablets, smartphones and other central systems are at risk. Credit card details, whole databases can be stolen.

Once Bashdoor reached the public domain, cybercriminals reacted very quickly and within hours they were already creating botnets on affected computers in order to launch DDoS attacks from such compromised machines. By the end of September, it was reported that around 1.5 million daily attacks and probes were being tracked through honeypots.

Bash, a free Unix-based command-line shell, has been available since around 1992 and it's incredible how this bug, or coding flaw, remained undiscovered for almost 22 years! Thousands of servers have been compromised in a matter of days. The ease with which Bashdoor can be utilised, and the simple ability to run injected code in various systems and servers, has made Bashdoor far more lethal than the Heartbleed bug, which was originally reported earlier this year and which circled around a flaw in OpenSSL encryption. Differing from Heartbleed, which enabled hackers to spy on machines, Shellshock enables hackers to take over the whole system and modify it at will. It can potentially grant hackers access to every device connected to the internet. Scary indeed.

Various foreign government agencies also reacted quickly and rated Bashdoor as a high possible threat, also in light of the fact that several critical national infrastructures make use of the Bash software and are therefore not immune to the threat. Software patches to try and minimise the impact of the bug have been released but some of these patches were incomplete and it will always be unclear how many systems will not be updated with the latest patches and will remain vulnerable.

The possibilities posed through the utilization of the Bashdoor bug for unauthorised access and modification of computing devices are almost unprecedented. But whilst security companies are scrambling to patch all systems and software, our criminal law is very clear in relation to such activities. In this sense, the Bashdoor threat is not introducing anything novel on the legal front but the sheer scale of the technical vulnerability should not be underestimated.

The unauthorised access or modification of computing systems, software and data is regulated under Article 337C of our Criminal Code. Introduced in 2001, this Article largely replicates the provisions contained in the Council of Europe Cybercrime Convention which Malta only fully ratified in 2012.

Article 337C is very exhaustive and encapsulates various actions which could lead to the unauthorised access and modification offence. In fact, this Article stipulates that an offence would occur if anyone, without proper authorisation, uses a computer or any other device or equipment to access any data, software or supporting documentation held in that computer or on any other computer, or uses, copies or modifies any such data, software or supporting documentation. The same Article also includes the criminalisation of any unauthorised activity aimed at preventing or hindering access to any data, software or supporting documentation as well as the hindering or impairment of the functioning or operation of a computer system, software or data including the actual taking over or making use of any data, software or supporting documentation. The installation, alteration, damage, destruction, variation or addition to any data, software or supporting documentation without prior authorization is also a criminal offence under the same Article 337C of our Criminal Code.

The ‘beauty’ of Article 337C lies in its technological neutrality in the sense that irrespective of the technology used, including the latest attacks such as Shellshock, the law criminalises the act itself. The way that Shellshock works, that is through remote code injection and execution, is pretty simple and scary. However, our criminal laws already sufficiently cater for such situations, irrespective of how technologically complex (or simple) these attacks are.


The reality, alas, is far more complex than the word of the law and this particularly applies in the field of information technology. The real challenge lies not in whether criminal laws would apply but whether the law enforcement agencies have sufficient resources to prosecute the ever increasing number of cybercrime incidents being reported. In the meantime, you’d better patch up.

Tuesday, September 23, 2014

Malta Information Technology Law Association Set Up

A number of legal professionals specialized and locally active in the field of ICT Law, together with representatives of  the largest audit firms and electronic communications service providers in Malta grouped together to set up the Malta Information Technology Law Association (MITLA).

MITLA has been set up in order to promote the advancement and development of the various branches of information technology law, including computer law, internet law, electronic communications law, information law, electronic commerce law, remote gaming law and cybercrime, in Malta as well as to promote the advancement of Malta as an international centre of excellence in ICT Law.
As part of its activities, MITLA aims to actively research, discuss and circulate information on legal developments taking place on the international plane and within the European Union with respect to ICT Law and the knowledge economy and how Malta can benefit from such developments.

The discussion and promotion of legislative and regulatory changes and interventions related to ICT Law with national government and non-government bodies and international and regional organisations or associations will also be pursued by MITLA.

The Association will also explore opportunities for the discussion and consideration of matters of interest to its members and to undertake or assist in the preparation of legal instruments and papers in respect of such matters.

Membership within MITLA is open to legal professionals as well as auditors and accountants active or interested in the field of ICT Law, information technology professionals and students. Corporate membership is also available.

The current Executive Committee of the Association is composed of Dr. Antonio Ghio (Fenech & Fenech Advocates), Dr. Gege Gatt (ICON), Dr. Joseph Borg (WH Partners), Mr. George Sammut (PwC), Mr. Russell Mifsud (KPMG) and Dr. David Gonzi (Gonzi & Associates). A full list of the Founding Members can be found on the Association’s website www.mitla.org.mt

Dr. Antonio Ghio, President of MITLA commented: “The development of Malta as an ICT center of excellence requires that local laws truly reflect the technological state of play and act as instigators and enablers for Malta’s success in this field. MITLA shall assist all stakeholders, including government, national entities and other regulatory bodies through targeted legal and technical discussions by which the experience and expertise of its members can serve the national interest. The Association will now look forward to organizing a number of meetings with such bodies so that a working agenda for the immediate future can be discussed and agreed upon”.

Further information about MITLA as well as how to become a member is available at www.mitla.org.mt.

Contact:

The Executive Committee
MITLA
SmartCity Malta,
SCM1001,
Ricasoli,
Malta

Thursday, September 11, 2014

The Schrems Effect

Did you ever spend more than a couple of seconds pondering on the huge amounts of data that social networks collect and process about you? Did you ever contemplate that even though you think that you have deleted your information, that data is still somewhere, being used?

The disparity in the appreciation of privacy norms across both sides of the Atlantic is something which has kept law makers very busy lately. The difference between American and EU laws when it comes to data protection is staggering and the fact that most technological companies are American has highlighted over the past years the legal challenges posed to users’ privacy. But nothing has placed the issue on the public’s radar as much as an Austrian law student’s crusade against Facebook.

Max Schrems, a young lawyer in his mid-twenties has very recently initiated a class action in Vienna against Facebook based on various privacy violations under EU law including the use of ‘like’ buttons, Graph Search, the company’s support in the US PRISM surveillance programmes as well as the storing of user information and its sharing with third-party companies. The class action has already attracted more than 60,000 Facebook users from over 100 different countries who have formally asked to join in his complaint against the Irish subsidiary of the American company. This ‘David and Goliath’ lawsuit is the largest class action against Facebook in Europe and has sent shock waves around the technological community worldwide. In particular, the present lawsuit will test at unprecedented scale how enforceable European Data Protection laws actually are.

Following a semester at Santa Clara University in California and after hearing a speech by one of Facebook’s lawyers on privacy, Schrems was appalled by the lawyer’s “limited grasp” of the severity of privacy laws in Europe. After requesting from Facebook a copy of his personal data and receiving over 1,200 pages of information, including a history of every poke he had ever received as well as all the invitations he had received, Schrems realised that the often confusing (and at times contradictory) privacy policies put in place by Facebook did not provide the complete picture to the user of what was going on with their personal data. Schrems even went as far as comparing this “to the files that the Stasi compiled on citizens in East Germany”.

Presently there are over 1.3 billion Facebook users around the world but not all of these users would enjoy the privacy protection that EU laws provide. Since Facebook has established an Irish subsidiary in order to benefit from various tax advantages, it left itself open to the applicability of European data protection laws in relation to its users not resident in Canada and the United States. Around 80% of Facebook’s active users have in fact a contract with Facebook Ireland Ltd. Under current EU procedural rules, Schrems, as a European consumer, can take legal action at his place of residence thus rendering the Viennese Courts competent to hear the case. In practice, if Schrems were a Maltese citizen, Maltese courts would be able to hear his case even though our rules on class actions are somewhat different than in Austria.

The Austrian is not new to creating problems for Facebook. In the past few years, Schrems, through his Europe-v-facebook.org campaign, has filed over twenty complaints against Facebook Ireland with the Irish Data Protection Commissioner on various privacy law related breaches. The Irish courts have also decided to refer certain matters relating to the Facebook and PRISM spy programme to the European Court of Justice.

The objectives of Europe-v-facebook.org find their origins in the privacy principles that will be strengthened following the introduction of the new EU General Data Protection Regulations. The proposed new Regulations will basically fast forward the tried and tested legal norms found in the EU Data Protection Directive to the 21st century. When introduced back in the mid-nineties, Directive 95/46/EC could not factor in the different and complex forms of data processing that social networks, cloud computing and big data brought with them. Simply put, the new Regulations attempt to fine-tune well accepted data protection commandments and make them more aligned with current technological development.

The objectives include a more pronounced appreciation and applicability of the right to oblivion meaning that users should absolutely control when and how their data is removed and deleted based on increased transparency. They also include higher dependency on opt-in schemes and ease of use to control your privacy settings through the application of the principles of privacy by design and privacy by default. These concepts all revolve around informational self-determination and the ability of the user to be really in control. Portability of data and open standards for social networks are also being strongly advocated by Europe-v-facebook.org.

The legal road towards a decision in the Schrems class action against Facebook is long.

Whilst we all question the privacy methods utilized by social networks, we hardly ever take any real action. Schrems thinks differently and his enthusiasm is spreading like grass fire. Schrems and his actions, irrespective of the final decision by the courts will surely continue to reverberate for the foreseeable future. In the meantime, like most of us, he still uses Facebook. 

Monday, September 1, 2014

Processing of Children/Student Data and the proposed revised Legal Notice – An open submission as part of the official consultation process


Introduction

The publication for public consultation of the revised version of what is now being generally referred to as LN76/2014 has essentially proved that the initial version of the said Legal Notice was far from perfect and that the reservations raised some months back were not simple scaremongering.

For my analysis of the original Legal Notice 76/2014 please read my opinion piece found at http://ictlawmalta.blogspot.com/2014/04/processing-of-childrenstudent-data-and.html.

Version 2.0 is indeed a big step in the right direction on many fronts and is evidence of the effort and time dedicated by the Office of the Information and Data Protection Commissioner, which, in conjunction with a dedicated working group set up by the Commissioner, has looked into this issue for the past months. This is laudable and highly welcome.

Unfortunately however, not all that glitters is gold and the draft subsidiary legislation barely scratches the surface in some aspects, especially in relation to issues pertaining to research as well as re-identification of personal data used for such purposes.

LN76/2014 Version 2.0 in a nutshell

The revised version comes in the form of Regulations contained in an ad-hoc Subsidiary Legislation to be issued under the Data Protection Act. As opposed to the initial version, a Legal Notice issued under the Employment and Training Services Act, version 2.0 has been strongly linked with an enabling act which makes sense, that is the Data Protection Act.

Immediately one can note that any ID Card requirement has been removed and there is no mention of the Minister for Education as being a data controller. Instead, the draft Subsidiary Legislation distinguishes between Educational Authorities and Educational Institutions. Whilst Educational Authorities are the Directorates as established under the Education Act as well as the National Commission for Further and Higher Education, Educational Institutions refer to the schools or other institutions which control data regarding students. This creates the most important and valid distinction between the categories of data controllers which could process personal data regarding students and is indeed the right approach.

The draft Subsidiary Legislation lays down how processing by Education Authorities should take place (Regulation 3) as well as processing by Educational Institutions (Regulation 4). It also provides for the recipients of data (Regulation 5), the type of consent required for processing (Regulation 6) but still contains special, and in my opinion, highly controversial, provisions regarding processing for research and statistics purposes (Regulation 7).

Version 2.0 introduces the concept of pseudo-anonymisation but also contains certain provisions regarding the re-identification of pseudonymous data following the carrying out of ‘research’ which can lead to dangerous, highly questionable processing which might not be in line with applicable EU Directives (namely EU Directive 95/46/EC), forthcoming EU Regulations (the new EU General Data Protection Regulation) as well as published opinions of the Article 29 Data Protection Working Party, especially Opinion 03/2013 on purpose limitation adopted on the 2nd April 2013.

Scope and Background

On the 24th August, in its introduction to the launch of the public consultation regarding the revised Legal Notice regarding the Processing of Personal Data within the Education Sector (http://msdc.gov.mt/en/Public_Consultations/MEDE/Pages/Consultations/ProcessingOfPersonalDataEducationSector.aspx), the Ministry for Social Dialogue, Consumer Affairs and Civil Liberties stated that:

“Government has an obligation to address deficiencies in the education system resulting in a good number of students with little or no qualifications and lack of skills or capabilities to enter the labour market. To address this deficiency, as promised in the electoral manifesto, the need is felt to enhance our educational system to include and integrate all students and avoid drop outs and early school leavers to the detriment of the students themselves and of Maltese society at large.”

The objective that no student should be left behind is indeed noble and this statement sets the stage for the purposes behind the revised version of the highly controversial Legal Notice.  In its statement, the Ministry added that:

“To implement the necessary measures, the personal data of students have to be processed but this has to be done in accordance with the Data Protection Act to reach the necessary balance between the need for processing and the right to protect and safeguard personal data.” 

As already noted, the revised version of the Legal Notice is much improved but does it strike the right, or even legal, balance between electoral promises to address certain deficiencies in our educational systems and the fundamental right to privacy of our children/students? Does our Data Protection Act, and in particular the latest version of the revised Legal Notice, fully transpose the provisions and the spirit of the applicable Directives and the learned opinion of the Article 29 Data Protection Working Party? The answer, as will be further detailed below, is mixed. Is the revised text of the Legal Notice, consciously or subconsciously, an “abuse” of the term ‘public interest’?

Definitions and Terminology

Sadly, the draft Subsidiary Legislation is replete with terminology that is not properly defined. Whilst I would accept that a policy document, or a strategy document, would include undefined terminology, having a legislative instrument built upon undefined terms is undesirable and leads to textual ambiguities, especially in technical areas such as data privacy.

Terms such as “targeted policies and/or initiatives” and even “student” itself remained undefined. Other terms that suffered the same fate include “reconciliation”, “active participation in employment opportunities”, “specialised services”, “follow-up action”, “alignment of jobs”, “best interest of the students” and “re-identification of students”. Such an approach could substantially reduce the integrity and cohesiveness of the legal texts or, far more dangerously, be prone to wide and potentially abusive interpretations.

A Two-Tier Approach

The distinction between the roles, duties and responsibilities of Educational Institutions and Educational Authorities is the star introduction of the revised Legal Notice. This is in stark contrast with the original version of the Legal Notice where the Minister of Education and Employment became a new data controller with unrivalled rights of collection and processing of personal data relating to students. Clearly making reference to the powers already available to the Educational Authorities as found under the Education Act is also positive. But this does not necessarily mean that the powers presently available at law provide sufficient legal basis for the processing by way of “research” of student data by such Authorities and whether the revised Legal Notice should legitimise targeted decisions in relation to data subjects, irrespective of the honourable cause that lies behind such decisions.

The revised Legal Notice does provide a certain level of separation between the role of Educational Institutions and Education Authorities but a clear analysis of the legal text raises a number of legitimate concerns as to whether such separation (as further explained below) between these two different data controllers goes sufficiently far.

The proposed Regulation 3(1) regarding the processing by Educational Authorities provides that such authorities “may process personal data in relation to students and where specifically required in the best interest of the students, personal data of parents and legal guardians, may also be processed to carry out their functions as provided under the Education Act.”

Does this simply mean that such personal data can be processed to fulfil the functions as established under the Education Act (which mainly relate to the drafting of policy and strategies and which would not lead to any personal decisions affecting the data subject) or merely for the “best interests of the students”? After all, who will decide what is in the “best interest of the students”? Will this be a subjective decision by some official within the Education Authorities themselves? Will it be a politician? Surely, the Education Act, and the powers available to the Education Authorities established under such Act, do not speak about the “best interests of students”.

Regulation 3 (3) of the revised Legal Notice provides that:

“Where data regarding educational attainment and ability in relation to the student held by Educational Institutions is required by the Educational Authorities in order to fulfil their functions as laid down in the Education Act, identifiable data shall be substituted by pseudonymous data, provided that any follow-up action is to be carried out by the educational institutions which transmitted the data as instructed by the Education Authorities.”

Again, the text does not provide sufficient clarity. Whilst these new powers are limited in scope by the Education Authorities’ functions as found in the Education Act, the draft Regulation 3(3) does not contain an explicit and clearly understandable provision on who will be responsible for substituting identifiable data with pseudonymous data.

Will it be the Education Authorities or the Education Institutions? How will this be done? What technical parameters will be used? Who will oversee that such data is substituted in a way that no re-identification will be possible?

It appears that Regulation 3, especially sub-regulation (6), is introducing a concept where the Educational Authorities do act as a buffer and are responsible for the onward transmission of the student personal data to the Authorities, but the proposed text is not sufficiently clear and is prone to contrasting interpretations. The methodology used for the Educational Authorities to ‘decide’ as to whether any specific student requires the “benefit” of targeted policies and/or initiatives is also questionable.

The scope behind Regulation 3(8), which deals with national initiatives, is also dubious. Whilst the difference between a targeted policy and a national initiative should be clear, one cannot completely understand why personal data is required to pursue a national initiative. Does this mean that under the guise of a “national initiative”, the personal data of all students over compulsory school age in Malta will be required? Cannot the Educational Authorities forward any information they receive regarding national initiatives directly to their students, who may then opt to avail of such initiatives without the need for the Education Authorities to obtain the details of such students? After all, a national initiative is, as the name implies, national and not ‘targeted’.

A Question of Research and Public Interest

Our own Data Protection Act provides under Article 8 (b) that “personal data kept for historical, statistical or scientific purposes shall not be used for any decision concerning a data subject”. The law here is very clear. Our law further provides in Article 16 (3) that “personal data may be provided to be used for the purposes” of research and statistics and provided that the processing is necessary as stipulated in Article 9(e), “unless otherwise provided by applicable rules on secrecy and confidentiality”.

Article 9(e) of the Data Protection Act provides that personal data may be processed only if “processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed”.

The pertinent question is therefore twofold: (i) can the research/processing contemplated under the revised Legal Notice fall under Article 9(e) of the Data Protection Act and (ii) can such research be used as the basis for any decision concerning a data subject?

To arrive at an answer to these two questions, one has to look at the transposition of EU Directive 95/46/EC into Maltese law, the new General Data Protection Regulation and the work of the Article 29 Data Protection Working Party.

It seems that the wording used by the Maltese legislator can lead to a certain vagueness in the term “research”. This vagueness is not found in the EU Directive, which makes it clear that research can be of three forms: historical, statistical and scientific. Are we therefore faced with a situation where the revised Legal Notice is extending the word “research” beyond the historical, statistical and scientific realms?

This discussion gains further relevance when one looks at the text proposed in Regulation 7 of the revised Legal Notice which states that:

“(1) When processing of personal data is required for research and statistics purposes, all identifiable data shall be rendered anonymous, unless in the case of research, the identification of the data subject is required to fulfil the purposes of such research.

(2) Within the limits of these regulations, where, for the purposes of implementing specific targeted policies, the research being conducted would require the identification details of students, data controllers shall process such data by replacing personal identification data with pseudonymous data, and eventually limiting the re-identification of students only to those cases which specifically fall within the parameters of the target policy.”

The proposed Regulation 7, however, distinguishes between processing for research carried out by the Education Authorities and processing for research carried out by other entities not being Education Authorities. In fact, Regulation 7(3) provides that when other entities are carrying out research, the specific consent of the data subjects or their legal guardians/parents will be required. Furthermore, in the case of research carried out on pseudo-anonymous data by other entities, Regulation 7(4) stipulates that such other entities have to ensure that:

“a) personal data are not processed for any other purpose that is incompatible with the specific purpose of the targeted policy and/or initiative, and in particular not for the purpose of supporting measures or decisions with respect to the student, either specifically related to the targeted policy and/or initiative or otherwise;
b) data enabling the attribution of information to an identified or identifiable data subject are kept separately from the other data;
c) adequate organisational and technical safeguards are in place to protect the personal data against any unlawful forms of processing;
d) personal data shall not be retained for a period which is longer than necessary and all identifiable details shall be rendered anonymous, deleted, or destroyed, following the completion of the policy and/or initiative implementation.”

It is highly questionable why the restrictions laid down in Regulation 7(4) only apply to other entities and not to the Education Authorities.

Research under EU Directive 95/46/EC

Recital 29 of the Data Protection Directive states that: “Whereas the further processing of personal data for historical, statistical or scientific purposes is not generally to be considered incompatible with the purposes for which the data have previously been collected provided that Member States furnish suitable safeguards; whereas these safeguards must in particular rule out the use of the data in support of measures or decisions regarding any particular individual”.

Recital 34 of the Data Protection Directive additionally states that “Whereas Member States must also be authorized, when justified by grounds of important public interest, to derogate from the prohibition on processing sensitive categories of data where important reasons of public interest so justify in areas such as public health and social protection - especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system - scientific research and government statistics; whereas it is incumbent on them, however, to provide specific and suitable safeguards so as to protect the fundamental rights and the privacy of individuals”.

It is immediately evident that the present Directive establishes a higher level of protection with respect to the processing of sensitive personal data justified by important public interest in relation to scientific research and government statistics. To this effect, and rightly so, the revised Legal Notice provides that any research involving sensitive personal data must be pre-approved by the Information and Data Protection Commissioner.

Article 13(2) of the Data Protection Directive adds that: “Subject to adequate legal safeguards, in particular that the data are not used for taking measures or decisions regarding any particular individual, Member States may, where there is clearly no risk of breaching the privacy of the data subject, restrict by a legislative measure the rights provided for in Article 12 when data are processed solely for purposes of scientific research or are kept in personal form for a period which does not exceed the period necessary for the sole purpose of creating statistics.”

But Article 12 of the Directive only speaks about the right of access to be provided to the data subject and nothing more. This does not mean however, as confirmed by this Article, that any processing for scientific research can lead to measures or decisions regarding particular individuals as found in Article 8(b) of our own Data Protection Act. Also, will the Education Authorities actually perform scientific research or just ‘research’ in the general sense of the word?

Is this not in stark contrast with the provisions contained in Regulation 3 and 7 of the revised Legal Notice?

Research under the new EU General Data Protection Regulation

In addition to the provisions already contained in the EU Data Protection Directive, the legal basis behind processing for the purposes of research is being further strengthened under the text (as amended by the European Parliament) of the upcoming new EU General Data Protection Regulation.

Recital 126 of the EU General Data Protection Regulation provides that:

“Scientific research for the purposes of this Regulation should include fundamental research, applied research, and privately funded research and in addition should take into account the Union's objective under Article 179(1) of the Treaty on the Functioning of the European Union of achieving a European Research Area. The processing of personal data for historical, statistical and scientific research purposes should not result in personal data being processed for other purposes, unless with the consent of the data subject or on the basis of Union or Member State law.”

Emphasis is being made here on the fact that any personal decision emanating from the research would require the consent of the data subject or be taken on the basis of Member State law (as is the case with the revised Legal Notice). It is questionable, however, whether the revised Legal Notice would be in line with the provisions contained in the new EU General Data Protection Regulation, especially Art. 83.

Article 1(e) of the EU General Data Protection Regulation also provides that personal data shall, amongst others, be “kept in a form which permits direct or indirect identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for historical, statistical or scientific research or for archive purposes in accordance with the rules and conditions of Articles 83 and 83a and if a periodic review is carried out to assess the necessity to continue the storage, and if appropriate technical and organizational measures are put in place to limit access to the data only for these purposes (storage minimisation);”

Article 83 of the EU General Data Protection Regulation then provides specific rules in relation to the processing for historical, statistical and scientific research purposes:

“In accordance with the rules set out in this Regulation, personal data may be processed for historical, statistical or scientific research purposes only if:
(a) these purposes cannot be otherwise fulfilled by processing data which does not permit or not any longer permit the identification of the data subject;
(b) data enabling the attribution of information to an identified or identifiable data subject is kept separately from the other information under the highest technical standards, and all necessary measures are taken to prevent unwarranted re-identification of the data subjects.”

Since the proposed Regulation 7 of the revised Legal Notice explicitly speaks about “re-identification” and “specific targeted policies”, one seriously questions whether such provision can be considered to be in line with Art. 83 of the new EU General Data Protection Regulation as well as the prohibition contained therein on arriving at any personal decision on the data subject in light of such “research”.

Purpose Limitation, Functional Separation and the opinion of Article 29 Data Protection Working Party

Opinion 03/2013 on purpose limitation, adopted on the 2nd April 2013 by the Article 29 Data Protection Working Party (the “Opinion”), provides a very detailed analysis of the concepts of purpose limitation and functional separation and of their application to processing for research purposes. Such analysis is of extreme relevance to any discussion regarding the revised Legal Notice as it expounds on various issues being raised in the said Legal Notice. Of particular interest is Section III 2.3 of the Opinion, specifically dealing with processing for historical, statistical or scientific purposes.

The Working Party (Pg.28) states that the present Directive 95/46/EC allows for further processing for historical, statistical and scientific research as long as the controller compensates for this change by implementing “appropriate safeguards and in particular by ensuring that the data will not be used to support measures or decisions regarding any particular individuals”. The question is therefore whether the revised Legal Notice, when dealing with research processing contains such “appropriate safeguards”. 

In my opinion, it does not.

Furthermore, the revised Legal Notice appears to justify “measures or decisions regarding any particular individuals” as the main objective behind the research to be carried out!

Commenting on Recital 29 of the Data Protection Directive (as referred to above), the Article 29 Working Party adds that (Pg 28):

“As noted in recital 29, the purpose of the safeguards is typically to 'rule out' that the data will be used to support measures or decisions regarding any particular individual. The term ‘rule out’ suggests that the safeguards should indeed be strong enough to exclude or at least minimise any risks to the data subjects.”

Here, the Article 29 Working Party makes a reference to the provision contained in Article 9(3) of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), which also allows further use for statistics or scientific research but only in cases where “there is obviously no risk of an infringement of the privacy of the data subjects”.

Unfortunately, it is my opinion that the present revised version of the Legal Notice does not go sufficiently far to remove any such risks as referred to in Article 9(3) of Convention 108.

Another statement by the Article 29 Working Party in the Opinion (pg 28) which has direct relevance to the mechanics being introduced by means of the revised Legal Notice is the following:

“In order to ensure appropriate safeguards, the term 'measures or decisions' should be interpreted in the broadest sense. First, they should be understood to cover any 'measures or decisions' irrespective of whether they are taken by the controller or by anyone else. Second, 'measures or decisions' do not only cover formal decisions and measures in a formal procedure. In other words: any relevant impact on particular individuals - either negative or positive - should be avoided.”

Irrespective of the noble scope of the revised Legal Notice, the text leads to the conclusion that the very essence of this text is to have an “impact on particular individuals” – something that the Opinion recommends against.

In this sense the position of the Article 29 Working Party is crystal clear – that even the positive impact of such measures and decisions taken by Education Authorities without the full consent of the data subjects, should be avoided.

This position is further strengthened by other relevant pronouncements by the Article 29 Working Party where it distinguishes between the initial data controller (the Educational Institutions) and processing for research carried out by third parties (such as the Education Authorities):

“it will also be relevant to distinguish between situations where the further processing will be carried out by the initial data controller and those where personal data will be transferred to a third party. In this context, some research projects may require very precise protocols (rules and procedures) to ensure a strict functional separation between participants in the research and outside stakeholders. This may include technical and organisational measures, such as securely key-coding the personal data transferred and prohibiting outside stakeholders from re-identifying data subjects (as in the case of clinical trials and pharmaceutical research) and possible other measures” (Pg 29).

Sadly, the revised Legal Notice is completely devoid of any such “precise protocols (rules and procedures) to ensure a strict functional separation between participants”. The revised Legal Notice just distinguishes between the Education Authorities and Educational Institutions but does not provide any further guidance or procedure of the kind recommended by the Article 29 Working Party, nor does it ensure the functional separation between these two bodies.

On the aspect of functional separation, the opinion states at pg 30:

“When it comes to the safeguards to be adopted, the notion of functional separation may be of particular relevance. This means that data used for statistical purposes or other research purposes should not be available to 'support measures or decisions' that are taken with regard to the individual data subjects concerned (unless specifically authorized by the individuals concerned). To comply with this requirement, controllers need to guarantee the security of the data, and take all other necessary technical and organisational measures to ensure functional separation.”

In relation to situations where pseudo-anonymisation is envisaged, the Opinion (Pg 31) provides that:  

“Partial anonymisation or partial de-identification may be the appropriate solution in some situations when complete anonymisation is not practically feasible. In these cases, various techniques (including pseudo-anonymisation, key-coding, keyed-hashing, using rotating salts, removal of direct identifiers and outliers, replacing unique IDs, introduction of 'noise', and others) should be used to reduce the risk that data subjects can be re-identified, and subsequently, that any measures or decisions can be taken in their regard. In addition, there will also often be a need to complement these techniques with other safeguards in order to adequately protect the data subjects. These include data minimisation, as well as appropriate organisational and technical measures, including effective 'data silo'-ing, to ensure functional separation.”

I contend that the revised Legal Notice, whilst introducing the concept of pseudo-anonymisation, fails to provide sufficient clarity as to how this will work in practice and what safeguards will be put in place by the different stakeholders.

The Opinion also states at Pg. 27 that “When trying to identify technical and organisational measures that qualify as appropriate safeguards to compensate for the change of purpose, the focus often lies with the notion of isolation. Examples of the relevant measures may include, among other things, full or partial anonymisation, pseudonymisation, or aggregation of the data, privacy enhancing technologies, as well as other measures to ensure that the data cannot be used to take decisions or other actions with respect to individuals ('functional separation'). These measures are particularly relevant in the context of further use for ‘historical, statistical or scientific purposes’”.

Of particular relevance is however the pronouncement made by the Article 29 Working Party in relation to data about children. In light of the fact that most student data as contemplated in the revised Legal Notice will inevitably relate to children, one seriously has to question why the requirement of consent is not present when it comes to targeted decisions (possibly based on ‘research’) taken by Education Authorities.

In fact, the Opinion clearly states that (Pg 32):

“further processing of personal data concerning health, data about children, other vulnerable individuals, or other highly sensitive information should, in principle, be permitted only with the consent of the data subject”.

Conclusion

As further highlighted in the new General Data Protection Regulation, consent is king. Unfortunately, certain aspects of processing by Education Authorities as included in the revised Legal Notice still do not require the consent of data subjects, especially when specific targeted decisions might be taken against such individuals. This also has to be considered in the light of the position taken by the Article 29 Working Party, which opined that the further processing of data about children should only be permitted with the consent of the data subject.

The text needs to go further in strengthening the principle of functional separation in light of the concept of purpose limitation. The role of the Education Institutions as ‘buffers’ has to be increased. This can be done by ensuring that the Education Authorities would never, and can never, arrive at the identification or re-identification of data subjects. If any specific further targeted initiatives should be ‘offered’ to certain students, the Education Authorities could, on the basis of the pseudonymous data processed, simply inform the Education Institution that it has to forward such offers to the students, who would be free to opt in to such targeted schemes and consent to such processing, but never in a way that would allow the Education Authorities to identify the students being approached by the Educational Institution.
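The buffer arrangement proposed above, combined with the keyed-hashing, rotating-salt and key-coding techniques listed in the Opinion, can be sketched as follows. This is an added illustration and is not part of the Legal Notice, the Opinion or any system operated by the bodies discussed; the class and function names, the sample records and the score threshold are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; ID numbers, names and scores are invented.
STUDENTS = [
    {"id_no": "ID-000123", "name": "Student A", "score": 41},
    {"id_no": "ID-000456", "name": "Student B", "score": 78},
    {"id_no": "ID-000789", "name": "Student C", "score": 35},
]


class Institution:
    """Initial controller: the only party holding the key and the key-coding table."""

    def __init__(self, master_key=None):
        self._master_key = master_key or secrets.token_bytes(32)
        self._lookup = {}  # (cycle, pseudonym) -> id_no; kept separately, never exported

    def _cycle_key(self, cycle):
        # A fresh key per export cycle (the "rotating salt"): the recipient
        # cannot join pseudonyms from one cycle with those from another.
        return hmac.new(self._master_key, b"cycle:" + cycle.encode(),
                        hashlib.sha256).digest()

    def pseudonym(self, id_no, cycle):
        # Keyed hash: ID numbers are low-entropy, so an unkeyed hash could be
        # reversed by hashing every possible ID. Without the key that fails.
        mac = hmac.new(self._cycle_key(cycle), id_no.encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def export(self, students, cycle):
        """Build the data set sent to the authority: pseudonym and score only."""
        rows = []
        for s in students:
            p = self.pseudonym(s["id_no"], cycle)
            self._lookup[(cycle, p)] = s["id_no"]
            rows.append({"pseudonym": p, "score": s["score"]})  # data minimisation
        return rows

    def forward_offer(self, pseudonyms, cycle):
        """Re-identify locally and return the ID numbers of students to contact.

        Consent to take part is collected by the institution afterwards and
        is outside this sketch.
        """
        unknown = [p for p in pseudonyms if (cycle, p) not in self._lookup]
        if unknown:
            raise KeyError(f"{len(unknown)} pseudonym(s) not issued in cycle {cycle}")
        return sorted(self._lookup[(cycle, p)] for p in pseudonyms)


def authority_select(rows, below):
    """Authority side: sees the export only and returns pseudonyms, never identities."""
    return [r["pseudonym"] for r in rows if r["score"] < below]


def demo():
    school = Institution()
    rows = school.export(STUDENTS, "2015-16")
    chosen = authority_select(rows, below=50)
    return rows, chosen, school.forward_offer(chosen, "2015-16")


if __name__ == "__main__":
    rows, chosen, contacted = demo()
    print("sent to authority:", rows)
    print("authority selected:", chosen)
    print("institution contacts:", contacted)
```

The separation holds only while the key and the lookup table stay with the institution; an export that also carried quasi-identifiers such as date of birth or locality could still allow re-identification by linkage.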

Furthermore, a serious revision of the proposed ways in which research is carried out has to be undertaken in order to ensure that there is no way in which any form of research undertaken by Education Authorities, irrespective of whether such research is justified under the Education Act or otherwise, can lead, following re-identification, to any specific decision affecting the data subject without his/her prior consent.

The various questions that the revised Legal Notice is raising in relation to personal decisions taken following research have to be looked into not only in light of our own Data Protection Act but also the principles enshrined under EU law.

The revised Legal Notice does indeed point in the right direction, but the uncertainties and ambiguities that the present text contains have to be addressed in order to ensure that the fundamental right to privacy of students, our children, is truly safeguarded.