New European data protection law that will raise the bar for privacy in Malta

The EU’s far-reaching General Data Protection Regulation will raise the bar on data protection and introduce more regulations for businesses.

An audience heard Information and Data Protection Commissioner Saviour Cachia explain the new legal requirements that will prevent businesses from collecting data for an indefinite period of time, and that only in certain limited narrow instances will data be kept for historic purposes.

Further restrictions will take place on personal data concerning children, which means processing of such data will only be lawful if the permission of the child is obtained.

The GDPR comes into force across the EU in May, promising a new degree of transparency from data controllers on the way they process people’s data.

“It is very important to inform the data subject before any data is taken, and inform them of how long the data will be retained,” Cachia said. “If the subjects are not properly informed, the data subjects would have a right to complain.”

The IDPC’s head of compliance David Cauchi said data about individuals – through use of services such as the cloud – can often be processed sometimes in jurisdictions which do not have the best data protection regimes. “This is why the GDPR rules are being revised. The new world we are living in caused these rule changes.”

This should mean that data subjects will be granted more control of their own data, giving them a degree of decision-making on their own data. 

“Most of the powers of the Data Protection Authority are already in place and will remain the same,” David Cauchi said. “The bottom line concerns sanctions and fines – there will be situations were the Authority will have to sanction, but in most cases we prefer compliance rather than enforcement.”

Under the new GDPR, there will be a genuine choice whether individuals give data access or not. It will also be easy to withdraw consent, and consent will not be presumed either – it has to be an active decision by the data subject, and it has to be clearly in relation to specific purposes.

Other restrictions include:

Direct marketing: under the GDPR the individual can object from direct marketing. There will also be a new privacy regulation in future. The GDPR recognises that the processing of personal data for direct marketing may be required for legitimate intent, however businesses should give the right to object, and the individual can do this at any time

Transparency: under the GDPR there is an expanded right of individuals to be informed of the processing of data. Individuals now have to be informed about the retention period with regards to the processing operation.

Right to complain: Individuals should now also be informed by the data controller of their right to make a complaint. Information about the data protection officer should also be provided to the data subjects. If the individual just accepts the privacy notice without reading it, then the data controller is not responsible for this short-coming.

Right to access: The GDPR also enhanced the right of access. Individuals must be provided with a copy of their personal data, which does not reveal data about third parties.

Data breaches: Under new GDPR framework, if a data controller suffers a data breach, for example from a security incident – if it is high risk (the law specifies what is high risk), there will be the obligation to notify the Data Protection Authority within 72 hours of the breach, and in certain circumstances even the data subjects. This is a new requirement and will apply across the board. As an office, we are already receiving notifications of breaches.