Police use of traffic cameras still to be discussed with Data Protection Commissioner

The Data Protection Commissioner has yet to establish ‘necessary facts’ about agreement to share traffic camera data with police, and ensure personal data processing is carried out within the law

Last week, Transport Minister Ian Borg and Home Affairs Minister Michael Farrugia (pictured) presided over the signing of an agreement intended to provide the police with access to the transport regulator’s network of traffic cameras

A memorandum of understanding between the Police Corps and Transport Malta is still to be discussed with the Office of the Data Protection Commissioner (IDPC).

Last week, Transport Minister Ian Borg and Home Affairs Minister Michael Farrugia presided over the signing of an agreement intended to provide the police with access to the transport regulator’s network of traffic cameras.

Currently, the police need to request access to the system when this is necessary for an investigation. The agreement aims to grant the police access to the system without having to make a request. However, it is unclear what safeguards would have to be put in place to protect people’s privacy rights, particularly in terms of recent data protection laws.

“This office was informed about the memorandum of understanding signed between the Police and Transport Malta from media reports,” the IDPC told MaltaToday.

Asked whether the police’s use of the system needed to be limited to certain types of investigations in order for the risks of processing people’s personal data to be considered proportional to the need for the police to do their work, and therefore justified, the IDPC declined to comment given that it was as yet unclear what the agreement would entail.

“The Commissioner is currently in the process of engaging with the public bodies concerned to establish all the necessary facts about this MoU, and ensure that any processing of personal data is carried out in accordance with data protection requirements,” the IDPC said.

The applicable law will depend on exactly what personal data is processed, and how. While the General Data Protection Regulation (GDPR) generally governs personal data processing, there is a specific EU directive – EU Directive 2016/680 – that deals with the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The latter piece of legislation attempts to balance data privacy rights with competent authorities’ obligations to fight crime.

Both sets of regulations impose a vast number of obligations on entities that process personal data – whether on their own behalf, or on behalf of a third party – so as to ensure that the right to privacy is respected and safeguarded. One such obligation is that of conducting a data protection impact assessment – an exercise to establish what effects a certain activity would have on the rights and freedoms of citizens.

According to Directive 2016/680, “A data protection impact assessment should be carried out by the controller where the processing operations are likely to result in a high risk to the rights and freedoms of data subjects by virtue of their nature, scope or purposes, which should include, in particular, the measures, safeguards and mechanisms envisaged to ensure the protection of personal data and to demonstrate compliance with the law”.

Transport Malta, however, said it had held several meetings with the Data Protection Commissioner “since before setting up the traffic control centre”, and that it took data protection very seriously, adhering to strict procedures in order to prevent any data breach.

“In the run up to the introduction of GDPR rules by the European Union, Transport Malta engaged a specialised firm to help the Authority get in line with the new regulations, in order to further safeguard its clients from data breaches. The Authority has a Data Protection Officer who is responsible for matters relating to privacy and data protection.

“With regards to the Memorandum of Understanding, it is to be stated that the transmission of information from Transport Malta to the Police is authorised and specifically permitted by the law itself, and hence the MOU constitutes a form of written understanding which fundamentally incorporates and regulates an issue which is already established, permitted and authorised by law.”

TM pointed out that Article 37(1) of the Data Protection regulations specifically provides for the communication of information from one competent authority to another, without the need for any such communication to be authorised by the Data Protection Commissioner.

For their part, the police said they have had lawful authority since 2002 to request information from any person in possession of any information or document relevant to any criminal investigation. “That person has a legal obligation to comply with such a request and to give the required information or document to the Police.”