A local newspaper recently carried a report implying that the Church and political parties are somehow exempt from the provisions of Malta's new Data Protection Law enacted in December 2001. The same report also indicated that a lawyer present at a public seminar swiftly pointed out that this is not a blanket exemption.

It is important that the public is informed that, in fact, neither the Catholic Church nor the political parties are given any exemption, blanket or otherwise, from the main provisions of the Data Protection Act 2001.

A careful reading of the law in question will confirm that the Church and the political parties have to notify their personal data processing operations to the Data Protection Commissioner and that citizens have the right to request the Church and political parties to access their personal data (s. 21) and amend or delete the same data (s. 22) in exactly the same way as they may act vis-à-vis the government or a private company.

The Church and the political parties are likewise subject to those provisions of the Data Protection Law that enforce security standards and the requirement of a specific purpose for the collection and processing of data as well as the need to keep only that data which is up-to-date and strictly relevant to the specific purpose for collection.

Contrary to the general impression conveyed by the newspaper report, our reading of the law would suggest that any citizen who is not a member of a political party (or the Church) and who does not come into regular contact with a political party, can request to have his data deleted forthwith. Indeed our reading of the law would further suggest that the Data Protection Commissioner is in duty bound to get the political parties to respect the provisions of the Act and, in line with s.14, compel the parties to restrict their personal data processing activities solely to their members or persons whom they regularly come in contact with.

Well over half of Malta's population does not come into regular contact with the political parties - however much the political parties would like to have regular contact with them. Therefore the political parties have no right to collect or process their data and the Data Protection Commissioner is expected to protect the privacy of ordinary citizens and fulfil his obligations by preventing the parties from collecting and processing the data of citizens who are not members of the parties and who do not belong to that tiny minority of non-members who come into regular contact with a political party.

What the Maltese law does try to exempt, through s. 14 of the Act, is the processing of sensitive personal data in certain circumstances. European law, through Art. 6 of the 1981 European Data Protection Convention and Art. 8 of EU Directive 46/95, holds that certain personal data and particularly that pertaining to religious, political or philosophical belief, ethnic origin, sexual and medical life, are especially sensitive personal data. So sensitive indeed that, under normal circumstances, these data cannot even be collected and processed using a computer.

The 1981 European Data Protection Convention provides that, in extraordinary circumstances, i.e. where the domestic law of a country explicitly sets out a number of appropriate guarantees, then such processing may be permissible. The general idea underlying these provisions of European law is that sensitive personal data deserves the type of extraordinary protection which would require the legislator of a country to take special care and make a proper effort in safeguarding such sensitive data by deliberately choosing and giving the force of law to a number of measures which would serve as appropriate guarantees should such data be collected and further processed.

The nature of such guarantees may vary but may include a) mandatory consent by the person concerned (the data-subject), b) special security requirements; c) very restricted access and use requirements; d) very limited time periods - e.g. six months - for collection and use, etc.

Malta's Data Protection Act 2001 nowhere provides such appropriate guarantees to ensure safe processing of sensitive personal data. The DPA first obeys the letter of the EU Directive 46/95 by prohibiting the processing of sensitive personal data in Section 12 and then promptly tries (in section 14) to exempt the political parties (and other "not-for-profit" organisations) from such a blanket prohibition. It does so rather inadequately however since the section merely speaks of appropriate guarantees without in any way providing such guarantees.

In this sense, the Data Protection Act 2001 merely replicates the wording of Art. 8 of the EU Directive and falls far short of the standards set out in Art. 6 of the European 1981 Data Protection Convention which requires that the guarantees are "provided for by domestic law". The term "provided for", in legal terminology, as opposed to "permitted by", means that the country concerned must make explicit and specific provisions to provide guarantees for the protection of the citizen's sensitive data should this be collected and processed.

As things stand, Malta's Data Protection Law dilutes the absolute prohibition of the processing of sensitive personal data without spelling out appropriate guarantees. By thus not meeting the requirements of Art. 6 of the 1981 European Data Protection Convention, Malta risks having any attempt of signing and ratifying this Convention rejected by the Council of Europe.

There is a ray of hope in that the minister concerned may use the powers granted in S.54 of the Data Protection Act to make regulations, thus using subsidiary legislation to specify those safeguards which the law currently fails to provide. If this happens soon enough, then both the letter and the spirit of European law will be respected. We look forward to our new Data Protection Commissioner being pro-active in this regard and take this opportunity to extend our best wishes to him in his important new role.

Dr Cannataci is Head of the Law & Information Technology Division of the Centre for Communications Technology at the University of Malta. He was a member, vice-chairman and chairman of the Council of Europe's Committee of Experts on Data Protection (CJ-PD) between 1986-2000. His books and articles on data protection law have been published internationally and he has lectured on the subject in Amsterdam, Oslo, Paris, Prague, Warsaw and the UK.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.