Dr Warren Ciantar, on behalf of Mamo TCV Advocates, recently participated in a half-day seminar organised and hosted by the Malta IT Law Association (MITLA) which was held at Smart City on the 13th April 2018. The seminar dealt with various aspects of the GDPR, including its implications in the gaming and fintech industries and was consequently attended by various stakeholders in these sectors. The background of attendees varied, with the Malta Gaming Authority, audit firms, insurance companies, gaming companies, software developers and law firms all being represented throughout the afternoon's presentations and discussions.
Dr Ciantar formed part of a panel of three speakers that explored certain aspects of the GDPR from the perspective of the fintech industry. These dealt with an array of issues such as the way in which financial institutions are dealing with the upcoming changes to data protection law as a result of the GDPR and what challenges they are facing. In particular, cybercrime was highlighted as a major concern, and the fintech industry is taking action to update its technical and organisational measures to manage and prevent cyber attacks. The notion of "privacy by design" was earmarked as a crucial cornerstone of future software, in whatever context it may be applied. This has created new challenges, yet also new opportunities, for software engineers to incorporate privacy into their code from the ground up rather than merely adding it on as an afterthought.
Approaching the subject from a more legal point of view, Dr Ciantar elaborated on the various grounds available at law by means of which a data controller may legally process personal data. It was emphasised that consent as a legal basis for processing ought to be avoided as much as possible, especially in the context of employment, owing to the disparity of power between the employer and the employee. Various other grounds exist which may prove more suitable, depending on the scenario at hand. These include cases where processing is required to fulfil a legal obligation or a contractual obligation; where it is in the vital interest of the data subject; when it is in the public interest; and when the data controller has a legitimate interest which overrides the interests or fundamental rights and freedoms of the data subject. The latter ground sparked several interesting questions from audience members to Dr Ciantar, who further explained how the ground of legitimate interests is established following a balancing exercise which pits the legitimate interests of the data controller against the right to privacy and the right to data protection of the data subject. Such an exercise must be carried out on a case-by-case basis, since many factors could influence the outcome.
Another topical issue was the so-called "right to be forgotten", technically labelled by the GDPR as the "right to erasure". While the law allows a data subject to request that a data controller delete the personal data it holds about them, the law also sets out various circumstances in which such erasure does not take place. First and foremost, one of the requirements listed in the GDPR must be met for the erasure to be allowed, such as: the personal data is no longer required for processing; the processing was originally based on consent which is now being withdrawn; or the processing was being done unlawfully, to name but a few. Secondly, there are certain situations where, despite one of the aforementioned conditions being met, the data controller shall still be allowed to retain the data and not comply with the request for erasure. These include situations where the processing of the personal data is required to fulfil a legal obligation stemming from national or EU law; where the data controller may require such personal data as a defence against a legal claim; or where the processing is in the public interest. In the latter case, another balancing exercise must be made between the rights to freedom of expression and information and the rights to privacy and data protection.
In the local Maltese scene this balancing exercise was called into question after it was revealed that certain online court judgments had been removed from the online registry of the Courts of Malta. Without going into the political element of the issue, Dr Ciantar described how under certain circumstances, it is acceptable that information about a data subject which is freely available online be redacted in the interest of protecting the data subject's reputation, provided that the data subject's right to privacy outweighs the public's right to know such information. This notion was recently propounded by the Court of Justice of the European Union in the case of Google Spain vs AEPD & Gonzalez (Case C-131/12), wherein the Court stated that a data subject has the right to request that Google remove certain webpages that contain personal information about them from its search results. This may be done in situations where such information is no longer relevant or of interest to the public. This right may be useful for individuals who were perhaps convicted of a minor offence many years earlier and are currently still suffering the consequences of a bad reputation due to the easy availability of information about them which may no longer actually be relevant (or justified).
For more information about the GDPR and for access to our related articles on the matter as well as GDPR resources (including the updated WP29 guidelines), please visit our mini-site that is dedicated to the GDPR. Among other things, visitors may download (free of charge) our recently updated guidelines relating to the GDPR. Unless you have already done so, we also invite you to subscribe to our GDPR mailing list so that you will receive our legal updates about the GDPR and related issues.