Listen: Malta’s data protection commissioner on three years of GDPR Author: Paul Micallef Grimaud Published on May 25, 2021 To mark the third anniversary of the General Data Protection Regulation (GDPR), Paul Micallef Grimaud met with Information and Data Protection Commissioner Ian Deguara to discuss the lessons learned and the challenges that lie ahead. The introduction of GDPR did not bring about a revolution as some may have feared, Malta’s data protection commissioner believes. “It was more of an evolution of the previous framework,” Ian Deguara said, as he however acknowledged that the business community underwent a dramatic shift in the way data protection and privacy rights were considered. As Deguara put it, the introduction of the significant fines was an alarm bell that could not go unheeded and gave no other option but for controllers and processors to start taking data protection seriously. While foreign data protection authorities have issued some very hefty fines related to GDPR breaches over the past three years (Google €50 million, H&M €35 million, TIM €27.8 million, British Airways €22 million), we have not seen a similar level of fines in Malta. The reason for this, according to Deguara, is that Malta is host to micro and small enterprises, which may process large amounts of data, and even sensitive data, but do not come close to the large multinational tech companies with respect to their data processing activities. That said, Deguara emphasised that his Office does not turn a blind eye to breaches of the law and there have been instances where relatively significant fines were imposed. Deguara believes that, generally, data controllers in Malta are well prepared and have implemented adequate procedures and security measures. This was particularly evidenced in “the advent of the [Covid-19] pandemic [where] all of us had to transfer to our desk at home, and Controllers had to ensure that they had an adequate level of security in place”. GDPR and third countries On the recent invalidation of the Privacy Shield, as a result of the Schrems II judgement by the European Court of Justice, Deguara made reference to the EDPB publications dealing with the exportation of personal data and the technical measures highlighted within them. The Privacy Shield was a framework that made it easier for US companies to receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. It was declared invalid by the ECJ in July 2020. Deguara also noted that chapter 5 of the GDPR allows data processors and controllers to rely on an adequacy decision issued by the European Commission, finding a third country or an international organisation to ensure an adequate level of data protection. The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection, with adequacy talks recently concluded with South Korea. On February 2021, the European Commission launched the procedure for the adoption of two adequacy decisions for transfers of personal data to the United Kingdom and Deguara is hopeful that an adequacy decision with respect to the UK will be issued in the coming weeks. When asked whether the GDPR needs to be recast, Deguara acknowledged challenges but said the law remains “fit for purpose”, noting that the European Commission has recently given it a clean bill of health. GDPR and Artificial Intelligence Article 22 of the GDPR prohibits the taking of certain decisions based on fully automated processing, raising questions about GDPR’s suitability to Artitficial Intelligence applications. Deguara however believes that article 22 “should not be amended”. “Although the GDPR does not cater for all the instances in digital innovation, if we have to apply the [current] principles to processing with regards to these technological advancements, we could still achieve the desired objectives,” he argued. He is, furthermore, not “envisaging any extension of the exemptions by virtue of national laws” and revealed that the European Data Protection Board (EDPB) will soon be tackling the proposed Artificial Intelligence (AI) Regulation and issuing its reactions to it. Deguara expresses a conservative view with respect to an unharmonised approach to data protection, even where the GDPR allows for this, insisting that the purpose behind the publication of any regulation, even the draft AI Regulation is to “avoid an emerging patchwork of potentially divergent rules which could hamper the seamless circulation of products and services related to AI across the EU”. GDPR and Freedom of Information The two speakers also tackled the area of Freedom of Information, which also falls within the remit of Deguara’s office. Journalists often face an overly cumbersome judicial process to gain access to a document or information, and exemptions to FOI law are often generous (and at times convenient), contrary to the spirit of journalistic freedoms and the freedom of expression. Deguara replied very openly. “The FOI legislation is what it is. To me it needs to be amended,” he said. He revealed that, as far as he is informed, the process to revise the law has commenced and he has already provided his views. One of his proposals is to remove public authorities’ right to appeal an order granting the data commissioner the right to view a document, to decide on the validity or otherwise of an FOI request. While affirming that he is “in favour of an open government” and always approaches this subject with the right of access as a given, the current law limits his powers, as opposed to the GDPR where his office has the power of search and seizure, apart from the possibility of issuing considerable fines. He did, however, wave a red flag at those who request access to documents or information that are not known to exist or could not be reasonably presumed to exist. Final comments Looking at the challenges ahead, Mr Deguara noted that these mostly derive from emerging technologies, citing DLT, blockchain and facial recognition as the greatest challenges data protection regulators will be facing over the coming months and years, which in the words of both speakers present “exciting days ahead”. This was the first episode of “Ganado Meets”, which is a series of podcasts that features discussions between lawyers from Ganado Advocates and sector leaders on matters of interest. This article was first published in the Times of Malta. Go back