Malta’s Privacy Problem: Protecting Individual Health and Data
By: Andrew Malec
Throughout Europe, data privacy concerns have grown exponentially.[1] Specifically, in Malta a new privacy problem has emerged with respect to individual personal data and COVID-19 contact tracing applications as a means of stopping the spread of the coronavirus.[2] Unlike the United States, the European Union has taken measures to quell much of the privacy problem.[3]
As governments fight to slow the spread of the coronavirus, the use of contact tracing applications has become a popular practice in many European countries, including Malta.[4] According to the World Health Organization, contact tracing is “the process of identifying, assessing, and managing people who have been exposed to a disease to prevent onward transmission.”[5] How does the application work? Individuals download the application to their mobile phone and when someone tests positive for coronavirus, the application can notify other individuals with whom a person has come in contact.[6] These contact tracing applications are the subject of concern for European Union officials, amongst other government officials.[7]
Malta’s data protection legislation includes both the Data Protection Act and, as a member of the European Union, the General Data Protection Regulation (GDPR).[8] The Data Protection Act repealed a former Maltese law and expands data privacy protections including the right of a Data Protection Commissioner to “carry out investigations in the form of data protection audits and inspections, as well as demand and access personal data and data processing equipment, records, and documentation held by data controllers or data processors.”[9] Additionally, under the GDPR and the Data Protection Act, fines and other sanctions can be imposed for breaking these laws.[10]
In May 2018, the European Union passed the General Data Protection Regulation, which regulates the collection of individuals’ personal data by organizations that target, collect, or process data related to people in the EU.[11] Personal data is defined as:
any information relating to an identified or identifiable natural person . . . one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.[12]
Users are entitled to several “rights” under the GDPR.[13] They have the right to be informed; the right of access to their data; the right to rectification; the right to erasure; the right to restrict processing of their data; the right to data portability; the right to object; and any rights in relation to automated decision making and profiling.[14] The GDPR defines the processing of data as:
any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The GDPR implements a full-scale approach that emphasizes individual rights and consent above all other interests.[15] The heightened level of security and attention to personal data has given rise to a new privacy problem.[16]
The privacy problem arises when a person considers how much personal data is needed for these applications to function properly and help slow the spread of coronavirus.[17] Sending this personal data to a country’s government has caused a growing number of Maltese citizens to contemplate the balance between safety from the virus and protecting their personal data.[18] Many advocates of protection of personal data oppose the government’s use of these applications due to the amount of data that will need to be collected for the applications to be successful.[19]
In order to properly balance the need for safety and slowing the spread of coronavirus with the need for protection of personal data, the contact tracing applications will have to comply with both the GDPR and the Data Protection Act.[20] Similar to the provisions within the GDPR, Data Protection Act, and other data privacy laws around the world, the goal is transparency, knowledge, and accountability.[21] In order for consent to be effective, it must go beyond clicking “I Agree” at the bottom of a page of text that most individuals, even in the event that they read through it, cannot understand.[22] Because consent is not unambiguous or written in plain terms, many individuals cannot foresee the uses for which their data is being processed, even if they read through a privacy policy.[23] In terms of transparency and accountability, the purpose is to give a “detailed description and information about in-built privacy and security safeguards [which] must be made publicly available and analyzed.”[24] Another solution is to make the source code for the contact tracing applications public so as to inform the general public what data is to be used by the government and how the data that they input into the application is going to be processed.[25] This would ensure compliance with Malta’s privacy laws as well as the GDPR, which requires “app providers using personal data which is deemed high risk to the rights and freedoms of natural persons to undertake a data protection impact assessment. This includes processing on a large scale of health data, which would certainly be in the case of a contact tracing app.”[26] Still, other advocates are pushing for potentially discontinuing the use of the applications altogether once the coronavirus has been stabilized.[27]
Overall, privacy concerns will continue to be on the minds of individuals who are using contact tracing applications; however, by making sure that these contact tracing applications and the governments that authorize their use, such as Malta, adhere to the privacy laws that are in place, a balance can be struck to keep everyone’s health and data safe.
[1] Woodrow Hartzog and Neil Richards, Privacy’s Constitutional Moment and the Limits of Data Protection, 61 B.C.L. Rev. 1687, 1689 (2020).
[2] Mireille Caruana, Giving Privacy a Bad Name, Malta Today (May 6, 2020).
[3] Id. at 1690.
[4] Id.
[5] Rezzan Huseyin, Tracing Apps Take Centre Stage for EU Supervisory Authorities, PDP 20 5(1) (2020).
[6] Caruana, supra note 2.
[7] Id.
[8] Ian Gauci and Michele Tufigno, 2020 GTDT: Data Protection & Privacy Malta, Gaff Tufigno Gauci Advocates (2020).
[9] Ian Gauci and Michele Tufigno, 2020 GTDT: Data Protection & Privacy Malta, Gaff Tufigno Gauci Advocates (2020); see also Mireille Caruana, Giving Privacy a Bad Name, Malta Today (May 6, 2020).
[10] Ian Gauci and Michele Tufigno, 2020 GTDT: Data Protection & Privacy Malta, Gaff Tufigno Gauci Advocates (2020).
[11] What is GDPR, the EU’s New Data Protection Law? GDPR.eu, https://gdpr.eu/what-is-gdpr/.
[12] General Data Protection Regulation (GDPR), Art. 4.
[13] What is GDPR, the EU’s New Data Protection Law? GDPR.eu, https://gdpr.eu/what-is-gdpr/.
[14] Id.
[15] Woodrow Hartzog and Neil Richards, Privacy’s Constitutional Moment and the Limits of Data Protection, 61 B.C.L. Rev. 1687, 1689 (2020).
[16] Mireille Caruana, Giving Privacy a Bad Name, Malta Today (May 6, 2020).
[17] Caruana, supra note 2.
[18] Id.
[19] Id.; see also Coronavirus: An EU Approach for Efficient Contact Tracing Apps to Support Gradual Lifting of Confinement Measures (Apr. 4 2020) https://ec.europa.eu/malta/news/coronavirus-eu-approach-efficient-contact-tracing-apps-support-gradual-lifting-confinement_mt.
[20] Mireille Caruana, Giving Privacy a Bad Name, Malta Today (May 6, 2020); see also Coronavirus: An EU Approach for Efficient Contact Tracing Apps to Support Gradual Lifting of Confinement Measures (Apr. 4 2020) https://ec.europa.eu/malta/news/coronavirus-eu-approach-efficient-contact-tracing-apps-support-gradual-lifting-confinement_mt.
[21] Mireille Caruana, Giving Privacy a Bad Name, Malta Today (May 6, 2020).
[22] Id.
[23] Barret, supra note 4, at 4.
[24] Caruana, supra note 2.
[25] Id.
[26] Id.
[27] Coronavirus: An EU Approach for Efficient Contact Tracing Apps to Support Gradual Lifting of Confinement Measures (Apr. 4 2020) https://ec.europa.eu/malta/news/coronavirus-eu-approach-efficient-contact-tracing-apps-support-gradual-lifting-confinement_mt.