An IT company that exposed the personal data of 337,384 voters has been given 20 days to release the information held on one affected individual and to explain where it sourced the data.
IT firm C-Planet IT Solutions Ltd was ordered to release the information or face a “proportionate and dissuasive” fine in a legal notice signed by Data Commissioner Ian Deguara on Tuesday.
The notice follows a request and subsequent complaint last year from academic and independent electoral candidate Arnold Cassola, who asked the firm for the data stored about them and information about its source.
The company had refused the request, citing ongoing legal proceedings. It also claimed it did not have access to the data at the time due to this being in the possession of the police and the Information and Data Protection Commission (IDPC).
In the legal notice signed on Tuesday, however, the IDPC concluded that the company “was processing the personal data pertaining to the complainant at the time of receipt of the request”.
It also noted that no evidence had been provided to back up the claim that releasing the information could jeapordise ongoing legal proceedings.
“A mere reference to an existing investigation... is certainly not sufficient to restrict the fundamental right of the complainant,” it said.
In April 2020, Times of Malta reported that a database containing personal information about the vast majority of voters in Malta and Gozo had been exposed, with C-Planet IT Solutions named as the firm involved.
The database contained the names, addresses, ID card details, phone numbers and voting intentions of 337,384 voters and, according to the online monitoring service which identified the breach, was available to access without a password or other form of authentication.
It later emerged that the database had been compiled by the Labour Party.
According to senior Labour sources at the time, the directory, which the party had codenamed ‘Local Area Network’, appeared to predate the 2013 election and had been slightly altered from the one originally used.
The Labour Party distanced itself from the breach, however, saying its own “internally controlled” system was separate from C-Planet IT Solutions and that the information held was lawful as the Electoral Commission was duty bound to pass updated information to political parties.
In October 2020, 620 claimants filed a joint lawsuit against the company, demanding compensation for the breach.
In January 2022, the Data Protection Commissioner concluded that C-Planet IT Solutions had failed to take appropriate security measures and fined the company €65,000.
In a court hearing the following month, it emerged that the data had been supplied to the firm by a former employee of travel agency Untours, a company owned by the General Workers’ Union.
C-Planet IT Solutions is owned by Philip Farrugia, the brother-in-law of Labour minister Stefan Zrinzo Azzopardi.
Zrinzo Azzopardi was president of the Labour Party between 2003 and 2013.
Cassola, who filed the original data protection complaint, said the link was grounds for the minister's resignation.
"Our political profiling was done when Zrinzo was president of Partit Laburista," Cassola said. "The Labour Party must apologise and Zrinzo must resign."