Data protection is the new legal buzzword.

It is a law which is often hastily and randomly cited, many times under a misguided impression of what it is really all about.

On June 12, the Court of Appeal (Inferior Jurisdiction) gave its judgment on appeal for case 161/2018LM in the names ‘Leo Vegas Gaming plc (C59314) ġia LeoVegas Gaming Ltd vs Il-Kummissarju għall-Informazzjoni u l-Protezzjoni tad-Data’.

The judgment dealt with the distinction between the role of a data controller and a data processor and their respective obligations towards data subjects. While extremely technical, this judgment could have significant practical effects on the rights of the people involved as regards their personal data and privacy.

Here, the UK’s Information Commissioner’s Office (ICO) received a staggering 9,729 reports against the appellant company, licensed in Malta. The reports related to unsolicited communications sent and received through mobile phones to promote the business of the company. The ICO had sent a request to Malta’s Information and Data Protection Commissioner (IDPC) to have such complaints investigated.

The IDPC gave his decision on September 17, 2017, finding that “Leo Vegas failed to provide the required evidence which is necessary to legitimise the sending of the marketing communications by its engaged or appointed affiliates”. He thus found a breach of regulation 9 of the Processing of Personal Data (Electronic Communications Sector) Regulations, which regulated unsolicited communications. As a result, he proceeded to impose an administrative fine of €5,000, due as a civil debt to the IDPC. The company appealed this decision before the Information and Data Processing Tribunal.

The central point before the tribunal was whether the appellant gaming company was a data controller or not. The tribunal considered what determines whether one is a data controller or a data processor and referred to the now famous EU General Data Protection Regulation (commonly known as GDPR). According to this law, the ‘data controller’ is that (natural or legal) person that determines the purposes and means for the processing of personal data, while a ‘data processor’ is someone who processes personal data on behalf of the controller.

In the gaming sector, affiliates are an important market player for many companies. Simply put, in the online gambling industry, affiliates have the role to promote the operators’ web portals; in return, they receive a percentage or commission. The appellant company’s main point of attack against the IDPC’s decision was that the latter had decided on the basis of it being the data controller.

The tribunal analysed the gaming company-affiliate relationship and concluded that this was one in which the affiliate acted for and in the interest of the appellant company. The tribunal also referred to the guidelines issued by the Malta Gaming Authority, which state that where an affiliate acts solely on behalf of the operator by driving traffic towards that operator, and would not otherwise have been processing that data had it not been for its relationship with the operator, that affiliate is acting as a processor. This means that the operator (that is, the gaming company) is indeed the data controller.

The tribunal also referred to the contract between the appellant company and its affiliate, by which the two had agreed that the appellant company “exonerated itself from any liability regarding any breaches of data protection”, and to other contractual clauses by which the affiliate had to refrain from spamming the appellant company’s customers and under which the affiliate was “responsible for the loss or destruction of or damage to personal data”.

This is indeed of high general legal interest because many laymen and professionals seem to draft contractual terms and conditions so liberally as to forget that there is law which prevails over any contractual agreement contrary to it.

The tribunal, without spelling this out explicitly, clearly implied this fundamental principle and rightly applied it to data protection law and its obligations on data controllers and processors, and by implication also to the rights of the data subjects themselves, especially since those rights ultimately find their source in the fundamental right to privacy and the protection of personal data.

This is quite poignant, especially with regard to a contractual clause which made it explicit between the parties that in no manner is the appellant company to be considered the data controller or even a data processor.

These contractual provisions between private parties were rightly discarded as untenable at law by the tribunal. In the end, the tribunal confirmed the decision of the IDPC.

The appellant company then appealed to the Court of Appeal.

In its decision, the court went further in its considerations, pointing to contractual amendments made between the appellant company and its affiliate, which came about in reaction to the tribunal’s decision.

The court eventually referred to these same amendments to solidify the case against the appellant company. The court also made reference to material by the UK’s ICO on the nature of the transactions and the data processing involved in the gaming sector and how these interrelate with data protection law. The court made such reference approving the same material.

At the end of its considerations, the court referred to the provisions under Maltese law as regards unsolicited electronic communications, being the provisions on which the IDPC rested his decision. The court rightly pointed out that these were applicable in case someone leads someone else to breach them, implying the role of the data controller in this given case. In truth, the actual wording affects persons without specific reference to their nature as data controllers or data processors.

One could also argue that the actual nature of controller or processor is possibly irrelevant and that the contractual obligations involved between the appellant company and its affiliate, and their fulfilment, would on their own also have made them fall foul of the referred provisions.

In the end, the IDPC’s decision was confirmed by the Court of Appeal, and the fine imposed was upheld.

Edric Micallef Figallo is an associate at Azzopardi, Borg & Abela Advocates.
