Issue link: https://maltatoday.uberflip.com/i/1088108
9 NEWS maltatoday | SUNDAY • 3 MARCH 2019 MASSIMO COSTA MALTA ranks ninth in the European Union for the num- ber of reported data breaches per capita, since Europe's new landmark data privacy law came into force last May. According to a report by multinational law firm DLA Piper, a total of 100 data breach incidences were re- ported to the Data Protection Commissioner in Malta, and a "surprisingly high number" of fines were reportedly im- posed. The report, published in February, takes stock of the number of data breaches noti- fied by EU member states' reg- ulators under the new General Data Protection Regulation, for the period from end May 2018 to January 2019. Up to the time the report was made, 91 fines were issued under the new GDPR regime, with not all being related to personal data breaches. The highest fine to date was of €50 million, imposed after a decision by France's data protection authority against Google, in connection with the processing of personal data for advertising purposes without valid authorisation. The majority of fines, how- ever, were of relatively low values, including a €4,800 fine issued in Austria for an un- lawful surveillance camera, and four fines in Cyprus, val- ued in total at €11,500. The number of fines report- ed in Malta – 17 – was under- lined in the report as being notably large, given the small size of the country. Since the law came into ef- fect, the survey indicates that there have been over 59,000 personal data breaches in the EU and European Economic Area (EEA) notified to regula- tors – however, there was no publicly available data for Slo- vakia, Bulgaria, Croatia, Es- tonia and Lithuania, so these countries are not factored in. The breaches ranged from relatively minor incidents – such as emails sent to the wrong recipient – to major cy- ber attacks affecting millions of people. The Netherlands, Germany and the UK had the greatest number of breach notifica- tions, with 15,400, 12,600 and 10,600 respectively. At the other end of the scale, Liechtenstein, Iceland and Cyprus had the least, with just 15, 25 and 35 respectively. When the results are weight- ed to factor in the country's population, the Netherlands leads with the most breaches notified per capita, followed by Ireland and Denmark. Malta, which had 100 noti- fied breaches, ranks ninth, with 22.3 breaches per 100,000 people, the report – which in- cludes the contribution of lo- cal law firm Mamo TCV As- sociates – says. The UK, Germany and France – countries with pop- ulations close to a hundred times that of Malta – ranked 10th, 11th and 21st respec- tively. Notification practice varies significantly The survey – which fo- cused solely on reported data breaches – notes that the per capita country rankings are "revealing". Italy, for instance, had "particularly few" breach notifications – 610 – com- pared to its large population. This, it says, "illustrates that notification practice and culture varies significantly among member states". Many organisations, have, however, given due impor- tance to the new rules, likely partly because of the risks of high sanctions for not notify- ing, it goes on to highlight. "Sweeping data breaches un- der the carpet has become a high-risk strategy under GD- PR," it said. The GDPR came into effect in May 2018, with the aim of strengthening the legal safe- guards of people's personal data, which is defined as any information that can lead to the identification of a natural person. Under GDPR, organisations and companies must notify the relevant regulators if they suffer data breaches which are likely to result in a risk of harm to the affected indi- viduals. If the breach is likely to re- sult in a high risk of harm, the individuals affected by the breach must themselves also be informed. Notifications have to be made without unnecessary delay and, where possible, not more than 72 hours after the organisation first becomes aware of the respective data breach. Sanctions for non-compli- ance of the GDPR's require- ments include two tiers of ad- ministrative fines, and can go up to as much as €20 million, or 4% of the company's global turnover, whichever is higher. Fines are not mandatory un- der the law, and should be im- posed on a discretionary case- by-case basis. mcosta@mediatoday.com.mt Malta with ninth highest rate of reported data breaches in the EU Country Per capita (/100,000) Total number Netherlands 89.8 15,400 Ireland 74.9 3,800 Denmark 53.3 3,100 Finland 45.1 2,500 Liechtenstein 38.9 15 Slovenia 35.2 740 Luxembourg 33 200 Sweden 24.9 2,500 Malta 22.3 100 UK 16.3 10,600