Collective action against C-Planet data breach

The civil society organisations Repubblika and The Daphne Caruana Galizia Foundation, assisted by noyb, are launching a joint legal action so that those persons included in the database compiled and distributed by C-Planet (IT Solutions) Limited may obtain justice.

This database contained the personally identifiable information of anyone who had the right to vote in the 2013 elections, including sensitive information such as voting intentions or party leanings. Over 330,000 private individuals are affected.

Check whether you are one of the people affected using our secure tool.

This initiative resembles a class action suit and we invite anyone who wants to participate to fill out a form, authorising us to start administering the legal action on your behalf.

You don’t need to be a member Repubblika or to have any link to The Daphne Caruana Galizia Foundation to fill out the form and join the action and we don’t expect you to share any of our advocacy campaign positions.

Frequently asked questions

1. What do these FAQs explain?

These FAQs attempt to provide simple answers to the most common questions being asked by anyone who wants to participate in the collective action. They explain the why, what and how of the collective action in front of the Maltese courts being organised and administered by Repubblika and The Daphne Caruana Galizia Foundation. We’ll be revising and updating the list whenever necessary.

This action started with the massive data breach that occurred in and before March 2020, when a Maltese technology company dumped the personal data of over 330,000 Maltese voters onto the Internet, making it publicly accessible to anyone including organised criminals, marketing companies, spammers, other business anywhere in the world, including those selling it on the black market, and other political parties in Malta.

2. What are the facts of the case?

At the end of March 2020, independent Maltese media reported that a database containing 337,384 records of Maltese voters’ personal information was freely accessible online for at least a year. This data, which included names, addresses, ID card details, dates of birth, fixed and mobile phone numbers as well as a reference to political orientation or voting preferences, was left exposed by a Maltese information technology (IT) company called C-Planet (IT-Solutions) Limited. The Times of Malta reported that this company left a large database file on a computer server, where it was openly accessible to anyone with a Web browser.

3. Who are C-Planet (IT Solutions) Limited?

C-Planet (IT Solutions) Limited is a company registered in Malta. It is owned by Philip Farrugia, who is a former production director at One Productions (the media wing of the Labour party) and is also the brother-in-law of Stefan Zrinzo Azzopardi, a Labour Party MP, the Parliamentary Secretary for EU Funds, and the former president of the Labour Party.

C-Planet has not explained how or why it had the sensitive voter data. When asked by journalists, the company merely dismissed the data in question as “old”.

C-Planet’s clients include the Office of the Prime Minister, the Health Ministry, the Home Affairs Ministry, the Ministry for Transport, the Building Construction Agency, ARMS, the Foundation for Medical Services, the Public Health Regulation Department as well as the Association of Local Councils among its clients.

C-Planet also services the former law firm of Zrinzo Azzopardi. The confidential client data of that firm was exposed as part of a separate, but similar, leak from C-Planet. This also included a breakdown of the amounts owed to the law firm by its clients, as well as details of the legal work carried out for them.

4. What personal data are we talking about?

The database contained both personal data, like your name and address, but also special category personal data such as your political preference or voting intention — which could be different to the way you voted, if you did vote. Under Malta’s privacy laws, the processing of personal data such as this, which is called ‘special category personal data’, can only be carried out in a restricted number of situations.

Additionally, the profiling of a large number of individuals based on special category personal data is strictly regulated, giving your data even higher levels of protection. It appears that the collection, use, dissemination and processing of this special category personal data was carried out in a way that violates your fundamental rights and freedoms.

5. What is the case going to be about?

This collective action is being filed on behalf of all the claimants individually, initially against C-Planet. We expect that other parties will be joined into the lawsuit at a subsequent stage. These could include any other company, political party or individual who was involved with, or has contributed towards, the violation of the protection of personal data, including any entities who may be as yet unknown.

The court will be asked to find that C-Planet, as well as any other defendant which might be included in the case as it progresses, acted in breach of the Data Protection Act, Chapter 586 of the Laws of Malta, and also in breach of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, known as GDPR) in processing such data.

The claimants will be requesting the court to award or quantify the damages that they have suffered as a result of this breach and to order the defendants who are responsible for such a breach to pay damages to all the claimants party to the action.

Most importantly, this is being done to set a strong judicial precedent on how our personal data, especially special category personal data revealing political opinions, should be collected, processed and used in Malta, including when it is processed by political parties without our consent. This case is about protecting our democracy.

6. Is this really a ‘class action’?

While class actions do exist in Malta, these are limited to a small number of specific subject matters regulated under the Collective Proceedings Act, introduced in 2012. Data protection claims do not currently fall under the Collective Proceedings Act. Our collective claim is possible because the Maltese Civil Procedure provides for what has been termed by previous court decisions in Malta as a ‘cumulative action’ (‘azzjoni kollettiva’). This provides for a situation in which two or more claimants have a right to institute an action on the same grounds in respect of the same subject matter.

Repubblika and The Daphne Caruana Galizia Foundation shall be responsible for the court costs and legal costs of this action. By enrolling in this cumulative action, you do not and will not need to pay any costs.

Please appreciate that both Repubblika and The Daphne Caruana Galizia Foundation are non-profit organisations. You can support us by making a donation.

8. Do we all need to have our own personal lawyer?

No. This cumulative action is being instituted on behalf of each of the claimants by specialist lawyers appointed for this purpose by Repubblika and The Daphne Caruana Galizia Foundation. By participating in this action you agree to use these appointed lawyers so as to facilitate the administration of instituting this landmark procedure. We’re doing this to avoid a situation where all parties engage their own lawyers, leading to increased costs and practical difficulties in administering the action. The action is being instituted by all the individuals who have been affected by this personal data breach and who have signed up to take part in the action.

Everyone who joins the case will be informed and updated throughout the proceedings on the running costs and any extraordinary costs which may be incurred. We do not expect you to pay any of these costs.

9. Why haven’t Repubblika and The Daphne Caruana Galizia Foundation simply instituted this action themselves in their own names?

Since this action concerns a serious personal data breach, the entities affected have to be natural private individuals. Repubblika and The Daphne Caruana Galizia Foundation are not natural private individuals but separate legal personalities and as such cannot ask for compensation under the GDPR or the Data Protection Act. Since the concept of class actions and class representation is not applicable to Data Protection matters, neither can the two entities represent the individuals for the purposes of instituting this action.

10. Where will the collective action be filed?

This collective action will be filed before the First Hall of The Civil Court. The judgment delivered by the First Hall is subject to Appeal before the Court of Appeal (Superior Jurisdiction).

11. How long will the case last?

We can’t provide a reasonably accurate estimation of how long the case will last. The specialist lawyers appointed for this purpose will make sure to expedite proceedings as much as possible. However, we expect all sorts of substantive and procedural delaying tactics from the defendants, including C-Planet.

12. Will I need to attend the court sittings or to testify in court?

Unless you are specifically called upon to appear through a subpoena, you will not be required to attend the court sittings. Nonetheless, you are free to do so. We’ll need to present a statement of facts, in the form of an affidavit, relating to you. We’ll assist you and you may be cross-examined upon this statement. The facts of the case are common to all participants: your personal data, including special category data, was processed illegally.

13. The Information and Data Protection Commissioner (IDPC) is already investigating this matter. Why should I bother with signing up for this cumulative action?

Complaints before the IDPC in terms of the GDPR and the local Data Protection Act are welcome, but these do not provide for monetary compensation to the people affected by this breach. The decision of the IDPC is not a court judgment. The IDPC will carry out its own investigation and can decide to order its own administrative fine on the entities involved and responsible for this unlawful personal data gathering, processing, profiling and eventual breach. It is only through such court action that moral damages can be sought by the victims, the ‘data subjects’, affected by this massive data breach.

14. So who is leading this action?

This action is being led by two civil society voluntary organisations: The Daphne Caruana Galizia Foundation and Repubblika. These two organisations will be administering the whole process together. This does not in any way give them any legal standing before the court in this matter. As explained above, this action is instituted by all the individuals who have been affected by this personal data breach and who have signed up to take part in the action.

15. Are Repubblika and The Daphne Caruana Galizia Foundation representing me?

No. In effect, anyone who submits or has already submitted the ‘collective action form’, signifying their desire to participate in the class action, will be filing this case in his or her personal capacity and will be represented by the specialist lawyers engaged for this purpose by Repubblika and The Daphne Caruana Galizia Foundation.

16. Who is being sued?

At first, the claim will be filed against C-Planet (IT Solutions) Limited. The database including personal data was held and processed by that company, on a server leased, managed and operated by them. It was leaked from that same server.

Since the leak is still being investigated and analysed, the claim may also be extended and filed against other parties involved in the illegal collection, processing, use or distribution of this special category personal data.

17. Should the court award any damages, do I get a share?

The action will be filed in such a way as to ask for a liquidation (quantification) of damages due to the individuals who are instituting the action. If the action is successful, the court will deliver a judgment awarding a specific amount of damages to the claimants and these will be due to each claimant in their own right.

Obtaining a favourable judgement does not mean that we will be able to enforce this judgment. We will soon be advising you on the nature of the procedure. Each of the claimants will only get a share of any damages awarded, if we manage to successfully enforce a favourable judgment.

18. How will I know if my data was made public?

You can check whether your personal data was leaked, and therefore made public, by using our secure tool.

19. My details were in the database leak but I don’t live in Malta. Can I still join?

Yes. If your name was included in the leaked information you can participate in the collective action, irrespective of where you reside. The GDPR makes it clear that if a data breach occurs, any victim of the breach has a right to sue. This is more so since C-Planet is a Maltese company. All you need to do to sign up is simply fill in the form.

You can sign up by filling in and submitting the collective action form with your name, address, email (if any) and telephone number, inserting your signature and date. Follow the instructions on the first page of the form to send it back to us.

21. I don’t have a printer and can’t leave the house. How can I participate?

If you do not have a printer or cannot leave the house to get the form printed, please send an email to [email protected] telling us how many copies you need and we will send you the forms by post. You can then scan or take a photograph with your mobile, tablet or digital camera and send it to that same email address.

22. Is there an English version of the form?

Yes. Skip past the Maltese version of the updated collective action form for the English version.

Still unsure? Is there a question your still have that isn’t covered by this FAQ? Please contact us.