Court of Appeal reaffirms MFSA liability in data leak case orders regulator to shoulder costs
pChief Justice Mark Chetcuti rules regulator failed to disprove responsibility for premature disclosure of confidential data to the investigative website OffshoreAlertppThe Court of Appeal has reaffirmed the Malta Financial Services Authority MFSA bears responsibility for an unauthorised disclosure of confidential data to the investigative website OffshoreAlert
ppThe decision marks the latest development in a longrunning legal battle over accountability and data protection standards within Maltas financial regulator
ppThis latest judgment delivered on Wednesday builds on an earlier ruling in May 2024 which had confirmed that the MFSA was responsible for leaking information about the licence cancellation of ES Consultancy Ltd before officially notifying the company and its directors Christian Ellul and Karl Schranz
ppIn its renewed appeal the MFSA sought to overturn the decision of the Information and Data Protection Appeals Tribunal arguing that the tribunal had acted ultra vires and relied on a forensic expert who exceeded his remit
ppThe regulator also claimed that the alleged disclosure did not amount to a personal data breach within the meaning of EU Regulation
ppThe court however dismissed all five of the MFSAs arguments describing the tribunals actions as fully within the parameters of the law
ppThe court noted that the forensic experts report commissioned jointly by the parties established that the OffshoreAlert article was uploaded on 18 November 2019 a full week before the MFSAs own publication
ppThe court said this timeline strongly indicated that information had originated from within the authority
ppThe MFSA was under a clear obligation to demonstrate that the breach was not imputable to it It failed to discharge that burden the court said
ppWhile the court stopped short of determining that the leak was deliberate it found it probable that the premature disclosure emanated from the regulators offices Only the MFSA it said possessed knowledge of the decision on 18 November 2019 the date OffshoreAlert published the story
ppThe Court also observed that Ellul and Schranzs personal details were integrally linked with their companys data meaning the Authority had a duty to ensure protection of both corporate and individual information prior to publication
ppThe Court of Appeal confirmed the Tribunals April 2024 decision in its entirety and ordered the MFSA to bear all legal costs of the proceedings
ppIn doing so the Court reaffirmed that the regulator must exercise greater diligence when handling confidential information particularly when data concerns licensed entities or individuals subject to regulatory decisions
ppThis marks the conclusion of a case that has since passed through multiple levels of review culminating in a judgment that firmly places responsibility for the leak on the MFSA
ppChief Justice Mark Chetcuti presided over the case
ppEllul and Schranz were represented by lawyers Jacob Daniel Portelli Vincent Micallef and Stephanie Abelappp
ppThe decision marks the latest development in a longrunning legal battle over accountability and data protection standards within Maltas financial regulator
ppThis latest judgment delivered on Wednesday builds on an earlier ruling in May 2024 which had confirmed that the MFSA was responsible for leaking information about the licence cancellation of ES Consultancy Ltd before officially notifying the company and its directors Christian Ellul and Karl Schranz
ppIn its renewed appeal the MFSA sought to overturn the decision of the Information and Data Protection Appeals Tribunal arguing that the tribunal had acted ultra vires and relied on a forensic expert who exceeded his remit
ppThe regulator also claimed that the alleged disclosure did not amount to a personal data breach within the meaning of EU Regulation
ppThe court however dismissed all five of the MFSAs arguments describing the tribunals actions as fully within the parameters of the law
ppThe court noted that the forensic experts report commissioned jointly by the parties established that the OffshoreAlert article was uploaded on 18 November 2019 a full week before the MFSAs own publication
ppThe court said this timeline strongly indicated that information had originated from within the authority
ppThe MFSA was under a clear obligation to demonstrate that the breach was not imputable to it It failed to discharge that burden the court said
ppWhile the court stopped short of determining that the leak was deliberate it found it probable that the premature disclosure emanated from the regulators offices Only the MFSA it said possessed knowledge of the decision on 18 November 2019 the date OffshoreAlert published the story
ppThe Court also observed that Ellul and Schranzs personal details were integrally linked with their companys data meaning the Authority had a duty to ensure protection of both corporate and individual information prior to publication
ppThe Court of Appeal confirmed the Tribunals April 2024 decision in its entirety and ordered the MFSA to bear all legal costs of the proceedings
ppIn doing so the Court reaffirmed that the regulator must exercise greater diligence when handling confidential information particularly when data concerns licensed entities or individuals subject to regulatory decisions
ppThis marks the conclusion of a case that has since passed through multiple levels of review culminating in a judgment that firmly places responsibility for the leak on the MFSA
ppChief Justice Mark Chetcuti presided over the case
ppEllul and Schranz were represented by lawyers Jacob Daniel Portelli Vincent Micallef and Stephanie Abelappp
