
Introduction

Privacy is a fundamental human right. It underpins human dignity and other values such as
freedom of association and freedom of speech. It has become one of the most important human
rights of the modern age. Privacy is recognized around the world in diverse regions and cultures.
It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil
and Political Rights, and in many other international and regional human rights treaties. Here we
review this essential human right.

The Internet seems, at first glance, a place without rules and government, a beautiful, anarchic
free-for-all beyond the bounds of government interference. In fact, of course, the Internet is as
hidebound and rule-bound as most anything else, different only in its fundamental nature. The
rules range from technological constraints -- basic protocols governing the functioning of data
transfer -- to how domain names are assigned and what activity has been criminalized ("hacking",
child pornography, etc.).

Here we find two forms of code dominating the Internet: legal code (law) and machine code (the
technology supporting the Internet). It almost sounds like heresy to talk about regulation of
the Internet, but, of course, there is a structure to it, there are protocols and regulations governing
it. Regulation is both necessary and inevitable. Regulation comes from within as well -- not
imposed by government, but imposed by code itself (i.e. on a purely technical level), by how
programs run and how data is exchanged and how access is restricted or made available.

Four constraints regulate behavior: law, the market, norms, and architecture. Architecture has a
profound effect, for example through filtering mechanisms that can restrict access to sites. While
these may seem desirable to allow parents, for example, to prevent their children from gaining
access to disagreeable sites, they could theoretically also be installed at higher levels of the
computer chain, blocking access to certain sites for a large number of users. The Internet is very
open, but it is not completely open -- and the potential to close much of it off is increasing daily.

PART 1
Code and Data Privacy

1.1) According to Lessig
Privacy is a major concern on the Internet. What constitutes privacy on the Internet? Complete
anonymity is impossible. Your ISP knows all your keys on the Internet, and can easily connect
your name and address with your habits and interests. What information should be safeguarded
and how? This can be left to the market -- but the architecture of the web and of browsers makes
it difficult for users to stay properly informed. Relatively few users are aware that they are being
monitored as they skip about the Internet. Cookies are automatically placed on a user's computer,
without notification, unless users set their browser either to send a warning every time a cookie
is offered or to decline them straight out. The burden is on users, most of whom remain blissfully
unaware of the ongoing rape of their computers and the collection of extensive private
information by companies such as DoubleClick.

Norms can have some influence, but the norms of cyberspace are also different from (and change
differently than) those in the real world. "Privacy policies" are popular on almost all commercial
and many information sites, but study after study indicates that sites do not actually do what they
claim in these policies. Abuse is rife -- and consumers are limited in what they can do to effect
change. Government has made a great effort to regulate the Internet: pornography, gambling,
encryption (and back-doors that allow the government to "eavesdrop"). In many areas legislators
have been stymied by the Internet -- taxation of goods sold over the Internet is one area that will
certainly get a lot more attention in the near future. Government is playing by the old rules, most
of which are ill-suited for this new world.

Without concerted effort, these ever-increasing layers of control will turn the Internet from the
transformative and creative technology it has the potential to be into a perfectly controlled
medium. There are choices to be made about how this network evolves. These choices will affect
fundamentally what values are built into the network.

1.2) The Notion of Privacy


Privacy is a fundamental human right. It underpins human dignity and other values such as
freedom of association and freedom of speech. It has become one of the most important human
rights of the modern age. Privacy is recognized around the world in diverse regions and cultures.
It is protected in the Universal Declaration of Human Rights, the International Covenant on Civil
and Political Rights, and in many other international and regional human rights treaties. Here we
review this essential human right.

1.3) The Madrid Declaration
The Madrid Declaration affirmed that privacy is a fundamental human right and reminded "all
countries of their obligations to safeguard the civil rights of their citizens and residents." It
warned that "privacy law and privacy institutions have failed to take full account of new
surveillance practices." The Declaration urged countries "that have not yet established a
comprehensive framework for privacy protection and an independent data protection authority to
do so as expeditiously as possible." The civil society groups and experts recommend a
"moratorium on the development or implementation of new systems of mass surveillance."
Finally, the Declaration called for the "establishment of a new international framework for
privacy protection, with the full participation of civil society, which is based on the rule of law,
respect for fundamental human rights, and support for democratic institutions."

1.4) Data Privacy in the European Union.


There are no privacy directives worldwide that really match that of the European Union. The
Data Protection Directive sets a common level of privacy expectations and establishes a range
of rights for the data subject.

What is data privacy? Data privacy is not just about the intellectual property or information
belonging to an organization. That is covered by information security requirements. The
information needing protection (personal data) is about you (the data subject): who you are, what
you like, your health, your lifestyle; basically it is whatever you share that is linked to your
identity. All information linked to your identity is called personally identifiable information
(PII). Data privacy is not just about “personal data needing protection”; it is about protecting
your rights and freedom as an individual, i.e., your right to privacy.

With this in mind, your personal data is collected and stored by government authorities and
private enterprises (for the purpose of this article I refer to these entities as data holding
authorities). It is the data holding authority that is interested enough in you to be motivated to
collect your personal data, and in the case of the European Union, it is required to adhere to the
data privacy legislation of the member state where it is resident. For the purpose of this article
and for simplicity, the lifecycle of personal information that you share has been divided into
three distinct phases: collection, storage (and processing), and removal of personal data. The key
actors for all three phases are the data subject and the data holding authority.

Before we dive in, it is important to understand that a key concept in a working data privacy
model is enforceability: data subjects have rights established in explicit rules. For example, in
the EU this is made possible by the installation in each member state of a commissioner who is
responsible for data privacy. The commissioner's toolbox is privacy legislation, i.e., legislation
that is at a minimum implemented to a level of privacy as prescribed in the EU directive.

PART 2
Privacy and Data Protection Legislation in Malta

2.1) Data Holding Responsibilities.

2.1.1) The Collection of Personal data

Primarily, in the collection of personal data, organizations wishing to collect and process the
personal information of data subjects are required to adhere to the following:

- Must inform the data commissioner, and agree to abide by the rules that ensure that the privacy
  rights of the data subject are respected.
- Must have assigned a data controller that is responsible for ensuring that the personal
  information of the data subjects is collected, stored, and removed as per the data privacy
  principles laid out by the data commissioner relating to data quality.
- Must not collect personal information without the consent of the data subject.
- Must inform the data subject that data collection will happen.
- Must inform the data subject that personal information is being collected for whatever reason.
- Must ensure that the data subject has the choice to opt out of the collection of personal
  information and/or that which is shared with third parties.

Data subjects residing in member states of the European Union.. Nonetheless, what is important
when talking about data privacy best practices is that the data subject has a choice.

2.1.2) The Storage and Processing of Personal data

The assigned controller “must implement appropriate technical and organizational measures to
protect personal data against accidental or unlawful destruction or accidental loss, alteration,
unauthorized disclosure or access.” This is the information security part. The data holding
authority must have the security mechanisms in place to ensure the confidentiality, integrity, and
availability of data stored and transmitted by the data holding authority. In addition, the
requirement on the processing and storage of personal data states that the data shall:

- Be processed fairly and lawfully.
- Be kept accurate.
- Be kept up-to-date.
- Not be transferred to a country or territory outside the country of origin, the exception being
  that the country has an adequate level of protections pertaining to the rights and freedoms of
  the data subject.

2.1.3) Storing and Holding Of Personal Data

The data subject's right of access to his personal information is guaranteed, combined with
transparency on the processing of his personal data. What this means is that the individual can
ask whether his personal data is being processed, and if so, which data, and to whom the data is
being disclosed. So long as the request is reasonable, the data holding authority must comply
with the request of the data subject. The data subject can question the integrity of the data
collected. For example, if the data holding authority has not updated their records, and the data
subject has hard evidence that the personal information held is wrong, the data holding authority
must comply with the request to correct the error. The data subject has the right to object to
information being stored if the data is being used for activities that are outside of the scope of
what it was collected for, e.g., for marketing activities.

2.1.4) The Removal of Personal Data


Once the original purpose of collection is no longer relevant. Furthermore, the data subject has
the right to ask for the removal of personal data. This data could be sanitized for historical,
statistical, or scientific purposes, i.e., with the removal of any links to the data subject's
identity. Anonymous data is not within the scope of data privacy directives such as those found in
the European Union. Where this works in practice The expectation of the right to privacy of
personal data is recognized at the highest levels in the European Union.

2.2) Data Protection and Privacy in Malta.


Primarily one should start at the Institutional Framework, Article 38 of the Constitution of Malta
namely "Protection for privacy of home or other property" prohibits arbitrary interference with
privacy, family, home, and correspondence and provides individuals with protection against
arbitrary searches and seizures.

Malta enacted the Data Protection Act in 2001, in force in 2003. The Office of the Data
Protection Commissioner, which falls under the Ministry for Justice and Home Affairs, is
charged with enforcing data protection in Malta. Pursuant to the Act, the Republic named a Data
Protection Commissioner and a Data Protection Appeals Tribunal in March 2002. The Act
outlines nine principles to ensure the protection of personal information. Data collectors must
state to individuals the specific purpose for the collection of information, and the data may not be
used for other purposes. The Act also contains accuracy requirements, mandating that
"reasonable measures" be taken to "complete, correct, block or erase data to the extent that such
data is incomplete or incorrect." The individual's "unambiguous" consent is required in order to
process personal information (absent several exceptions) and "explicit" consent is necessary in
order to process "sensitive personal data." All entities in Malta, including the Government, are
subject (with some exceptions) to the Constitution of Malta and to the Data Protection Act
(together with the relevant subsidiary legislation). The Security Services alone are not subject to
the Data Protection Act; however, a limitation to their monitoring is provided.

The Malta Communications Authority regulates the electronic communications industry as
mandated by the Electronic Communications (Regulation) Act. The Authority was established in
2001 under the authority of the Malta Communications Authority Act. One of the roles of the
Authority is to ensure freedom of communications, which may only be limited when there are
higher values at stake such as the protection of privacy or the prevention of crime. In 2003, the
Maltese Government enacted the Electronic Communications (Personal Data and Protection of
Privacy) Regulations. The Regulations contain provisions to help electronic communications
subscribers maintain their privacy. The Regulations require electronic communications providers
to take appropriate technical and organizational measures to safeguard the security of the
services they provide and to inform their subscribers of the existence of situations where their
information may be unintentionally made available to third parties. The Regulations also require
electronic communications carriers to provide the option of disabling caller ID functions.

2.3) Directive 2002/58/EC


Directive 2002/58/EC in the field of electronic communications has been transposed into
subsidiary legislation under both the Data Protection Act and the Electronic Communications
(Regulation) Act. The subsidiary legislation places an obligation on the Office of the Data
Protection Commissioner and the Malta Communications Authority to collaborate with the
objective of ensuring effective data protection implementation in the electronic communications
sector. In 2005, the applicability of privacy protections regarding unsolicited communications
was extended to legal aliens as well as natural citizens.

2.4) The Seditious Propaganda Act


The Press Act sets forth the boundaries of acceptable content for the press. The Act makes it
unlawful to "impute ulterior motives to the acts of the President of Malta" or to "insult, revile or
bring into hatred …the person of the President." The Act also establishes libel and slander laws.
The Seditious Propaganda (Prohibition Ordinance) makes it illegal to print material that is likely
to encourage seditious activity. The Act allows the government to obtain a warrant to intercept
and open mail suspected of containing seditious material.

2.5) The Data Protection Commissioner


The Data Protection Commissioner independently investigates complaints. He carries out
inspections or investigations, considers any complaint, and has access to the premises where data
is kept. His functions are also to create and maintain a public register of all processing
operations being notified by Data Controllers; to encourage the drawing up of suitable codes of
conduct by the various sectors; and to order the blocking, erasure or destruction of data, to
impose a temporary or definitive ban on processing, or to warn or admonish the controller. He can
enforce the provisions of the Act and, where there is a violation, impose administrative fines or
institute court proceedings where he deems fit.

Conclusion

Though, one may say, much has been done, both locally and/or as a follow-up to EU Directives,
when one looks at how rapidly technology changes (for example, the newest issue with cloud
computing, or chips inserted in the human body), one could be right to say that the law, as
currently written, is and will always be ill-equipped to deal with the new frontiers of
cyberspace. Treating the legal and regulatory issues in cyberspace according to the system on
which our other laws are based is fraught with danger. Property is not the same in cyberspace.
Privacy is not the same. Sovereignty is not the same. Indeed, very little is the same.

Bibliography

Bygrave, LA: “Data Protection Pursuant to the Right to Privacy in Human Rights Treaties”,
International Journal of Law & Information Technology, 1998,

Bygrave, L.A., “Privacy Protection in a Global Context – A Comparative Overview”,
Scandinavian Studies in Law, 2004,

Burkert, H: “Privacy-Enhancing Technologies: Typology, Critique, Vision”, in PE Agre & M
Rotenberg (eds.), Technology and Privacy: The New Landscape (Cambridge, Massachusetts:
MIT Press, 1997)

Bygrave, LA & Aarø, AH: “Privacy, Personality and Publicity – An Overview of Norwegian
Law”, in M. Henry (ed.), International Privacy, Publicity and Personality Laws (London:
Butterworths, 2001)

Bygrave, LA: “Determining Applicable Law pursuant to European Data Protection Legislation”,
Computer Law & Security Report, 2000,

Bing, J: “Data protection, jurisdiction and the choice of law”, Privacy Law & Policy Reporter,
1999,

Greenleaf, G: “An Endnote on Regulating Cyberspace: Architecture vs Law?”, University of
New South Wales Law Journal, 1998,

Karanja, SK: “The Schengen Co-operation: Consequences for the Rights of EU Citizens”,
Mennesker og rettigheter, 2000,

Karanja, S.K.: “SIS II Legislative Proposals 2005: Gains and Losses!”, in G.P. Krog & A.G.B.
Bekken (eds.): Yulex 2005 (Oslo: Institutt for rettsinformatikk / Unipub, 2005)

Lessig, L: Code and Other Laws of Cyberspace (New York: Basic Books, 1999),

Reidenberg, J: “Lex Informatica: The Formulation of Information Policy Rules Through
Technology”, Texas Law Review, 1998,

Rotenberg, M: “Fair Information Practices and the Architecture of Privacy (What Larry Doesn’t
Get)”, Stanford Technology Law Review, 2001,

Bennett, C.J. & Raab, C.D.: The Governance of Privacy. Policy instruments in global
perspective (MIT Press, 2006).

Bygrave, L.A.: “Electronic Agents and Privacy: A Cyberspace Odyssey 2001”, International
Journal of Law and Information Technology, 2001,

Bygrave, L.A.: “Privacy-enhancing technologies – caught between a rock and a hard place”,
Privacy Law & Policy Reporter, 2002,

Bygrave, L.A.: “Digital Rights Management and Privacy – Legal Aspects in the European
Union”, in E. Bekker et al. (eds.), Digital Rights Management: Technological, Economic, Legal
and Political Aspects (Berlin / Heidelberg: Springer, 2003),

Flaherty, D.H.: Protecting Privacy in Surveillance Societies (Chapel Hill / London: University of
North Carolina Press, 1989).

Froomkin, A.M.: “The Death of Privacy?”, Stanford Law Review, 2000,

Grijpink, J.: “Biometrics and Privacy”, Computer Law & Security Report, 2001,

Koops, B-J & Leenes, R., “‘Code’ and the Slow Erosion of Privacy”, Michigan
Telecommunications and Technology Law Review, 2005,

Kuner, C.: European Data Privacy Law and Online Business (Oxford: Oxford University Press,
2007 2nd edition).

Lessig, L: “The Law of the Horse: What Cyberlaw might Teach”, Harvard Law Review, 1999,

Olsen, T. & Mahler, T.: “Identity management and data protection law: Risk, responsibility and
compliance in ‘Circles of Trust’”, Computer Law & Security Report, 2007,

Olsen, T. & Mahler, T.: “Data Protection Issues in Collaborative Identity Management:
Compliance and Responsibility in Circles of Trust” (2006),

Reidenberg, J.R.: “Resolving Conflicting International Data Privacy Rules in Cyberspace”,
Stanford Law Review, 2000,

Shaffer, G.: “Globalization and Social Protection: The Impact of E.U. and International Rules in
Ratcheting Up of U.S. Privacy Standards”, Yale Journal of International Law, 2000,

Solove, D.: “Privacy and Power: Computer Databases and Metaphors for Information Privacy”,
Stanford Law Review, 2001,

Westin A.F.: Privacy and Freedom (New York: Atheneum, 1970).

Council of Europe’s Convention on data protection (1981) – Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data

EC Directive on data protection (1995) – Directive 95/46/EC of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data (O.J. No. L 281, 23.11.1995, 31).

EC Directive on privacy and electronic communications (2002) – Directive 2002/58/EC of 12
July 2002 concerning the processing of personal data and the protection of privacy in the
electronic communications sector (O.J. No. L 201, 31.07.2002, 37).

EC Directive on data retention (2006) – Directive 2006/24/EC of 15 March 2006 on the retention
of data generated or processed in connection with the provision of publicly available electronic
communications services or of public communications networks and amending Directive
2002/58/EC (O.J. No. L 105, 13.4.2006, 54).

Decision 2000/520/EC of 26.7.2000 pursuant to Directive 95/46/EC of the European Parliament
and of the Council on the adequacy of the protection provided by the safe harbor privacy
principles and related frequently asked questions issued by the US Department of Commerce
(O.J. L 215, 25.8.2000, 7).

OECD Guidelines on data protection (1980) – Guidelines Governing the Protection of Privacy
and Transborder Flows of Personal Data, adopted 23.9.1980;

OECD Guidelines on information security (2002) – Guidelines for the Security of Information
Systems and Networks: Towards a Culture of Security, adopted 25.7.2002,

UN Guidelines on data protection (1990) – Guidelines Concerning Computerized Personal Data
Files, adopted 14.12.1990;

Council Framework Decision 2008/977/JHA of 27 November 2008

Agre, Philip E. (Editor), Marc Rotenberg (Editor), Technology and Privacy : The New
Landscape, MIT Press, 1997

Burnham, David. The Rise of the Computer State: A chilling Account of the Computer's Threat
to Society. Random House, New York. 1980.

Cavoukian, Ann & Don Tapscott, Who Knows: Safeguarding Your Privacy in a Networked
World, Random House of Canada, Toronto. 1995.

Eaton, Joseph W., Card-Carrying Americans - Privacy, Security, and the National ID Card
Debate, Rowman & Littlefield, 1996.

Flaherty, David H., Privacy in Colonial New England 1630-1776, University Press of Virginia,
Charlottesville. (C) 1967 by David H. Flaherty;

Flaherty, David H., Privacy and Government Data Banks - An International Perspective, 1979

Garson, Barbara, The Electronic Sweatshop : How Computers Are Transforming the Office of
the Future into the Factory of the Past, Penguin USA, October 1989

Kennedy, Caroline, Ellen Alderman, The Right to Privacy, Vintage Books, 1995.
Privacy in America, seen through US case law.

Marx, Gary, Undercover - Police Surveillance in America, University of California Press, 1988
Summarizes police impacts on personal privacy.

Orwell, George. 1984. Harcourt Brace Jovanovich, 1949.

Packard, Vance. The Naked Society. David McKay Company, Inc., New York. 1964

Privacy Rights Clearinghouse, Dale Fetherling (Editor) The Privacy Rights Handbook : How to
Take Control of Your Personal Information, Avon Books, 1997

Smith, Jeff, Managing Privacy : Information Technology and Corporate America, Univ of North
Carolina Pr, June 1994.

Smith, Robert. War Stories - Accounts of Persons Victimized by Invasions of Privacy. Privacy
Journal, PO Box 28577, Providence, RI 02908. 401-274-7861. 1997.
