Parties in parliament legally entitled to voter list by polling booth, court hears

Chief Electoral Commissioner Joseph Camilleri testifies in collective court action against C-Planet over voter data breach

Political parties in parliament are legally entitled to have a list of voters according to polling booth
Political parties in parliament are legally entitled to have a list of voters according to polling booth

Political parties in parliament are legally entitled to a list of voters according to the polling booth where they cast their vote, a court has heard.

Chief Electoral Commissioner Joseph Camilleri was testifying in front of Mr Justice Francesco Depasquale in a collective court action filed by over 620 individuals, led by the Daphne Caruana Galizia Foundation and Repubblika.

The case is against C-Planet (IT Solutions) Ltd and the court is being requested to quantify and award damages to the claimants over breaches of personal data protected under the General Data Protection Regulations (GDPR). 

The case goes back to the end of March 2020, when it was reported that a database containing 337,384 records of Maltese voters’ personal information had been freely accessible online for at least a year. This data, which included names, addresses, ID card details, dates of birth, fixed and mobile phone numbers as well as a reference to political orientation or voting preferences, was allegedly left exposed by C-Planet on the internet.

C-Planet is owned by Philip Farrugia, a former manager at One Productions and brother in law of Labour Party MP and former Labour party president Stefan Zrinzo Azzopardi.

Asked what information about the data subjects the electoral office held, Camilleri said the electoral register only contains the name, address and Identity Card number of the individuals.

“In the electoral register there is nothing else. But from there you can go into OPEV (the list of persons entitled to vote) which is accessible by the Assistant Electoral Commissioners. It will have the same information together with the serial number for the voting document.”

OPEV is password protected and had security features to ensure that only the right people could access the data.

When an election is called, the information is added to that on the Electoral Register, he said. “Like now we are preparing [for an election].” The voters are divided by polling booth and this information is published on the voting document alone, he said.

Delegates of the parties in parliament are legally entitled to be given a copy of OPEV, he added. The list used to be passed on by hand, but is now sent by email, said the witness, but was unable to say when the electronic system was introduced as he wasn’t involved at the time. “In 2013 it was used,” he affirmed.

The court asked what restrictions bound delegates on the use of the OPEV. “The Electoral Commission falls under electoral law and the delegates know they cannot make use of it beyond that stated in the law,” replied Camilleri.

Asked by the court if the system stored other data, he replied that after the complaint was made, a matching exercise was run using the 2013 electoral register and the leaked data. The result was a perfect match with the OPEV data from the 2013 general and local council election, he said. “The serial numbers matched and all the data was the same, bar the phone numbers which we did not collect.”

Lawyer Franco Galea, appearing for C-Planet pressed Camilleri on several issues regarding the manner in which copies are shared with delegates, but the witness was unable to answer offhand.

He confirmed, however, that copies are only given to delegates and not the parties.

Today, an IT officer would authorise access to data within the system, he explained but said he needed to check on how the system worked pre-2013.

Electoral commissioners have the right to request information but do not have direct access to the data, he said. The electoral register used to be sold in CD format up till 2018, added the witness.

Answering a question as to whether the Electoral system used data passed on to it by Identity Malta’s E-ID system, he said the two systems did not read off each other.

“The application is keyed in by the electoral commission…we receive a printout. The only direct access on the system is the address management system. The system is used by Identity Malta but is controlled by the Electoral Commission.”

A third database, the CDB centralised common database, was used by the police, social security department and other bodies, falls within the remit of the public registry, explained the witness.  “A week and a half ago CDB requested access to our database. We saw it as strange that they were asking us when Identity Malta had direct access to the address management system...” he said.

According to the government website, the Common Database (CdB) is “a major corporate initiative to enable common information sharing across all government entities.”

“The CdB holds information about persons, addresses, relationships between persons, streets, and councils. MITA consolidates this data from across different government bodies.

The CdB has been instrumental in aiding various entities such as Identity Malta, Police, Health, Social Security, Inland Revenue, Home Affairs, Benefit and Fraud Schools, Embassies, ARMS and the National Statistics Office. It also assists Enterprise Resource Planning (eRP), the Corporate Data Repository (CDR) and the Integrated Administration and Control System (IACS).”

The case continues in October.

Lawyers Antonio Ghio, Sarah Cannataci, Carl Grech, Michael Zammit Maempel and Deo Falzon are appearing for the plaintiffs.