Court of Appeal reaffirms MFSA liability in data leak case, orders regulator to shoulder costs

The Court of Appeal has reaffirmed the Malta Financial Services Authority (MFSA) bears responsibility for an unauthorised disclosure of confidential data to the investigative website ‘OffshoreAlert’.

The decision marks the latest development in a long-running legal battle over accountability and data protection standards within Malta’s financial regulator.

This latest judgment, delivered on Wednesday, builds on an earlier ruling in May 2024, which had confirmed that the MFSA was responsible for leaking information about the licence cancellation of E&S Consultancy Ltd before officially notifying the company and its directors, Christian Ellul and Karl Schranz.

In its renewed appeal, the MFSA sought to overturn the decision of the Information and Data Protection Appeals Tribunal, arguing that the tribunal had acted ultra vires and relied on a forensic expert who exceeded his remit.

The regulator also claimed that the alleged disclosure did not amount to a “personal data breach” within the meaning of EU Regulation.

The court, however, dismissed all five of the MFSA’s arguments, describing the tribunal’s actions as “fully within the parameters of the law”.

The court noted that the forensic expert’s report, commissioned jointly by the parties, established that the ‘OffshoreAlert’ article was uploaded on 18 November 2019, a full week before the MFSA’s own publication.

The court said this timeline “strongly indicated” that information had originated from within the authority.

“The MFSA was under a clear obligation to demonstrate that the breach was not imputable to it. It failed to discharge that burden,” the court said.

While the court stopped short of determining that the leak was deliberate, it found it probable that the premature disclosure emanated from the regulator’s offices. Only the MFSA, it said, possessed knowledge of the decision on 18 November 2019, the date OffshoreAlert published the story.

The Court also observed that Ellul and Schranz’s personal details were “integrally linked” with their company’s data, meaning the Authority had a duty to ensure protection of both corporate and individual information prior to publication.

The Court of Appeal confirmed the Tribunal’s April 2024 decision in its entirety and ordered the MFSA to bear all legal costs of the proceedings.

In doing so, the Court reaffirmed that the regulator must exercise greater diligence when handling confidential information, particularly when data concerns licensed entities or individuals subject to regulatory decisions.

This marks the conclusion of a case that has since passed through multiple levels of review, culminating in a judgment that firmly places responsibility for the leak on the MFSA.

Chief Justice Mark Chetcuti presided over the case.

Ellul and Schranz were represented by lawyers Jacob Daniel Portelli, Vincent Micallef and Stephanie Abela.