The Information and Data Protection Commissioner (IDPC) published its Annual Report for 2024 - a year that once again underscored the vital importance of protecting personal data in a rapidly evolving digital world.
The report states some key performance figures namely:
883 - Total Complaints received
112 - CCTV-related cases dominated the area of investigation
Article 6(1) was the most infringed GDPR Article
7 - Ex-officio investigations
One Stop Shop Cases:
256 - Total OSS cases of which 244 relating to the gaming sector
252 - Lead Supervisory Authority (LSA) cases
4 - Concerned Supervisory Authority (CSA) cases
Freedom of Information Applications:
Decisions notices issued: 4 were justified, 7 not justified and 2 partially justified
798 were the total number of requests received by the Public Authorities
47 - FOI Applications handled by IDPC
13 - Resolved through amicable settlement between the parties
Data Breaches:
105 - Total breaches reported
21 - Incidents reported by controllers in the education sector
61 - Cyber-attacks including phishing and ransomware
When commenting in his foreword to the Annual Report, Commissioner Ian Deguara said that in 2024, the office witnessed a significant increase in cross-border complaints, mainly relating to cases lodged with our European counterparts relating to the exercise of data protection rights with gaming operators having their main establishments in Malta.
“We have also witnessed new challenges deriving primarily from the use of artificial intelligence. More than ever, our mandate remains resolute, that is to continue with our mission to uphold the fundamental rights of individuals, ensure accountability among data controllers and processors, and provide guidance that is practical, proportionate and rooted in law,” he said.
During this past year, our office dealt with a growing number of data protection queries received from controllers operating in different sectors, and from individuals who either enquired about specific personal situations on which they required our professional feedback or otherwise about the exercise of their data protection rights. We can safely say that this increase in the number of engagement stems from an increase in public awareness of information rights.
Moreover, during the year, our office was requested to provide advice to the Government on several legislative measures concerning the protection of the rights and freedoms of natural persons in relation to the processing of personal data. By virtue of this consultation process, any legislation proposed by the Government which involves the processing of personal data passes through the diligent filters of our office which ensures that the legal instrument contains the appropriate and specific provisions to adapt the application of the rules and principles contained in the Regulation.
The subject of artificial intelligence was placed front and centre during this year, due the new responsibilities which this office will assume under the Artificial Intelligence Act. On 3 November, together with other national authorities and bodies, the Information and Data Protection Commissioner has been identified by the Government as a Fundamental Rights Authority for the purposes of article 77 of the AI Act – this role applies insofar as the processing of personal data is concerned. It is also expected that our office will be also designated as a market surveillance authority for certain high-risk AI systems as identified under Annex III of the AI Act.
“Whereas we recognised that society will benefit from AI technologies, it is essential to ensure that new technological developments are introduced in a manner that are fair, ethical, transparent and protect the fundamental rights of individuals, especially children and vulnerable persons,” said Commissioner Deguara.
In order to bring greater clarity to the application of data protection requirements in AI model training and deployment, and to reach a harmonised EU position and level playing field for industry, our Irish colleagues have requested a consistency opinion - pursuant to article 64(2) of the GDPR - from the European Data Protection Board on AI model development. The Board issued the opinion in December and this provided a unified position of three main issues, namely, the anonymity of AI models, the use of legitimate interest as a lawful basis to justify the processing of personal data, and the impact of unlawful processing in training AI model on the subsequent use of such model or system by the same controller or a separate one.
“Looking ahead, we remain steadfast in our commitment to a rights-based approach – one that ensures emerging technologies are developed and deployed in ways that are fair, transparent, and lawful. We will continue to support organisations in meeting their obligations, while placing the interests of individuals at the heart of everything we do.”
“The GDPR is working well and is standing the test of time. This clearly emerges from the report issued by the European Commission on the evaluation and review of the Regulation. The Commission examined in particular the application and functioning of Chapter V relating to the transfer of personal data to third countries or international organisations and Chapter VII on the cooperation and consistency mechanism,” Commissioner Deguara concluded.
During 2024, the office has also closely monitored the developments regarding the Procedural Regulation under the GDPR, formally known as the Regulation on additional procedural rules for the enforcement of the GDPR. This regulation aims to harmonise and streamline how cross-border data protection cases are handled within the EU. It sets out clearer rules for cooperation between national data protection authorities, particularly in the one-stop-shop mechanism, introduces timelines, transparency measures, and rights for parties under investigation, including access to documents and the right to be heard. The goal is to ensure more efficient, predictable, and fair enforcement of the GDPR across the EU.
The 2024 Annual Report is available here.
