


In imposing the significant fine as a result of the data breach, the UK’s ICO found, among other things, that the IICSA (which erroneously sent a bulk email using the ‘TO’ field instead of the ‘BCC’ field) failed to make use of an email account that could send separate messages to each participant and also failed to provide its staff with appropriate training and guidance.

Before clicking 'Send', check and check again!

Sending an email to the wrong recipient is perhaps one of the most common types of data breach that can occur. One example is erroneously sending a Carbon Copy ('CC') email or an email with recipients in the 'TO' field instead of a Blind Carbon Copy ('BCC') email. This can have serious implications in terms of general confidentiality obligations as well as significant implications in terms of the EU General Data Protection Regulation ('GDPR') which came into effect across the EU, including Malta, on 25th May 2018.

This is exactly what happened in February 2017 to the 'Independent Inquiry into Child Sex Abuse' ('IICSA') when an IICSA staff member sent out a bulk email to ninety (90) possible victims of child sexual abuse participating in the inquiry. Instead of sending an email to the ninety (90) participants by using the 'BCC' field (so that the participants would not see each other's details), the IICSA staff member accidentally used the 'TO' field. This revealed the email addresses of all participants to each other. Fifty-two (52) of the emails actually contained the full name of the participant.

Because of the date of the breach, this case was dealt with by the ICO (the UK's equivalent of the Maltese Information and Data Protection Commissioner) under the provisions and maximum penalties of the UK Data Protection Act 1998, and not under the new 2018 Act which, as a result of the GDPR, has replaced it. This notwithstanding, on 18th July 2018, the ICO imposed the significant fine of two hundred thousand (200,000) Sterling on the IICSA for causing this data breach. The ICO found, inter alia, that the IICSA failed to make use of an email account that could send separate messages to each participant and also failed to provide its staff with appropriate training and guidance.

The ICO's director of investigations, Mr. Steve Eckersley said: "This incident placed vulnerable people at risk, which is concerning. IICSA should and could have done more to ensure this did not happen."

"People's email addresses can be searched via social networks and search engines, so the risk that they could be identified was significant."

With the risk of fines now going up as high as twenty (20) million euros or 4% of an organisation's worldwide annual turnover, even Maltese data controllers must take extra steps to ensure that staff members are aware of these risks as well as the broader implications of the GDPR. In all cases, before correspondence is sent out, it is crucial (now more than ever) to ensure that the recipient(s) is/are correct and that no personal data or even confidential data are accidentally disclosed to unauthorised entities.

For more information about this specific case, please visit the ICO's website at

For more information about the GDPR more generally, please visit our microsite at www.gdprmalta.com, which will continue receiving updates on a regular basis.
