Contributed By GTG Advocates
As a Member State of the European Union, Malta’s data protection laws include the EU’s General Data Protection Regulation (2016/679) (GDPR). Chapter 586 of the Laws of Malta, known as the Data Protection Act 2018, along with its subsidiary legislation, came into force on 28 May 2018, repealing the previous Data Protection Act of 2001. Malta is also a party to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), which entered into force in respect of Malta in 2003.
Enforcement issues are predominantly handled by the Office of the Information and Data Protection Commissioner as Malta’s supervisory authority in the field of data protection, whose responsibility is to oversee the applicability and enforcement of data protection law in accordance with the requirements of the GDPR. The Data Protection Act 2018 specifies the administrative fines that can be imposed by the Commissioner and the penalties that any person can face when found in violation of data protection laws.
Matters regarding cyber-security are, to date, regulated within the Criminal Code, under the heading ‘Of Computer Misuse,’ in the absence of dedicated legislation. The contents of this section largely reflect the provisions contained within the Council of Europe’s Cybercrime Convention, ratified by Malta in 2012. The provisions forbid unlawful access to, or use of, information including the unlawful use of a computer or other device or equipment to:
The Code also considers unauthorised activities that impede access to data, and the unlawful disclosure of data and passwords to be criminal acts, amongst others.
The Information and Data Protection Commissioner is granted powers under Article 11 of the Data Protection Act 2018 and is the supervisory authority responsible for overseeing the applicability and enforcement of data protection law in accordance with the requirements of the GDPR.
Further to the provisions of the GDPR and the Data Protection Act 2018, the Commissioner has the right to carry out investigations in the form of data protection audits and inspections, and to demand and obtain access to personal data, data processing equipment, records and documentation held by data controllers or data processors. The Commissioner may also request the assistance of the executive police to enter and search any premises during an investigation. Moreover, when exercising such investigative powers, the Commissioner may ask for additional information from any person deemed to be of interest. Lack of co-operation or the provision of false information may lead to criminal prosecution of such individuals.
An investigation may be initiated after a breach is reported to the Office of the Information and Data Protection Commissioner. Under Article 33 of the GDPR, a data controller shall notify a personal data breach to this office without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; where notification is not made within 72 hours, it must be accompanied by the reasons for the delay. Notification is not required where the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of data subjects, although the controller must still document the breach internally.
Under Maltese law, the Commissioner is assigned several investigative powers and duties; the Office of the Information and Data Protection Commissioner may investigate reported or suspected breaches and may impose fines, reprimands or both upon data controllers found to have breached the law. The Commissioner may also institute civil judicial proceedings in cases where there has been a violation of the Data Protection Act 2018. Administrative decisions of the Commissioner may be challenged by the aggrieved party before Malta’s Data Protection Appeals Tribunal within 20 days of the service of such decisions; decisions handed down by the Tribunal may in turn be challenged before Malta’s Court of Appeal following the standard civil procedure of the Maltese courts.
The Commissioner may also seek the advice of and consult with any other competent authority in the exercise of its functions.
The Data Protection Act 2018 also provides for joint operations with supervisory authorities of other EU Member States. The Act refers to the GDPR in instances where the national supervisory authority is to co-operate with its counterparts in other Member States. In such cases, the Commissioner may confer its powers, including investigative ones, on members and staff of the other Member States’ supervisory authorities. The Data Protection Act 2018 provides that such powers are to be exercised under the guidance and in the presence of the Commissioner.
As mentioned above, Malta adopted the Data Protection Act 2018 (Chapter 586 of the Laws of Malta) in 2018 following the repeal of its previous Act of 2001. In 2018, the European Union’s General Data Protection Regulation (2016/679) became directly applicable to all EU Member States, including Malta.
Several important events and conferences have taken place to promote the relationship between national and multinational systems. The International Conference of Data Protection and Privacy Commissioners is attended by Data Protection Commissioners from around the globe at which data protection issues are discussed on an international level.
In 2015, the Office of the Information and Data Protection Commissioner (Malta) joined the Global Privacy Enforcement Network, which is intended to foster cross-border co-operation among privacy and data protection authorities. By virtue of a Recommendation adopted in June 2007 by OECD governments, member countries were mandated to develop an informal network for the specific purpose of exchanging information and discussing practical aspects of enforcement co-operation through a dedicated online platform.
The BIIDPA (British, Irish and Islands’ Data Protection Authorities) is composed of the UK, Ireland, Cyprus, Jersey, Isle of Man, Malta, Gibraltar and Bermuda. Meetings are held on an annual basis, discussions at which are informal in nature for the exchange of useful information to ensure a consistent approach to the treatment of issues of common interest.
As noted above, Malta’s data protection law relies mostly upon the rules, concepts and principles contained within the GDPR, following the EU model and approach. Enforcement has, to date, been less aggressive than in other EU jurisdictions; at the time of writing, a number of significant breaches within the civil service are under investigation.
Since the introduction of the GDPR, over 100 personal data breaches have been notified to the Maltese Information and Data Protection Commissioner; to date the IDPC has issued 17 fines. As appeals against the Commissioner’s decisions are not publicly available, it is difficult to ascertain developments at this stage. Key developments are expected during 2019.
The controller and the processor shall designate a data protection officer in cases where processing is carried out by a public authority or body, except for:
The GDPR clearly states that a data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39 of the GDPR.
Personal data must be collected for specified, explicit and legitimate purposes and shall not be further processed in a manner incompatible with those purposes. The grounds for collection or processing shall be:
As a general rule, as laid down under Article 9 of the GDPR, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
However, Article 9(2) of the GDPR sets out a list of instances in which this general rule does not apply, for instance where the data subject has given explicit consent, where processing is necessary to protect the vital interests of the data subject, for the establishment, exercise or defence of legal claims, for reasons of substantial public interest, for reasons of public interest in the area of public health, for scientific or historical research purposes, and so on.
Under the requirements of the GDPR, controllers are expected to implement appropriate technical and organisational measures, at the earliest stages of the design of the processing operations, in a way that safeguards privacy and data protection principles from inception (‘data protection by design’) through to termination of processing. Controllers should also ensure that, by default, only personal data which is necessary for each specific purpose is processed; this applies to the amount of data collected, the extent of processing, the period of storage and its accessibility, so that personal data is treated with appropriate safeguards aimed at preserving the data subject’s rights and freedoms (‘data protection by default’).
The GDPR provides that controllers should carry out impact assessments when using new technologies and should seek the advice of their data protection officer. A Data Protection Impact Assessment (DPIA) is required whenever processing is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is required in particular where processing involves the systematic and extensive evaluation of the personal aspects of an individual, including profiling, on which decisions with legal or similarly significant effects are based; where processing involves special categories of personal data or criminal data on a large scale; and where processing involves the systematic, large-scale monitoring of publicly accessible areas.
The data subject has various rights that may be exercised upon the controller as enshrined in the GDPR, including:
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data that has undergone pseudonymisation, which could be attributed to a natural person by the use of additional information, should be construed to be information belonging to an identifiable natural person. Personal data that has been anonymised, and thus “does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable” may be used freely.
Restrictions on or allowances for profiling, automated decision making, online monitoring or tracking, Big Data analysis, artificial intelligence
The GDPR protects the data subject from being subjected to a decision based solely on automated processing (including profiling) that could produce significant legal effects or similarly significant effects upon the data subject.
A data subject may only be subjected to a decision based solely on automated processing where such decision is necessary for entering into, or the performance of, a contract between the data subject and a data controller; is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests; or is based on the data subject’s explicit consent.
The Data Protection Act 2018 grants the data subject the right to seek legal remedy in cases where he or she believes that his or her rights under the GDPR and the Act have been infringed as a result of the processing of his or her personal data in contravention of the Regulation or the Data Protection Act 2018. Such remedy shall be sought by sworn application filed against the controller or processor before the First Hall of the Civil Court; similarly, a data subject may institute an action for damages against the controller or processor processing his or her personal data in contravention of the GDPR or the Data Protection Act 2018. The court shall have the right to determine damages, including but not limited to moral damages, as it may determine are due to the data subject.
Sensitive data is defined by the GDPR as a specific set of special categories of personal data revealing racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, genetic data, biometric data for the purposes of identifying an individual, data concerning health, data concerning a natural person’s sex life and data regarding a natural person’s sexual orientation.
Text messaging is not explicitly covered by the GDPR save as a means of direct marketing. In such circumstances, processing must be based upon the conditions for lawful processing stated by the Regulation. The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) address data protection issues arising from the use of electronic communications networks and services and impose upon providers the implementation of appropriate safeguards to ensure the security and integrity of networks with regard to threats and incidents as well as personal data breaches.
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. These may leave traces that, when combined with unique identifiers and other information received by the servers, may be used to create profiles of natural persons and identify them.
Whilst privacy policies and cookie policies are not explicitly required, they are the means through which data controllers collecting and processing data via the internet may adequately comply with the requirement of Article 13 of the GDPR, explicitly stating the identity of the controller, the contact details of the data protection officer, the purposes of processing, the legal basis for such processing, including specific description of legitimate interests, the recipients or categories of recipients of personal data, and the intention to transfer data to territories outside the EEA. In the interests of fair and transparent data processing, privacy policies should also contain the retention period to be applied by the controller, or – where this cannot be suitably determined – the criteria that will be used to determine such retention period, the rights belonging to the data subject, including the right to withdraw consent where processing is based upon such legal grounds, the right to lodge complaints with the regulatory authority and the consequences of failure to provide personal data when such personal data is a statutory or contractual requirement or where it is necessary to enter into a contract. Privacy policies should also inform the data subject of the existence of automated decision-making, including profiling, and the logic involved as well as the possible consequence of such processing.
Cookie policies shall include most of the above-mentioned information where applicable to the technology in question, as well as the possibility of deactivating specific cookies where such cookies are not necessary to the functionality of the website in question. Regulation 5 of the Processing of Personal Data (Electronic Communications Sector) Regulations, which implements the provisions of the EU Privacy and Electronic Communications Directive (2002/58/EC), requires that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user (such as through cookies) be subject to the user’s prior, informed consent, unless it is strictly necessary for the provision of an information society service explicitly requested by the user.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct that clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
The Data Protection Act 2018 and the GDPR do not contain explicit mention of social media, online platforms or online search engines. In the absence of specific provisions regulating such media, the rules applicable to any other data controller or processor apply to them.
The right to be forgotten is enshrined in Article 17 of the GDPR. Where the controller has made personal data public and is obliged pursuant to a data subject’s request to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers that are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data. Such a requirement would also be applicable to social media applications, online search engines and online platforms.
Under the GDPR, the data subject shall have the right to receive personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller in the case where processing is based upon consent or the fulfilment of a contract and where such processing is carried out via automated means. The data subject has the right to request that the personal data in question be transmitted directly from one controller to another, where such transfer is technically feasible. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller and must not adversely affect the rights and freedoms of others.
The GDPR clearly states that children are considered to be more vulnerable than adults with regard to matters concerning personal data. In fact, under European law, children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned. Article 8 of the GDPR therefore provides that, where information society services are offered directly to a child and the processing is based on consent, the processing of the personal data of a child below the age of 16 years is lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child; Member States may lower this age by law, provided it is not below 13 years.
With regard to schooling, the Processing of Personal Data (Protection of Minors) Regulations (Subsidiary Legislation 586.04) stipulates that personal data relating to minors may be processed by any teacher, member of a school's administration or any other person acting in loco parentis, if this is in the best interest of the minor. In such cases, consent by the parents or legal guardian of the minor will not be required if this would be considered prejudicial to the best interest of the minor, and consequently, such persons will not have access to any personal data held in relation to the minor.
Where personal data is processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. This right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information.
The Data Protection Act 2018 itself makes no reference to the interception of communications, electronic marketing or monitoring and surveillance of individuals; on the other hand, the GDPR addresses direct marketing, but does not distinguish between electronic and non-electronic marketing. In the case of direct marketing, the data subject has the right to object to the processing of his or her data for marketing purposes.
There is, to date, no specific or uniformly applicable European legislation regulating the use and processing of personal data within the workplace, including the use of information and communication technology in the context of employment. EU Directive 95/46/EC (now repealed and replaced by the GDPR) dealt with the protection of individuals with regard to the processing of personal data and the free movement of such data, while Directive 2002/58/EC addresses the processing of personal data and the protection of privacy in the electronic communications sector. However, as mentioned above, these EU instruments do not contain any specific provision aimed at regulating the monitoring of workers’ behaviour and correspondence. Malta relies upon its own domestic legislation to regulate the surveillance and monitoring of workers by employers, particularly the Maltese Constitution, employment legislation, data protection laws, telecommunication laws and regulations and the Criminal Code, amongst others.
The Information and Data Protection Commissioner may carry out investigations in the form of data protection audits, which may serve as a means to compile evidence to support alleged breaches of law. The powers of the supervisory authority are subject to the right to judicial remedy and effective due process as set out in Maltese law.
The Data Protection Act 2018 does not apply to competent authorities engaged in the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including safeguarding against and preventing threats to public security. The minister responsible for matters pertaining to data protection may, following consultation with the Information and Data Protection Commissioner and concurrently with the minister responsible for the police force, issue regulations making provision for the processing of personal data by the competent authorities noted above.
Under Maltese law, private communications can be intercepted by the Maltese security service upon obtaining a warrant signed by the minister under the circumstances related to national security delineated in the Security Service Act. Subsidiary Legislation 586.08, titled ‘Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations’ and implementing Directive (EU) 2016/680 of the European Parliament and of the Council, addresses technical surveillance, in that it is lawful for competent authorities to collect personal data through technical surveillance or through automated means.
Under Maltese law, Chapter 391 of the Laws of Malta, known as the Security Service Act, addresses interception of communications, which by the definition provided in the same Act includes an array of activities such as surveillance. However, the Act itself makes no reference to the processing of data.
Agencies acting within the remit of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including safeguarding against and preventing threats to public security, may act unilaterally with regard to the interception of private communications, save as noted above.
The Information and Data Protection Commissioner has the power to monitor and enforce the application of the GDPR and the Data Protection Act 2018; to advise parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons’ rights and freedoms with regard to processing; to provide information to any data subject concerning the exercise of their rights under the Data Protection Act 2018 and the GDPR and, if appropriate, to co-operate with the supervisory authorities in other Member States to that end; to handle complaints lodged by a data subject or by a body, organisation or association, to investigate the subject matter of the complaint and to inform the complainant of the progress and outcome of the investigation within a reasonable period; and to conduct investigations on the application of the GDPR, amongst others. Subsidiary Legislation 586.08, titled ‘Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations’, also reflects the contents of the GDPR regarding the regulation of processing activity and data subject rights.
See 3.1 Laws and Standards for Access to Data for Serious Crimes.
The transfer of personal data may be freely carried out in territories forming part of the EEA. Transfers to third countries may only take place if the third country in question ensures an adequate level of protection for personal data to be processed. Transfers to a third country that does not ensure an adequate level of protection and is not covered by an Adequacy Decision issued by the European Commission may take place where:
See 4.1 Restrictions on International Data Issues.
Maltese legislation does not provide for forced data localisation; data may be transferred outside Maltese borders and within the EEA freely, subject to the principles of the GDPR for the appropriate safeguarding of personal data. Data transfers effected outside the EEA are subject to more stringent safeguards as detailed above.
Requests made by foreign governments or with respect to foreign litigation proceedings or investigations may take place in situations where such requests are grounded in important reasons of public interest, and in circumstances where such interests are recognised under Maltese legislation or EU legislation. As previously noted, authorities acting upon their legal roles for the prevention and detection of crime, as well as the Maltese law courts, are not governed by the provisions of the Data Protection Act 2018; they are nevertheless expected to apply the principles of data protection contained within the Act and the GDPR.
Big Data refers to large volumes of data that may be analysed computationally to reveal trends and patterns, especially relating to human behaviour and interactions. Big Data is therefore a very valuable tool for all types of businesses seeking to increase their customer base.
Big Data analytics has recently been under the spotlight, particularly since the adoption of the GDPR in 2016 and its application from May 2018. The way in which Big Data is acquired has had to be revised, since the main purpose of this legislation is to give individuals better control over their personal data as it is collected by businesses.
All personal data collected as part of Big Data sets must now be processed and stored securely, in line with the principles of purpose limitation, data minimisation and integrity and confidentiality. Compliance is expected, and businesses of all sizes will need to come to terms with the idea that customers have greater control over their own personal data, which is the true spirit behind the enactment of the GDPR.
Article 22 of the GDPR deals with automated individual decision-making and profiling. The GDPR protects the data subject from being subjected to a decision based solely on automated processing (including profiling), which could produce significant legal effects on the individual.
Automated decision-making may only be carried out where such processing is necessary for the entry into or performance of a contract, or authorised by Union or Member State law applicable to the controller or based on the individual’s explicit consent.
Any processing falling within the definition of automated decision-making must be clearly identified, and the data subject must be explicitly informed of such processing. The controller shall also provide simple ways for data subjects to request human intervention, express their point of view or challenge a decision, and shall carry out regular checks to ensure that systems are functioning as intended.
Profiling may be defined as the use of data to evaluate certain aspects related to an individual. The main scope of such profiling is to predict an individual’s behaviour and to take certain decisions based upon such analysis.
Article 22 of the GDPR lays down a number of requirements that must be respected to ensure the protection of data subjects who are subjected to profiling. Data subjects who are being profiled have a number of rights available under the GDPR, including the right to be forgotten, the right to data portability and the right to object to such processing; where an objection is raised, the processing must cease unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or that the processing is for the establishment, exercise or defence of legal claims. It is important to note that Recital 71 of the GDPR states that decisions based solely on automated processing, including profiling, which produce legal or similarly significant effects should not concern a child.
Once again, the implementation of the GDPR has created visibility and therefore transparency of data processing. Various rights, including the right of access (Article 15), the right to be forgotten (Article 17), and the right to meaningful information about the logic involved in automated decision-making, as well as its significance and envisaged consequences (Article 15(1)(h)), make transparency a requirement that forces each controller of personal data to be compliant and diligent in its methods. This also means that companies, at least when providing services to European users, must be able to explain in meaningful terms how their algorithmic decision-making processes operate and what consequences they may have for the individual.
The Internet of Things (IoT) generally refers to the interconnection via the internet of computing devices embedded in everyday objects, enabling them to send and receive data. Since the GDPR applies to both personal data and personal sensitive data, it naturally has a significant effect on the IoT.
The main aspects of the GDPR that will have a substantial effect on the IoT are security and consent. A smart watch, for instance, continuously transmits health and location data about its wearer; if that data is intercepted, exposed or otherwise compromised, the result is a personal data breach, and the manufacturer or service provider acting as controller must apply appropriate technical and organisational security measures to the device, its communications and the back-end systems that store the data. Consent is another factor to be considered. According to the GDPR, “consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.” It is important to note that where the data subject has provided the controller with personal data, willingly or unwittingly, data controllers cannot presume that this data may be used for any purpose; personal data shall only be used for the purposes for which it was collected.
As facial recognition processes information about an individual’s facial features through specific technical means in order to uniquely identify that individual, the resulting data is classified as biometric data, which falls within the special categories of personal data under Article 9 of the GDPR. It should be noted that ordinary photographs are not automatically biometric data; they become so only when processed through such technical means for the purpose of unique identification. To ensure GDPR compliance, one must make sure that the processing of such sensitive personal data is carried out under one of the conditions provided for by Article 9(2) of the GDPR. Interestingly, Member States may maintain or introduce further conditions, including limitations, with regard to the processing of biometric data. No such further conditions have, to date, been implemented in Malta.
Geolocation generally refers to the process of identifying the geographical location of a person or device by means of digital information processed via the internet. Geolocation data can therefore reveal personal data about a user’s location and behaviour. The GDPR imposes strict requirements on how businesses may use geolocation to track individuals. Consent has so far been the basis most commonly relied upon; however, whatever the legal basis, data controllers need a legitimate and clearly defined purpose for processing location data, and the GDPR obliges the data controller to inform the data subject of what location information will be collected and why.
Since it is in the nature and intended use of a drone to fly over and record data, principally photos and videos, the GDPR is deemed to regulate such activities that would effectively qualify as data collection and processing.
Matters regarding cyber-security are, to date, regulated within the Criminal Code, under the heading ‘Of Computer Misuse’, in the absence of dedicated legislation. The contents of this section largely reflect the provisions contained within the Council of Europe’s Cybercrime Convention, ratified by Malta in April 2012. The provisions forbid unlawful access to, or use of, information including the unlawful use of a computer or other device or equipment to:
The Code also considers unauthorised activities that impede access to data, and the unlawful disclosure of data and passwords to be criminal acts, amongst others.
The Data Protection Act 2018 and the GDPR shall be applicable with regard to matters pertaining to personal data, including personal data breaches. Operators of electronic communications systems are responsible for ensuring the security and integrity of networks against incidents, threats and vulnerabilities, by virtue of the requirements established under the Electronic Communications Networks and Services (General) Regulations and the Processing of Personal Data (Electronic Communications Sector) Regulations. A number of EU regulations and directives – such as Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation), and Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA – are also applicable to the Maltese scenario. Malta has also recently completed the transposition of Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the European Union.
The Data Protection Act 2018 authorises the Information and Data Protection Commissioner to oversee and enforce compliance with the provisions of the Data Protection Act 2018. By virtue of the GDPR, heftier fines may now be imposed. The Cyber Crime Unit, which is a specialist department within the Malta police force, is tasked with providing technical support for the detection, investigation and prosecution of crimes that involve the computer as the target or instrument of choice.
In the case of a personal data breach, the GDPR establishes reporting requirements with respect to the Information and Data Protection Commissioner that must be duly observed. Furthermore, where there is a significant risk of a security or integrity breach to a network or services, the provider must notify the Malta Communications Authority (MCA) of this without undue delay. Where the breach is serious and significant, or in cases of failure of international connectivity, the MCA must also be notified, and in particular circumstances the MCA shall also inform regulatory authorities in other Member States as well as the European Network and Information Security Agency (ENISA).
The Information and Data Protection Commissioner is responsible for ensuring and enforcing compliance with the provisions of the Data Protection Act 2018. Given the enactment of the GDPR, heftier fines may be imposed with the object of preventing non-compliance with the cyber-security obligations resulting from the GDPR.
As a result of the provisions of the GDPR and the Data Protection Act 2018, the Commissioner has the right to carry out investigations through data protection audits and inspections. Furthermore, it may also demand and access personal data, data processing equipment, records and documentation held by data controllers or data processors. In the case of pending investigations, the Commissioner may also request the assistance of the executive police in order to enter and search any premises for such purposes. When such investigative powers are being exercised, the Commissioner may request additional information from any person considered to be of interest.
The Malta Financial Services Authority (MFSA) imposes a duty on financial institutions to report any security breaches to the MFSA and to the Central Bank of Malta, as well as to the Information and Data Protection Commissioner in the case of a personal data breach. The Malta Gaming Authority requires operators in the remote gaming field to report any breaches of, or attacks on, their systems to that authority.
In the remote gaming field, the Malta Gaming Authority may act to verify compliance where an operator is in breach of its information security policy and system access control policy. Administrative fines may be imposed where the operator is effectively found to be in breach. In the financial field, on the other hand, the MFSA may impose penalties on licence holders that are not in compliance. These include restriction or revocation of a licence, as well as administrative penalties.
The Malta Communications Authority may be considered another key regulator. Aside from the above-mentioned role and duties, where a network security breach is considered to be in the public interest, the Malta Communications Authority may notify the public of this – or require the undertaking concerned to effect notification itself.
The main international standard adopted in Malta is ISO 27001. This has been adopted by several organisations and governmental bodies in Malta to cater for their information security management operations. Other organisations may implement the provisions of this standard without acquiring the respective certification.
The adoption of this standard is voluntary. However, in cases where there is an obligation to maintain certain levels of cyber-security, adoption of the standard gives rise to a presumption that sufficient measures have been adopted. The GMICT Information Security Policy, which has been in effect since 29 January 2019, is based on ISO 27001. It applies to the public sector, such as public administration and the government.
In the exercise of a controller’s obligations under Article 32 of the GDPR with regard to the security of the processing of personal data, the compilation of a security programme may be deemed to be an appropriate organisational measure in pursuit of fulfilment of the controller’s obligations under the same Article.
The drafting of an incident response plan should cover the appropriate measures to be taken in the event of a data breach or suspected data breach, including notification drafting procedures and the implementation of mitigating procedures in fulfilment of the GDPR’s requirements.
The GDPR specifically states the need for employee training with regard to matters pertaining to data protection. Training may be tailored to suit the roles and responsibilities of the employee in question.
As an EU Member State, Malta is part of the European Forum for Member States on public policies for security and resilience in the context of critical information infrastructure protection, aimed at fostering “the exchange between Member States of good practices, information and experience on public policy matters relevant to security and resilience” with regard to critical information infrastructure protection.
A personal data breach is defined under the GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The Data Protection Act 2018 makes no specific reference to notifications to supervisory authorities or individuals of data breaches and relies on the provisions of the GDPR.
The GDPR provides that when there is a personal data breach, the Office of the Information and Data Protection Commissioner is to be notified by the controller without undue delay and within 72 hours. This obligation may be lifted if the rights and freedoms of natural persons are unlikely to be affected. Where the processor becomes aware of a personal data breach, the processor must inform the controller without undue delay.
In cases of high risk, the breach must also be communicated to the data subject, using clear and plain language. The controller may not be obliged to inform the data subject if appropriate technical and organisational protection measures were implemented, if subsequent measures have been taken in response to the breach, or where it would involve a disproportionate effort to notify the data subjects individually.
The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) also provide that in cases where there is a significant risk of a breach of security or integrity of services or a network, the provider must notify the Communications Authority and any users concerned appropriately and without undue delay.
Maltese legislation does not specifically allow or forbid the implementation of practices or tools for network monitoring or cyber-security defensive measures. The implementation of such practices and tools must necessarily follow the general principles of the GDPR and the Data Protection Act 2018 wherever personal data is processed in the exercise of such protective functions.
Cyberthreat Information Sharing Arrangements
The Cyber Crime Unit within the Malta police force is tasked with receiving information and reports regarding cyber-threats and cyber-crime, as well as providing technical assistance in the detection and investigation of crime wherein the computer is the target, or the means used.
Since the introduction of the GDPR, over 100 personal data breaches have been notified to the Maltese Information and Data Protection Commissioner; the IDPC has to date issued 17 fines. It is important to note that appeals from the Commissioner’s decisions are not publicly available; it is thus difficult to ascertain developments at this stage. There are currently a number of ongoing investigations and audits being carried out by the Office of the Information and Data Protection Commissioner with regard to personal data breaches related to cyber-security incidents, primarily concerning cyber-security attacks upon public and financial institutions. Such investigations, and their findings and results, are expected to be concluded in 2019.