Data Protection & Privacy 2024

Last Updated February 13, 2024

Malta

Law and Practice

Authors



Fenech & Fenech Advocates was established in 1891 and is the oldest and one of the largest full-service law firms in Malta. It is a recognised leader in all aspects of maritime, commercial, corporate, tax, M&A, asset and corporate finance, ship finance, financial services, fintech, aviation, intellectual property, employment, remote gaming and TMT law, with a notable litigation team having expert litigators in most areas of the law. The firm provides comprehensive advice and services through its in-house corporate services group, the Fenlex group (www.fenlex.com), which also includes a licensed trust and fiduciary company, and its ship registration arm Fenech & Fenech Marine Services Ltd. All the firm’s lawyers are highly specialised in their fields, with a number being actively involved in the development and amendment of laws, lecturing both locally and overseas, and assisting government with legislative assignments related to their practice areas.

Law and the Regulatory Authority

Legislative framework

The primary data protection legislative text in Malta is the Data Protection Act, Chapter 586 of the Laws of Malta (“CAP 586”), which repealed and superseded the previous Data Protection Act, Chapter 440 of the Laws of Malta. CAP 586 implements Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the GDPR), since Malta is a member state of the EU.

Another notable legislative text under Maltese law is the Processing of Personal Data (Electronic Communications Sector) Regulations, Subsidiary Legislation 586.01, which implements Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the “ePrivacy Directive”).

EU Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EC) No 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws have also been transposed into national law.

Other notable subsidiary legislation (SL) under Chapter 586 of the Laws of Malta includes the following:

  • Processing of Personal Data (Protection of Minors) Regulations (SL 586.04);
  • Processing of Personal Data for the purposes of the General Elections Act and the Local Councils Act Regulations (SL 586.06);
  • Processing of Personal Data (Education Sector) Regulations (SL 586.07);
  • Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations (SL 586.08);
  • Restriction of the Data Protection (Obligations and Rights) Regulations (SL 586.09);
  • Processing of Data concerning Health for Insurance Purposes Regulations (SL 586.10);
  • Processing of Child’s Personal Data in relation to the Offer of Information Society Services Regulations (SL 586.11); and
  • Enforcement of Rights of Data Subjects in relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations (SL 586.12).

Maltese law also contains the following additional data protection and privacy-related laws:

  • the Criminal Code, Chapter 9 of the Laws of Malta, Title IX, Cooperation between the National Authorities and the Office of the European Public Prosecutor;
  • the Identity Card and other Identity Documents Act, Chapter 258 of the Laws of Malta, on the limitations of the use of biometric data stored on an electronic identity card;
  • the Accountancy Profession Act, Chapter 281 of the Laws of Malta, on the remit and limitations of the Accountancy Board;
  • the Income Tax Management Act, Chapter 372 of the Laws of Malta, on the partial or complete restriction of data subject rights, particularly the right of access, and on the limitations of the Commissioner of Inland Revenue to request special category data;
  • the Credit Agreements for Consumers relating to Residential Immovable Property Regulations (SL 378.10), on the limitations of processing personal data obtained from a consumer or any other person in connection with the conclusion and management of any credit agreement, insofar as this may only be processed for the purpose of assessing the creditworthiness of the consumer or of any such other person and their ability to repay in accordance with these regulations;
  • Part VIII of the Electronic Communications Networks And Services (General) Regulations (SL 399.48), on the protection of privacy, which regulates calling-line identification, among other matters;
  • the Work Place (Minimum Health and Safety Requirements for the Protection of Workers from Risks resulting from Exposure to Electromagnetic Fields) Regulations (SL 424.34), on the limitations on the right of access in the context of safety risk assessments;
  • the Olive Oil (Marketing Standards) (Implementing) Regulations (SL 427.101), establishing a public interest ground for the sharing of data and information by persons, natural or legal, for the purposes of the Director General’s functions;
  • the Telework National Standard Order (SL 452.104), on measures, particularly concerning software, that employers of teleworkers must implement to ensure the protection of data used and processed by the teleworker in the carrying out of duties;
  • the Clinical Trials Regulations (SL 458.43), pertaining to rules regulating clinical trials, including assurances on the rights of the subject to physical and mental integrity, and to the provision and protection of data concerning him or her;
  • the Communication of Passenger Data by Air or Sea Carriers Order (SL 460.18), on the rules regulating the processing of personal data by the Principal Immigration Officer, including on retention periods;
  • the Securitisation Act, Chapter 484 of the Laws of Malta, on the transfer of personal data, including to third countries without adequate levels of protection, within the context of securitisation transactions;
  • the Voluntary Organisations Act, Chapter 492 of the Laws of Malta, on disclosures of personal data processed by the Commissioner for Voluntary Organisations;
  • the Deployment and Use of Intelligent Transport Systems Regulations (SL 499.61), pertaining to the processing of personal data in the context of intelligent transport systems (ITS) and the preference for anonymous data in the performance of ITS applications and services;
  • the Motor Vehicles (Exchange of Data) Regulations (SL 499.62), on, inter alia, retention periods of personal data processed by competent authorities;
  • the Health Act, Chapter 528 of the Laws of Malta, on, inter alia, the limitation of the access right by a patient;
  • the Processing of Personal Data (Secondary Processing) (Health Sector) Regulations (SL 528.10), on, inter alia, the secondary processing of personal data and health records for research activities;
  • the Business Register and Information Sharing Regulations (SL 546.02), on the establishment of a business registry and, inter alia, the rule that all undertakings listed thereon (including self-employed persons) are considered as business undertakings;
  • the Co-ordination of Government Inspections Act, Chapter 568 of the Laws of Malta, which provides, inter alia, that the sharing of data and the maintenance of common databases and repositories of information, as provided for by this Act to facilitate reductions in the burden of inspections on entities and individuals, shall be regarded as activities that are carried out in the public interest for the purposes of the Data Protection Act;
  • the Gaming Commercial Communications Regulations (SL 583.09), on the limitation of the processing of personal data, unsolicited commercial communications and commercial communications to self-excluded players by authorised persons offering licensable games or service providers collaborating with authorised persons; and
  • the Passenger Name Record (Data) Act, Chapter 584 of the Laws of Malta, which transposes Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

Maltese legislation also conforms with the Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No 108), which was ratified by Malta in February 2003.

Under the European Convention Act (Chapter 319 of the Laws of Malta), the European Convention on Human Rights, including the protection afforded in respect of the right to privacy (Article 8), has been transposed into domestic Maltese law and is directly enforceable before the Maltese courts. The right to the privacy of one’s home and property and the right to freedom of expression are enshrined in the Constitution of Malta as fundamental human rights.

Furthermore, the EU Charter of Fundamental Rights, which recognises the right to privacy and the right to data protection, applies to national authorities when implementing EU law.

Fines under the GDPR regime

Whilst the GDPR provides for a maximum administrative fine of EUR20 million or, in the case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83 of the GDPR), the Malta Data Protection Act does not itself set out the administrative fines that may be imposed by the Information and Data Protection Commissioner (IDPC) for non-compliance with the GDPR regime. As the GDPR is directly applicable, the IDPC may therefore impose the administrative fines set out in Article 83 of the Regulation.

Furthermore, and without prejudice to the above, in terms of the Data Protection Act, any person who is found guilty of the following offences shall, upon conviction, be liable to a fine of not less than EUR1,250 and not more than EUR50,000, or to imprisonment for six months, or both:

  • knowingly providing false information to the IDPC when so requested by the IDPC pursuant to its investigative powers in terms of the GDPR or any other law; or
  • failing to comply with any lawful request pursuant to an investigation by the IDPC.

Moreover, any person who infringes or fails to comply with SL 586.01 (the Processing of Personal Data (Electronic Communications Sector) Regulations, implementing the ePrivacy Directive) shall be liable to an administrative fine of up to EUR23,293.73 for each violation and EUR2,329.37 for each day during which such infringement persists; such fine shall be determined and imposed by the IDPC.

Data Protection Authority

Under the domestic data protection regime in Malta, the key regulators are:

  • the IDPC, which is effectively the national supervisory authority in Malta in terms of the GDPR; and
  • to a secondary extent, in terms of SL 586.01, the Malta Communications Authority (MCA).

Scope, duties and powers of the national supervisory authority

As the national supervisory authority, the IDPC or “Commissioner” is responsible for monitoring and enforcing the application of the provisions of CAP 586 and of any subsidiary legislation thereunder, and for enforcing the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of personal data, and to facilitate the free flow of personal data between Malta and other member states (Part V of CAP 586). The Commissioner is endowed with separate and distinct legal personality for the purposes of his or her tasks and powers, as set out therein.

In carrying out its tasks and exercising its powers under the GDPR (Article 58), the IDPC acts with complete independence, free from direct or indirect external influence, and neither seeks nor takes instructions or directions from any person or entity (Article 12(1) of CAP 586).

The IDPC has the power to:

  • institute civil judicial proceedings in cases where the provisions of CAP 586 or the GDPR have been or are about to be violated;
  • seek the advice of, and consult with, any other competent authority in the exercise of its functions under CAP 586 and the GDPR;
  • request the assistance of the executive police to enter and search any premises in the exercise of the investigative powers under Article 58 of the GDPR;
  • confer powers, including investigative powers, on the seconding supervisory authority’s members or staff, in the case of joint operations with supervisory authorities of one or more other EU member states; and
  • impose administrative fines.

Decisions of the Commissioner are subject to appeal before the Information and Data Protection Appeals Tribunal, and decisions of the Tribunal are subject to review before the Court of Appeal.

Co-operation with other data protection authorities

Article 15 of CAP 586 stipulates that the Commissioner may seek the advice of, and may consult with, any other competent authority in the exercise of his or her functions under CAP 586 and the GDPR, and may confer powers, including investigative powers, on the seconding supervisory authority in the event of joint operations with supervisory authorities of one or more other EU member states, provided the powers are exercised under the guidance and in the presence of the IDPC.

Under the GDPR, the IDPC must co-operate with other supervisory authorities on cases with a cross-border component, through the co-operation and consistency mechanisms (including the one-stop-shop lead supervisory authority mechanism), so as to ensure a consistent application of the GDPR.

In the context of the processing of personal data in the electronic communications sector, the IDPC is also empowered to seek the advice of, and where appropriate must consult with, the MCA in the exercise of its functions.

Article 7 of CAP 586 specifies that, in cases where genetic data, biometric data or data concerning health is required to be processed for research purposes, the IDPC shall consult an ethics committee or an institution recognised by the IDPC.

As regards the scope of investigations and audits by the key local regulator, the local implementing legislation does not go substantively further than the GDPR (as may be the case in other EEA jurisdictions): investigations are either complaint-based (Article 57 of the GDPR) or ex officio (Article 58 of the GDPR).

Scope of data protection authority investigations and audits

CAP 586 requires the Commissioner (as the national supervisory authority) to perform the duties assigned to him or her under the GDPR (Article 15 of CAP 586). Accordingly, the scope of the Commissioner's role from a domestic law point of view, in terms of the duty to handle complaints from a third party (with locus standi) and the power and duty to investigate ex officio and impose corrective measures, does not go substantively beyond what arises from Articles 57 and 58 of the GDPR, respectively (see also Article 15(2) of CAP 586).

Artificial intelligence (AI)

The pertinent regulator for AI matters would be the Malta Digital Innovation Authority (MDIA), established by the Malta Digital Innovation Authority Act, Chapter 591 of the Laws of Malta (MDIAA).

The MDIAA stipulates that the MDIA shall endeavour “… to assist the competent data protection authorities in safeguarding the data protection rights of data subjects and assist other competent authorities in the protection of vulnerable persons and the promotion of fair competition and consumer choice” (Article 4(2)(h)).

Domestic Administrative and Enforcement Process

Beyond the applicable articles of the GDPR, Maltese law does not go into much detail on the administrative process the IDPC must follow, nor on the legal standards or criteria for assessing the merits of an investigation, as these are left to the discretion of the Commissioner. The most relevant domestic source is consequently the “duties assigned to him” under Article 15 of CAP 586.

Furthermore, in arriving at a decision, the Commissioner “…may seek the advice of, and may consult with, any other competent authority in the exercise of his functions under this Act and the Regulation” (Article 15(3) of CAP 586).

As to the legal standard that empowers the Commissioner to take action, Article 15(2) of CAP 586 states that the “Commissioner shall have the power to institute civil judicial proceedings in cases where the provisions of this Act or the Regulation have been or are about to be violated”. The standard is therefore an objective statutory one (whether the Act or the GDPR has been or is about to be violated), rather than a subjective threshold tied to the Commissioner's discretion or to an assessed level of likelihood.

Judicial Review of Data Protection Authority Orders

Under Maltese law, before the Commissioner issues a decision, the parties are heard or asked to make submissions at the investigation stage. If the respondent disagrees with the decision reached by the Commissioner, they may file an appeal with the Information and Data Protection Appeals Tribunal within 20 days of service of the decision, on the following substantive grounds (Article 26 of CAP 586):

  • a material error as to the facts has been made;
  • there was a material procedural error;
  • an error of law has been made; or
  • there was some material illegality, including unreasonableness or lack of proportionality.

The appeal procedure before the Information and Data Protection Appeals Tribunal is governed by Article 26 of CAP 586, which sets out the formalities to be observed by the appellant, the Tribunal and its registry, such as time limits and the service/submission of the pertinent legal documents.

If any party (including the IDPC) is aggrieved by a decision of the Information and Data Protection Appeals Tribunal, it may appeal to the Court of Appeal, on a question of law only, as constituted by Article 41(6) of the Code of Organisation and Civil Procedure, Chapter 12 of the Laws of Malta (COCP), as provided by Article 29 of CAP 586.

Multilateral Legislative Implementation

Further to the enactment of CAP 586 and SL 586.01 to implement the GDPR and the ePrivacy Directive respectively, the Maltese legislator has enacted the following to implement the applicable EU legislation.

  • SL 586.08 (enacted in 2018) is the domestic legislation in Malta that implements Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
  • SL 586.12 implements Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR.

In relation to the implementation of applicable multinational obligations in general, since Malta is an EU member state, directly applicable EU Regulations, as well as the guidelines, recommendations and binding decisions issued by the European Data Protection Board (EDPB), also apply to Malta.

From a Brexit point of view, whilst Malta is home to a number of persons from the UK, the IDPC has not issued Brexit data protection-specific guidance but has reiterated the statements issued by the EDPB pertaining to Brexit.

There are organisations in Malta that may support citizens in situations of infringement of privacy or data protection, but no self-regulatory organisations have yet been set up specifically for the protection of privacy and data protection.

However, a number of NGOs have been regularly involved in public matters regarding data privacy, serving as champions for data protection matters locally. Such NGOs include the Daphne Caruana Galizia Foundation and the Malta Information Technology Law Association.

National System Characteristics

In general, Malta can be seen as implementing a more lenient system when it comes to decisions concerning data protection and privacy matters. The IDPC may often opt to issue a reprimand in lieu of a fine, and the fines issued are typically less punitive than those issued in neighbouring member states. However, recent years have seen a dramatic increase in complaints registered with the IDPC and an increase in related decisions taken by the IDPC.

Moreover, in comparison to other supervisory authorities, the IDPC does not publish as much guidance as, for instance, the UK's ICO or France's CNIL, and relies heavily on their publications for local guidance as far as practicable. It also relies heavily on EDPB guidance on various matters.

The Maltese legislator has published Legal Notice 204 of 2023: the Enforcement of the Rights of Data Subjects in relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations (now SL 586.12).

Illegal Processing of Electoral Data and Voter Preferences

The Civil Courts of Malta are currently hearing a collective action (similar in scope to a class action) regarding the illegal processing of personal data (which includes voter preferences). The case was instituted after a Maltese service provider that provided technology services to a number of entities in Malta suffered a massive data breach. The impacted data, released on the internet, included a database containing the details of all Maltese citizens who are eligible to vote as well as their voting preferences, thereby concerning special category data.

When called to testify by the plaintiffs, the Malta Electoral Commission confirmed that part of this database comprised the electoral register. However, the affected database also contained various other data fields, such as telephone numbers, but also voting preferences, which are not typically part of the electoral database. It appears therefore that there has been an amalgamation of various data sources.

Whilst the case is still ongoing, there have been several local reports that this database has been in use extensively by the Labour party (currently the party in government) to award government jobs and to check the political orientation of prospective government employees.

The case has been instituted by more than 500 Maltese citizens, who are being assisted by the NGOs Daphne Caruana Galizia Foundation and Republika. The current civil case is seeking damages against the service provider that suffered the data breach and also against the third parties who actually created the database itself.

Through its investigations and eventual decision, the IDPC has already found the service provider to be in breach of the GDPR and imposed a fine of EUR65,000. The civil case is ongoing.

Other Laws

Data Protection Officer (DPO)

Under Maltese law, the pertinent provisions on DPOs are contained in the GDPR. The appointment of a DPO is required only in cases where:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations that, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

The DPO is responsible for:

  • informing and advising the controller or the processor and their employees on data protection provisions;
  • monitoring compliance with the applicable data protection legislation and with existing policies of the controller or processor concerning the protection of personal data;
  • the assignment of responsibilities, as necessary, raising awareness and training the staff involved in processing operations, and the related audits;
  • providing advice where requested in connection with data protection impact assessments, and monitoring their performance; and
  • co-operating with the supervisory authority and acting as the point of contact for the supervisory authority, including consultation on any other matter, where appropriate.

Criteria necessary to authorise collection, use or processing of specific data sets

If a controller intends to process genetic, biometric or health data, in the public interest for statistical or research purposes, or where special categories of data are concerned in respect of the management of social care services and systems, including for the purposes of the management and monitoring of such, the controller must consult with the Commissioner and obtain prior authorisation before proceeding to collect and process such data (Article 7 of CAP 586).

An identity document (ID) may only be processed where such processing is clearly justified having regard to the purpose of the processing, the importance of a secure identification, or any other valid reason provided by law, and provided that the national ID number or any other identifier of general application is only used under appropriate safeguards for the rights and freedoms of the data subject pursuant to the GDPR (Article 8 of CAP 586). A legitimate basis to process such an ID would be, for instance, compliance with anti-money laundering (AML) and combating the financing of terrorism (CFT) obligations. This proviso under Maltese law can be read as an express data protection by design/default requirement for this scenario, under which pseudonymisation of the identifier is a reasonable expectation, mirroring Article 25 of the GDPR.

In the ambit of journalism and freedom of expression, Maltese law provides the extent to which GDPR principles, data subject rights and controller and processor terms, inter alia, may be exempted from where the processing of personal data in relation to freedom of expression and information is concerned (Article 9 of CAP 586).

Privacy by design/default

Whilst Maltese data protection law does not provide detail in relation to privacy by design/default, such a stipulation emerges from a recent amendment to SL 586.10, relating to the processing of health data. Through the amendments (via Legal Notice 107 of 2020), the processing of health data for insurance purposes is now deemed to be in the public interest, with the additional requirement that such processing shall be subject to “suitable and specific measures designed to safeguard the fundamental rights and freedoms of data subjects” (regulation 4(2) of SL 586.10). This amounts to a requirement to incorporate privacy by design/default (“PbD”) into one specific processing scenario under Maltese law.

“Injury” or “harm” in terms of privacy law

Although there is no specific right or provision in relation to a claim of “injury” or “harm” in terms of privacy law under the Maltese legal system, the Maltese courts have occasionally been willing (eg, in relation to a claim under tort) to provide compensation for certain kinds of privacy violations.

However, CAP 586 recognises the right for data subjects, without prejudice to their remedies available with the IDPC, to institute a civil action in front of the Maltese civil courts for damages, including but not limited to moral damages as the court may determine, due to the data subject.

Whilst Maltese privacy and data protection law supplements the GDPR and the ePrivacy Directive in some areas, there are other areas where Maltese law has not gone further than the EU regime. These currently include:

  • requirements regarding the adoption of internal or external privacy policies;
  • the use of data pursuant to anonymisation, de-identification or pseudonymisation;
  • data subject access rights, such as erasure, correction, portability, objection to collection, use and transfer, beyond the scope of the balance with freedom of expression and statutory restrictions based upon general interests; and
  • restrictions/allowances regarding profiling, microtargeting, automated decision-making, online monitoring or tracking, big data analysis, AI and algorithms (ie, pertaining to explanations and logic vis-à-vis code).

The processing of personal data constituting special categories (ie, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data or biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning a natural person’s sex life or sexual orientation) shall not be permitted unless a specific ground provided for in the GDPR is satisfied. Special rules apply to the processing of criminal conviction data and of unique numbers that identify persons.

Subsidiary legislation introduced pursuant to CAP 586 (see Legislative framework above) in some instances provides additional detail and more specific obligations with respect to the processing of special category personal data.

Health Data

The controller must consult with the IDPC and the IDPC must consult with an ethics committee where the processing of health-related data is required on the basis of public interest. Maltese law also contains the following:

  • a limitation of the access right by a patient, as per the Health Act, Chapter 528 of the Laws of Malta; and
  • a stipulation in respect of the secondary processing of personal data and health records for research activities, as per the Processing of Personal Data (Secondary Processing) (Health Sector) Regulations (SL 528.10).

Employment Data

Maltese law and regulatory guidance provide the following notable instruments in relation to the protection of employees' privacy:

  • Telework National Standard Order (SL 452.104), concerning privacy and employee surveillance; and
  • the IDPC’s Guidelines on the data protection aspects related to the collection of employees’ COVID-19 vaccination status.

The Internet, Streaming and Video Domain

“Hate speech” is regulated as a criminal offence under Malta’s criminal law, arising from Articles 82A and 82C of the Criminal Code, Chapter 9 of the Laws of Malta.

Cookies

Maltese law does not specifically regulate Do Not Track signals or behavioural/targeted advertising, but it does regulate cookies, and the cookie rules may naturally be read as applying also to similar identifiers stored on or read from a user's device.

In this respect, it is noteworthy that, whilst the ePrivacy Directive as originally enacted in 2002 only required that the user be offered the “right to refuse” the placing of cookies or similar identifiers (in addition to being provided with information), the 2009 amendment to the Directive and Maltese law (SL 586.01) require the user's “consent”.

Data Retention for Law Enforcement Purposes

Before it was declared invalid by the Court of Justice of the European Union in 2014 (Digital Rights Ireland), the EU Data Retention Directive (Directive 2006/24/EC) mandated that certain personal data be retained by providers of public communications services or networks for a prescribed period of between six months and two years. The reason behind this was to facilitate law enforcement data requests, and to prevent and prosecute “serious crimes”.

The provisions of the EU Data Retention Directive transposed into Maltese law within SL 586.01 remain in force. Accordingly, under Regulation 21 of SL 586.01, a provider of public communications services or networks must retain data for the following periods:

  • communications data relating to internet access and internet e-mail for a period of six months from the date of communication; and
  • communications data concerning fixed network telephony, mobile telephony and internet telephony for a period of one year from the date of communication.

The applicable Maltese subsidiary legislation regarding online marketing (SL 586.01) is in line with the ePrivacy Directive.

In relation to workplace or employment law considerations, Maltese law does not provide any specific regulatory framework further to EU data protection law.

In this respect, therefore, from an employment relationship point of view, since there is a disparity in power dynamics between the employer and the employee, consent cannot be relied upon as a lawful basis for processing; contract performance is utilised instead.

The employer may also qualify the ground of legitimate interest within a contract of employment, in relation to certain matters. Nevertheless, as an EU member state, Malta is subject to EU jurisprudence and is a contracting party to the ECHR. In this respect, the 2017 judgment of the European Court of Human Rights in Bărbulescu v Romania, which related to the monitoring of an employee’s personal data, established that such monitoring of employees may be carried out in compliance with applicable legislation if it is done in a transparent manner as provided by law. Under Maltese employment law, it may be inferred that the employer has a legitimate reason to ascertain whether the agreed “hours of work” are duly undertaken. Accordingly, further to the above judgment, a degree of proportionality and due informed notice and explanation must be undertaken, with the adoption of the least intrusive monitoring and adequate safeguards and, last but not least, the qualification of legitimacy in justifying such monitoring.

Previous provisions addressing certain time/record-keeping matters in relation to employment-related data have now been repealed.

In Malta, the Whistleblower Act, Chapter 527 of the Laws of Malta, was enacted in 2013 with the intention to encourage employees to flag workplace malpractice or illegality encountered or observed. Data protection wrongdoing is included in such legislation, given the wide scope of “improper practice” defined therein. Therefore, employees may raise privacy and data protection infringements occurring within the organisation discreetly.

Legal standards further to EU law may be found in Article 15(2) of CAP 586, which states that “The Commissioner shall have the power to institute civil judicial proceedings in cases where the provisions of this Act or the Regulation have been or are about to be violated”.

A notable IDPC decision of 31 May 2023, bearing reference CDP/COMP/259/2022, concerned the arbitrary processing of data, including audio data, via a CCTV system within and around the proximity of a reception area, in relation to aggrieved workers. The subject matter notably concerned the monitoring of personnel during their work time against the raised issues of carrying out non-work-related activity during such time. The IDPC determined that such workplace monitoring breached the personnel’s privacy rights in terms of Article 5 of the GDPR and issued a fine of EUR5,000.

The EUR65,000 fine imposed on C-Planet in January 2022 remains the largest fine imposed by the IDPC, in the recent period.

The C-Planet case was undertaken as a collective claim – “class actions” do exist in the Maltese juridical system but they are limited to a small number of prescribed instances, regulated under the Collective Proceedings Act (introduced in 2012). Data protection claims do not currently fall under such statute. However, a collective claim is possible in respect of data protection matters in light of Maltese Civil Procedure, which has been termed by court jurisprudence as azzjoni kollettiva or a “cumulative action”. This was in fact the basis utilised for the collective claim of C-Planet in 2022; the case concerned the data leak of sensitive personal data pertaining to citizens’ political leanings and association, which, in the jurisdiction in question, is an immensely delicate issue. Please see 1.8 Significant Pending Changes, Hot Topics and Issues for more detail.

Besides any other statutory remedy available to the data subject, including notably the right to lodge a complaint with the IDPC, Maltese law also entitles an aggrieved data subject to institute an action for an effective judicial remedy against the controller or processor concerned, before the First Hall Civil Court, where the former believes that their rights under the GDPR or CAP 586 have been infringed (Article 30(1) of CAP 586).

Maltese law also provides that an aggrieved data subject may institute a claim for damages against a controller or processor before the First Hall Civil Court, where the processing of personal data was undertaken in contravention of the GDPR or CAP 586 (Article 30(2) of CAP 586).

The law also provides that either of the above actions is subject to a prescriptive period of 12 months, meaning that the action must be filed within 12 months from the date the data subject became aware, or ought reasonably to have become aware, of the activity (Article 30(4) of CAP 586).

Maltese law also provides that, when a court determines damages, it may award moral damages to the data subject concerned (Article 30(3) of CAP 586).

Privacy and Law Enforcement

In terms of rights and the extent of access available to law enforcement entities regarding data in the course of preventing or prosecuting crime, certain exemptions to privacy and data protection rights apply. Article 4.(b) of the Restriction of the Data Protection (Obligations And Rights) Regulations (SL 586.09) states that any restriction of the rights of data subjects under CAP 586 and the GDPR shall (only) apply where such restrictions are necessary “for the prevention, detection, investigation and prosecution of criminal offences, including measures to combat any money laundering activity, and the execution of criminal penalties”.

Whilst SL 586.08 provides for an aspect of overriding of certain data rights in pursuance of law enforcement purposes, the legislation nevertheless reiterates the data protection principles and pertinent provisions, and accordingly appears to maintain a high threshold in relation to such.

The subsidiary legislation provides that it shall be lawful for the competent authorities to process personal data for the purposes of law enforcement, and likewise enables the collection of personal data by technical surveillance or other automated means for such law enforcement purposes (provided that this is based on law), where “serious” crime or criminal offences are involved (Regulation 8, SL 586.08).

Maltese law further enables the obtainment of personal data by the Police, where it is required for the purpose of the investigation, detection or prosecution of “serious crime”, as per Regulation 19 et seq of SL 586.01.

Further to 2.2 Sectoral and Special Issues, SL 586.01 requires service providers of public communications services or networks to retain personal data for a period between six and 12 months, depending on the type of data involved. This emerged as a result of the now repealed Data Retention Directive, which also defined “serious crime” and qualified the threshold for processing by law enforcement.

Privacy and National Security

The primary law enabling government intelligence operations in Malta is the Security Services Act, Chapter 391 of the Laws of Malta. A notable concern is the ease of authorisation for accessing, listening, tapping into or intercepting communications in the interests of national security, explained further below.

In this respect, SL 586.01 on the Processing of Personal Data (Electronic Communications Sector) Regulations specifically lists “national security”, “defence” and “public security” as undertakings for which certain provisions in such law shall not be applicable – ie, confidentiality of communications, access to information stored in terminal equipment and privacy safeguards relating to traffic data, including in relation to location data.

Notably, persons within the judiciary have already flagged that a warrant under the Security Services Act is obtainable from the Minister concerned and not from the judicial organ, thereby rendering an authorisation not subject to the high assessment and due process of the judiciary vis-à-vis laws concerned before the granting of such warrant.

Whilst Malta is not a member of the OECD, it nonetheless follows the convention issued in terms of guidance, from a financial and economic point of view. That being said, whether Malta follows the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities cannot be confirmed.

Privacy and Cross-Border Crime Co-operation

As the mutual sharing of crime-related data across borders may naturally include personal data, it is pertinent to consider that multinational agreements between states, and the requirements thereunder obliging a state or organisation to share data, increase the risk of privacy infringement, even where such sharing is justified under the relevant framework.

Notable multinational agreements under which the sharing of potentially personal data from an intelligence perspective may occur include the governmental agreements between Malta and the USA, and between Malta and Saudi Arabia.

Key Privacy Concerns Regarding Crime

In a nutshell, the key privacy-related issues in connection with government access are:

  • the relatively low threshold for law enforcement to legally qualify the processing of data for the purposes of the prevention, detection, investigation and prosecution of criminal offences; and
  • the fact that a warrant for tapping or intercepting communications in the interests of national security may be obtained from the minister concerned, and not through the judicial system.

Further to EU data protection law, personal data that is attributable to a person within the EU or that is processed within the EU may be transferred freely within the EU territory. Transfers may also be made to third countries and international organisations if the processing to occur within such countries or organisations is able to comply with the GDPR’s requirements, ensuring adequate safeguards in terms of Chapter 5 of the GDPR.

Furthermore, “appropriate safeguards” may be met by virtue of a number of legitimising instruments, as delineated in the GDPR – notably, a Commission adequacy decision, standard contractual clauses (SCCs), binding corporate rules (BCRs) or other legally binding instruments (Article 46 of the GDPR).

Multilateral agreements in place by virtue of the EU may be applicable for the benefit of Malta, and therefore may facilitate cross-border transfers of data to third countries in satisfying the GDPR’s appropriate safeguards element.

In this respect, the EU-US adequacy decision issued in July 2023 effectively fills the gap left by the EU-US Privacy Shield that was invalidated by the Court of Justice of the EU (CJEU) in 2016, and hence facilitates the unhindered flow of data across the Atlantic.

In the EU data protection law sphere, notifications to one’s authority are not currently required in terms of third-country transfers. Appropriate safeguards in terms of the GDPR must be in place vis-à-vis the recipient third country where no adequacy decision for such exists.

In terms of Maltese company law, certain prescribed company-related records must be kept at the company’s registered office in Malta. However, this pertains to the originals in question, so such data may be transferred overseas insofar as the transfer complies with the applicable legislation – for instance, being done in accordance with the appropriate safeguards legitimising transfers to third countries – and does not breach any other law or legal agreement, such as client privilege or a non-disclosure or confidentiality agreement, with the original copy remaining at the registered office.

There is currently no legal obligation to share software code, algorithms, encryptions or similar technical details with the government in Malta.

Data Processing Further to Local and Foreign Court Orders

Where a controller who is subject to the GDPR and Maltese law is ordered by a court to provide data that qualifies as personal data under Maltese law, this would fall under the GDPR provision of processing personal data in compliance with a legal obligation (Article 6.(1)(c) of the GDPR).

Nevertheless, one must first assess the applicable professional confidentiality obligations, such as client privilege and to what extent there may be a justifiable ground to counter such request. Subsequently, one would need to address any lack of appropriate safeguards if the transfer is to a foreign court in a third country, as this would be contrary to the GDPR.

As a member state of the EU, Malta is subject to Council Regulation 2271/96 of 22 November 1996, which protects against the effects of the potential extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom. This consequently protects EU operators from the reach of a third country’s extraterritorial jurisdiction, which may possibly jeopardise EU data subjects’ privacy rights, in light of the third country's differing standard of data protection to the GDPR.

Emerging Digital and Technology Issues

Biometric data

The Identity Card and other Identity Documents Act, Chapter 258 of the Laws of Malta, states that any biometric data captured may only be used as a means through which to identify a person during a transaction in which that person is engaged, and that the use of such identity verification requires the consent of the holder. Moreover, the use of such biometric data for any other purpose, including criminal investigation, is prohibited and shall constitute a breach of the Data Protection Act (Article 5.(4) CAP 258).

Drones

Malta has recently adopted the first domestic Civil Aviation National Policy, which is geared to plan for what may be termed a future air corridor between Malta and its sister island Gozo, whilst concurrently ensuring data protection and privacy safeguards. The policy, in conjunction with the European Aviation Safety Agency’s guidelines crystallised via Commission Delegated Regulation (EU) 2019/945, provides for the deployment and commercial use of drones whilst ensuring privacy from the start – effectively privacy by design.

Facial recognition

A facial recognition project in Malta has been abandoned, presumably in light of the European Parliament’s vote to have a prohibition on live facial recognition in public spaces. With the recent guidelines from the EDPB, the EU position is rectified and clarified.

Big data analytics

Previously, big data analytics struggled to reconcile with the EU data protection law framework, due to the fact that big data analytics is in and of itself contrary to the majority of the principles of the GDPR. Nevertheless, whereas previously the pursued GDPR avenue was the compatible use of the purpose limitation principle so as to legitimately repurpose the data processing in light of “statistical purposes”, the introduction of the Data Act intends to better reconcile the ambits of the harvesting of big data with commercial and public interests, whilst duly ensuring the privacy and data protection concerns and hence maintaining a congruent interplay between such and the GDPR. No specific Maltese law addition to the GDPR exists.

Automated decision-making (ADM)

As Maltese law does not specify in addition to EU law, the pertinent legislative framework would be Article 22 of the GDPR. However, with the problematic trajectory of smart meter automated billing that has been prevalent in Malta, a domestic legal framework is also necessary.

Where an ADM process is qualified, the data subject has the right to an explanation of the result of the algorithm/processes concerned. Accordingly, data protection concerns are raised where the national entity for the processing of automated smart meter billing for energy and water consumption (the Automated Revenue Management Services Ltd – ARMS) does not acknowledge that ADM is occurring: “Your personal data will not be used for any decision solely taken on the basis of automated decision-making processes, including profiling.” This is wrong; such ADM does occur, but it is excepted under the applicable GDPR lawful bases. Accordingly, whilst EU energy law should be sufficient, domestic regulatory intervention under energy law should be undertaken to rectify ARMS’ privacy notice position with the general public to reflect that ADM is in fact occurring, and to instate the explicit data subject right to request an explanation thereof, in relation to an unmerited high consumption bill, for instance.

Apart from ensuring the correct classification of “gig” workers as employed rather than self-employed, the proposed Platform Work Directive also aims to ensure that ADM is not used by the platforms gig workers utilise for work, to their prejudice – for instance to prohibit terminations and suspensions of accounts without human oversight.

Profiling

Within a Malta context, a noteworthy point regarding the provision not to be subject to ADM, including profiling, emerges in relation to Regulation 11 of SL 586.08, which entails that law enforcement may not undertake ADM that produces legal or similarly significant effects for the purposes of preventing, investigating, detecting or prosecuting a criminal offence, unless the applicable lawful basis is duly qualified.

However, this is in stark contrast to what occurs in practice by local law enforcement, in the context of areas in Malta that are typically home to a number of third-country nationals, who may be unjustly profiled as illegal immigrants because of their residence locality. From a legal perspective, the pertinent element to qualify such profiling for law enforcement personnel would be “…unless authorised by a law to which the controller is subject…”.

Whilst immigration and police law may authorise the “stop and search” of individuals suspected of committing an illegality, this must be based on reasonable suspicion. In practice, this is not generally the case since the use of profiling is typically suspected.

AI

There is currently no Maltese law that defines “artificial intelligence” but, as Malta is an EU member state, the anticipated and proposed EU AI Act will cover this domain.

It is, however, pertinent to note that the MDIA issued the following whitepaper consultations in respect of AI in 2019:

  • Malta: Towards an AI Strategy – High-level policy document for public consultation;
  • Malta: The Ultimate AI Launchpad – A Strategy and Vision for Artificial Intelligence in Malta 2023; and
  • Malta: Towards Trustworthy AI – Malta’s Ethical AI Framework.

IoT

There is no Maltese law specifically regulating IoT. The concept previously fell into the same legal difficulties as big data in terms of data repurposing, but the forthcoming Data Act is anticipated to reconcile certain matters concerning the IoT in the same way as it intends to better reconcile the closely linked big data industry.

Geolocation data

Whilst Maltese law provides for the standards of data protection by design in respect of geolocation (ie, general anonymisation is one of the main options for the legitimacy of processing, under SL 586.01, Regulation 7), the national secret service may be understood to have lower thresholds in terms of qualifying and legitimising processing in furtherance of such geolocation data for the above reasons.

Disinformation

In Malta, disinformation is regulated in a narrow sense by Article 82 of the Criminal Code, which criminalises the “spreading of false news”, and more widely by the Media and Defamation Act, Chapter 579 of the Laws of Malta.

For a more comprehensive regime, disinformation is regulated under the EU domain of online intermediary liability, which covers intermediaries’ duties as online gatekeepers against disinformation and misinformation emerging from the EU E-Commerce Directive. Whilst the latter placed high responsibility on online intermediaries as effective arbiters of disinformation versus freedom of expression, the forthcoming EU Digital Services Act is a long-awaited enactment in the areas of online intermediary liability and hence disinformation, by virtue of the “good Samaritan clause” to be included therein.

Deepfakes are still not specifically provided for in domestic law.

Dark patterns

Dark patterns are currently not provided for in Maltese law, but the introduction of the EU Data Act and Digital Services Act is intended to address and prohibit these accordingly.

Fiduciary duty

Under Maltese law, most regulated professions are bound by their own framework of client or patient confidentiality, thereby reducing the risk of such information being unethically utilised in privacy terms in a professional context.

In addition to the IDPC, which must keep abreast of technological advancements, the Malta Digital Innovation Authority (MDIA) is a pertinent body tasked with assisting competent data protection authorities to safeguard data protection rights, in the context of innovative technologies, although it was not primarily set up to oversee privacy and data protection compliance. In this respect, the MDIA is entrusted with the “Strategy and Vision for Artificial Intelligence in Malta 2030”.

There is nothing stopping AI from featuring as an innovative technology arrangement/service under the Innovative Technology Arrangements and Services Act (ITAS), Chapter 592 of the Laws of Malta, and thereby falling under the regime in the First Schedule thereof.

Please see 1.8 Significant Pending Changes, Hot Topics and Issues and 2.5 Enforcement and Litigation regarding significant privacy and data protection regulatory enforcement or litigation.

Due Diligence in Corporate Acquisitions

Malta does not have specific laws in relation to data protection in due diligence exercises, but it is subject to the GDPR, which stipulates indirect obligations in this respect.

In corporate and M&A transactions, the acquiring entity is typically interested in carrying out a due diligence exercise to understand the entity with which they are planning to do business (ie, whether it is and has been compliant with laws such as data protection) and to understand the inherent risk of the seller’s data assets. Whilst this may be desirable for an acquiring entity before it inherits unlawfully obtained or processed data, Article 28(1) of the GDPR mandates an obligation for controllers to ensure that the processors being engaged provide sufficient guarantees that their processing meets the GDPR standards and requirements, in addition to guaranteeing the protection of data subjects’ rights.

Typical issues encountered include the absence of written policies governing data protection and non-reported data breaches.

Parties may opt to enter into an indemnification agreement whereby the vendor would need to reimburse the fine(s) suffered by the purchaser for data protection non-compliance following acquisition. However, this does not account for an increase in insurance premiums in cases where the data protection due diligence reveals existing insufficiencies and a high risk of fines.

Malta gaming licence requirements include the provision of proof of compliance with data protection security measures and prescribed standards to the Malta Gaming Authority (MGA).

The Malta Financial Services Authority (MFSA) also requires the disclosure of data protection security measures, in terms of a banking licence application, whereby the applicant would need to provide details in relation to their security policies (the Banking Rule BR/01).

Moreover, the MFSA has also established the Supervisory ICT Risk and Cybersecurity (SIRC) function, which is responsible for monitoring the data security risk profile of licence holders, including investment and financial services licence holders. In this respect, the SIRC function is responsible for carrying out onsite inspections, whereby the licence holders are obliged to disclose information related to their security risk profile. Licence holders are also expected to report data and ICT-related incidents to the MFSA, without prejudice to other applicable obligations they may have, such as data breach notification.

Convergence of Data Regulation and E-Commerce Law

Under EU law, with the introduction of the Digital Markets Act, the Digital Services Act, the Data Act and, to an extent, the Data Governance Act, one can note that such regimes converge in the areas of data and digital regulation with e-commerce and competition law. These legal regimes are intended to better reconcile the various competing interests, such as between privacy and the advancement of commerce and the economy.

Legal discussion and provisions are still required in relation to the substantive regulation of autonomous facilitating solutions, such as autonomous land vehicles. This is in terms of utilising “code as law” as a starting point for privacy by design and safeguarding privacy, in light of the various data privacy concerns in an IoT-connected future that is expected to include autonomous vehicles.

Fenech & Fenech Advocates

198, Old Bakery St
Valletta
VLT1455
Malta

+356 2124 1232

info@fenechlaw.com www.fenechlaw.com

Trends and Developments


Data Protection Authority Decisions in Malta

Over the past few years, there has been an increase in the number of enforcements and decisions passed by the national data protection supervisory authority, the Information and Data Protection Commissioner (IDPC or “Commissioner”), in connection with infringements of data protection law. The number of decisions issued in 2023 alone reflects an exponential trajectory for enforcement measures by the IDPC. 2024 also saw the first decision that was instituted ex officio rather than by virtue of a public complaint – ie, by the IDPC’s own volition and within its regulatory scope.

The majority of the decisions published relate mainly to an infringement of the data subjects’ rights to their personal data in terms of Article 15 – as well as Articles 16 and 17 – of the EU General Data Protection Regulation (GDPR), and to the unlawful processing of personal data pursuant to Article 6 of the GDPR.

Unlawful processing

In terms of infringements determined on the basis of the unlawful processing of personal data (Article 6(1) of the GDPR), a good number of cases concern infringements relating to CCTV surveillance systems. In the majority of cases, the claims brought involved complaints made by data subjects that a CCTV installation – although purportedly set up to protect and safeguard a tenant’s safety by capturing footage in the immediate vicinity of their home, and for such legitimate purposes – was found not to constitute lawful processing under the GDPR, and therefore represented a breach thereof.

In the majority of circumstances, the main arguments brought by the defendants entailed that any such CCTV processing was exempt in terms of the household exemption under the GDPR, meaning that it could not be considered to be possibly contrary to the GDPR's lawful processing principles. Typical grounds are that the GDPR household exemption should apply in that it was installed for the property’s protection and safety. A number of cases sought to justify this in reference to earlier vandalism or altercations outside the defendant’s property.

In the large majority of cases, when analysing the respective CCTV processing, the IDPC determined that the household exemption did not apply, with the main underlying reason being that the image grab from the CCTV processing in question captured not only the property’s private view, but also an area of public space. This emerged from the IDPC’s reference to the CJEU’s jurisprudence in the Rynes judgment (Case C-212/13), whereby, if the CCTV in question “covers, even partially, a public space and is accordingly directed outwards from the private setting of the person processing the data in that manner, it cannot be regarded as an activity which is a purely ‘personal or household’ activity”.

Accordingly, in these cases of the inapplicable household exemption, the IDPC proceeded to examine whether such CCTV processing was therefore qualified under a lawful legal basis as prescribed under Article 6 of the GDPR. Consequently, in the cases brought before it concerning unfounded CCTV processing, the IDPC determined that no such lawful basis was qualified and that accordingly such processing was in contravention of the GDPR. One may also infer that the controllers’ legal arguments in justifying their processing were not considered legally valid – effectively, any such arguments could in no way be considered as further to a legitimate interest to protect their or their property’s integrity, even in cases where prior acts of vandalism were subject to a judicial decision.

In this respect, the primary evaluative and balancing unit of measure used by the IDPC in the majority of cases was that the installation of a CCTV device that captured a public space may be deemed to be lawful if, “…in very exceptional cases, the controller manages to concretely prove that there is a compelling legitimate interest to conduct this processing operation” (IDPC complaint CDP/COMP/783/2023) or where there is a legislative provision that permits such processing activity and that is prescribed for a specified purpose (IDPC complaint CDP/COMP/884/2023). However, the IDPC added that, in either case, the controller should confine monitoring strictly to the immediate surroundings of the tenement and not excessively monitor a public area, and that processing should be subject to the necessary and appropriate safeguards to protect the rights and freedoms of the data subjects, respectively.

In its examination of a controller’s defence where they claimed they had a lawful ground for CCTV processing by way of legitimate interest based on the claim of prior vandalism acts, the IDPC stated that in cases where real and dangerous situations and situations of difficulty are present (such as damages or past serious incidents), a lawful basis of legitimate interest may ensue. However, when assessing the police report with regard to the alleged vandalism act, the IDPC did not consider it to be sufficient to limit the right to protection of personal data pertaining to the complainant and other data subjects (IDPC complaint CDP/COMP/473/2023). It is yet to be seen, from an IDPC point of view, what threshold of surrounding danger or previous acts of difficulty would legally justify the ground of legitimate interest.

In a separate case concerning CCTV processing, it was even found that the processing of CCTV covering a wide public area was unlawful in terms of the GDPR, even insofar as it was undertaken in light of a cat-killing spree in the area. The IDPC determined that, whilst a genuine cause, the extent and scope of the processing of data in a public area was disproportionate to the purpose for which it was set up, albeit noble.

It should be clear that the IDPC is taking a strict stance on the tenets of lawfulness of processing under Article 6 of the GDPR vis-à-vis third parties. An arbitrary installation of CCTV, even where the controller asserts seemingly valid personal reasons or an interest in the greater good, will not be allowed to proceed unobstructed or qualify as a legitimate interest without due assessment. In the majority of these cases, the IDPC’s corrective remedy has been a reprimand and an order to recalibrate the CCTV concerned so as to restrict the scope of the image capture and incorporate technical functionalities that mask out any public areas within the overall image capture.

Data subjects’ rights

Right of access

Over recent months, a number of claims and complaints have been lodged with the IDPC concerning the infringement of data subject rights requests. The vast majority of these have centred on the right of access to personal data under Article 15 of the GDPR. Claims concerning the enforcement of data subject rights have also included a claim concerning refusal of the right to erasure, which encapsulates the precursor “right to be forgotten”, under Article 17 of the GDPR, as well as a claim concerning non-compliance with the right to rectification under Article 16 of the GDPR.

The majority of right of access requests can primarily be narrowed down to requests by affected data subjects against two distinct entities, with requests against each entity being similar in nature overall.

It appears that a group of affected parties and data subjects, albeit appearing individually, had requested a right of access to information concerning client transaction lists and contractual relationships, information on money won or lost by them, and the extent of any winnings or losses due to sports betting and online gaming.

The right of access request was refused on the basis of a restriction justification. The controller’s main legal justification appears to have been centred on the basis of avoiding duplicate legal claims being brought against it, especially in a cross-border scenario involving more than one member state.

The IDPC found that a data subject’s right of access request cannot be restricted under data protection legislation on the basis that the controller suspects that the requested data could be used by the data subject to defend themselves in court in the event of a “commercial dispute with the controller”; hence, no legal basis for such a restriction was pertinent, including the one purported by the controller in terms of Regulation 4(e) of SL 586.09. Moreover, the IDPC made reference to CJEU case C-73/07, stating that any such restriction of a data subject right request applies “only insofar as is strictly necessary”.

The IDPC therefore decided in such cases that there was no overriding necessity to restrict the data, and accordingly ordered the controller to accede to the complainants’ requests within a specific deadline.

Right of erasure

In IDPC case CDP/COMP/84/2023, a claim was brought by an individual who had requested the complete erasure of his personal data with an insurance entity following its failure to provide him with a quote concerning motor vehicle insurance, as requested. The controller had refused to erase the data subject’s data, even though a quote had not actually been supplied to the data subject, on the basis that the retention of such data was still required for compliance with a law relating to insurance services.

The IDPC found that there was in fact no specific law mandating that data in such circumstances still needed to be kept, including in the context of the controller’s argument that retention was required to protect its interests against potential insurance fraud.

The IDPC therefore concluded that, since there was no such legitimate basis on which to keep the data further, the exemption under Article 17(3) of the GDPR against a request for erasure of data was unfounded, and the controller was ordered to erase the data within a specified period of time.

Right of rectification

An individual requested that her personal records be rectified to indicate the correct state of information pertaining to her and her relevant marital status under law. The individual requested certain modifications, such as correcting details surrounding her prior marriage, whereby different details had been provided at the time of applying in terms of international protection, representing a justifiable reason for the data not being provided correctly in the first place. In view of the specific circumstances of the case before it, the IDPC ordered the controller to adhere to the complainant’s request for rectification within its records, within a specified period of time (IDPC complaint CDP/COMP/583/2022).

In terms of trend and developments concerning claims pursuant to data subject rights, one can note a change in the public’s attitudes towards the perception and value of personal data, and a growing interest to invoke rights to limit the processing thereof in terms of applicable law. The stark increase in data protection complaints brought and heard in comparison to earlier years indicates that data subjects have a greater interest in safeguarding their rights.

Legislative developments

The recent introduction of the Enforcement of the Rights of Data Subjects in relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations (Subsidiary Legislation 586.12) has not only patched a possible legal loophole, but has also given data subjects a wide scope of rights.

The purpose and scope of the subsidiary legislation is primarily to crystallise data subjects’ rights in the case of an involuntary transfer of their personal data to non-EU third countries by a controller who may have originally obtained such data lawfully, and in cases where data subjects are mere third parties – on the basis of invoked appropriate safeguards. The law specifies that it applies to cases where the parties agree to transfer the data on the basis of either Standard Contractual Clauses (SCCs) or other prescribed equivalent appropriate safeguards under the GDPR, which may include Binding Corporate Rules (BCRs).

The law is therefore affording rights to a party separate to the contract, as a third party thereto. This is pertinent because, as a general principle of Maltese law, a contract is deemed to be “inter partes” (ie, limited strictly between the contracting parties) – in this case excluding the data subject – and is therefore not considered to afford rights to such third parties. This acts to render this subsidiary legislation an exception to the Maltese legal system’s general principle – albeit a most agreeable derogation in the interests of the data subject’s invaluable rights to privacy and data protection.

What is most interesting, from a contract law point of view, is how the law achieves this protective mechanism. Regulation 4(2) of SL 586.12, in its current iteration, may be read as stating that, by operation of law, data subjects are to be considered as if they were a party to the contract between the two entities managing a cross-border transfer of data, even though they were not a party to such contract. This legal approach, which may be understood as a “legal fiction”, essentially transports the civil law constructs of the law of obligations and contract – an area generally associated with performance-related contracts – into a technological area not normally associated therewith.

IDPC Online Self-Assessment Compliance tool

As part of its commitment to helping small and medium-sized enterprises (SMEs) comply with applicable data protection laws, the IDPC recently launched the “Online Self-Assessment Compliance tool”. The tool is an initiative for SMEs financed in part by EU funds and in part by national funds.

It has been described as a user-friendly tool enabling SMEs that may not be familiar with data protection law to assess their risk profile in terms of the GDPR and compliance therewith. The tool not only assesses risk based on the input and answers provided by the users, but also generates feedback and recommendations on what may be done to improve their data protection compliance, by identifying GDPR compliance shortcomings.

In addition to the feedback generated by the tool, users may find at their disposal a valuable repertoire of salient documents and templates of policies pertinent to data protection measures, which may be adapted and utilised by entities in their own organisations.

The IDPC’s assessment tool, and with it the templates library, is accessible at www.idpc-compliance-tool.org.mt. However, the tool comes with a notable disclaimer, which states that the recommendations given via the tool are only meant to provide generic guidance and are not to be construed as official advice from the IDPC. It adds that the implementation of recommendations and risk-mitigating measures proposed by the tool shall not affect the IDPC's powers to investigate violations under the GDPR and to consequently take legal action.

The tool therefore exists to provide guidance, to inform, and to improve awareness of data protection issues linked with a process or project, whether now or in the future. Accordingly, this is intended to help with the design of projects and processes, and to bolster communication of data privacy risk with concerned stakeholders. The tool is therefore a starting step in assessing the risk associated with processing and GDPR compliance, and should not be construed as conducting a Data Protection Impact Assessment (DPIA) in terms of the GDPR.

Illegal processing of electoral data and voter preferences

The Civil Courts of Malta are currently hearing a collective action (similar in scope to a class action) regarding the illegal processing of personal data (including voter preferences). The case was instituted after a Maltese service provider (C-Planet) that provided technology services to a number of entities in Malta suffered a massive data breach. The impacted data, released on the internet, included a database containing the details of all Maltese citizens who are eligible to vote as well as their voting preferences, thereby including special category data.

When called to testify by the plaintiffs, the Malta Electoral Commission confirmed that part of this database comprised the electoral register. However, the affected database also contained various other data fields, such as telephone numbers, but also voting preferences, which are not typically part of the electoral database. It appears therefore that there has been an amalgamation of various data sources.

Whilst the case is still ongoing, there have been several local reports that this database has been in use extensively by the Labour party (currently the party in government) to award government jobs and to check the political orientation of prospective government employees.

The case has been instituted by more than 500 Maltese citizens, who are being assisted by the NGOs Daphne Caruana Galizia Foundation and Republika. The current civil case is seeking damages against the service provider that suffered the data breach and also against the third parties who actually created the database itself.

Through its investigations and eventual decision, the IDPC has already found the service provider to be in breach of the GDPR and imposed a fine of EUR65,000. The civil case is ongoing.

Concluding remarks

The recent trends in the Maltese legal system indicate that not only is there increased focus on data protection by public authorities, as evidenced by the increase in decisions and enforcements, as well as the introduction of legislation further to data subject rights, but there is also increased recognition by data subjects of the value of their personal data, as evidenced by the increased invoking of their rights via complaints with the IDPC. This is a welcome trend as it indicates that the underlying objective behind data protection legislation is being met.

Fenech & Fenech Advocates

198, Old Bakery St
Valletta
VLT1455
Malta

+356 2124 1232

info@fenechlaw.com
www.fenechlaw.com