TMT 2026

Last Updated February 19, 2026

Malta

Law and Practice

Authors



GVZH Advocates is a prominent Maltese law firm with a team of over 30 lawyers and legal professionals. Headquartered in Valletta, Malta, the firm operates within a wider international network, providing expert legal services across various jurisdictions. GVZH is renowned for its expertise in the gaming industry, advising clients on regulatory compliance, licensing and legal matters with the Malta Gaming Authority (MGA). The firm regularly assists clients with compliance notifications, submission of legal opinions on regulatory challenges, and in navigating complex regulatory landscapes within the gaming industry. In addition to its gaming practice, GVZH offers legal services in corporate law, intellectual property, data protection and fintech, supporting sectors that intersect with gaming.

On 23 November 2022, Malta published its national strategy for 2022–2027 (dubbed “Digital Malta”) with the aim of positioning Malta as a leader in digital transformation, built around a vision of establishing digital as the key driving force for transformation. The national strategy underpins various sectoral digital policies currently in place in Malta, including Digital Innovation, eCommerce and Cyber Security. According to the European Commission’s Digital Economy and Society Index (DESI) report 2025, Malta ranks seventh out of 27 EU member states for fixed broadband subscriptions with at least 1 Gbps download speeds. Malta is also one of the best-connected countries in the world, with 100% 5G coverage and 100% Fixed Very High-Capacity Network coverage. The DESI report describes Malta as having “a strong position when it comes to digital infrastructure, outperforming the EU average” and in particular as “a top performer in the digitalization of public services”. Malta also records good scores on human capital, especially because of the high number of ICT graduates (5.8% of graduates in Malta, versus 4.5% in the EU). The large majority (76.49% versus 57.9% in the EU) of SMEs in Malta have at least a basic level of digital intensity and perform particularly well in the use of technologies such as data analytics and cloud solutions, which are used by 34.6% and 57.56% of enterprises in the country respectively. Malta has also focused on technologies such as blockchain and artificial intelligence. An improvement in the uptake of e-government services was also reported, with the share of e-government users reaching 88.00% versus 75.01% in the EU in 2024.

The authors do not identify any key legal challenges over and above those discussed in this chapter.

Income Tax Treatment

There is no specific tax regime applicable to digital services in Malta. Accordingly, any profits arising from the provision of digital services by a business are subject to the standard corporate income tax rate of 35%.

VAT Treatment

Malta follows the EU’s VAT framework. In principle, companies supplying digital services (eg, website development, web hosting, etc) are required to account for VAT on their supplies. The general VAT rule is that business-to-business (B2B) supplies within the EU, including digital services, are taxed in the customer’s jurisdiction. VAT is typically accounted for by the business customer under the reverse-charge mechanism, in accordance with the VAT rules applicable in that jurisdiction.

Domestic B2B supplies are subject to the Maltese standard VAT rate of 18%. These rules apply to most B2B digital services, including the provision of Software as a Service (SaaS). In specific cases, a reduced domestic VAT rate of 5% may apply to certain supplies made to Maltese consumers, such as specific medical accessories and publications.

Moreover, the provision of business-to-consumer (B2C) supplies is generally subject to VAT in the country where the supplier is established. However, it is to be noted that B2C electronically supplied services (ESS) are subject to VAT in the customer’s jurisdiction and not the seller’s jurisdiction. The provision of telecommunications, broadcasting and electronic B2C services would also be subject to the same VAT treatment.

Challenges Companies Face in Managing Tax Compliance in Malta

Malta follows EU VAT rules, requiring digital service providers to charge VAT based on the customer’s location rather than the seller’s. This means companies must determine whether they need to register for VAT in multiple EU states or use the One-Stop Shop (OSS) system for simplified reporting.

VAT returns must be filed quarterly, while large taxpayers may be required to file monthly. Companies must also submit Intrastat declarations for EU trade and EC Sales Lists for cross-border digital services.

Foreign companies operating in Malta via remote services, cloud computing, or AI-driven platforms may trigger Permanent Establishment (PE) status, requiring them to register for corporate tax even if they do not have a physical office.

Income Tax Treatment

The income tax treatment outlined in 1.3 Digital Economy Taxation also applies to digital advertising services. Accordingly, revenues derived from digital advertising activities are subject to the standard Maltese corporate income tax rate of 35%, including income generated through online platforms and social media.

VAT Treatment

Local B2B digital advertising services supplied in Malta are generally subject to an 18% VAT rate. For cross-border B2B transactions, the reverse-charge mechanism typically applies, whereby the VAT liability is shifted to the recipient of the services. Meanwhile, the provision of B2C digital advertising services would be subject to the VAT rate in the supplier’s country.

Challenges Companies Face in Managing Compliance in Malta

Income tax compliance

Companies in Malta are required to prepare and file an annual corporate income tax return, settle any tax due, and submit audited financial statements in accordance with local accounting standards.

Given the typically cross-border nature of digital services, income derived from such activities may give rise to double taxation considerations. For example, foreign companies providing remote services, cloud computing, or AI-driven platforms through a fixed place of business in Malta may trigger PE status.

While the determination of a fixed place of business is fact-specific and multi-faceted, the location and functional use of servers may constitute an important factor in assessing the existence of a PE. Companies found to have a PE in Malta would be required to register for corporate income tax purposes accordingly.

VAT compliance

In principle, VAT returns must be filed on a quarterly basis, although large taxpayers may be required to file monthly returns. Companies may also be required to submit Intrastat declarations for EU trade and EC Sales Lists for cross-border supplies.

Digital service providers carrying out cross-border B2C supplies are required to charge VAT based on the consumer’s location (provided these supplies qualify as ESS). As a result, companies must assess whether they are required to register for VAT in multiple EU member states or may instead use the OSS system for simplified reporting.

To ensure compliance with Maltese tax legislation applicable to digital advertising, companies are advised to adopt industry best practices, including accurate record-keeping, timely VAT registration, and the use of professional tax advisory services.

In Malta, consumer protection for digital goods and services within the TMT sector is primarily governed by the Consumer Affairs Act (Chapter 378 of the Laws of Malta). This legislation addresses unfair commercial practices, misleading advertising, and ensures consumers’ rights are upheld in digital transactions. Additionally, the Data Protection Act (Chapter 586), which implements the EU’s General Data Protection Regulation (GDPR), safeguards consumers’ personal data during digital interactions. The Electronic Commerce (General) Regulations also play a role by outlining requirements for information provision and transparency in online services. Furthermore, providers of publicly available electronic communications networks and services are required to adhere to a comprehensive set of consumer protection measures which arise from EU and national laws, and from decisions adopted by the MCA. These are derived from the Consumer Rights Regulations (S.L. 378.18) and the Electronic Communications Networks and Services (General) Regulations (S.L. 399.48).

To uphold consumer rights in the digital economy, companies should ensure transparency, protect personal data and provide easy access to a customer support line. Specifically, within the telecoms space, operators are required to adopt transparency measures, adequate after-sales services, quality of service delivery, accuracy and easily understandable bills.

The resolution of consumer complaints in Malta’s digital economy is guided by frameworks established under the Consumer Affairs Act. The Malta Competition and Consumer Affairs Authority (MCCAA) oversees consumer protection and provides mechanisms for dispute resolution. Consumers can file complaints with the MCCAA, which may mediate between the parties or refer cases to the Consumer Claims Tribunal for claims up to EUR10,000.

Legal Challenges and Opportunities

The introduction of the Markets in Crypto-Assets Act (MiCA) in Malta has significantly impacted the regulatory landscape for crypto businesses, bringing both challenges and opportunities. One major challenge is regulatory compliance, as businesses must now obtain Malta Financial Services Authority (MFSA) licensing under MiCA. This means that crypto exchanges, wallet providers, and issuers must meet strict operational, transparency and governance requirements. Additionally, anti-money laundering (AML) obligations have intensified, requiring enhanced due diligence, transaction monitoring and suspicious activity reporting under the Financial Intelligence Analysis Unit (FIAU) regulations.

Despite these challenges, Malta remains an attractive destination for crypto and blockchain businesses. The clear regulatory framework offers legal certainty for companies seeking a stable environment to develop crypto trading, tokenisation and decentralised applications. Moreover, Malta’s proactive approach to crypto regulation and AI integration positions it as a global leader in digital innovation, fostering economic growth and attracting foreign investment in blockchain-based solutions.

Regulation of Blockchain and Cryptocurrency in Malta

Malta has established a comprehensive legal framework to regulate blockchain and cryptocurrency, ensuring market integrity, investor protection and compliance with EU standards. MiCA fully transposes the EU’s MiCA Regulation, requiring crypto-asset service providers (CASPs), including exchanges, wallet providers and token issuers, to obtain MFSA licensing. Additionally, the Malta Digital Innovation Authority (MDIA) oversees blockchain technology providers, ensuring security, ethical AI integration and certification of technology arrangements. The FIAU enforces AML and counter-financing of terrorism regulations, requiring crypto businesses to implement due diligence, transaction monitoring and fraud detection mechanisms.

Cloud computing is not regulated in Malta through a single “Cloud Act”; however, a layered regulatory framework applies covering data protection, network security, and operational and financial resilience. It cuts across many industries, especially the banking and gaming sectors.

These sectors are discussed below.

Financial Services

The financial services sector is broad, with different sub-sectors such as banking, insurance and investment services, all of which are subject to broadly similar rules in relation to the outsourcing of a material service or activity. Such rules are issued by the MFSA, the competent authority regulating all matters relating to banking and finance in Malta. Generally, the use of a cloud service would be considered material, and notification must be given to the MFSA prior to engaging in the use of that service. A risk assessment of the arrangement, as well as the necessary due diligence, would normally also be required to ensure that the service provider is suitable. The MFSA has also released the “Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements”, which applies more generally to the financial services sector as a whole. These guidelines take cloud computing into account and provide a practical framework for licence holders, with requirements for the different cloud computing service models – such as software as a service (SaaS) or platform as a service (PaaS) – requiring communication and information systems to protect the data they handle in transit and at rest; this data must only be accessible to authorised parties as and when needed. It is also worth noting that the MFSA places significant importance on ensuring that data stored in cloud environments is adequately secured against cyber threats, and that third-party providers undergo continuous monitoring and periodic audits to verify compliance with these standards.

The guidelines further provide that confidentiality, integrity, availability, authentication and non-repudiation should form the five pillars in the design of any technology arrangement implemented by a licensed institution. Additionally, institutions are expected to maintain a robust incident response plan that includes notification to the MFSA within specified timeframes if a breach or data loss occurs in the cloud environment. Cloud computing systems must also take into consideration ISACA’s Guiding Principles for Cloud Computing Adoption and Use.

Gaming Law

The use by a Malta-licensed gaming provider of managed information technology services is regulated in accordance with the Gaming Authorisations Regulations (Chapter 583.05, Laws of Malta) as well as the “Policy on Outsourcing by Authorised Persons”, issued by the Malta Gaming Authority (MGA), the authority which regulates the gaming sector in Malta. These legal instruments state that cloud computing services would be considered a material gaming supply, which carries a number of risks to the operation of a Malta-based gaming licensee. Thus, the MGA recommends that such service providers be assessed and approved by it as part of the pre-licensing assessment or at the post-licensing stage. Where the licensee receives material gaming supplies from a third party not approved by the MGA, the licensee must assume full regulatory responsibility for such supplies. A licensee must also have a regularly updated outsourcing policy and a written agreement with the service provider containing a number of required provisions. The agreement must specifically include clauses addressing data confidentiality, subcontracting limitations, and the right of the MGA to audit or access data stored within the cloud infrastructure. Non-compliance with these requirements can result in penalties, including the suspension or revocation of the gaming licence.

Security of Network and Information Systems

The Measures for a High Common Level of Cybersecurity across the European Union (Malta) Order, 2025 (S.L. 460.41) transposes Directive (EU) 2022/2555 (the “NIS2 Directive”) into Maltese law and introduces a number of key obligations for cloud providers operating in Malta, including providers established outside Malta that offer services in Malta.

Malta has also implemented a cybersecurity strategy which has four key objectives, including the establishment of a cybersecurity governance framework, the strengthening of the fight against cybercrime and national cyber defence, improving cybersecurity awareness and education, and building upon national and international co-operation. This strategy includes periodic reviews and updates to ensure alignment with emerging cybersecurity challenges, particularly those posed by reliance on cloud infrastructures and remote working models.

Data Protection

The GDPR and the Data Protection Act (Malta) are directly relevant to the issues and compliance challenges associated with cloud computing. A key concern is that most service providers in this field provide standard terms which are not easily negotiable and thus any data protection-related provisions may not always reflect the required GDPR standards if the cloud service provider is based outside the EEA. Additionally, transfers of personal data need to comply with specific safeguards, the most common being the use of the Commission’s Standard Contractual Clauses (SCCs). The SCCs were amended in June 2021 following the Schrems II judgment which invalidated the EU-US Privacy Shield. As a result, a provider of cloud computing services established outside the EU would need to show compliance with these standards in order to be considered GDPR compliant. Furthermore, organisations must conduct a Data Protection Impact Assessment (DPIA) when processing personal data in cloud environments that involve high risks to the rights and freedoms of individuals, particularly for sensitive or large-scale datasets. This ensures that risks are identified and mitigated before engaging a cloud provider.

Projects involving big data, machine learning (ML) and AI have one common factor in that they need to make use of vast amounts of data, which may be of a personal nature. This brings about challenges in relation to the management of such personal data in compliance with the GDPR and Maltese data protection law. ML and AI also raise various other legal issues, as outlined below, together with potential solutions.

Data Protection

An AI system needs extensive data to train and develop the algorithmic models on which it operates in order to provide an accurate output. Much of this data may be personal in nature, thus compliance with the GDPR and Maltese data protection law is necessary; however, the volume of personal data processed makes compliance more complex to achieve.

These obligations become particularly problematic in the case of ML and AI since access to and collection of personal data is generally restricted by law. Furthermore, personal data can only be processed for its original intended purpose and although the scope to reuse data for additional purposes has been widened by the Data Act, it is still limited. This legal requirement could limit the possibility of extracting new value from the combination of datasets. It should also be noted that, under the GDPR, decisions that were taken solely in an automated manner must allow for human review of that decision if it significantly affects the data subject. Additionally, the data subject has a right to an explanation as to how a decision was reached. Whilst these principles can stifle the development of ML and AI technology to some extent, they also ensure that such technology is developed in an ethical manner that respects human rights and the right to privacy of each individual. ML and AI companies and applications that involve the use of personal data can achieve trust by ensuring that they are compliant with the requirements of the GDPR, by implementing the necessary safeguards and ensuring that data protection is present at the design stage and by default.

Ethics

Closely related to the discussion of data protection is the matter of ethical development of ML and AI technologies. In October 2018, the Malta AI Taskforce was set up by the Maltese government to advise on strategies, ethics and legal issues relating to the development of such technologies. One of the documents published by the Taskforce is the Ethical AI Framework which, though it does not have the binding force of law, lays down a set of guiding principles for trustworthy AI governance. The Framework builds upon the Ethics Guidelines for Trustworthy AI, published in April 2019 by the European Commission’s High-Level Expert Group on Artificial Intelligence (AI HLEG), and adds a number of control practices which aim to guide developers and users of ML and AI technologies in terms of how the principles set out therein should be translated in practice. The Framework sets out four ethical principles for trustworthy AI, namely:

  • human autonomy – humans interacting with AI systems must be able to keep full and effective self-determination over themselves;
  • preventing harm – AI systems must not cause harm at any stage of their life cycle to humans, the natural environment, or other living beings;
  • fairness – the development, deployment, use and operation of AI systems must be fair; and
  • explicability – end users and other members of the public should be able to understand and challenge the operation of AI systems as required for the particular use case.

Malta has set up a national AI Certification Programme, based on the Framework. Certification would provide applicants with acknowledgement that their AI system has been developed in an ethically aligned, transparent and socially responsible manner, in line with the principles and control practices established by the Framework.

Liability

Liability is often an issue when it comes to ML and AI technologies. It is not easy to establish who or what is legally responsible for the non-human decision-making of a machine. The matter becomes more complicated if the hardware and software performed precisely as they were intended and without a perceptible defect or malfunction of any kind. Malta does not have a dedicated legal framework to govern liability issues relating to ML and AI per se; however, a patchwork of legal provisions addresses the matter to a significant extent. Under the Maltese law of obligations, specifically the Maltese Civil Code (Chapter 16, Laws of Malta), one finds the general concept that a person should always show reasonable care in all their actions, and the standard of reasonable care which is required is that of a reasonable man (bonus paterfamilias). The corollary is that a person who causes harm by acting in a manner which falls below this standard would be liable to compensate for such harm.

Another relevant provision under the Civil Code provides that the owner of an animal, or any person using an animal during the time that such person is using it, is liable for any damage caused by it, whether the animal was under their charge or had strayed or escaped. With regard to this latter provision, academic writers have drawn a parallel with this situation and one where an AI system behaves disruptively or uncontrollably, stating that such provisions should be used in such a case.

Furthermore, the Product Liability Directive (EU 2024/2853) explicitly covers software and AI systems as products and must be transposed into national law by December 2026. This legislation will form the backbone of AI liability in the EU and covers AI embedded in physical products (such as autonomous vehicles); stand-alone software and AI models; and updates, upgrades and machine-learning modifications.

The key legal frameworks applicable in Malta include the following.

  • Data Protection Act (Chapter 586 Laws of Malta) – IoT manufacturers and service providers must ensure compliance with GDPR, particularly regarding consent, purpose limitation, data minimisation and user rights. Since it is not always feasible to obtain direct consent from users, alternative legal bases for processing data must be explored.
  • The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 586.01) – these Regulations govern the confidentiality of communications, addressing issues such as electronic tracking, consent for data collection and the security of communications.
  • Data Protection Impact Assessments (DPIA) under the GDPR and the Data Protection Act (Chapter 586 Laws of Malta) – companies deploying IoT projects must conduct DPIAs before launching a new device or service to identify and mitigate risks associated with data processing.
  • EU Cybersecurity Act (Regulation (EU) 2019/881) – this regulation enhances cybersecurity across the EU by establishing a cybersecurity certification framework for ICT products, services and processes, including IoT devices.

Companies deploying IoT solutions in Malta face several compliance challenges that require careful regulatory adherence.

  • Cybersecurity vulnerabilities – with no specific IoT security certification framework in place, organisations must rely on broader EU cybersecurity regulations. The Malta Cybersecurity Strategy provides guidance but lacks sector-specific standards for IoT devices, making it imperative for companies to implement their own robust security protocols.
  • Spectrum allocation and numbering resources – the Malta Communications Authority (MCA) regulates spectrum allocation and numbering plans for IoT/M2M connectivity. Businesses must obtain the necessary authorisations and comply with MCA’s numbering framework to avoid service disruptions.

To effectively manage IoT deployments in Malta, companies should adopt the following governance frameworks.

  • Regulatory compliance monitoring – organisations must stay updated on developments from the MCA, the Information and Data Protection Commissioner (IDPC), and other Maltese regulatory bodies to ensure continued compliance with evolving legal requirements.
  • IoT device certification and standards compliance – although Malta does not have specific certification requirements, companies should voluntarily align with international security and interoperability standards such as ISO/IEC 27001 to enhance trust and market competitiveness.

Key Legal Requirements

The key legal requirements for IoT companies with respect to data sharing are as follows.

  • Lawful basis for processing – IoT companies must ensure that any personal data collected and shared has a lawful basis under the Data Protection Act. This includes obtaining explicit consent from data subjects, performing tasks in the public interest, pursuing legitimate interests, etc.
  • Transparency and purpose limitation – companies are required to inform data subjects about the purposes of data collection and ensure that personal data is not processed in ways incompatible with those purposes.
  • Data minimisation and storage limitation – only data necessary for the specified purposes should be collected and shared, and personal data should not be retained longer than necessary.
  • Data protection impact assessments (DPIA) – for high-risk data processing, such as large-scale IoT deployments, businesses must conduct a DPIA to evaluate and mitigate risks before launching new IoT services.
  • Consultation with the Information and Data Protection Commissioner (IDPC) – processing biometric, genetic, or health data for public interest or research purposes requires prior consultation with the IDPC.

Thresholds

Whilst the Data Protection Act applies to all entities that process personal data in Malta or that target Maltese residents (regardless of whether the entity is based in Malta), specific thresholds do exist within Malta, such as the following.

  • Record-keeping requirements – IoT companies with fewer than 250 employees are exempt from maintaining records of processing activities unless they engage in high-risk processing, such as handling special categories of data or monitoring large-scale data processing.
  • Appointment of a data protection officer (DPO) – a DPO is required if an IoT company engages in systematic monitoring of individuals on a large scale or processes special categories of data as a core activity.

Heightened Requirements

Malta imposes stricter regulations on the processing of certain categories of personal data, particularly:

  • special categories of personal data as defined in Article 9 of the GDPR;
  • health, biometric, and genetic data – processing these data types for statistical, scientific or research purposes requires prior authorisation from the IDPC; and
  • identity documents and national identifiers – the processing of identity cards, passports or other national identifiers must be clearly justified and is permitted only under strict legal safeguards.

Audiovisual Service Requirements and Applicability – Broadcasting Licences

According to the Broadcasting Act (Chapter 350, Laws of Malta), no one may broadcast audio or video content in Malta for the entire country or any part of it without a written permit from the Malta Broadcasting Authority (MBA), nor may anyone broadcast audio or video content from Malta to any foreign country without a written permit from the MBA. The MBA may grant a broadcasting licence subject to the terms and restrictions it sees fit. These licences are likewise governed by the First Schedule of the Broadcasting Act. There are various classifications and types of licences, including:

  • licences for nationwide television services;
  • nationwide radio services;
  • community radio services;
  • digital radio services;
  • satellite broadcasting services; and
  • other services which may be broadcast or provided on or by an electronic communications network.

The MBA may grant a general interest broadcast content licence or a commercial broadcast content licence in relation to national television services. A general interest objective service is a television broadcasting service that commits to airing a predetermined number of general interest programmes that are under the purview of a public service broadcasting service as defined by the National Broadcasting Policy.

A general interest objective service may be either a generalist service or a niche service. The latter refers to a television broadcasting service which predominantly transmits programmes of a limited number of genres of a specialist subject matter, whilst a “generalist service” means a television broadcasting service which transmits a wide range of programme genres. On the other hand, a “commercial television broadcasting service” means a television broadcasting service that is either a generalist service or a niche service that is not subject to the obligations of a general interest objective service.

An application for a broadcasting licence must be made to the MBA through the relevant licence application, some of the details of which are discussed below:

  • in the case of a new nationwide TV station, arrangements have to be made in the first place with the service providers Melita Limited and GO plc, the two TV distribution networks on the island, prior to applying for a licence from the MBA;
  • in the case of digital radio broadcasting (which is further regulated by the Digital Radio Broadcasting Regulations (Chapter 350.29, Laws of Malta)), arrangements have to be made in the first place with the licensed digital radio broadcasting service provider DigiB Network, prior to applying for a licence from the MBA; and
  • satellite uplink services are licensed by the MCA, and the initial step in this case is to complete and return an application for a satellite earth station licence.

Audiovisual Media Services

Both a television broadcast and an on-demand audiovisual media service qualify as audiovisual media services. A provider of an on-demand media service generally does not need a broadcasting licence as described under the previous heading, but must notify the MBA in writing by sending a letter to the Chairman of the MBA before offering the service. This written notification must include the following information:

  • in the case of a natural person, the name, surname and address, identity card number, passport number or any other identification document as may be accepted by the MBA; and
  • in the case of a legal person, the name and address of the company and of the registered office.

An audiovisual media service transmitted by a media service provider falling under the jurisdiction of Malta must comply with specific provisions of the Broadcasting Act as to the content of its transmissions, as well as other provisions which may be relevant under consumer and press laws.

Requirements for Video-Sharing Platform Providers

A supplier of a video-sharing website based in Malta is subject to Maltese law. A provider of a video-sharing platform does not need a broadcasting licence as described under the first heading in this section, but must nevertheless notify the MBA in writing by sending a letter to the Chairperson of the MBA that includes the following information:

  • in the case of a natural person, the name, surname and address, identity card number, passport number or any other identification document as may be accepted by the MBA; and
  • in the case of a legal person, the name and address of the company and of the registered office.

Video-sharing platform providers falling under the jurisdiction of Malta must also comply with specific provisions of the Broadcasting Act as to the content of their transmissions, as well as other provisions that may be relevant under consumer and press laws.

Technologies and Services That Fall Within the Scope of the Telecommunications Rules

The Maltese regulatory framework is modelled on its European counterpart. It is technology neutral. The primary pieces of legislation that govern telecommunications are the Malta Communications Authority Act (Cap. 418 of the Laws of Malta) and the Electronic Communications Regulation Act (ECRA) (Cap. 399 of the Laws of Malta). Subsidiary legislation includes the Electronic Communications Networks and Services (General) Regulations (ECNSR).

In terms of the ECRA, undertakings wishing to provide telecommunications services must notify the MCA to obtain a general authorisation. An authorisation is required both to operate a telecommunications network and to provide telecommunications services. A frequency licence is required for the allocation and use of spectrum. An individual licence or general authorisation is also required for the sale and use of radio equipment.

The following categories of services need to be notified to the MCA and as such fall within the MCA’s remit:

  • voice communications services;
  • internet access services;
  • television and radio distribution services;
  • interpersonal communications services; and
  • services consisting wholly or mainly in the conveyance of signals such as transmission services used for the provision of machine-to-machine services and for broadcasting.

Importation into Malta

The importation of telecommunications equipment in Malta requires an import permit that has been raised against a Certificate of Conformity in line with the regulations laid down by the European Telecommunications Standards Institute (ETSI).

Security Requirements

Regulation 28 of the ECNSR imposes obligations on providers of publicly available electronic communications networks and services. The main obligations, and the MCA’s corresponding powers, include the following:

  • providers must take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their networks and services;
  • providers must adequately manage those risks, taking into account the state of the art;
  • providers must report security incidents which significantly disrupt electronic communications networks and services to the MDIA;
  • the MCA may request from providers any documentation necessary to assess the security of their networks and services; and
  • the MCA may require providers to submit to a security audit.

Net neutrality (the “open internet”) applies in the EU through Regulation (EU) 2015/2120. As Malta is an EU member state, the Regulation is directly applicable.

On the basis of the net neutrality principle, consumers decide what they access and publish on the internet, without any restrictions. This means that an ISP must treat all traffic flowing over its network equally, irrespective of the content, the owner of the data, or its origin or destination.

However, ISPs may need to implement traffic management policies in order to ensure the smooth running of the network. This notwithstanding, ISPs are restricted in the type of traffic management that they can apply. In fact, while doing so, ISPs need to ensure that any measures are reasonable and must satisfy the criteria of proportionality and non-discrimination.

In addition, ISPs may also implement internet access restrictions in the following exceptional circumstances, in order to:

  • comply with Union and/or national law and court orders (eg, to block unlawful content as required by a court order);
  • protect the integrity or security of their network (eg, to prevent cyber-attacks that occur through the spread of malicious software); or
  • prevent impending network congestion that occurs temporarily and under exceptional circumstances (eg, congestion caused by a sudden and abnormal increase in the demand for specific content, applications or services when compared to the average demand).

Emerging technologies such as 5G, the IoT and AI are significantly influencing Malta’s telecommunications legal framework. The MCA is actively involved in facilitating the deployment of 5G networks, recognising Malta as an ideal location for pilot studies and publishing a lightweight test and trial licensing regime to encourage innovation in this area. Furthermore, the MDIA, established in 2018, leads and advises the government on developments in innovative technologies, including AI. The MDIA has developed a national AI Strategy and is spearheading legislative changes to regulate AI in accordance with the EU’s AI Act.

Legal Considerations for Emerging Technologies in Malta’s TMT Sector

The MCA regulates spectrum allocation and 5G deployment, ensuring compliance with Malta’s National Roadmap for 5G. Companies must obtain spectrum licences and adhere to electromagnetic exposure regulations. IoT providers using machine-to-machine (M2M) communications must comply with Malta’s connectivity framework to ensure efficient numbering allocation and network security.

For AI-driven telecoms services, compliance with the Malta Digital Innovation Authority Act is essential. The MDIA certifies AI systems to ensure security and fairness, particularly for automated customer support, fraud detection and network optimisation. AI systems must align with the EU’s AI Act, preventing bias and unauthorised automated processing.

Malta enforces GDPR through the Data Protection Act (Cap. 586), requiring telecoms operators, IoT providers and AI platforms to protect personal data. The Office of the IDPC can investigate and fine companies for unlawful data use. Businesses using smart surveillance, biometric authentication, or AI-driven profiling must conduct DPIAs and ensure secure data processing in IoT networks.

The MCA is yet to issue its position on the licensing or authorisation of Direct-to-Device services.

Legal Framework Features

An entity that intends to enter into IT service agreements with another entity in Malta will be bound by the general concepts of Maltese contract law, unless the agreement stipulates that a different law should apply. As a general rule, the Civil Code (Chapter 16, Laws of Malta) provides that contracts legally entered into have the force of law for the contracting parties. Parties may derogate from the general law by agreement, unless the law itself prohibits this by way of mandatory rules or on grounds of public policy. IT service agreements would generally cover:

  • a detailed description of the service;
  • whether only services are being provided, or whether materials are also being supplied;
  • the payable fees;
  • term of contract and termination methods;
  • ownership over any intellectual or other property produced during the term of the agreement;
  • liability for the service provided and limitations thereon (usually governed by a Service Level Agreement);
  • insurance;
  • how changes to the agreement/services can be made;
  • notifications to the other party;
  • confidentiality, non-compete and non-solicitation;
  • dispute resolution;
  • data processing (where personal data is accessible by the IT service provider);
  • independent relationship of the parties; and
  • whether the contract can be transferred.

The above-mentioned provisions are relatively standard and, provided that they have been agreed to by both parties and that valid consent can be proved, a court would follow the terms agreed between the parties when interpreting the contract, especially where the wording is unambiguous. However, a lack of clarity and of a proper description of the parties’ expectations is the most common legal problem encountered in relation to IT service agreements.

An IT service agreement will be valid even if it is not in writing, but verbal contracts of this nature are most certainly not recommended.

Limitation of Liability

It is quite common for limitation of liability clauses to be included in service contracts. In this respect, it should be noted that in certain circumstances liability cannot be limited. One example is where fraud is involved; this would invalidate the entire contract, including any limitation of liability clauses. Furthermore, Maltese jurisprudence has also held in various situations that liability cannot be limited in cases of gross negligence.

Maltese courts have on occasion also used reasoning similar to the “doctrine of fundamental breach” to invalidate limitation of liability clauses where the party commits a breach of the contract that is so fundamental that it deprives the other party of essentially the whole of the contract’s benefits. The Maltese courts have also invalidated limitation clauses on occasion simply because they were not brought to the attention of the weaker party, even though the clause itself was technically valid, although this would probably apply more readily in the case where the recipient of the IT service is a consumer. Where the IT service contract includes the provision of materials, one needs to consider that warranties against latent defects cannot always be excluded. Product liability issues may also need to be considered.

Penalty Clauses

IT services agreements frequently involve fines for non-performance or contract violations (for example, a breach of confidentiality or breach of the non-solicitation clause). Frequently, penalty clauses are pre-liquidated, so the sum due in the event of a certain violation would be specified in the contract itself. The Maltese courts would generally tend to uphold the penalty clause stipulated between the parties, unless the amount is grossly unfair to one of them. In this respect, it should be noted that the Civil Code provides that a court cannot abate or mitigate a penalty agreed between the parties except:

  • if the service provider has performed the obligation in part, and the recipient of the service has expressly accepted the part so performed; or
  • if the service provider has performed the obligation in part, and the part so performed is clearly useful to the recipient of the service.

In any such case, an abatement cannot be made if the recipient of the service, in undertaking to pay the penalty, has expressly waived their right to any abatement or if the penalty has been stipulated in consideration of mere delay. Therefore, it is important to consider the inclusion or otherwise of such wording in the contract.

Regulatory Matters

Under the GDPR and local data protection law, specific measures need to be put into place if personal data is to be transferred outside of the European Economic Area (EEA). Thus, should the IT service provider be based outside the EEA, and wish to access personal data held by the recipient of the service, a data processing agreement will need to be concluded in accordance with the European Commission’s Standard Contractual Clauses, unless other safeguards are in place.

Additionally, in several regulated sectors, particular regulatory data must be stored on EEA-based servers so that the appropriate regulatory authority can easily access it. The Malta Gaming Authority (MGA), which mandates that regulatory data be accessible, available and traceable, is one example. For this purpose, the MGA demands access to real-time information, which could present problems if such data is held in a different jurisdiction or in the cloud. The matter can be solved by real-time replication of the data to a live replication server in Malta, although this is not the only solution. Discussions with the MGA can serve to address these issues.

Challenges With Technology Agreements in Regulated Industries

Certain regulated industries, such as banking, insurance and gaming, are subject to greater restrictions than others due to their reliance on sensitive data, stringent compliance requirements, and potential risks to consumers and the economy. These industries are typically governed by sector-specific regulations that impose additional obligations when entering into technology agreements, including those for cloud computing, IT services and outsourcing.

Banking and insurance

The MFSA regulates the financial services sector and requires licence holders to comply with strict rules when outsourcing technology services. Key restrictions include the following.

  • Materiality assessment – agreements involving critical services, such as data hosting or transaction processing, are deemed material and require prior notification or approval by the MFSA.
  • Due diligence and risk management – institutions must assess the technical and financial capability of the service provider, evaluate data security measures, and ensure ongoing compliance with the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.
  • Audit and access rights – agreements must include provisions granting regulators and the institution the right to audit the service provider and access necessary data for compliance and enforcement purposes.
  • Cross-border data transfers – if the technology provider operates outside the EU/EEA, agreements must ensure compliance with the GDPR, particularly regarding international data transfers.

Gaming

The MGA imposes specific restrictions on technology agreements through the Gaming Authorisations Regulations and the Policy on Outsourcing by Authorised Persons.

  • Approval of service providers – cloud computing or other IT service providers offering material gaming supplies must be approved by the MGA as part of the licensing process.
  • Regulatory responsibility – gaming operators remain fully responsible for outsourced services, including ensuring compliance with AML and data protection laws.
  • Mandatory contractual provisions – technology agreements must include clauses addressing data confidentiality, security and service continuity in case of operational disruptions.

Healthcare

Agreements involving patient data are subject to GDPR and local health data regulations, emphasising data security, confidentiality and accountability for processing sensitive personal data.

Telecommunications

Technology agreements must comply with network and information security obligations under the NIS Directive, with an emphasis on ensuring system availability and resilience.

Telecommunications service providers in Malta operate in a highly competitive market. Companies seeking to acquire retail telecommunications services are therefore in a relatively strong bargaining position, which allows them to shop around and negotiate pricing and services.

In the retail space, the main elements to be included within service agreements are the following.

  • Term of the agreement – retail customers should seek to negotiate short-term agreements that would enable them to renegotiate on price, service levels and technology refresh.
  • Pricing – prices should be fixed. If that is unsuccessful, the methodology for price modifications should be specified.
  • SLAs – negotiating appropriate SLAs that are fit for purpose and will meet the individual customer’s needs is paramount. In particular, resolution time and service credits or pre-liquidated damages should accurately reflect the severity of the breach.
  • Scalability and volume discounts – if a customer increases the scope and scale of the services being purchased, the customer should be able to benefit from better tariffs.
  • Termination clauses – ensure that the contract clearly sets out the customer’s right to terminate the agreement where the service that is provided (or not provided, as the case may be) does not meet the promised service or performance levels.
  • Auto-renewal clauses – customers should seek to avoid such clauses as they serve to lock them in.
  • Force majeure – customers should ensure that this clause does not include any unreasonable excuse for the service provider not to provide the contracted services.

When negotiating interconnection or access agreements, the party seeking interconnection or access should in the first instance verify whether the other interconnection/access provider is regulated, in which case it is likely that the MCA has imposed access and transparency obligations on that undertaking. In the event that such obligations exist, then the likelihood is that the interconnection/access provider is under an obligation to publish a reference interconnection/access offer which, amongst other things, would typically include non-discriminatory and cost-based tariffs.

The eIDAS Regulation (Regulation (EC) 910/2014) (the “eIDAS Regulation”) permits citizens, enterprises and public authorities to use electronic identification and trust services to access online services or handle electronic transactions. Through openness, security, technical neutrality, co-operation and interoperability, the eIDAS Regulation seeks to promote the efficient flow of trade throughout the EU. To uphold these ideals, the eIDAS Regulation ensures that individuals and organisations can access public services offered online in other EU nations using their own national electronic identification schemes (eIDs) and establishes a European internal market for trust services by guaranteeing that these services will function internationally and have the same legal standing as their conventional paper-based counterparts.

The eIDAS Regulation was transposed into the Maltese eCommerce Act and the Electronic Trust Services Notification and Fees Regulations (SL 426.03) by virtue of Act XXXV of 2016, which also repealed or amended all local provisions that were previously in force but were inconsistent with the eIDAS Regulation. The Regulation deals with three types of electronic signatures: standard, advanced and qualified; the latter two are detailed below.

  • An advanced electronic signature (AdES) is one that meets the following requirements:
    1. it is uniquely linked to the signatory;
    2. it is capable of identifying the signatory;
    3. it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; and
    4. it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
  • A qualified electronic signature (QES) is an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. In other words, a QES is an advanced electronic signature created with a secure (qualified) signature creation device and backed by a qualified certificate issued by a qualified trust service provider (the requirements for these are also set out in the law).

The eIDAS Regulation provides that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures (for example, with a scanned signature, one would need to prove its validity with additional evidence). On the other hand, a qualified electronic signature has the equivalent legal effect of a handwritten signature. If a qualified electronic signature is based on a qualified certificate issued in one member state, it must be recognised as a qualified electronic signature in all other member states.

Schedule 5 of the Maltese eCommerce Act lists certain activities/areas in respect of which an electronic signature is not valid:

  • the field of taxation;
  • matters in relation to information society services covered by any laws relating to data protection;
  • questions in relation to agreements or practices governed by competition law;
  • the following activities of information society services:
    1. the activities of notaries or equivalent professions to the extent that they involve a direct and specific connection with the exercise of public authority;
    2. the representation of a client and defence of their interests before the courts; and
    3. gambling activities which involve wagering a stake with monetary value in games of chance, including lotteries and betting transactions;
  • contracts that create or transfer rights over immovable property other than leasing rights;
  • contracts of suretyship granted and on collateral security furnished by persons acting for purposes outside their trade, business or profession;
  • the law governing the creation, execution, amendment, variation or revocation of:
    1. a will or any other testamentary instrument;
    2. a trust; or
    3. a power of attorney;
  • any law governing the making of an affidavit or a solemn declaration, or requiring or permitting the use of one for any purpose;
  • the rules, practices or procedures of a court or tribunal however so described;
  • any law relating to the giving of evidence in criminal proceedings; and
  • any contracts governed by family law.

In relation to trust services, the European Union Trusted Lists (EUTL) is a public list of trust service providers (TSPs) that are specifically accredited to offer certificate-based digital IDs for individuals, digital seals for businesses, and time stamping services for qualified electronic signatures in compliance with the eIDAS Regulation. Each EU member state generally supervises the trust service providers established in that state; however, once approved in one member state, the service can be provided in other EU countries and is accepted as having the same level of compliance. In Malta, trust service providers are supervised by the Malta Communications Authority.

Malta has also put into place the “eIDAS Node”, which complies with the EU Interoperability Framework and allows Maltese citizens to use the digital public services of other EU member states and conversely allows European citizens access to the digital services of the Maltese government.

The gaming industry in Malta is primarily regulated by the Gaming Act (Chapter 583 of the Laws of Malta), which provides the legal framework for all gaming activities within the jurisdiction. The MGA, established under this Act, is the primary regulatory body overseeing the licensing, compliance and enforcement of gaming operations. The Gaming Act is supplemented by subsidiary legislation, which provides detailed requirements on licensing procedures, operational standards and enforcement mechanisms. The MGA has also issued industry-specific Directives and Guidelines, ensuring operators adhere to principles of fairness, transparency and player safety.

The gaming industry in Malta faces several legal challenges, including:

  • balancing local regulations with European Union laws, particularly regarding cross-border operations and licensing equivalence;
  • increased scrutiny under the Financial Action Task Force (FATF) recommendations, which has amplified obligations related to anti-money laundering and combating the financing of terrorism;
  • the rise of blockchain, cryptocurrency and artificial intelligence in gaming, which poses novel regulatory and enforcement challenges; and
  • addressing problem gambling through effective player protection measures while maintaining operator competitiveness.

In Malta, the regulation of in-game purchases, loot boxes, and similar gambling elements falls under the scope of the Gaming Act, where such features are deemed to constitute a game of chance or a game of chance and skill combined (controlled skill game). The MGA assesses whether such mechanics qualify as gambling under Maltese law, focusing on elements such as monetary value, chance and player outcomes. Operators offering such features may require a licence and must comply with relevant provisions, including those on transparency and player protection. Specific requirements address ensuring fairness, disclosure of odds and the prohibition of deceptive practices.

Under the Gaming Act, a “minor” is defined as a person under the age of 18, except in specific instances prescribed under the Act or other regulatory instruments. The Act imposes strict restrictions to protect minors from exposure to gaming activities. It is unlawful to offer, permit, entice, or otherwise enable a minor to participate in gaming activities that are restricted to adults. This prohibition extends to granting access to gaming premises, selling gaming tickets, engaging minors in the provision of gaming services, or advertising and promoting such services to minors.

Game developers and operators must ensure that their products and services comply with these provisions by implementing robust age verification mechanisms and avoiding themes, content or marketing strategies that appeal primarily to minors. Advertising and promotional activities must align with regulatory guidelines, ensuring they do not directly or indirectly target individuals under the legal gaming age.

Furthermore, the Act includes a specific provision for land-based casinos, requiring that Maltese nationals under the age of 25 be excluded from using casino gaming services, highlighting an additional layer of local age-based restrictions.

For game developers offering interactive gaming products, compliance with these legal standards necessitates designing content and advertising strategies that respect the protection of minors while ensuring alignment with the Pan European Game Information (PEGI) age-rating system and applicable GDPR provisions.

The primary regulatory body overseeing the gaming industry in Malta is the MGA, established under the Gaming Act. The MGA is responsible for the regulation, supervision and enforcement of gaming activities, ensuring that all operations within its jurisdiction comply with legal and regulatory frameworks. Its mandate covers licensing, compliance monitoring, player protection and enforcement of gaming standards, including AML and combating the financing of terrorism (CFT) measures.

Additionally, certain aspects of gaming operations may fall under the oversight of other authorities, such as the Financial Intelligence Analysis Unit (FIAU) for AML compliance and the Office of the IDPC for data protection and privacy matters.

The MGA is vested with extensive enforcement powers under the Gaming Act to ensure compliance with regulatory standards. These powers include the following.

  • Issuing administrative penalties and sanctions – the MGA can impose fines, suspend or revoke licences, and issue warnings for non-compliance with licensing conditions or legal requirements.
  • Conducting investigations – it has the authority to investigate licensees and gaming activities, including requesting information, conducting audits and interviewing stakeholders.
  • Ceasing operations – the MGA can order operators to cease operations or suspend gaming activities in cases of serious breaches.
  • Freezing assets – it can freeze funds or assets where necessary to safeguard player interests or prevent illicit activities.
  • Collaborating with other authorities – the MGA works in tandem with local and international law enforcement agencies and regulatory bodies to address complex cases, including cross-border operations.

The MGA actively enforces compliance through targeted actions. Notable examples include the following.

  • Licence suspensions and revocations – in recent years, the MGA has revoked several licences for serious breaches of regulatory obligations, such as failing to meet AML standards, mismanagement of player funds, or operational irregularities.
  • Fines for AML/CFT non-compliance – the Authority has imposed substantial fines on licensees found in breach of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). For instance, enforcement actions have been taken against operators who failed to conduct adequate customer due diligence or report suspicious transactions.
  • Prosecution for unlicensed operations – the MGA has taken legal action against entities offering gaming services without the required licence, demonstrating its commitment to maintaining the integrity of the regulated market.

Game developers in Malta encounter several IP challenges, including:

  • copyright infringement – unauthorised copying or distribution of game assets, software or creative elements such as music, graphics or storylines;
  • trade mark issues – protecting game titles, logos and branding from misuse or infringement in competitive markets;
  • piracy – the illegal replication and distribution of games on third-party platforms;
  • ownership disputes – determining the ownership of IP created by employees, contractors or collaborators; and
  • cross-border enforcement – enforcing IP rights in a digital environment where games are accessed and distributed globally, often leading to jurisdictional complexities.

Creators in Malta have robust IP protection under local law and international agreements. Key rights include:

  • copyright protection – automatically granted to original works, including software, artwork, music and storylines. Developers can enforce exclusive rights to reproduce, distribute or modify their works;
  • trade mark registration – developers can register trade marks for game titles, logos and other distinctive identifiers, protecting them from unauthorised use in virtual and physical environments;
  • patent rights – although less common, game developers can patent novel technical solutions or processes, such as unique game mechanics or software innovations;
  • contractual protections – developers can use licensing agreements, non-disclosure agreements (NDAs), and employment contracts to safeguard IP ownership and usage; and
  • international protections – Malta’s adherence to international treaties, such as the Berne Convention and the TRIPS Agreement, provides creators with extended IP protection across member states.

Key considerations for copyright in digital and virtual assets include:

  • originality – copyright protection applies to original works that demonstrate creativity, including virtual assets like in-game items, environments and characters;
  • ownership – developers must clearly define IP ownership in agreements with employees, freelancers and collaborators;
  • licensing – clear licensing terms are crucial for digital assets, especially when assets are sold or transferred within games;
  • fair use and derivative works – developers should be mindful of potential conflicts arising from user-generated content (UGC) and the adaptation of copyrighted works; and
  • global accessibility – copyright enforcement in a virtual environment requires monitoring and addressing infringement across multiple jurisdictions.

Trade mark laws in Malta extend to virtual goods and services, provided the marks meet the requirements of distinctiveness and registrability. Key applications include:

  • virtual branding – developers can trade mark logos, names and slogans used within games or on associated platforms, protecting them from imitation;
  • protection in virtual environments – trade marks can be enforced to prevent unauthorised use of branding in metaverses, in-game economies or virtual marketplaces;
  • merchandising – trade mark protection allows developers to expand into physical and virtual merchandise while maintaining control over branding; and
  • international considerations – given the global nature of virtual goods, developers must consider trade mark registration in key jurisdictions to ensure comprehensive protection.

The implications for user-generated content (UGC) on IP rights include:

  • ownership and licensing – clear terms of service are critical to define ownership and licensing rights for UGC, balancing user creativity with developer control;
  • infringement risks – UGC may unintentionally or deliberately infringe third-party IP rights, exposing developers to legal liabilities;
  • moderation and enforcement – developers must implement robust systems to monitor and moderate UGC to prevent IP violations;
  • commercialisation – when monetising UGC, developers should ensure appropriate licensing arrangements and obtain permissions where necessary; and
  • moral rights – developers must consider moral rights of UGC creators, such as the right to attribution, even in commercial gaming environments.

Relevant Laws and Regulations

Data protection

The Data Protection Act (Chapter 586 of the Laws of Malta) mandates strict guidelines for the collection, processing and storage of personal data. Organisations operating within Malta, including social media platforms, must adhere to the provisions of the Data Protection Act to ensure user privacy and data security.

Advertising standards

The Consumer Affairs Act (Chapter 378 of the Laws of Malta) regulates advertising practices, prohibiting misleading and deceptive advertisements. This Act applies to all forms of advertising, including those disseminated via social media platforms.

Broadcasting Act

While primarily focused on traditional media, the Broadcasting Act (Chapter 350 of the Laws of Malta) also encompasses certain aspects of online content dissemination, ensuring that content is accurate, fair and balanced.

Copyright Act (Chapter 415)

The Copyright Act (Chapter 415 of the Laws of Malta) protects intellectual property on social media, preventing unauthorised reproduction and distribution of content such as images, videos and music.

Trademarks Act (Chapter 597)

The Trademarks Act (Chapter 597 of the Laws of Malta) ensures brand protection on social media, preventing misuse of logos, business names and slogans.

Cybersecurity Act (Regulation (EU) 2019/881)

The Cybersecurity Act (Regulation (EU) 2019/881) strengthens online security by setting EU-wide cybersecurity standards for social media platforms.

Consumer Affairs Act (Cap. 378)

The Consumer Affairs Act (Chapter 378 of the Laws of Malta) regulates advertising and influencer marketing on social media to protect consumers from misleading promotions, hidden sponsorships and online scams, ensuring transparency in e-commerce and digital transactions.

Key Legal Challenges in Malta Regarding Social Media

IP protection in the digital sphere

In Malta, the Copyright Act (Chapter 415 of the Laws of Malta) and Trademarks Act (Chapter 597 of the Laws of Malta) govern IP rights, including digital content on social media. However, enforcing these rights is challenging due to the rapid and widespread sharing of copyrighted materials across platforms.

Cybersecurity and misinformation risks

Malta’s cybersecurity framework is still evolving, with no specific social media cybersecurity law beyond existing criminal code provisions and the Cybersecurity Act (Regulation (EU) 2019/881). The lack of platform-specific legislation means that enforcement often relies on reporting mechanisms within social media platforms, which are not always effective in addressing fake accounts, deepfake technology or cyberbullying incidents.

Malta Communications Authority (MCA)

The MCA regulates electronic communications and eCommerce in Malta, ensuring compliance with online service standards. Its relevance to social media lies in monitoring ISPs and digital platforms. It has investigative and enforcement powers, including the enforcement of fines and sanctions for non-compliance with electronic communications regulations.

Office of the Information and Data Protection Commissioner (IDPC)

The IDPC enforces data protection laws, particularly under the GDPR and Malta’s Data Protection Act. It oversees social media platforms by ensuring lawful processing of personal data and user privacy compliance. It has the authority to investigate breaches, issue fines and order the cessation of unlawful data processing.

Malta Competition and Consumer Affairs Authority (MCCAA)

The MCCAA safeguards consumer rights and fair trading, including advertising and marketing on social media. It ensures that businesses and influencers comply with truthful advertising standards and avoid deceptive practices. Its enforcement powers include investigations, consumer complaints handling and legal actions against misleading online content.

The key data privacy laws and regulations applicable to communications service providers in Malta include:

  • the Data Protection Act (Cap. 586 of the Laws of Malta);
  • the Electronic Communications Act (Cap. 399 of the Laws of Malta); and
  • the Processing of Personal Data (Electronic Communications Sector) Regulations (SL 586.01).

In essence, the Data Protection Act governs general data processing and establishes key requirements such as a lawful basis for processing and strict controls on international data transfers. The Electronic Communications Act, in conjunction with SL 586.01, imposes stricter sector-specific obligations on traffic data, location data and communications content.

Telecom companies face some unique data privacy challenges. Consent management can be complex as they rely on both mandatory and optional processing. They would need to show proof of consent including the purpose for which consent was given. Legacy systems might not maintain GDPR-compliant records. Service providers, by their very nature, generate very large volumes of metadata such as call data records and IP logs. Limiting processing to what is strictly necessary can prove to be challenging. User-rights compliance remains difficult where legacy systems are still in use, and governance is therefore paramount.

In handling cross-border data transfers, telecom companies must first consider the nature of the data and whether it can leave the EU. For instance, while billing data (with certain safeguards), CRM data and customer support records may be moved, other data (such as traffic data and location data) is tightly controlled. For permissible data transfers, service providers would rely on adequacy decisions, standard contractual clauses in conjunction with impact assessments and possibly supplementary measures such as encryption and access control.

Service providers reconcile lawful intercept obligations with data protection safeguards by limiting their role to complying with lawful orders of competent courts, tribunals, regulatory authorities, police or security organs. As such, operators rely on statutory exemptions where required by national law, predominantly in cases of criminal law and national security.

Third-party vendors and cloud service providers play a critical role in data privacy compliance frameworks. Privacy risk arises not merely from the operation of an operator’s own network but increasingly from outsourced systems and shared platforms. Within the context of the GDPR, third-party vendors and cloud service providers act as data processors, while telecom companies qualify as data controllers. Clear role allocation between telecom companies and third-party vendors/cloud service providers is required. Contractual undertakings that set out technical safeguards, controls and oversight to meet GDPR and e-privacy obligations are paramount.

The evolution of data privacy rules has a direct bearing on how communications networks are designed and operated. Indeed, telecom companies are required to comply with the minimisation principle which requires operators to collect only data which is limited to what is necessary for clearly defined purposes. This means that data processed (and stored) must be kept to a minimum and that operators should avoid retaining or repurposing data “by default”, unless there is a valid legal basis and a demonstrable operational need (for example fraud prevention, security or compliance with lawful retention obligations).

As a result, evolving privacy regulation is increasingly shaping both network infrastructure and service design. Operators must build privacy requirements into the architecture of their networks, including through privacy-by-design measures, tighter access controls, defined retention periods and stronger governance over data flows.

These requirements can result in a slower time-to-market, impacting the launch of new services. The offering of cross-border services (for example eSIM-based roaming services) is also increasingly challenging, particularly where services involve multiple jurisdictions and EU citizens. As a result, privacy considerations are embedded into the design of networks and the provision of services – resulting in increased costs. The industry is therefore shifting away from data-maximisation models towards privacy-aware platforms. Data-driven monetisation models are under increased pressure and many fail before they reach the marketing stage. In this context, forward-looking operators engage with regulators early and treat them as key stakeholders, helping to align service innovation with the applicable legal and regulatory framework from the outset.

The challenges that organisations face relate primarily to marrying the strict legal obligations on consent, data minimisation and security with complex operational realities.

Systems need to be able to manage consent tracking:

  • consent must be valid;
  • consent must be capable of being easily withdrawn across different systems; and
  • data minimisation and purpose limitation may conflict with legacy systems which might retain large volumes of data by default.

On the other hand, operators must ensure that the systems they employ are resilient and secure across networks, cloud environments and third-party vendors. Managing cross-border transfer restrictions, meeting deadlines to respond to data subject requests, notifying data breaches in a timely manner and ensuring regulatory compliance are also significant obligations.

Digital media providers should ensure that data protection and security controls are embedded into the design of their systems and the governance of their platforms. Their platform interfaces and back-end systems must be designed so that personal data use is limited to what is strictly necessary and so that security and privacy defaults apply automatically. It is essential that media platforms align legal requirements with technical architecture and product decisions early in the process.

Sharing data with third parties such as advertisers, analytics providers and other partners creates complex challenges from privacy, security and compliance perspectives. When an organisation shares data with third parties, it retains legal responsibility. In the first instance, these organisations need to ensure that valid consent has been obtained. Advertising and analytics activities under the GDPR require explicit and granular consent. Platforms must ensure that third-party access is blocked until valid consent has been obtained. Equally, the withdrawal of consent must immediately stop further data sharing. Secondly, it may be difficult to know the details of (let alone control) downstream processing. This affects key issues such as retention periods and the transfer of data outside of the EU. Furthermore, many advertising and analytics providers operate globally and/or rely on cloud infrastructure outside the EU. This carries with it cross-border transfer and security challenges. Platforms must therefore employ impact assessments, where possible limit processing to the EU, employ encryption measures and implement contractual prohibitions on unauthorised access and transfers. In addition, third-party sharing creates challenges relating to accountability and incident response. This challenge should be mitigated by limiting third-party access by default and maintaining the ability to promptly disable or remove third-party integrations.

Cybersecurity regulations are having a significant impact on digital media platforms’ operations and technology agreements within the EU. Regulations such as NIS-2 require platforms to implement risk-management frameworks. Requirements consisting of monitoring and security controls are applicable. Platforms must maintain incident-detection and response capabilities together with disaster-recovery plans, and must meet notification timelines. These have driven substantial changes in platform architecture, with a move to secure-by-design platforms. Technology agreements have been materially affected by the incorporation of mandatory security clauses in agreements with cloud providers, content delivery networks, analytics partners and advertisers. These clauses include maintaining security standards, audit and inspection rights, incident-notification obligations and liability for security failures. Cybersecurity compliance has become a core business and contractual issue that shapes the design of platforms, vendor selection and technology strategies.

GVZH Advocates

192 Old Bakery Street
Valletta, VLT 1455
Malta

+356 21228888

info@gvzh.mt
www.Gvzh.mt