The long-awaited General Data Protection Regulation (GDPR) finally became applicable on 25 May 2018 (it had entered into force in May 2016, with a two-year transition period). The GDPR is an EU regulation with direct effect in EU member states. Therefore, it is now the primary source of law regulating data protection and the processing of personal data in Malta.
That said, the GDPR allows member states some flexibility to regulate certain areas of the law within specific parameters. Accordingly, Malta recently enacted a new Data Protection Act (Chapter 586 of the Laws of Malta, which repealed and replaced the old Chapter 440), together with a set of subsidiary laws which regulate sector-specific data protection issues.
The new Chapter 586 and the collection of subsidiary laws complement and must be read with the GDPR. Therefore, it is important for all organisations – whether they are data controllers or data processors – to be aware of this comprehensive regulatory regime and not simply rely on the GDPR.
This update summarises the changes that have been brought about by the new act and the subsidiary laws in Malta. Of course, organisations established in Malta that process personal data which may be governed by the laws of a foreign jurisdiction (eg, by targeting services to data subjects established in another country or processing the personal data of data subjects that reside in another country) must also be aware of any country-specific data protection laws which might affect their processing activities.
As expected, the new Data Protection Act caters for certain standard provisions. For instance, it regulates the establishment and powers of the Office of the Information and Data Protection Commissioner (IDPC) and stipulates procedural rules as to how the IDPC can investigate claims, institute prosecution and impose fines. It also regulates appeal procedures.
The new act recognises the extended regulatory reach of data protection laws in order to reflect the wider scope that the GDPR mandates. Therefore, the law now also applies to controllers and processors not established in the European Union that process the personal data of individuals (ie, data subjects) who are in Malta where the processing relates to:
- the offering of goods or services to data subjects in Malta irrespective of whether the data subject must pay for the goods or services; or
- the monitoring of data subjects' behaviour, insofar as their behaviour takes place in Malta.
Additionally, as with the old act, Chapter 586 contains special rules relating to the processing of personal data for journalistic, research, archiving, historical and statistical purposes. It also regulates certain derogations for public interest and security purposes.
However, of key interest are the following new provisions.
Consultation and prior authorisation obligations

Under the new act, a data controller must consult with, and obtain prior authorisation from, the commissioner where the controller intends to process, in the public interest:
- genetic data, biometric data or data concerning health for statistical or research purposes; or
- special categories of data relating to the management of social care services and systems, including for the purposes of quality control, management information and the general national supervision and monitoring of such services and systems.
Processing of identification cards

Under the GDPR, EU member states are free to set their own rules regarding the processing of national identification numbers. The new act provides that an identity document can be processed only when doing so is clearly justified, having regard to:
- the purpose of the processing;
- the importance of a secure identification; and
- any other valid reason as may be provided by law.
The new obligation set out by the GDPR and reflected in the act is that a national identity number or any other identifier of general application must be used only under appropriate safeguards to protect the rights and freedoms of the data subject.
Administrative fines for public authorities

As mentioned above, the IDPC can impose the administrative fines set out in the GDPR, which can reach up to €20 million or 4% of global group turnover – whichever is higher.
The GDPR allows EU member states to determine whether administrative fines will be imposed on public and government authorities in the respective state. In Malta, the IDPC can impose administrative fines on a public or government authority; however, depending on the nature of infringement, these fines will be capped at:
- €25,000 for each violation and a possible daily fine of €25 for each day during which such violation persists; or
- €50,000 for each violation and a possible daily fine of €50 for each day during which such violation persists.
Criminal offences – fines and imprisonment

In addition to the administrative fines that can be imposed in cases of GDPR infringement, the act provides that any person who knowingly provides false information to the commissioner, or does not comply with any lawful request made pursuant to an investigation by the commissioner, will be guilty of an offence. Any conviction will result in a fine of no less than €1,250 and no more than €50,000, imprisonment for six months, or both.
Of course, officers of a company should be vigilant in this regard, as this implies personal criminal liability.
Damages – including moral damages

Under the old act, in addition to pursuing a complaint with the IDPC, aggrieved data subjects could institute an action for an effective judicial remedy against the controller concerned. The GDPR and the new act restate this; however, this time data processors are also in the line of fire. This remedy may include instituting a damages action against the relevant controller or processor.
Of particular interest in the Maltese scenario is how the GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. As a result, the new act provides that if a court finds the controller or processor liable for the damage caused, the court will set out the amount of damages factoring in moral damages.
Moral damages in terms of data protection are novel in Malta. This concept is also somewhat testing in the context of Maltese law, which has rarely contemplated awarding moral (non-pecuniary) damages. How the Maltese courts will apply this in practice is not yet known. That said, caution must be exercised, as compensation will be awarded for non-material damage, such as reputational harm or psychological distress caused by a breach of data protection law.
Such actions are time barred after 12 months from the date on which the data subject became aware, or ought to have reasonably become aware, of such contravention – whichever is earlier.
While the GDPR allows EU member states to regulate other aspects of the law, Malta has yet to do so. For instance, the following have been left up to member states:
- Employment data – the GDPR provides that member states can regulate more specific rules to ensure the protection of employees' personal data in the employment context. However, the act contemplates no specific rules to this effect.
- Data protection officers (DPOs) – the GDPR obliges certain data controllers and processors to appoint a DPO and in so doing allows member states to designate specific instances when a DPO must be appointed. While the act provides no specific instances when a DPO must be appointed, it grants the minister for data protection the power to legislate further on this matter.
- Processing grounds – the GDPR provides that member states may maintain or introduce more specific provisions to adapt the application of the GDPR rules on processing based on a legal obligation or public interest. The act does not introduce more specific provisions.
- Special grounds – under the GDPR, member states can maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health. The act does not introduce further rules on this subject.
In addition to the new Data Protection Act, the Maltese legislature has re-enacted certain subsidiary laws that applied under the old regime. These include the regulations which transposed the EU E-Privacy Directive into Maltese law. The EU E-Privacy Directive regulates the processing of personal data in the context of electronic communications and is highly relevant in the context of marketing and the use of web cookies and similar tracking technologies, among other things. Other sector-specific regulations relate to:
- the processing of minors' personal data;
- the processing of data in the education sector; and
- the processing of data for the purposes of general elections.
Further, with the onset of the GDPR, four new subsidiary laws have been enacted:
- S.L.586.08 – these regulations were enacted to transpose the so-called 'EU Police Directive' (2016/680), which imposes data protection obligations similar to those found in the GDPR on law enforcement agencies.
- S.L.586.09 – pursuant to Article 23 of the GDPR, these regulations introduce restrictions on some data subject rights and obligations where this is necessary for:
- national security;
- the prevention or detection of criminal offences; or
- tax-related matters.
- S.L.586.10 – these regulations introduce a special rule for the insurance industry. Historically, the insurance industry has relied heavily on explicit (but in practice mandatory) consent for the processing of health-related data. The validity of such consent was always questioned – even more so with the onset of the GDPR. These new regulations seek to address this issue by facilitating the processing of data concerning health where such data is necessary and proportionate for the purposes of an insurance policy. Therefore, provided that certain conditions are satisfied, insurers may now rely on these regulations instead of consent as the basis for processing health data – for instance, where data concerning health is deemed necessary to settle insurance claims.
- S.L.586.11 – these regulations were enacted to reflect the GDPR's rules on processing child data in the context of offering information society services (ie, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of the recipient of the services). The legislature has clarified that, in the absence of consent from a child's parent or legal guardian, the processing of a child's personal data in relation to information society services will be lawful only for children who are 13 years old or older. This does not alter the rules on the age of consent for entering into contracts, as that is separately governed by Maltese law.
One of the main goals of the GDPR is to consolidate and harmonise data protection laws across the European Union, introducing measures to simplify cross-border procedures (including the 'one-stop-shop' concept). Nevertheless, the reality is that EU member states still retain a degree of discretion to introduce derogations or sector-specific conditions. These vary between countries and industries, and divergences will likely increase over time.
Considering that there may be personal criminal liability for offences, compensation for real and moral damages, and significant administrative fines, data controllers and processors alike now face the arduous task of staying on top of these legislative developments and remaining in touch with the ever-growing collection of 'official' guidance being issued on so many subjective aspects of the law. It is only a matter of time before some or all of these changes will be put to the test.
For further information on this topic please contact Paul Gonzi at Fenech & Fenech Advocates by telephone (+356 2124 1232) or email (firstname.lastname@example.org). The Fenech & Fenech website can be accessed at www.fenechlaw.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide.