Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

As a member state of the European Union, Malta’s data protection laws include the EU’s General Data Protection Regulation (2016/679) (GDPR). Chapter 586 of the Laws of Malta, the Data Protection Act (2018), along with its subsidiary legislation, came into force on 28 May 2018, repealing the previous Data Protection Act of 2001.

Malta is also a party to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), which came into force in 2003.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Office of the Information and Data Protection Commissioner, appointed according to article 11 of the Data Protection Act (2018), is the supervisory authority responsible for overseeing the applicability and enforcement of data protection law in accordance with the requirements of the GDPR.

Further to the provisions of the GDPR and the Data Protection Act (2018), the Commissioner shall have the right to carry out investigations in the form of data protection audits and inspections, as well as demand and access personal data and data processing equipment, records and documentation held by data controllers or data processors. The Commissioner may also request the assistance of the executive police to enter and search any premises in the course of investigation. Moreover, when exercising such investigative powers, the Commissioner may ask for additional information from any person deemed to be of interest; lack of cooperation or the provision of false information may lead to criminal prosecution.

Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The Data Protection Act (2018) provides for joint operations with the supervisory authorities of other EU member states. The Act refers to the GDPR in instances when the national supervisory authority is to cooperate with other supervisory counterparts. In such cases, the Commissioner is to confer his or her powers, including investigative ones, to members and staff of the member states’ supervisory authorities; the Act (2018) provides that such conferment of powers is to be made under the exercise and in the presence of the Commissioner.

The GDPR envisages that data protection authorities, referred to as supervisory authorities, provide relevant information and give mutual assistance to other supervisory authorities, thus ensuring that the GDPR is implemented in a consistent manner.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

The GDPR provides that administrative fines can be imposed for infringements of its provisions. It also stipulates that such fines must be effective, proportionate and dissuasive. Supervisory authorities are instructed to take into consideration several elements when imposing such fines, including but not limited to intent, gravity and degree of cooperation. Different infringements carry different administrative fines.

The Data Protection Act (2018) specifies the administrative fines that can be imposed by the Commissioner by order in writing upon the controller or processor, which fines shall be due to the Commissioner as a civil debt should such persons be found in breach of applicable data protection laws; such fines have not been capped. Fines shall not exceed €25,000 per violation in the case of public authorities or bodies. Moreover, a daily fine can be imposed by the Commissioner for each day on which the violation persists. A €5,000 fine has been imposed on a competent Maltese Authority following a major data breach. A temporary ban on the Authority’s online portal was also imposed.

With reference to criminal penalties, the Act (2018) stipulates that a person who knowingly provides false information to the Commissioner, or who fails to comply with a lawful request made by the Commissioner during an investigation, is guilty of a criminal offence and liable to a fine of up to €50,000, with a possible term of imprisonment of six months.

Following the coming into effect of the GDPR, several data breach notifications were made to the Maltese Commissioner, leading to the issuance of a number of fines, which up until April 2019 amounted to nearly €40,000. Most breaches reported were in the financial services sector, followed by breaches in the gaming sector and in public entities. Most of the breaches were reported to be caused by either internal non-malicious action or human error.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Data Protection Act (2018) provides that certain entities, persons and activities are excluded from the scope of the law and consequently from the requirements of the General Data Protection Regulation (GDPR). In this respect, the Act (2018) follows the provisions of the GDPR on exempt sectors and institutions. The processing of personal data for activities falling outside the scope of Union law is excluded; data protection laws also do not apply when the government of Malta carries out activities within the scope of Chapter 2 of Title V of the Treaty on European Union, dealing with common foreign and security policy. Natural persons carrying out purely personal and household activities are also excluded from the scope of the law. Finally, competent authorities are excluded from the scope of the law when processing data for the purpose of preventing, investigating, detecting or prosecuting criminal offences or executing criminal penalties, including safeguarding against and preventing threats to public security.

It is also to be noted that the Act (2018) allows certain derogations to be made when processing personal data for scientific, historical, archiving or official statistical purposes. These derogations are only allowed if the full applicability of the law renders the achievement of the exercises in question impossible or impaired and if the data controller believes that such derogations are necessary. In addition, the Act provides that the provisions of the GDPR could be further derogated from in order to exercise the right to freedom of expression and information.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The Data Protection Act (2018) itself makes no reference to the interception of communications, electronic marketing or monitoring and surveillance of individuals.

Subsidiary Legislation 586.08, titled Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations and implementing Directive (EU) 2016/680 of the European Parliament and of the Council, addresses technical surveillance, in that it is lawful for competent authorities to collect personal data through technical surveillance or through automated means.

Under Maltese law, Chapter 391 of the Laws of Malta, titled the Security Service Act, addresses the interception of communications, which by the definition provided in the same Act includes an array of activities such as surveillance; the act itself makes no reference to the processing of data. On the other hand, the GDPR addresses direct marketing, but does not distinguish between electronic and non-electronic marketing. In cases of direct marketing, the data subject has the right to object to the processing of their data for marketing purposes.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Under Maltese law, apart from the Data Protection Act (2018), there are various pieces of subsidiary legislation, either implementing EU law or issued as regulations by the Minister responsible for data protection.

  • Subsidiary Legislation 586.01, titled Processing of Personal Data (Electronic Communications Sector) Regulations and implementing Directive 2002/52 EU of the European Parliament and Council, addresses the processing of data when providing publicly available electronic communications services in public communications networks in Malta and any other country.
  • Subsidiary Legislation 586.06, titled Processing of Personal Data for the Purposes of the General Elections Act and the Local Councils Act Regulations, deals with the processing of data in elections held in accordance with Maltese electoral law.
  • Subsidiary Legislation 586.07, titled Processing of Personal Data (Education Sector) Regulations, addresses the processing of data by educational institutions and authorities.
  • Subsidiary Legislation 586.10, titled Processing of Data Concerning Health for Insurance Purposes Regulations, adds to the existing data protection law when it comes to processing data for insurance purposes and provides for lawful scenarios in which data can be collected.
  • Subsidiary Legislation 586.11, titled Processing of Child’s Personal Data in Relation to the Offer of Information Society Services Regulations, provides for the minimum age (currently 13) that a child must have attained for information society services to be able to process the child’s data in the absence of parental consent.

PII formats

What forms of PII are covered by the law?

The GDPR lays down rules for the protection of natural persons when their personal data is processed and makes no distinction with regard to its form. The Data Protection Act (2018) upholds the same scope of the GDPR in that data protection law applies to the processing of personal data, wholly or partly, either by automated means or otherwise, where such data is processed to form part of a filing system or is intended for such purpose.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The Data Protection Act (2018) mirrors the provisions of the GDPR when defining its territorial scope. The Act applies when the processing of data is carried out by a data controller (PII owner) or processor in a Maltese establishment. The Act also specifies that processing occurring in a Maltese embassy or High Commission situated abroad falls within its scope. Data controllers or processors not established within the EU are also bound by data protection law if the data subjects being offered goods or services are based in Malta, whether such goods or services are offered for remuneration or free of charge. Data protection law likewise applies if the behaviour of data subjects situated within Malta is being monitored. The provisions of the Act (2018) and the GDPR also apply to data controllers processing data outside the EU where public international law provides that Maltese law applies in such circumstances.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The Data Protection Act (2018), along with the GDPR, provides for the establishment of data subject rights and stipulates when such laws are not applicable and when exclusions and derogations apply. Data protection laws apply solely to natural persons. The aforementioned law and regulation differentiate between the role of the data controller and that of the data processor, imposing different responsibilities upon each party.

Under the GDPR, the data controller must maintain documentation recording data processing undertaken by him or her, which shall be available for consultation at any time. Other measures to be taken by the controller include the implementation of and adherence to data protection policies and codes of conduct, adopting a data protection-by-design approach and ensuring that measures to safeguard data are in place through appropriate technical and organisational structures.

With reference to the data processor, the GDPR provides that personal data should only be processed by the processor following the written instructions provided by the controller. When required, a processor must demonstrate their compliance with the GDPR to the controller and supervisory bodies. Unless the controller gives his or her written consent, a processor cannot engage a sub-processor. The processor is obliged to assist the controller with regard to both data subject requests and compliance. If instructed by the controller, a processor should be able to delete data. Moreover, both parties shall cooperate with supervisory bodies and maintain records of the name and contact details of the processor, controller and data protection officer; the purpose of data processing; and the types and categories of data and data subjects in their possession, among others.

Law stated date

Correct on

Give the date on which the information above is accurate.

6 May 2020