Olga Finkel and Rachel Vella Baldacchino have written an article on Digital Business in Malta, in the Q&A guide to digital business of Practical Law – a Thomson Reuters Legal Solution. The article gives a high level overview of matters relating to regulations and regulatory bodies for doing business online, setting up an online business, electronic contracts and signatures, data retention requirements, security of online transactions and personal data, licensing of domain names, jurisdiction and governing law, advertising, tax, liability for content online, insurance, and proposals for reform.

Regulatory overview

1. What are the relevant regulations for doing business online (for business-to-business and business-to-customer)?

Maltese legislation and regulations that are of direct relevance to doing both business-to-business and business-to-customer business online and in various sectors include:

  • The Electronic Commerce Act (Chapter 426 of the Laws of Malta), which deals with validity of electronic evidence, electronic contracts, liability of information society service providers and electronic signatures.
  • The Electronic Commerce (General) Regulations (Subsidiary Legislation 426.02), which, together with the E-Commerce Act, implemented the Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Electronic Commerce Directive) and Directive 99/93/EC on electronic signatures (Electronic Signatures Directive).
  • The Electronic Communications (Regulation) Act (Chapter 399 of the Laws of Malta).
  • The Electronic Communications Networks and Services (General) Regulations 2011 (Subsidiary Legislation 399.28), which, among other things, addresses data protection issues arising out of the use of electronic communications networks and services.
  • The Distance Selling (Retail Financial Services) Regulations (Subsidiary Legislation 330.07), which addresses specific issues of distance selling of financial services.
  • The Remote Gaming Regulations (Subsidiary Legislation 438.04), which deals with the provision of gambling services over the internet.

The following are also of relevance:

  • Tax Credit (Electronic Commerce) Rules (Subsidiary Legislation 123.85), which grants tax credits in certain circumstances for qualifying expenditures relating to the development of e‑commerce systems.
  • General legislation, which (unless specifically excluded or amended by other legislation), applies to online and offline transactions generally. This includes legislation dealing with:
  • general consumer protection and unfair consumer terms (such as the Consumer Affairs Act, Chapter 378 of the Laws of Malta);
  • intellectual property laws (such as the Copyright Act, Chapter 415);
  • data protection (Data Protection Act, Chapter 440);
  • general direct and indirect taxation rules;
  • defamation rules; and
  • other applicable criminal laws.
2. What regulatory bodies are responsible for passing legislation in this area?
Malta Communications Authority (MCA)

The MCA is designated as the competent authority under both the Electronic Commerce Act and the Electronic Commerce (General) Regulations (see Question 1). Electronic communications networks and services also fall under the authority of the MCA, granting it the responsibility to monitor the competitiveness of the market and to regulate, where appropriate, internet access tariffs and charges in accordance with the requirements of the EU electronic communications regulatory framework (as transposed in Malta by the Electronic Communications Regulation Act (Chapter 399 of the Laws of Malta) and subsidiary legislation).

Malta Competition and Consumer Affairs Authority (MCCAA)

The MCCAA protects, promotes and safeguards competition and consumer protection in Malta, including the digital business sector.

Consumer Affairs Council

The Consumer Affairs Council, established under the Consumer Affairs Act has the function, among others, of advising the Minister responsible for consumer affairs on:

  • Measures required for the promotion and protection of consumer interests.
  • The working and enforcement of laws that directly or indirectly affect the consumer in Malta.
Data Protection Commissioner

The Commissioner provides regulatory oversight concerning data protection and privacy.

Malta Information Technology Agency

The Agency is the entity responsible for the Maltese government’s e-services.

Setting up a business online

3. What are the common steps a company must take to set up an existing/new business online?

While it is possible to conduct online business in Malta using a non-Malta company, it may be more convenient to set up a company in Malta. The procedure for establishing a company is straightforward and only takes a few days. Tax registration and VAT registration should be obtained as well (see Question 34).

Depending on the nature of the online business, the company may need to obtain:

  • Any necessary trading licences, authorisations or permits (for example, for a financial services business or online gaming business).
  • The Malta country-code top-level domain (ccTLD) (.mt) from NIC (Malta), if a company wishes to use a local domain name (see Question 23).

In the case of business-to-consumer companies, the company must comply with European consumer law standards and place on its website, for the benefit of its customers, clear and unambiguous information on all product characteristics, including the product’s legal and commercial guarantees.

4. What are the relevant parties that an online business can expect to contract with?

Standard contracts which an online business can expect to be a party to include:

  • Web hosting and bandwidth agreements.
  • Website design agreements.
  • Employment or outsourcing contracts.
  • Non-disclosure agreements.
  • Customer contracts, which are normally done by posting terms and conditions on the website, which should be accepted by the customers.

In addition, digital merchants would normally have agreements with payment providers, to offer a variety of payment methods to their customers.

5. What are the procedures for developing and distributing an app?

When developing an app, developers must primarily consider the terms of use, policies and agreements which will be applicable to them according to the app market place (that is, Google Play, or iTunes App Store) in which they plan to publish their app and comply with them. In addition, depending on the nature of the app, developers must pay attention to potential additional restrictions or rules applicable in the jurisdictions they plan to accept customers from, such as rules regulating gaming and gambling, currency restrictions, as well as tax and customs rules.

Running a business online

Electronic contracts
6. Is it possible to form a contract electronically? If so, what are the requirements for electronic contract formation?

A contract can be formed electronically. Any offer, acceptance of an offer and any related communication, including any subsequent amendment, cancellation or revocation of the offer and the acceptance of the contract may, unless otherwise agreed by the parties to the contract, be communicated electronically (Article 9(2), Electronic Commerce Act).

Unless agreed otherwise in business-to-business contracts, where the recipient of the service places his order through technological means, an electronic contract is concluded when, after the order is placed, the recipient of the service receives from the service provider acknowledgement of the receipt of the order (Article 10, Electronic Commerce Act). The Act also provides that the order and acknowledgement of receipt are deemed to have been received when the parties to whom they are addressed are able to access them. Article 10 does not apply to contracts concluded exclusively by electronic mail or by equivalent individual communications.

In distance or off-premises contracts, consumers have 14 days to withdraw from the contract without the need to give a reason (Consumer Rights Regulation (S.L. 378.17, which implements Directive 2011/83/EU on consumer rights (Consumer Rights Directive)). There however are some exceptions to consumers’ general right to withdraw from such contracts (Regulation 18, Consumer Rights Regulation):

  • Service contracts, after the service has already performed, if the performance has begun with the consumer’s prior express consent.
  • The supply of goods which are liable to deteriorate or expire rapidly.
  • Where goods are made to the specifications of the consumer or where these are clearly personalised.

A similar cooling-off period of 14 days also applies to distance contracts concerning financial services consumers under the Distance Selling (Retail Financial Services) Regulations (S.L. 330.07), which is extended to 30 calendar days where the distance contract relates to long-term business contracts of insurance and to personal pension arrangements.

7. What laws govern contracting on the internet?

Apart from the provisions relating to general contract law in the Civil Code, contracting on the internet is governed in all its forms by the Electronic Commerce Act. Although no formal distinction is made in Maltese law between business-to-consumer and business-to-business contracts, certain legislative provisions apply to only one of the two categories of contracts:

  • Consumer protection legislation applies only to business-to-consumer contracts.
  • The Electronic Commerce Act establishes a number of exceptions in respect of “parties who are not consumers”.
  • The special jurisdictional rules under Regulation (EC) 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Regulation) establish specific rules to protect the consumer as the party deemed to be weaker and less experienced in legal matters.
  • The consumer generally has the right to sue the seller established in another member state in the place where the consumer resides.
  • In choice of law, the rules of the country where the consumer is habitually resident cannot be derogated from by agreement, provided that the professional directs his activities to or pursues commercial or professional activities in the country of the consumer (Regulation (EC) 593/2008 on the law applicable to contractual obligations (Rome I)) (see Question 27).
8. Are there any limitations in relation to electronic contracts?

The Electronic Commerce Act does not apply to:

  • Wills.
  • Trusts.
  • Powers of attorney.
  • Rights over immovable property other than leases.
  • Provisions regarding the law of persons.
  • Affidavits and solemn declarations.

All standard contract law limitations emerging under the Civil Code and other pieces of legislation that regulate contract formation will generally also be applicable to electronic contracts.

9. Are there any data retention requirements in relation to the formation of electronic contracts?

There are no specific data retention requirements in relation to the formation of electronic contracts. Nevertheless, parties are strongly advised to keep organised records to ensure clarity in the event of a dispute, which under the standard rules of limitation in Malta’s Civil Code, can be brought within a period of five years from the harmful event that is the subject of the dispute.

Moreover, companies generally must keep documents and contracts relating to their business for ten years for accounting purposes.

10. Are there any trusted site accreditations available?

A government scheme set up in 2008 in association with Malta’s Chamber of Commerce introduced a EURO-Label certification mechanism, under which a Euro-Label Trustmark is awarded to online businesses that meet European standards of quality and security once the trader has implemented the European Code of Conduct for retail transactions.

The Malta Communications Authority (MCA) operates an electronic shopping trust-mark for consumers and retailers labelled as the “eShop” scheme. This trust-mark is awarded to retailers are verified by the MCA as having implemented the eShop Code of Conduct, embodying certain rules and standards that are designed to reassure consumers that they will receive reliable and trustworthy services from the e-retailer.

A Trusted List Scheme is also maintained by the MCA for the accreditation of electronic signature certification service providers.

11. What remedies are available for breach of an electronic contract?

There are no specific remedies available to the parties to an electronic contract. Unless the terms of the electronic contract provide otherwise, a contract can generally be enforced in the same manner as standard contracts under the general civil law rules in Malta. Enforcing a breach in a cross-border contract will also be subject to the relevant private international law rules, depending on whether the contract itself is between business-to-business or business-to-consumer parties (see Question 7).


12. Does the law recognise e-signatures?
Applicable legislation

The Electronic Commerce Act is the applicable law.

Definition of e-signatures

The Electronic Commerce Act defines the term “electronic signature” as data in electronic form which is attached to, incorporated in or logically associated with other electronic data, and which serves as a method of authentication.

The Act also defines “advanced electronic signatures” as an electronic signature which is:

  • Uniquely linked to the signatory.
  • Capable of identifying the signatory.
  • Created using means that the signatory can maintain under his sole control.
  • Linked to the data to which it relates in such a manner that any subsequent change of data is detectable.
Format of e-signatures

The Electronic Commerce Act establishes that providing an electronic signature suffices to satisfy a requirement of providing a signature under Maltese law.

13. Are there any limitations on the use of e-signatures?

Limitations on the use of e-signatures under Maltese law are substantially the same as the limitations on the formation of electronic contracts (see Question 8). The Electronic Commerce Act provides rules against the misuse of e-signatures, particularly by forbidding:

  • Accessing, copying or obtaining in any other manner the signature creation device pertaining to another person for the purposes of creating an unauthorised e-signature.
  • Any other fraudulent or unlawful alteration or creation of e-signatures.

Implications of running a business online

Cyber security/privacy protection/data protection
14. Are there any laws that regulate the collection or use of personal data? To whom do the data protection laws apply?

The legislative framework regulating the collection or use of personal data and of sensitive personal data can be found under the Data Protection Act and the subsidiary legislation enacted under it, primarily the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 440.01).

These rules apply to all data controllers (that is, entities that decide on the purpose of processing), with the following exemptions:

  • Personal data processing undertaken by a natural person in the course of a purely personal activity.
  • Processing operations concerning public security, defence, and state security (which includes economic well-being of the state when the processing operation relates to security matters).
  • Activities of the state in areas of criminal law.
15. What data is regulated?

The Data Protection Act covers the processing of personal data, including sensitive personal data. The Act defines personal data as any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to:

  • An identification number.
  • One or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Sensitive personal data is defined as personal data that reveals:

  • Race or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Membership of a trade union.
  • Health or sex life.

However, although in most cases only data relating to physical persons is considered as “personal data” regulated under the Data Protection Act, in some instances even data relating to corporate entities is also covered, for instance, in case of privacy rules applicable to telecommunications.

The Data Protection Act provides for certain principles of data protection concerning the processing of personal data, including the requirement to provide the person with certain information, the right that person has to access his personal data and the maintenance by the Data Protection Commissioner of a register of processing operations. There are certain situations in which they do not apply (see Question 20).

16. Are there any limitations on collecting personal data? Are there any specific limitations on storage of personal data in the cloud?
Limitations on collecting and processing personal data

The current legal framework protects data subjects by setting limits on the manner in which data controllers may collect and process personal data. Data controllers must collect personal data fairly and lawfully for specified, explicit and legitimate purposes, and the data must not be processed in a way that is incompatible with these purposes. No more personal data may be processed than is necessary, and it should not be kept longer than as required for the purpose of processing.

Storage of personal data in the cloud

There are no limitations under Maltese law that are specific to the storage of personal data in the cloud. Cloud data service providers must comply with the generally recognised cybersecurity obligations of data privacy, data ownership, and data security. In addition, rules apply when personal data is transferred to cloud computing service providers located within or outside the EU:

  • Within the EU. The place of establishment of a cloud computing service provider, if located within the EU, will trigger the application of EU data protection principles, regardless of the location of the data centres themselves. If the controller is established in more than one member state, processing the data as part of its activities in these countries, the applicable law is that of each of the member states in which this processing occurs.
  • In a third country. The transfer of personal data originating in an EU member state to third countries is regulated by the Third Country (Data Protection Act) Regulations (S.L. 440.03), which implements the terms of Article 25 of Directive 95/46/EC on data protection (Data Protection Directive). Under these rules, the transfer of data to a third country may be carried out only if the third country in question ensures an adequate level of protection to personal data that the cloud computing service provider stores in centres located outside the EEA.
17. Is the use of cookies allowed? If so, what conditions apply to their use that impact system design?

The Processing of Personal Data (Electronic Communications Sector) Regulations implements the amended Directive 2009/136/EC on consumer protection and users’ rights in relation to the processing of personal data and the protection of privacy in electronic communications (Citizens’ Rights Directive). The use of cookies by an online business must comply with the rule in these regulations that allows a provider to store or gain access to information stored in the user’s terminal equipment only once the user has opted-in to this and having been provided with clear and comprehensive information as to what data is being collected and the purpose of the collection. This rule does not apply where the storage or access to data is carried out:

  • For the sole purpose of fulfilling or facilitating the transmission of a communication over an electronic communications network.
  • As may be strictly necessary for the service provider to provide an information society service explicitly requested by the user.

Due to the controversy surrounding Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive), the Article 29 Data Protection Working Party was established to develop guidelines for owners of personally identifiable information (PII) in relation to the use of cookies. The guidelines establish that owners of PII who operate a website should ensure that consent is obtained before the use of cookies and that such consent should be specific, unambiguous and freely given. The Office of the Commissioner in Malta has adopted the guidelines issued by the working party, which means that any owner of PII in Malta must ensure that these requirements are followed when using cookies.

18. What measures must be taken by companies or the internet providers to guarantee the security of internet transactions?

While no general obligations exist concerning the security of internet transactions, there are several laws that require certain providers to be involved in various steps of an internet transaction to keep adequate security. This requirement, for instance, applies to providers of electronic communications and services (as far as security and integrity of networks are concerned) (Electronic Communications Networks and Services (General) Regulations 2011).

All signature certification service providers (defined as persons who issue certificates or provide other services related to electronic signatures) must, among others (Electronic Commerce Act):

  • Use trustworthy systems and products which are protected against modification.
  • Ensure the technical and cryptographic security of the processes supported by them and take measures against forgery of certificates.
  • In cases where the signature certification service provider generates signature-creation data, guarantee confidentiality during the process of generating that data.

Signature certification service providers must also use trustworthy systems to store certificates in a verifiable form, so that:

  • Only authorised persons can make entries and changes.
  • Information can be checked for authenticity.
  • Certificates are publicly available for retrieval in only those cases for which the certificate-holder’s consent has been obtained.
  • Any technical changes compromising these security requirements are apparent to the operator.

Further, under the provisions of the Data Protection Act and associated subsidiary legislation, all data controllers (that is, persons responsible for processing personal data) must ensure adequate security of data processing.

19. Is the use of encryption required or prohibited in any circumstances?

There are currently no regulations requiring or prohibiting the use of encryption.

20. Can government bodies access or compel disclosure of personal data in certain circumstances?

The data protection principles do not apply when a law specifically provides that data processing is a necessary measure in the interests of:

  • National security, defence or public security.
  • Prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for regulated professions.
  • Important economic or financial interests, including monetary, budgetary and taxation matters.
  • Monitoring, inspection or regulatory functions connected, even tangentially, with the exercise of official authority.
  • Information that is prejudicial to the protection of the individual or of the rights and freedoms of others.

Further to this, sectoral legislation exists which allows the interception or interference of any form of communication made pursuant to a warrant issued by the Minister on an application made by the national Security Service. Such warrants may be issued wherever (Security Service Act (Chapter 391 of the Laws of Malta):

  • The data that can be collected in this manner is likely to be of substantial value to the Security Service and cannot reasonably be collected by any other means.
  • Sufficient arrangements are in force to ensure that the information collected will be subject to the requisite information security arrangements.

In addition, the Data Protection (Processing of Personal Data in the Police Sector) Regulations (S.L. 440.05) ensure a high level of data protection in the Police Sector, implementing Recommendation No. R (87) 15 of the Council of Europe. Furthermore, the Processing of Personal Data (Police and Judicial Cooperation in Criminal Matters) Regulations (S.L. 440.06) provide rules for the safeguarding of the individual’s fundamental right to privacy where personal data has been transmitted or made available to competent authorities in other member states, or with other judicial bodies.

21. Are there any regulations in relation to electronic payments?

Electronic payment services are regulated under Maltese law in line with the EU payment legislative package, and payment services providers are regulated by the provisions of the Financial Institutions Act (Chapter 376 of the Laws of Malta), transposing Directive 2007/64/EC on payment services in the internal market (Payment Services Directive). As is the case with all other financial institutions operating in or from Malta, electronic payment services providers are licensed and supervised by the Malta Financial Services Authority (MFSA).

While no general obligations exist concerning the security of internet transactions as such, there are several laws that require certain providers involved in various steps of an internet transaction to keep adequate secu­rity. This requirement, for instance, applies to providers of electronic com­munications and services (as far as security and integrity of networks are concerned), under the Electronic Communications Networks and Services (General) Regulations 2011.

Transactions carried out through electronic payments systems will, in the same manner as other “relevant financial activity” under applicable money laundering regulations, be subject to ongoing monitoring, compliance and suspicious activity reporting to the Financial Intelligence Analysis Unit (FIAU). Anti-money laundering rules require that records of transactional activity be retained for at least five years from the date of completion of the activity.

Automated processing of personal data collected in the course of electronic payments activity is also subject to the data protection rules (see Questions 14 and 15). The individual about whom such personal data is kept may, at any time, make a request for:

  • Written information as to whether personal data concerning him is processed.
  • The immediate rectification, blocking, or erasure of such personal data which has not been processed according to law.


22. Are there any limitations on linking to a third party website and other practices such as framing, caching, spidering and the use of metatags?

Rules relating to linking to third party content may have copyright law implications, as well as implications depending on the terms and conditions stipulated by the owners of third-party websites regarding the use of the material hosted on their websites. If any such owner expressly stipulates that the use of links to his own website requires prior authorisation, then the absence of such permission could constitute a breach of contract tacitly entered into by the linking party on accessing the website. Maltese law does not, however, legislate explicitly on the use of internet links or of practices such as framing, caching, spidering or metatags.

Domain names

23. What regulations are there in relation to licensing of domain names?

The Malta Internet Foundation (NIC (Malta)) is responsible for the “.mt” country code top-level domain. All domain names ending with “.mt” must therefore be registered with NIC (Malta). Terms and conditions apply to obtaining and using a domain name. While it is possible for anyone to obtain an “.mt” domain name, NIC (Malta) reserves the right to refuse to register a domain name, and may for good cause, and in any event on any breach by the holder of the terms and conditions, immediately revoke the domain name from registration. There is no requirement for the holder of an “.mt” top-level domain to be established in Malta.

24. Do domain names confer any additional rights (in relation to trade marks or passing off) beyond the rights that are vested in domain names?

The mere possession or use of a domain name does not, in and of itself, confer additional rights beyond those that naturally vest in the domain name. Where, the domain name itself constitutes or reflects a trade mark, trade name or other form of intellectual property, then the rights attaching to that intellectual property also apply in respect of the domain name. Registration of another person’s trade mark as a domain name is treated as trade mark infringement (cybersquatting).

The World Intellectual Property Organisation (WIPO)’s Uniform Domain Name Dispute Resolution Police (UDRP) provides holders of trade mark rights with an administrative mechanism to efficiently resolve disputes arising out of the pre-emptive bad faith registration and use by third parties of domain names that correspond to the complainant’s intellectual property rights. Malta’s country-code top-level domain (ccTLD) has not, as yet, adopted the UDRP Policy, and the authors are not aware of any plans to do so in the near future.

25. What restrictions apply to the selection of a business name, and what is the procedure for obtaining one?

The selection of a business name may be subject to different rules under Maltese law. A partnership, limited liability, public company or Societas Europeas may be registered by any name as long as it contains the relevant designation (for example, plc for public companies) (Companies Act (Chapter 386 of the Laws of Malta). The name, however:

  • Must not be the same as that of another commercial partnership or company or so similar as to, in the opinion of the Registrar of Companies, possibly create confusion.
  • May be refused registration if in the opinion of the Registrar it is offensive or otherwise undesirable, or has been reserved for registration by another commercial partnership.

There is a similar restriction on the choice of a business name, mark, or other distinctive device used in the course of business by any trader (Commercial Code (Chapter 13 of the Laws of Malta)). These must not be capable of creating confusion with any other such name, mark or distinctive device, regardless of whether or not this has been registered in terms of the Trade Marks Act (Chapter 416 of the Laws of Malta) (Article 32, Commercial Code).

Jurisdiction and governing law

26. What rules do the courts apply to determine the jurisdiction for internet transactions (or disputes)?

Under Maltese law, parties to a contract are free to choose the law and forum applicable to the contract, provided this does not derogate from certain mandatory rules.

Within the EU, the rules established in Regulation (EU) 1215/2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Recast Brussels Regulation) apply to disputes in civil and commercial matters, including disputes arising from e-commerce transactions. In an ordinary business-to-business transaction, the fundamental principle is that unless the parties agree differently, a claimant should institute an action at the forum of the defendant. In business-to-consumer contracts, however, the consumer, as the weaker party, can generally bring proceedings against the seller established in another member state either in the country where the consumer is resident, or in the courts of the member state where the other party is domiciled. The seller, on the other hand, can only bring proceedings against a consumer in the courts of the member state in which the consumer is domiciled.

For disputes involving parties not domiciled within the EU, national jurisdictional rules established in the Code of Organisation and Civil Procedure must be considered.

27. What rules do the courts apply to determine the governing law for internet transactions (or disputes)?

Transactions or disputes involving parties not domiciled in an EU member state will generally be governed by the law agreed on in the contract’s terms and conditions.

Where the parties to the contract have not chosen the governing law, the general rule under Rome I is that the law to be applied will be determined based on the country of residence of the principal actor carrying out the contract. However, for consumer contracts between consumers and professionals, the applicable law is that of the country of residence of the consumer, provided that this is also the country where the professional carries out his activities, or to which his activities are directed. The parties are free to apply another law, as long as it provides the same level of protection to the consumer as that of his country of residence.

28. Are there any ADR/ODR options available to online traders and their customers? What remedies are available from the ADR/ODR methods?
Malta arbitration Centre

The chief local body responsible for ADR/ODR is the Malta Arbitration Centre, which functions as a centre for domestic arbitration and international commercial arbitration.

Euro-Label Malta

Through the e-Certification scheme for online businesses operated by Euro-Label Malta (there are 13 businesses certified under the scheme), consumers transacting with its members can lodge complaints against a trader awarded with the Trustmark to its Complaints Committee, which is comprised of representatives of the Malta Communications Authority (MCA), the Ministry of Infrastructure, Transport and Communications, the Consumer and Competition Division as well as from the Malta Chamber of Commerce and Enterprise.


The MCA is also empowered under the Electronic Commerce (General) Regulations (S.L. 426.02) to hear disputes between consumers and online traders, once the consumer has already lodged a complaint with the trader him or herself and has failed to reach a satisfactory conclusion.

Malta Financial Services Authority (MFSA)

Financial services consumers may resort to the Consumer Complaints Manager established within the Malta Financial Services Authority to lodge complaints against financial services providers licensed or regulated by the MFSA.

Directive 2013/11/EU

Directive 2013/11/EU on alternative dispute resolution for consumer disputes is expected to be implemented into Maltese legislation through new Consumer Alternative Dispute Resolution (General) Regulations 2015, under the Consumer Affairs Act, in the coming weeks. Malta’s obligations under this legislation include ensuring that ADR is available for all disputes concerning contractual obligations between traders and consumers (as ADR is widely acknowledged as a cheaper and quicker alternative to court litigation), where a consumer was not able to directly resolve his complaint with the trader, whether this trader is established in Malta or in another EU member state. The Complaints and Conciliation Directorate of the Office for Consumer Affairs within the Malta Competition and Consumer Affairs Authority (MCCAA) already offers a similar service, and it is proposed under the draft legal notice that this entity assumes the responsibilities of providing ADR as a residual means of recourse for complainants. Other ADR providers can also be set up, as long as they fulfil the requirements of the Directive, and are certified and monitored by a competent authority (currently proposed to be the Consumer Affairs Council).


29. What are the relevant rules on advertising goods/services online/via social media?

Maltese law does not specifically regulate advertising on the internet or via social media. However, several legislative instruments apply to advertising generally, including advertising on the internet.

Advertisement of goods and services must be in line with European consumer protection directives which have been implemented into Maltese legislation in recent years under the Consumer Affairs Act. Among these is Directive 2006/114/EC concerning misleading and comparative advertising, which protects consumers against misleading advertising and treats this as an unfair commercial practice, while comparative advertising is only permitted to the extent that it is not misleading.

30. Are there any types of services or products that are specifically regulated when advertised/sold online (for example, financial services or medications)?
Financial services

Specific rules apply to the sale of financial services online under the Distance Selling (Retail Financial Services) Regulations. These regulations establish, among others:

  • Information that must be provided to consumers.
  • A right of withdrawal.
  • A requirement for contractual terms to be provided by the supplier to the consumer in writing or another durable medium.
  • Out-of-court dispute settlement procedures.

Advertising restrictions contained in the Tobacco (Smoking Control) Act (Chapter 315 of the Laws of Malta) are expressly stated to also apply to advertising on the internet.

Online gambling

The Remote Gaming Regulations also establish restrictions on the advertising of online gambling services. These restrictions are supplemented by a directive issued by the Broadcasting Authority.

31. Are there any rules or limitations in relation to text messages/spam emails?

Since October 2003, the E-Privacy Directive has rendered unsolicited e-mails, including SMSs, illegal across member states. Under this directive, unsolicited e-mails can only be sent to individuals for direct marketing purposes and either with their prior consent or where there is an existing customer relationship. This rule has also been implemented into Malta by Article 9 of the Processing of Personal Data (Electronic Communications Sector) Regulations (S.L. 440.01).

32. Are there any language requirements in your jurisdiction for a website that targets your particular jurisdiction or whose target market includes your jurisdiction?

The Maltese Language Act (Chapter 470 of the Laws of Malta) encourages the widest possible use of the Maltese language throughout all forms of broadcasting and the media, including websites targeting the local market. However, this is not a mandatory requirement and website providers are free to offer content in any language of their choice.


33. Are sales concluded online subject to taxation?
Income tax

Income tax is payable on the supply of goods or services, irrespective of the medium through which that supply is made. Income is subject to tax in Malta at progressive rates in the case of individual suppliers, or at the standard corporate tax rate of 35% in the case of a company. Where the company acts as a supplier, the shareholders of the company may, on receiving a dividend from the company and under certain condi­tions, claim a refund of the Malta tax paid by the company.


The supply of online goods would generally be subject to VAT in Malta if the:

  • Supply is a domestic supply.
  • Goods are transported by the supplier from Malta or made available for the customer in Malta.

Different treatment applies depending on whether the cus­tomer is a business and is receiving the goods in another member state. The rate of VAT in Malta is 18%. As of 1 January 2015, Malta adopted the new EU VAT regime, which affects which country’s VAT rate will apply (see Question 34).

Tax credits

Any small or medium-sized enterprise carrying on a trade, business, profession or vocation, can apply for a tax credit where it enters into or intends to enter into a project to acquire tangible and intangible assets which (Tax Credit (Electronic Commerce) Rules (Subsidiary Legislation 123.85)):

  • Consist of computer hardware or software or website development services.
  • Are for or in connection with the development of e-commerce systems that enable the sale of tangible goods or services through business transactions processed over a publicly accessible electronic network.

The grant of such a tax credit depends on whether the enterprise meets the requirements set out in the rules and on the Malta Enterprise Corporation’s approval.

34. Where and when must online companies register for VAT and other taxes? Which country’s VAT rate will apply?
Registration and payment

The VAT Act requires a supplier to register with the Director General Tax within 30 days from the date on which the goods or services are supplied. Companies may also have an obligation to register for VAT in Malta if VAT is due in Malta in terms of the Place of Supply Rules via the reverse charge mechanism. In domestic internet sales, the supplier should add Maltese VAT (18%) to its invoices and pass this collected VAT to the VAT Department in Malta by submitting VAT returns, normally every three months.

Place of supply

As of 1 January 2015, Malta adopted the new EU VAT regime concerning business-to-customer and business-to-business supply of electronically supplied services. In both cases, the place of supply rules are now the rules of the place where the customer is established, has his permanent address, or usually resides. The place of supply of electronically supplied services, such as downloadable software, books and games, has shifted to the country of consumption, and is regulated by the VAT rules of the member state of consumption. A digital business established in Malta no longer considers its services as exempt without credit in terms of the Maltese VAT Act on services provided to parties located within the EU, but must apply the VAT rates or exemptions applicable in the member state of consumption. No VAT is charged on sales to consumers or business customers resident outside of the EU.

Protecting an online business

Liability for content online
35. What laws govern liability for website content?

The relevant laws depend on whether the website pro­vider is merely hosting the information containing such mistakes, or whether it is also responsible for the content of such information. In the lat­ter case, it is considered that the rules relating to press offences, which are applicable to pub­lishers under the Press Act (Chapter 248 of the Laws of Malta) will apply. Potential liability may result in case of defamation or where a mistake or negligence causes damage or other harm to public order or public peace. Generally, online publishers are advised to have terms and conditions limiting their liability for any errors in information published on their website.

A website content provider may also be liable to trade mark rights-holders under the respective laws governing the trade mark registration where any content is in breach of the specific protection afforded to the trade mark.

36. What legal information must a website operator provide?

Typically, a website operator must provide minimum information relating to:

  • The name of the service provider, as this might differ from the trading name employed.
  • An e-mail address.
  • A geographic address or registered office if the business is a company.
  • The operator’s VAT number, if any.

Registration or regulation under other laws, for instance a remote gaming licence granted by the Malta Gaming Authority (MGA) under the Remote Gaming Regulations (S.L. 438.04), will require the licensee to state information relating to the licence.

37. Who is liable for the content a website displays (including mistakes)?

General criminal laws apply to internet content, for example:

  • Dissemination of material contrary to public morals is prohibited gener­ally, including the internet.
  • The acquiring, keeping, putting into circulation or exporting of pornography is prohibited, even if this is done for purposes of distribution, including arguably through the internet (Article 208, Criminal Code).
  • Prohibition of defamatory material. Defamation is an offence and a person found guilty may on conviction be subject to punishment, including if the defamatory act is carried out over the internet.
38. Can an internet service provider (ISP) shut down a website, remove content, or disable linking due to the website’s content and without permission?

The position is currently unclear. The Maltese Electronic Commerce Act transposed the ambiguous “hosting” safe harbour provision of the Electronic Commerce Directive almost verbatim, and therefore whether the ISP can do this depends on the meaning attributed to “knowledge” and “awareness” under Article 14 of the Electronic Commerce Act. The courts have not, so far, pronounced on this issue. In practice, many intermediary service providers based in Malta remove contested material hosted on a web page on complaint and without court authorisation, and this practice has not as yet been challenged by the authorities or in front of the courts.


39. How should an online business be insured?

Online businesses should take into particular consideration their own specific needs and operations when thinking about insuring their activities; there is no one specific insurance formula that will cater for all entities. An ICT business, for instance, is highly recommended to seek insurance cover for:

  • Sudden and unforeseen physical loss or damage to electronic equipment.
  • Loss of data.
  • Losses resulting from total or partial interruptions in the operation of electronic equipment or of network connectivity.

Other aspects for which any business should consider seeking insurance cover include property insurance for any loss affecting any premises or offices and for liability arising in connection with the employment of its employees.


40. Are there any proposals to reform digital business law in your jurisdiction?

A current proposal that will have some impact on digital business concerns a bill providing for an Act to set up an Arbiter for Financial Services. Should this bill achieve the requisite parliamentary consent, this Act will provide for the setting up of a new ADR mechanism to resolve complaints filed by eligible financial services customers. This bill is currently at the Committee Stage of the Maltese legislative process, during which each clause of the bill is examined separately and in detail prior to moving on to the Third Reading. It is expected that the bill will be put on the Parliamentary agenda in its final legislative stages after Parliament reconvenes after its summer recess in Autumn/Winter 2015.

Online resources

Laws of Malta

W www.justiceservices.gov.mt/LOM.aspx?pageid=27&mode=chrono

Description. All of Malta’s primary laws and subsidiary legislation can be accessed at this site, administered by the Ministry for Justice, Culture and Local Government, in both Maltese and English versions. Unless stated otherwise, the Maltese version of the law is binding over the English text.