Olga Finkel has written the Malta chapter for the e-Commerce 2016 issue of Getting The Deal Through.  The chapter addresses the legal and regulatory issues within the electronic industry in Malta.


1    How can the government’s attitude and approach to internet issues best be described?

As a member state of the European Union, Malta has generally adopted legislation that aims to be technology-neutral, compliant with EU legislation, harmonised with other member states’ regimes and that, more broadly, is intended to attract business and investment and foster competition in the market. Moreover, the government leads the e-government initiative, making an ever-growing government service accessible to its citizens via electronic channels, including by means of electronic ID available to every adult citizen. The current government is continuing the work previously done in this sphere to promote e-commerce, digital services and investment in ICTs.


2    What legislation governs business on the internet?

Unless a specific legislative instrument excludes the use of the internet or amends general provisions to address specific issues associated with the use of the internet, general legislation applies to transactions equally, regardless of the channel used. Thus, legislation dealing with general consumer protection and unfair consumer terms (the Consumer Affairs Act), data protection matters (Data Protection Act), general direct and indirect taxation rules, defamation and generally criminal laws apply.

In addition, there are several specific primary and subsidiary legislative instruments dealing with e-commerce, including:

  • the Electronic Commerce Act (the E-Commerce Act) dealing with validity of electronic evidence, electronic contracts, liability of information society service providers and electronic signatures;
  • the Electronic Commerce (General) Regulations, which, together with the E-Commerce Act, implemented the EU Electronic Commerce Directive and the Electronic Signatures Directive;
  • the Electronic Communications Networks and Services (General) Regulations 2011, which, among other things, addresses data-
    protection issues arising out of the use of electronic communications networks and services;
  • the Tax Credit (Electronic Commerce) Rules, granting tax credits in certain circumstances for qualifying expenditures relating to the development of e‑commerce systems;
  • the Distance Selling (Retail Financial Services) Regulations; addressing specific issues of distance selling of financial services;
  • the Remote Gaming Regulations dealing with the provision of gambling services over the internet;
  • the Criminal Code and in particular the sections dealing with computer misuse and related offences;
  • the Public Procurement Regulations where public procurement by electronic means is involved; and
  • the Copyright Act implementing EU law on copyright and digital rights.


Regulatory bodies

3    Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?

The Malta Communications Authority (the MCA) is designated the competent authority under both the E-Commerce Act and the Electronic Commerce (General) Regulations. Moreover, electronic communications networks and services also fall under the authority of the MCA, thereby granting it the responsibility to monitor the competitiveness of the market and regulate, where appropriate, internet access tariffs and charges in accordance with the requirements of the EU electronic communications regulatory framework as transposed in Malta by the Electronic Communications Regulation Act and subsidiary legislation.

The Malta Competition and Consumer Affairs Authority (the MCCAA) also plays an important role with respect to consumer protection in the electronic communications sector.

The Information and Data Protection Commissioner provides regulatory oversight with respect to data protection and privacy.

Finally, the Malta Information Technology Agency is the entity responsible for the Maltese government’s e-services.


4    What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions (or disputes) in cases where the defendant is resident or provides goods or services from outside the jurisdiction?

The rules relevant for the determination of jurisdiction for internet-related transactions or disputes mainly emanate from private international law, and particularly from the Brussels I and Rome II Regulations, although national jurisdictional rules established in the Code of Organisation and Civil Procedure (COCP, Chapter 12) must also be considered, in particular with regard to disputes involving a party not domiciled within the European Union.

Under Maltese law the parties to a contract are free to choose the law and forum applicable to the contract, provided this does not circumvent the mandatory rules that cannot be derogated from.

Within the EU, the rules established in Regulation 44/2001/EC (Brussels I Regulation) apply to disputes in civil and commercial matters, including disputes arising from e-commerce transactions. In case of a generic business-to-business transaction, the fundamental principle is that, unless the parties agreed differently, a plaintiff should follow the defendant and institute an action at the forum of the defendant. In case of business-to-consumer contracts, however, the consumer generally has the right to sue the seller established in another member state in the country where the consumer is resident.

Transactions or disputes involving parties not domiciled in a member state of the EU are generally governed by the law provided in the relevant terms and conditions.

With respect to non-contractual obligations and disputes arising in civil and commercial matters, the main rule under the Regulation 864/2007/EC (Rome II Regulation) is that jurisdiction will be founded where the damage occurs or is likely to occur. One should note, however, that this does not apply to, inter alia, non-contractual obligations arising out of violations of privacy and rights relating to personality, including defamation. In these cases, national jurisdictional rules apply.

While the principal rules are established as stated above, in reality it is important to analyse the facts of the case in order to establish the correct rules of jurisdiction.

Contracting on the internet

5    Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?

The E-Commerce Act clearly allows contracts to be formed and concluded electronically. Article 9(2) of the Act establishes that any offer, acceptance of an offer and any related communication, including any subsequent amendment, cancellation or revocation of the offer and the acceptance of the contract may, unless otherwise agreed by the parties to the contract, be communicated electronically.

Article 10 then establishes that unless otherwise agreed by the parties who are not consumers, where the recipient of the service places his order through technological means, an electronic contract is concluded when, after the order is placed, the recipient of the service receives from the service provider acknowledgement of the receipt of the order. The Act therefore clearly establishes the moment in which the contract is deemed to be concluded to prevent disputes, particularly as it propounds that the order made by the recipient and the acknowledgement of receipt are deemed to have been received when the parties to whom they are addressed are able to access them. It is important to note, however, that the contract is not considered to have been concluded as aforesaid with respect to contracts concluded exclusively by electronic mail or by equivalent individual communications.

‘Click wrap’ contracts are generally enforceable under Maltese law, provided the electronic contract provides the recipient of the service with all of the information required by law, and provided also that the service provider acknowledges receipt of the order.

Finally, one must also consider that consumer protection legislation, such as the Consumer Affairs Act and the Distance Selling Regulations also apply to electronic contracts. The requirements established in these instruments must therefore also be adhered to.

6    Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?

Apart from the provisions relating to general contract law in the Civil Code, contracting on the internet is governed by the E-Commerce Act mentioned above. While no general formal distinction between business-to-consumer and business-to-business contracts is set out under Maltese law, certain legislative provisions apply to only one of the two categories of contracts. For instance, the consumer protection legislation applies only to business-to-consumer contracts, while the E-Commerce Act establishes a number of exceptions in respect of ‘parties who are not consumers’. In certain cases, therefore, business-to-business contracts may be approached differently from business-to-consumer contracts.

7    How does the law recognise or define digital or e-signatures?

The E-Commerce Act defines the term ‘electronic signature’ as data in electronic form which are attached to, incorporated in or logically associated with other electronic data and which serve as a method of authentication. The Act also defines advanced electronic signatures as electronic signatures which are uniquely linked to the signatory, are capable of identifying the signatory, are created using means that the signatory can maintain under his or her sole control and are linked to the data to which they relate in such a manner that any subsequent change of data is detectable.

Among other things, the Act establishes that the provision of an electronic signature suffices to satisfy the requirement of providing a signature under Maltese law.

8    Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?

There are no general data retention or software legacy requirements in relation to the formation of electronic contracts. Nevertheless, parties are strongly advised to keep organised records to ensure clarity in the event of a dispute. In general, companies are required to keep documents and contracts pertaining to their business for 10 years for accounting and verification purposes.


9    What measures must be taken by companies or ISPs to guarantee the security of internet transactions?

While no general obligations exist with respect to the security of internet transactions as such, there are several laws that require certain providers involved in various steps of an internet transaction to keep adequate security. This requirement, for instance, applies to providers of electronic communications and services (as far as security and integrity of networks are concerned, as required under the Electronic Communications Networks and Services (General) Regulations 2011.

Moreover, under the E-Commerce Act, all signature certification service providers (defined as persons who issue certificates or provide other services related to electronic signatures) must, inter alia, use trustworthy systems and products that are protected against modification, ensure the technical and cryptographic security of the processes supported by them and take measures against forgery of certificates, and, in cases where the signature certification service provider generates signature-creation data, guarantee confidentiality during the process of generating such data. Signature certification service providers are also required to use
trustworthy systems to store certificates in a verifiable form such that only authorised persons can make entries and changes, information can be checked for authenticity, certificates are publicly available for retrieval in only those cases for which the certificate holder’s consent has been obtained and any technical changes compromising these security requirements are apparent to the operator.

Furthermore, under the provisions of the Data Protection Act and associated subsidiary legislation, all data controllers (persons responsible for processing personal data) must ensure adequate security of data processing.

10   As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?

Under article 355Q of the Criminal Code, the executive police may, in addition to seizing a computer, require any information that is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible. It therefore follows that they may either require private keys or the encrypted information itself to be made available.

The E-Commerce Act provides for certification authorities via the term ‘signature certification service providers’. Signature certification service providers are defined as persons who issue certificates or provide other services related to electronic signatures. The Act establishes a number of requirements that must be adhered to by such providers when issuing certificates, such as demonstrating the reliability necessary for providing signature certification services and ensuring the operation of a prompt and secure directory and a secure and immediate revocation service. With regard to liability, the Act establishes, inter alia, that signature certification service providers who issue a certificate to the public or who guarantee such certificate shall be liable for any damage caused to any person who reasonably relies on such certificate. Moreover, providers are required to maintain sufficient financial resources to operate in conformity with the requirements laid down in the Act and in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance.

The law also prohibits the unauthorised obtainment, use, creation or alteration of electronic signatures, such that doing so may result in a fine or imprisonment for a term not exceeding six months or both.

Domain names

11   What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?

The Malta Internet Foundation (NIC (Malta)) is responsible for the ‘.mt’ country code top-level domain. All domain names ending with ‘.mt’ must therefore be registered with NIC (Malta). Terms and conditions apply when obtaining and using a domain name. While it is possible for anyone to obtain a ‘.mt’ domain name, it must be noted that NIC (Malta) reserves the right to refuse to register a domain name, and may for good cause, and in any event upon any breach by the holder of the terms and conditions, immediately revoke the domain name from registration.

12   Do domain names confer any additional rights (for instance in relation to trademarks or passing off) beyond the rights that naturally vest in the domain name?

No. The mere possession or use of a domain name does not, in and of itself, confer additional rights beyond those that naturally vest in the domain name. Where, on the other hand, the domain name itself constitutes or reflects a trademark, trade name or other form of intellectual property, then the rights attaching to that intellectual property also apply in respect of the domain name.

13   Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?

In all likelihood, the ownership of a trademark will assist in challenging the registration of such a domain name. An action for trademark infringement under the relevant provisions of applicable legislation may be instituted where the domain name is used, without the consent of the proprietor, either in Malta (in the case of a national trademark), or within the EU (in the case of a Community Trade Mark). The approach to be taken depends on whether the person uses, in the course of trade, a sign that is identical or similar with the trademark in relation to goods or services that are identical or similar with those for which it is registered and may cause likelihood of confusion on the part of the public; or whether the mark has a reputation in Malta or the Community and the use of the domain takes unfair advantage of, or is detrimental to the distinctive character or the repute of the trademark.


14   What rules govern advertising on the internet?

Maltese law does not specifically regulate advertising on the internet. However, legislative instruments and restrictions affecting advertising may, in many cases, be deemed to apply to advertising on the internet. The restrictions contained in the Tobacco (Smoking Control) Act, may, for instance, be considered to apply to advertising on the internet, particularly as it is explicitly provided that ‘advertising that is not permitted in the press and other printed publications shall not be permitted in information society services’. The Remote Gaming Regulations also establish restrictions to the advertising of online gambling services. These restrictions are supplemented by a directive issued by the Broadcasting Authority.

15   Are there any products or services that may not be advertised or types of content that are not permitted on the internet?

The general rules apply to the internet content in this respect. For instance, dissemination of material contrary to public morals is prohibited generally, and therefore also on the internet. Article 208 of the Criminal Code prohibits the acquiring, keeping, putting into circulation or exporting of pornography, even if this is done for the sake of distribution. It may therefore be argued that Maltese criminal law prohibits those subject to Maltese jurisdiction from acquiring, possessing, circulating or exporting pornography in any manner, including via the internet. Malta is a party to relevant international treaties. Another example is defamatory material:
defamation is an offence, including if carried out over the internet.

Financial services

16   Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?

Yes. It is primarily controlled via the Distance Selling (Retail Financial Services) Regulations. These regulations, emanating from article 20B of the Malta Financial Services Authority Act, cement the Malta Financial Services Authority’s position as the competent authority in regard to financial services. The regulations establish, inter alia, information that must be provided to consumers, a right of withdrawal, a requirement for contractual terms to be provided by the supplier to the consumer in writing or another durable medium and out-of-court dispute settlement procedures.


17   Are ISPs liable for content displayed on their sites?

The E-Commerce Act grants protection from liability to intermediary service providers for information in respect of which they act as mere conduits, and for the provision of caching and hosting facilities. Information displayed on a website generally falls under the ‘hosting’ safe harbour provision found in article 21 of the E-Commerce Act, which provides protection from liability for damages resulting from the storage of information provided by and stored at the request of recipients of the service, as long as the provider does not have actual knowledge of the illegality of the activity, and is not aware of facts or circumstances from which illegal activity is apparent, or upon obtaining such knowledge or awareness, such provider acts expeditiously to remove or disable access to such information. The protection from liability does not apply when the recipient of the service, in providing or requesting the storage of information, is acting under the authority or control of the provider.

18   Can an ISP shut down a web page containing defamatory material without court authorisation?

The determination of this question largely depends on the meaning attributed to the terms ‘knowledge’ and ‘awareness’ under article 14 of the Maltese Electronic Commerce Act. Regrettably, the Act transposed the ‘hosting’ safe harbour provision almost verbatim, thereby carrying forward the ambiguity of the Electronic Commerce Directive in this regard. The absence of court pronouncements on the matter does not aid the situation. Practical experience shows that many intermediary service providers based in Malta do remove contested material hosted on a web page upon complaint and in the absence of court authorisation, and this practice has thus far not been challenged by the authorities or in front of the courts.

Intellectual property

19   Can a website owner link to third-party websites without permission?

This issue largely depends on the terms and conditions stipulated by the owners of third-party websites regarding the use of the material hosted on their websites. If any such owner expressly stipulates that the use of links to his or her own website requires prior authorisation, then the absence of such permission could constitute a breach of contract tacitly entered into by the ‘linking’ party upon accessing the website. Maltese law does not, however, legislate explicitly on the use of links on the internet and there is no distinction made between linking and deep-linking.

20   Can a website owner use third-party content on its website without permission from the third-party content provider?

Content hosted on websites may qualify for protection under copyright law. Article 7(1)(a) of the Maltese Copyright Act provides in this respect that the direct or indirect, temporary or permanent reproduction by any means and in any form, in whole or in part, of copyrighted work, is dependent on the copyright owner’s authorisation. To qualify for such protection, the work must be an artistic, audiovisual, literary or musical work or a database; it must have an original character; it must have been written down, recorded, fixed or otherwise reduced to material form; in the case of databases, these must, by reason of the selection or arrangement of their contents, constitute the author’s intellectual creation.

21   Can a website owner exploit the software used for a website by licensing the software to third parties?

The determination of this question depends largely on the ownership of the software being licensed to third parties. If the website owner is the software owner, then he or she may license the software to third parties in accordance with article 7 of the Maltese Copyright Act. The same does not hold for the website owner if he or she merely licenses software from a third party and the copyright belongs to that third party. In the latter case, the licensing of such software to third parties may be in violation of article 7(a), (b) and (c) of the Copyright Act.

22   Are any liabilities incurred by links to third-party websites?

Maltese law does not legislate expressly on the use of links on websites. In general, every person is liable for damage suffered by another person due to the first person’s fault, so civil liability will arise if the person claiming damages shows that the damages, which are real and quantified, have been suffered and that these damages have been caused by the defendant’s placing and maintaining links.

Data protection and privacy

23   How does the law in your jurisdiction define ‘personal data’?

The Maltese Data Protection Act defines personal data as any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. The Act also establishes a subcategory of personal data subject to more stringent regulation – sensitive personal data. In this regard, ‘sensitive personal data’ are defined as personal data that reveal race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life.

24   Does a website owner have to register with any regulator to process personal data? May a website provider sell personal data about website users to third parties?

The Maltese Data Protection Act defines ‘controller of personal data’ as a person who alone or jointly with others determines the purposes and means of the processing of personal data. Article 29 of the Act also provides that a controller of personal data must notify the information and data protection commissioner before carrying out any wholly or partially automated processing operation or set of such operations intended to serve a single purpose or several related purposes. Such notification must specify the name and address of the data controller and of any other person authorised by him or her in that behalf, the purpose of the processing, a description of the category of data subject and of the data or categories of data relating to them, the recipients or categories of recipient to whom the data might be disclosed, the proposed transfers of data to third countries, and a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken to ensure security of processing. Moreover, the controller must notify the commissioner of any changes affecting the information.

A website provider, as a controller of personal data pertaining to his or her website users, must ensure under article 7 of the Act that, inter alia, personal data are not processed for any purpose that is incompatible with that for which the information is collected. Thus if personal data are originally collected for a particular purpose not including sale of data, the provider cannot subsequently sell such personal data without the data subject’s consent.

25   If a website owner is intending to profile its customer base to target advertising on its website, is this regulated in your jurisdiction? In particular, is there an opt-out or opt-in approach to the use of cookies or similar technologies?

Generally, personal data may not be processed for purposes concerning direct marketing if the data subject gives notice to the controller of personal data that he or she opposes such processing. However, in relation to internet or electronic services, direct marketing (by means of e‑mail or SMS) and profiling may only be done with the explicit consent of the data subject (except for advertising of additional services offered by the provider itself to its current customers). In this regard, it must be noted that Regulation 9 of the Processing of Personal Data (Electronic Communications Sector) Regulations provides that publicly available electronic communications services cannot be used or allowed to be used to make unsolicited communications for the purpose of direct marketing.

The requirement for explicit consent for the use of cookies became enforceable under Maltese law by means of Legal Notice 239 of 2011. Maltese law therefore establishes an opt-in approach to the use of cookies, in line with EU law. The recitals of the relevant directive provide that users may give their consent by any appropriate method enabling a freely given, specific and informed indication of their wishes. Provided it is technically feasible and effective, in accordance with the relevant data protection legislation, consent could, for instance, be inferred from the user’s browser settings.

26   If an internet company’s server is located outside the jurisdiction, are any legal problems created when transferring and processing personal data?

Under the Data Protection Act such processing may generally only take place provided that the third country ensures an adequate level of protection. ‘Third country’ is defined as any country that at the relevant time is not a member state of the EU by the Third Country (Data Protection) Regulations (Subsidiary Legislation 440.03). This follows the reasoning that while the EU member states ensure a uniform level of protection resulting from the harmonisation of data protection legislation, third countries may not have an adequate level of protection. The adequacy of the level of protection ensured by third countries lies at the discretion of the information and data protection commissioner. Where the commissioner provides that a third country does not ensure an adequate level of protection, the transfer of personal data to such country is prohibited.

27   Does your jurisdiction have data breach notification laws?

No. There are, however, three qualifications to this statement. Article 3A of the Processing of Personal Data (Electronic Communications Sector) Regulations requires providers of publicly available electronic communications services to notify a personal data breach to the Information and Data Protection Commissioner, and, where the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, to inform them without undue delay.

Regulations 55 and 56 of the Electronic Communications Networks and Services (General) Regulations require undertakings providing network elements or services to inform the Malta Communications Authority, inter alia, of any significant risk of, or actual breach of the security or integrity of the services or network, or failure or serious degradation of international connectivity.

Finally, data controllers operating in certain sectors, such as in financial services, may be required by the relevant authority to disclose any personal data or security breach.

28   Does your jurisdiction recognise or regulate the ‘right to be forgotten’?

The Maltese Data Protection Act provides that personal data may not be kept for longer than is necessary, with regard to the purposes for which it is processed. However any obligations that exist under any other law with respect to data retention should be taken into consideration, in particular prescriptive periods for bringing up actions in a court of law. Thus, as long as there is a legal requirement that justifies the right to retain the data, the data controller would not be in breach of the data protection requirement.

29   Does your jurisdiction restrict the transfer of personal data outside your jurisdiction?

Transfer of personal data outside of Malta is only permitted if it is transferred to another EU state or if it is transferred to a third country and the Information and Data Protection Commissioner is satisfied that there is a sufficient and adequate level of protection of data in that third country. If, however, a data controller is in a position to provide sufficient safeguards to the satisfaction of the Commissioner, such as contractual provisions, the Commissioner may authorise a transfer of personal data to a third country that does not provide a sufficient level of protection.


30   Is the sale of online products subject to taxation?

Income generated through the supply of online products would be subject to tax in Malta at progressive rates in the case of individual suppliers and at the standard corporate tax rate of 35 per cent in the case of a company. In the case of a company acting as a supplier, the shareholders of the company may, upon receiving a dividend from the company and upon certain conditions, claim a refund generally of 6/7 of the Malta tax paid by the company, ie, the shareholder would receive 30 per cent back.

As far as VAT is concerned we would need to distinguish between the supply of goods and the supply of services. The standard rate of VAT in Malta is that of 18 per cent.

The supply of online goods would generally be subject to VAT in Malta if the supply is a domestic supply and if the goods are transported by the supplier from Malta or made available for the customer in Malta (transport organised by the customer). Different treatment would apply if the customer is a business and receiving the goods in another member state.

As of 1 January 2015, Malta adopted the new VAT regime with respect to B2C supply of electronically supplied services. In terms of this new regime the place of supply of electronically supplied services such as downloadable software or books and games are subject to VAT in the country of consumption. B2B supplies of electronically supplied services are also subject to VAT in the member state of consumption. No VAT would be due on electronically supplied services provided to customers outside the EU.

The Tax Credit (Electronic Commerce) Rules allow any small or medium-sized enterprise carrying on a trade, business, profession or vocation, which enters into or intends to enter into a project for the acquisition of tangible and intangible assets consisting of computer hardware or software or website development services for or in connection with the development of e-commerce systems that enable the sale of tangible goods or services through business transactions processed over publicly accessible electronic networks to apply for a tax credit in accordance with the rules. The granting of such a tax credit will depend on the enterprise’s adherence to the requirements set out in the rules and on the Malta Enterprise Corporation’s approval.

31   What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?

A company incorporated abroad may be subject to tax in Malta if it operates through a permanent establishment in Malta. Malta generally follows the principles and commentaries emanating from the OECD Model Tax Convention. A server may accordingly be considered to establish a permanent establishment in Malta if it meets the requirement of creating a fixed place of business from which the foreign company operates.

A Maltese company operating through servers located in another jurisdiction may likewise be subject to tax in that other jurisdiction, if the servers would be considered as creating a permanent establishment in that jurisdiction. The Maltese company would still be subject to tax in Malta on its worldwide income.

Naturally one would need to consider the applicable double tax treaty and the interpretation given in the particular jurisdiction. Tax relief in the country of residence may generally be granted in the terms of the double tax treaty applicable or other form of tax relief. Malta offers in addition to treaty relief additional forms of double tax relief, such as the flat rate foreign tax credit and unilateral relief.

32   When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?

The VAT Act requires a supplier to register with the Director General Tax within 30 days from the date on which the goods or services are supplied. Companies may also have an obligation to register for VAT in Malta if VAT is due in Malta in terms of the Place of Supply Rules via the reverse charge mechanism. In domestic internet sales, the supplier should add Maltese VAT (18 per cent) to its invoices and pass this collected VAT to the VAT Department in Malta by submitting VAT returns, normally every three months.

33   If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?

Generally, a claim for refund on VAT and any applicable duty may be granted if the product is re-exported. If the goods are returned to an outlet of the offshore company and a refund is paid to the customer, the local outlet would not be able to claim a VAT refund unless the product is exported.


34   Is it permissible to operate an online betting or gaming business from the jurisdiction?

Yes, provided the operator either obtains a licence from the Malta Gaming Authority in accordance with the provisions of the Remote Gaming Regulations, or is in possession of an equivalent authorisation by the government or competent authority of an EEA member state, or any other jurisdiction approved by the authority.

35   Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?

Yes, provided, once again, the operator either obtains a licence from the Malta Gaming Authority in accordance with the provisions of the Remote Gaming Regulations, or is in possession of an equivalent authorisation by the government or competent authority of an EEA member state, or any other jurisdiction approved by the authority.

The Remote Gaming Regulations establish a number of criteria that operators must satisfy to obtain a licence and provide lawful remote gaming services, including anti-money laundering, player protection and business integrity requirements. With respect to the protection of players, the regulations require a prospective player to register an account with a licensee, which must at least include the player’s identity, place of residence, functional e-mail address and that the player must be at least 18 years of age. Licensees are also required to verify the player’s identity, age and place of residence prior to making a payment to such player in excess of €2,329.37.


36   What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?

It is good practice to have explicit and precise provisions in an outsourcing agreement covering at least the following matters:

  • the scope of services to be provided;
  • the applicable service levels, such as time frames for fixing errors of different levels of urgency or criticality, uptime, response times for customer service;
  • the price and its inclusions and exclusions;
  • the responsibilities of the service provider and remedies (rebates, service credits, pre-liquidated damages) in case of failure to perform under the agreement;
  • the client’s responsibilities (providing information and access to systems, if necessary, responding to queries);
  • intellectual property ownership (software, data);
  • exit or termination actions (change of control, notice period, handover of data); and
  • choice of law and dispute resolution.

37   What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, do the rules apply to all employees within the jurisdiction?

The Maltese Employment and Industrial Relations Act provides that when a business or other undertaking is taken over from an employer, an employee in employment on the date of transfer of the undertaking shall be deemed to be in the employment of the transferee and the transferee shall take on all the rights and obligations that the transferor has towards the employee. This includes the obligation on the part of the transferee to observe the terms and conditions of any collective agreement until the date of termination or expiry of such collective agreement or the entry into force or application of another collective agreement; it also includes employees’ rights to old age, invalidity or survivors’ benefits under supplementary company pension schemes outside the provisions of the Social Security Act.

Moreover, the transferor and the transferee are obliged to inform the affected employees or their representatives, by means of a written statement to be delivered at least 15 days before the transfer is carried out or before the employees are directly affected by the transfer, whichever is earlier, about the proposed or actual date of the transfer, the reasons for such transfer, the legal, economic and social implications of the transfer for the employees and the measures envisaged in relation to them.

Non-compliance with the above-mentioned duties constitutes an offence under Maltese law. However, no right to compensation or consultation emanates from Maltese law.

Online publishing

38   When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability?

The determination of this question depends on whether the website provider is merely hosting the information containing such mistakes, or whether it is also responsible for the content of such information. In the latter case, it is considered that the publisher and the rules applicable to publishers under the Press Act will apply. Potential liability may result in case of defamation or in the case where a mistake causes damage. Generally, online publishers are advised to have terms and conditions limiting their liability for mistakes in the website.

39   If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?

Databases are eligible for protection under the Copyright Act. Pursuant to the requirements of the Database Directive (Directive 96/9/EC), databases may be protected in a number of ways.

First, a database that by reason of the selection and arrangement of its contents constitutes the author’s own intellectual creation is eligible for copyright protection as a whole. Moreover, the Copyright Act also provides for a sui generis database right, such that a database that involves a substantial investment in either the obtaining, verification or presentation of the contents of that database is protected by a database right of lesser duration than copyright. It must be noted that both copyright and the sui generis right do not extend to the contents of the database, although, if the requirements of the law are satisfied, such contents may be protected in its own right (for instance, as a literary work).

Copyright grants the holder the exclusive right to authorise or prohibit how the protected material in its totality or substantial part thereof is used in Malta, either in its original form or in any form recognisably derived from the original of, inter alia, the direct or indirect, temporary or permanent reproduction, the rental and lending, the distribution, the translation, broadcasting and performance of the work.

On the other hand, the database right grants the holder the right to authorise or prohibit acts of extraction or reutilisation of its contents, in whole or in a substantial part, evaluated qualitatively or quantitatively.

The Copyright Act establishes exceptions and limitations in respect of both categories of protection. A website’s terms and conditions would
normally state the allowed and prohibited uses of the database.

40   Are there marketing and advertising regulations affecting website providers?

No generic legislation exists in this regard, but specific rules apply to certain sectors (such as gambling).