Olga Finkel has recently written the Malta chapter for the e-Commerce 2015 issue of Getting The Deal Through. The chapter addresses the legal and regulatory issues within the electronic industry in Malta.

General
1       How can the government’s attitude and approach to internet issues best be described?
As a member state of the European Union, Malta has generally adopted legislation that aims to be technology-neutral, compliant with EU legislation, harmonised with other member states’ regimes and that, more broadly, is intended to attract business and investment and foster competition in the market. Moreover, the government leads the e-government initiative, making an ever-growing number of government services accessible to its citizens via electronic channels, including by means of electronic ID, available to every adult citizen. The current government continues the work previously done in this sphere, promoting e-commerce, digital services and investment in ICTs.
Legislation
2       What legislation governs business on the internet?
Unless a specific legislative instrument excludes the use of the internet or amends general provisions to address specific issues associated with the use of the internet, general legislation applies to transactions equally, regardless of the channel used. Thus, legislation dealing with general consumer protection and unfair consumer terms (the Consumer Affairs Act, chapter 378 of the Laws of Malta), data protection matters (Data Protection Act, chapter 440), general direct and indirect taxation rules, defamation and, generally, criminal laws apply.
In addition, there are several specific primary and subsidiary legislative instruments dealing with e-commerce, including:
  • the Electronic Commerce Act (chapter 426 of the Laws of Malta) (the E-Commerce Act) dealing with validity of electronic evidence, electronic contracts, liability of information society service providers and electronic signatures;
  • the Electronic Commerce (General) Regulations (Subsidiary Legislation 426.02), which, together with the E-Commerce Act, implemented the EU Electronic Commerce Directive and the Electronic Signatures Directive;
  • the Electronic Communications Networks and Services (General) Regulations 2011 (Subsidiary Legislation 399.28), which, among other things, address data-protection issues arising out of the use of electronic communications networks and services;
  • the Tax Credit (Electronic Commerce) Rules (Subsidiary Legislation 123.85), granting tax credits in certain circumstances for qualifying expenditures relating to the development of e‑commerce systems;
  • the Distance Selling (Retail Financial Services) Regulations (Subsidiary Legislation 330.07), addressing specific issues of distance selling of financial services;
  • the Remote Gaming Regulations (Subsidiary Legislation 438.04) dealing with the provision of gambling services over the internet;
  • the Criminal Code (chapter 9 of the Laws of Malta) and in particular the sections dealing with computer misuse and related offences;
  • the Public Procurement Regulations (Subsidiary Legislation 174.04) where public procurement by electronic means is involved; and
  • the Copyright Act (chapter 415) implementing EU law on copyright and digital rights.
Regulatory bodies
3       Which regulatory bodies are responsible for the regulation of e-commerce and internet access tariffs and charges?
The Malta Communications Authority (MCA) is designated as the competent authority under both the E-Commerce Act and the Electronic Commerce (General) Regulations. Moreover, electronic communications networks and services also fall under the authority of the MCA, thereby granting it the responsibility to monitor the competitiveness of the market and regulate, where appropriate, internet access tariffs and charges in accordance with the requirements of the EU electronic communications regulatory framework as transposed in Malta by the Electronic Communications Regulation Act (chapter 399 of the Laws of Malta) and subsidiary legislation.
The Malta Competition and Consumer Affairs Authority (MCCAA) also plays an important role with respect to consumer protection in the electronic communications sector.
Additionally, the Data Protection Commissioner provides regulatory oversight with respect to data protection and privacy.
Finally, the Malta Information Technology Agency is the entity responsible for the Maltese government’s e-services.
Jurisdiction
4       What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions (or disputes) in cases where the defendant is resident or provides goods or services from outside the jurisdiction?
The rules relevant for the determination of jurisdiction for internet-related transactions or disputes mainly emanate from private international law, and particularly from the Brussels I and Rome II Regulations, although national jurisdictional rules established in the Code of Organisation and Civil Procedure (COCP, chapter 12) must also be considered, in particular with regard to disputes involving a party not domiciled within the European Union.
Under Maltese law the parties to a contract are free to choose the law and forum applicable to the contract, provided this does not circumvent the mandatory rules that cannot be derogated from.
Within the EU, the rules established in Regulation 44/2001/EC (Brussels I Regulation) apply to disputes in civil and commercial matters, including disputes arising from e-commerce transactions. In case of a generic business-to-business transaction, the fundamental principle is that, unless the parties agreed differently, a plaintiff should follow the defendant and institute an action at the forum of the defendant. In case of business-to-consumer contracts, however, the consumer generally has the right to sue the seller established in another member state in the country where the consumer is resident.
Transactions or disputes involving parties not domiciled in a member state of the EU are generally governed by the law provided in the relevant terms and conditions.
With respect to non-contractual obligations and disputes arising in civil and commercial matters, the main rule under the Regulation 864/2007/EC (Rome II Regulation) is that jurisdiction will be founded where the damage occurs or is likely to occur. One should note, however, that this does not apply to, inter alia, non-contractual obligations arising out of violations of privacy and rights relating to personality, including defamation. In these cases, national jurisdictional rules apply.
While the principal rules are established as stated above, in reality it is important to analyse the facts of the case in order to establish the correct rules of jurisdiction.
Contracting on the internet
5       Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?
The E-Commerce Act clearly allows contracts to be formed and concluded electronically. Article 9(2) of the Act establishes that any offer, acceptance of an offer and any related communication, including any subsequent amendment, cancellation or revocation of the offer and the acceptance of the contract may, unless otherwise agreed by the parties to the contract, be communicated electronically.
Article 10 then establishes that unless otherwise agreed by the parties who are not consumers, where the recipient of the service places his order through technological means, an electronic contract is concluded when, after the order is placed, the recipient of the service receives from the service provider acknowledgement of the receipt of the order. The Act therefore clearly establishes the moment in which the contract is deemed to be concluded to prevent disputes, particularly as it propounds that the order made by the recipient and the acknowledgement of receipt are deemed to have been received when the parties to whom they are addressed are able to access them. It is important to note, however, that the contract is not considered to have been concluded as aforesaid with respect to contracts concluded exclusively by electronic mail or by equivalent individual communications.
‘Click wrap’ contracts are generally enforceable under Maltese law, provided the electronic contract provides the recipient of the service with all of the information required by law, and provided also that the service provider acknowledges receipt of the order.
Finally, one must also consider that consumer protection legislation, such as the Consumer Affairs Act (chapter 378 of the Laws of Malta) and the Distance Selling Regulations (Subsidiary Legislation 378.08) also apply to electronic contracts. The requirements established in these instruments must therefore also be adhered to.
6       Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?
Apart from the provisions relating to general contract law in the Civil Code, contracting on the internet is governed by the E-Commerce Act mentioned above. While no general formal distinction between business-to-consumer and business-to-business contracts is set out under Maltese law, certain legislative provisions apply to only one of the two categories of contracts. For instance, the consumer protection legislation applies only to business-to-consumer contracts, while the E-Commerce Act establishes a number of exceptions in respect of ‘parties who are not consumers’. In certain cases, therefore, business-to-business contracts may be approached differently from business-to-consumer contracts.
7       How does the law recognise or define digital or e-signatures?
The E-Commerce Act defines the term ‘electronic signature’ as data in electronic form which are attached to, incorporated in or logically associated with other electronic data and which serve as a method of authentication. The Act also defines advanced electronic signatures as electronic signatures which are uniquely linked to the signatory, are capable of identifying the signatory, are created using means that the signatory can maintain under his or her sole control and which are linked to the data to which they relate in such a manner that any subsequent change of data is detectable.
Among other things, the Act establishes that the provision of an electronic signature suffices to satisfy the requirement of providing a signature under Maltese law.
8       Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?
There are no general data retention or software legacy requirements in relation to the formation of electronic contracts. Nevertheless, parties are strongly advised to keep organised records to ensure clarity in the event of a dispute. In general, companies are required to keep documents and contracts pertaining to their business for 10 years for accounting and verification purposes.
Security
9       What measures must be taken by companies or ISPs to guarantee the security of internet transactions?
While no general obligations exist with respect to the security of internet transactions as such, there are several laws that require certain providers involved in various steps of an internet transaction to maintain adequate security. This requirement, for instance, applies to providers of electronic communications and services (as far as security and integrity of networks are concerned), as required under the Electronic Communications Networks and Services (General) Regulations 2011.
Moreover, under the E-Commerce Act, all signature certification service providers (defined as persons who issue certificates or provide other services related to electronic signatures) must, inter alia, use trustworthy systems and products which are protected against modification, ensure the technical and cryptographic security of the processes supported by them and take measures against forgery of certificates, and, in cases where the signature certification service provider generates signature-creation data, guarantee confidentiality during the process of generating such data. Signature certification service providers are also required to use trustworthy systems to store certificates in a verifiable form such that only authorised persons can make entries and changes, information can be checked for authenticity, certificates are publicly available for retrieval in only those cases for which the certificate-holder’s consent has been obtained and any technical changes compromising these security requirements are apparent to the operator.
Furthermore, under the provisions of the Data Protection Act and associated subsidiary legislation, all data controllers (persons responsible for processing personal data) must ensure adequate security of data processing.
10     As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?
Under article 355Q of the Criminal Code, the executive police may, in addition to the power of seizing a computer, require any information which is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible. It therefore follows that they may either require private keys or the encrypted information itself to be made available.
The E-Commerce Act provides for certification authorities via the term ‘signature certification service providers’. Signature certification service providers are defined as persons who issue certificates or provide other services related to electronic signatures. The Act establishes a number of requirements that must be adhered to by such providers when issuing certificates, such as demonstrating the reliability necessary for providing signature certification services and ensuring the operation of a prompt and secure directory and a secure and immediate revocation service. With regard to liability, the Act establishes, inter alia, that signature certification service providers who issue a certificate to the public or who guarantee such certificate shall be liable for any damage caused to any person who reasonably relies on such certificate. Moreover, providers are required to maintain sufficient financial resources to operate in conformity with the requirements laid down in the Act and in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance.
The law also prohibits the unauthorised obtainment, use, creation or alteration of electronic signatures, such that doing so may result in a fine and/or imprisonment for a term not exceeding six months.
Domain names
11     What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?
The Malta Internet Foundation (NIC(Malta)) is responsible for the ‘.mt’ country code top-level domain. All domain names ending with ‘.mt’ must therefore be registered with NIC(Malta). Terms and conditions apply in respect of the obtainment and use of a domain name. While it is possible for anyone to obtain a ‘.mt’ domain name, it must be noted that NIC(Malta) reserves the right to refuse to register a domain name, and may for good cause, and in any event upon any breach by the holder of the terms and conditions, immediately revoke the domain name from registration.
12     Do domain names confer any additional rights (for instance in relation to trademarks or passing off) beyond the rights that naturally vest in the domain name?
No. The mere possession or use of a domain name does not, in and of itself, confer additional rights beyond those that naturally vest in the domain name. Where, on the other hand, the domain name itself constitutes or reflects a trademark, trade name or other form of intellectual property, then the rights attaching to that intellectual property also apply in respect of the domain name.
13     Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?
In all likelihood, the ownership of a trademark will assist in challenging the registration of such a domain name. An action for trademark infringement under the relevant provisions of applicable legislation may be instituted where the domain name is used, without the consent of the proprietor, either in Malta (in the case of a national trademark), or within the EU (in the case of a Community Trade Mark). The approach to be taken depends on whether the person uses, in the course of trade, a sign that is identical or similar with the trademark in relation to goods or services which are identical or similar with those for which it is registered and may cause likelihood of confusion on the part of the public; or whether the mark has a reputation in Malta or the Community and the use of the domain takes unfair advantage of, or is detrimental to the distinctive character or the repute of the trademark.
Advertising
14     What rules govern advertising on the internet?
Maltese law does not specifically regulate advertising on the internet. However, legislative instruments and restrictions affecting advertising may, in many cases, be deemed to apply to advertising on the internet. The restrictions contained in the Tobacco (Smoking Control) Act (chapter 315 of the Laws of Malta), may, for instance, be considered to apply to advertising on the internet, particularly as it is explicitly provided that ‘advertising that is not permitted in the press and other printed publications shall not be permitted in information society services’. The Remote Gaming Regulations also establish restrictions to the advertising of online gambling services. These restrictions are supplemented by a directive issued by the Broadcasting Authority.
15     Are there any products or services that may not be advertised or types of content that are not permitted on the internet?
The general rules apply to internet content in this respect. For instance, dissemination of material contrary to public morals is prohibited generally, and therefore also on the internet. Article 208 of the Criminal Code prohibits the acquisition, keeping, putting into circulation or exportation of pornography, even if this is done for the sake of distribution. It may therefore be argued that Maltese criminal law prohibits those subject to Maltese jurisdiction from acquiring, possessing, circulating or exporting pornography in any manner, including via the internet. Malta is a party to relevant international treaties. Another example is defamatory material: defamation is an offence, including if carried out over the internet.
Financial services
16     Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?
Yes, primarily via the Distance Selling (Retail Financial Services) Regulations. These regulations, emanating from article 20B of the Malta Financial Services Authority Act (chapter 330 of the Laws of Malta), cement the Malta Financial Services Authority’s position as the competent authority in regard to financial services. The regulations establish, inter alia, information that must be provided to consumers, a right of withdrawal, a requirement for contractual terms to be provided by the supplier to the consumer in writing or another durable medium and out-of-court dispute settlement procedures.
Defamation
17     Are ISPs liable for content displayed on their sites?
The E-Commerce Act grants protection from liability to intermediary service providers for information in respect of which they act as mere conduits, and for the provision of caching and hosting facilities. Information displayed on a website generally falls under the ‘hosting’ safe harbour provision found in article 21 of the E-Commerce Act, which provides protection from liability for damages resulting from the storage of information provided by and stored at the request of recipients of the service, as long as the provider does not have actual knowledge of the illegality of the activity, and is not aware of facts or circumstances from which illegal activity is apparent, and/or upon obtaining such knowledge or awareness, such provider acts expeditiously to remove or disable access to such information. The protection from liability does not apply when the recipient of the service, in providing and/or requesting the storage of information, is acting under the authority or control of the provider.
18     Can an ISP shut down a web page containing defamatory material without court authorisation?
The determination of this question largely depends on the meaning attributed to the terms ‘knowledge’ and ‘awareness’ under article 14 of the Maltese Electronic Commerce Act. Regrettably, the act transposed the ‘hosting’ safe harbour provision almost verbatim, thereby carrying forward the ambiguity of the Electronic Commerce Directive in this regard. The absence of court pronouncements on the matter does not aid the situation. Practical experience shows that many intermediary service providers based in Malta do remove contested material hosted on a web page upon complaint and in the absence of court authorisation, and this practice has thus far not been challenged by the authorities or in front of the courts.
Intellectual property
19     Can a website owner link to third-party websites without permission?
This issue largely depends on the terms and conditions stipulated by the owners of third-party websites regarding the use of the material hosted on their websites. If any such owner expressly stipulates that the use of links to his or her own website requires prior authorisation, then the absence of such permission could constitute a breach of contract tacitly entered into by the ‘linking’ party upon accessing the website. Maltese law does not, however, legislate explicitly on the use of links on the internet and there is no distinction between linking and deep-linking.
20     Can a website owner use third-party content on its website without permission from the third-party content provider?
Content hosted on websites may qualify for protection under copyright law. Article 7(1)(a) of the Maltese Copyright Act provides in this respect that the direct or indirect, temporary or permanent reproduction by any means and in any form, in whole or in part, of copyrighted work, is dependent on the copyright owner’s authorisation. To qualify for such protection, the work must be an artistic, audio-visual, literary or musical work or a database; it must have an original character; it must have been written down, recorded, fixed or otherwise reduced to material form; in the case of databases, these must, by reason of the selection or arrangement of their contents, constitute the author’s intellectual creation.
21     Can a website owner exploit the software used for a website by licensing the software to third parties?
The determination of this question depends largely on the ownership of the software being licensed to third parties. If the website owner is the software owner, then he or she may license the software to third parties in accordance with article 7 of the Maltese Copyright Act. The same does not hold for the website owner if he or she merely licenses software from a third party and the copyright belongs to that third party. In the latter case, the licensing of such software to third parties may be in violation of article 7(a), (b) and (c) of the Copyright Act.
22     Are any liabilities incurred by links to third-party websites?
Maltese law does not legislate expressly on the use of links on websites. In general, every person is liable for damage suffered by another person due to the first person’s fault, so civil liability will arise if the person claiming damages shows that the damages, which are real and quantified, have been suffered and that these damages have been caused by the defendant’s placing and maintaining links.
Data protection and privacy
23     How does the law in your jurisdiction define ‘personal data’?
The Data Protection Act (chapter 440 of the Laws of Malta) defines ‘personal data’ as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
The act also establishes a subcategory of personal data subject to more stringent regulation – sensitive personal data. In this regard, ‘sensitive personal data’ are defined as personal data that reveal race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health, or sex life.
24     Does a website owner have to register with any controlling body to process personal data? May a website provider sell personal data about website users to third parties?
The Maltese Data Protection Act defines ‘controller of personal data’ as a person who alone or jointly with others determines the purposes and means of the processing of personal data. Article 29 of the Act also provides that a controller of personal data must notify the information and data protection commissioner before carrying out any wholly or partially automated processing operation or set of such operations intended to serve a single purpose or several related purposes. Such notification must specify the name and address of the data controller and of any other person authorised by him or her in that behalf, the purpose of the processing, a description of the category of data subject and of the data or categories of data relating to them, the recipients or categories of recipient to whom the data might be disclosed, the proposed transfers of data to third countries, and a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken to ensure security of processing. Moreover, the controller must notify the commissioner of any changes affecting the information.
A website provider, as a controller of personal data pertaining to his or her website users, must ensure under article 7 of the Act that, inter alia, personal data are not processed for any purpose that is incompatible with that for which the information is collected. Thus if personal data are originally collected for a particular purpose not including sale of data, the provider cannot subsequently sell such personal data without the data subject’s consent.
25     If a website owner is intending to profile its customer base to target advertising on its website, is this regulated in your jurisdiction? In particular, is there an opt-out or opt-in approach to the use of cookies or similar technologies?
Generally, personal data may not be processed for purposes concerning direct marketing if the data subject gives notice to the controller of personal data that he or she opposes such processing. However, in relation to internet/electronic services, direct marketing (by means of e‑mail or SMS) and profiling may only be done with explicit consent of the data subject (except for advertising of additional services offered by the provider itself to its current customers). In this regard, it must be noted that regulation 9 of the Processing of Personal Data (Electronic Communications Sector) Regulations provides that publicly available electronic communications services cannot be used or allowed to be used to make unsolicited communications for the purpose of direct marketing.
The requirement for explicit consent for the use of cookies became enforceable under Maltese law by means of Legal Notice 239 of 2011. Maltese law therefore establishes an opt-in approach to the use of cookies, in line with EU law. The recitals of the relevant directive provide that users may give their consent by any appropriate method enabling a freely given, specific and informed indication of their wishes. Provided it is technically feasible and effective, in accordance with the relevant data protection legislation, consent could, for instance, be inferred from the user’s browser settings.
26     If an internet company’s server is located outside the jurisdiction, are any legal problems created when transferring and processing personal data?
Under the Data Protection Act such processing may generally only take place provided that the third country ensures an adequate level of protection. The adequacy of the level of protection ensured by third countries lies at the discretion of the information and data protection commissioner. Where the commissioner provides that a third country does not ensure an adequate level of protection, the transfer of personal data to such country is prohibited.
It is to be noted that the term ‘third country’ is defined as any country that at the relevant time is not a member state of the EU by the Third Country (Data Protection) Regulations (Subsidiary Legislation 440.03). This follows the reasoning that while the EU member states ensure a uniform level of protection resulting from the harmonisation of data protection legislation, third countries may not have an adequate level of protection.
27     Does your jurisdiction have data breach notification laws?
In general, the Data Protection Act does not oblige all data controllers to inform the data protection commissioner or data subjects of security breaches, but empowers the Office of the Information and Data Protection Commissioner to obtain from data controllers, on request, information and documentation concerning data security.
There are, however, three qualifications to this statement. First, article 3A of the Processing of Personal Data (Electronic Communications Sector) Regulations requires providers of publicly available electronic communications services to notify a personal data breach to the Information and Data Protection Commissioner, and, where the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or individual, such subscriber or individual, without undue delay.
Second, regulations 55 and 56 of the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) require undertakings providing network elements or service to inform the Malta Communications Authority, inter alia, of any significant risk of a breach, or any actual, significant breach of the security or integrity of the services or network or failure or serious degradation of international connectivity.
Finally, data controllers operating in certain sectors, such as in the financial services, may be required by the relevant authority to disclose any personal data or security breach.
Taxation
28     Is the sale of online products subject to taxation?
As far as direct taxation is concerned, income tax is payable for the supply of goods or services irrespective of the medium through which that supply is made.
As far as VAT is concerned, sale of online products – such as downloadable books or software – is taxable as ‘electronically supplied services’. One has to distinguish between a sale of online products to consumers and to businesses. In case of a sale to consumers, Maltese VAT (18 per cent) will apply on sales to consumers resident within the EU and no VAT will be charged on sales to consumers resident outside the EU. In case of sale to businesses, the business-to-business (B2B) place of supply rules will apply, so that no Maltese VAT will be charged on such sale, while the business customer will have to account for VAT at the jurisdiction of its establishment if it is within the EU. No Maltese VAT applies to sales to businesses outside the EU.
As from 1st January 2015, the VAT rules for services electronically supplied by a Malta-based supplier to consumers within the EU will be amended in line with the requirements of the Directive 2008/8/EC, so that the place of supply will be in the Member State where the customer is established.
The Tax Credit (Electronic Commerce) Rules (Subsidiary Legislation 123.85) allow any small or medium-sized enterprise carrying on a trade, business, profession or vocation, which enters into or intends to enter into a project for the acquisition of tangible and intangible assets consisting of computer hardware or software or website development services for or in connection with the development of e-commerce systems that enable the sale of tangible goods or services through business transactions processed over a publicly accessible electronic network, to apply for a tax credit in accordance with the rules. The grant of such a tax credit will depend on the enterprise’s adherence to the requirements set out in the rules and on the Malta Enterprise Corporation’s approval.
29     What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?
A foreign-incorporated company may become subject to Maltese tax if it operates through a ‘permanent establishment’ in Malta. Generally, placing of a server or engaging a hosting provider to host a website does not constitute a permanent establishment in Malta; however, one has also to consider any applicable double taxation treaty between Malta and the jurisdiction of the company’s incorporation to determine whether Maltese tax liabilities would arise.
If a Maltese company places servers outside Malta, it should consider whether this will constitute a permanent establishment in that other jurisdiction and will make the company liable to local taxes in that jurisdiction. Liability to local taxes does not, generally, alleviate the company’s taxation in Malta, unless tax relief is sought, which is available in many cases, such as under the relevant double taxation treaties or as a unilateral tax relief.
30     When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?
The VAT Act requires a supplier to register with the commissioner of value added tax within 30 days from the date on which the goods or services are supplied. In domestic internet sales, the supplier should add Maltese VAT (18 per cent) to its invoices and pass this collected VAT to the VAT department in Malta by submitting VAT returns, normally every three months.
31     If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?
Generally, if the goods remain within the country, VAT paid by the recipient of goods may not be reclaimed. The same will apply to a high street outlet of an offshore company if it refunds the goods and VAT to the recipient. It may be problematic to deduct the refund for tax purposes by the high street outlet, unless the cost can be passed to the offshore company.
Gambling
32     Is it permissible to operate an online betting or gaming business from the jurisdiction?
Yes, provided the operator either obtains a licence from the Lotteries and Gaming Authority in accordance with the provisions of the Remote Gaming Regulations (Subsidiary Legislation 438.04), or is in possession of an equivalent authorisation by the government or competent authority of an EEA member state, or any other jurisdiction approved by the authority.
33     Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?
Yes, provided, once again, the operator either obtains a licence from the Lotteries and Gaming Authority in accordance with the provisions of the Remote Gaming Regulations, or is in possession of an equivalent authorisation by the government or competent authority of an EEA member state, or any other jurisdiction approved by the authority.
The Remote Gaming Regulations establish a number of criteria that operators must satisfy to obtain a licence and provide lawful remote gaming services, including anti-money laundering, player protection and business integrity requirements. With respect to the protection of players, the regulations require a prospective player to register an account with a licensee which must at least include the player’s identity, place of residence, functional e-mail address and that the player is of at least 18 years of age. Licensees are also required to verify the player’s identity, age and place of residence prior to making a payment to such player in excess of Eur2,329.37.
Outsourcing
34     What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?
It is good practice to have explicit and precise provisions in an outsourcing agreement covering at least the following matters:
  • the scope of services to be provided;
  • the applicable service levels, such as time frames for fixing errors of different levels of criticality, uptime, response time for customer service;
  • the price and its inclusions and exclusions;
  • the responsibilities of the service provider and remedies (rebates, service credits, pre-liquidated damages) in case of failure to perform under the agreement;
  • the client’s responsibilities (providing information and access to systems, if necessary, responding to queries);
  • intellectual property ownership (software, data);
  • exit or termination actions (change of control; notice period, handover of data); and
  • choice of law and dispute resolution.
35     What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation? Do the rules apply to all employees within the jurisdiction?
The Maltese Employment and Industrial Relations Act provides that when a business or other undertaking is taken over from any employer, any employee in employment on the date of transfer of the undertaking shall be deemed to be in the employment of the transferee and the transferee shall take on all the rights and obligations which the transferor has towards the employee. This includes the obligation on the part of the transferee to observe the terms and conditions of any collective agreement until the date of termination or expiry of such collective agreement or the entry into force or application of another collective agreement; it also includes employees’ rights to old age, invalidity or survivors’ benefits under supplementary company pension schemes outside the provisions of the Social Security Act.
Moreover, the transferor and the transferee are obliged to inform the affected employees or their representatives, by means of a written statement to be delivered at least 15 days before the transfer is carried out or before the employees are directly affected by the transfer, whichever is the earlier, about the proposed or actual date of the transfer, the reasons for such transfer, the legal, economic and social implications of the transfer for the employees and the measures envisaged in relation to them.
Non-compliance with the above-mentioned duties constitutes an offence under Maltese law. However, no right to compensation or consultation emanates from Maltese law.
Online publishing
36     When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability?
The determination of this question depends on whether the website provider is merely hosting the information containing such mistakes, or whether it is also responsible for the content of such information. In the latter case, it is considered the publisher and the rules applicable to publishers under the Press Act will apply. Potential liability may result in case of defamation or where a mistake causes damages. Generally, online publishers are advised to have terms and conditions limiting their liability for mistakes in the content of the website.
37     If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?
Databases are eligible for protection under the Copyright Act. Pursuant to the requirements of the Database Directive (Directive 96/9/EC), databases may be protected in a number of ways.
First, a database which, by reason of the selection and arrangement of its contents, constitutes the author’s own intellectual creation is eligible for copyright protection as a whole. Moreover, the Copyright Act also provides for a sui generis database right, such that a database that involves a substantial investment in either the obtaining, verification or presentation of the contents of that database is protected by a database right of lesser duration than copyright. It must be noted that both copyright and the sui generis right do not extend to the contents of the database, although, if the requirements of the law are satisfied, such contents may be protected in their own right (for instance, as literary works).
Copyright grants the holder the exclusive right to authorise or prohibit the doing in Malta in respect of the protected material in its totality or substantial part thereof, either in its original form or in any form recognisably derived from the original of, inter alia, the direct or indirect, temporary or permanent reproduction, the rental and lending, the distribution, the translation, broadcasting and performance of the work.
On the other hand, the database right grants the holder the right to authorise or prohibit acts of extraction or reutilisation of its contents, in whole or in substantial part, evaluated qualitatively or quantitatively.
The Copyright Act establishes exceptions and limitations in respect of both categories of protection. A website’s terms and conditions would normally state the allowed and prohibited uses of the database.
Accreditation:
Reproduced with permission from Law Business Research Ltd. This article was first published in Getting the Deal Through – e-Commerce 2015 (published in July 2014; contributing editor: Robert Bond, Speechly Bircham LLP). For further information please visit www.GettingTheDealThrough.com.