Olga Finkel, Partner, and Robert Zammit, Senior Associate, together with Rachel Vella Baldacchino, Associate, have written the Malta chapter for the 2017 edition of Getting the Deal Through – Data Protection & Privacy.

Law and the regulatory authority

1      Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Have any international instruments on privacy or data protection been adopted in your jurisdiction?

Malta enacted the Data Protection Act in 2001 (the Act). This, together with a number of pieces of subsidiary legislation, forms the local legislative framework for the protection of PII. The Constitution of Malta also provides for the protection of the fundamental rights and freedoms of individuals, and thereby gives constitutional protection to respect for the privacy of every person’s home and family life.

Malta is a party to the Universal Declaration of Human Rights, to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and to the European Convention for the Protection of Human Rights and Fundamental Freedoms. Malta is also a member of the European Union and consequently is bound to adhere to all directives, regulations and recommendations including Directive 95/46/EC.

2      Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The authority responsible for the implementation of data protection law is the Office of Information and Data Protection Commissioner (the Commissioner). The Commissioner has a number of functions, which include, but are not limited to:

  • creating and maintaining a public register of all processing operations according to notifications submitted to him;
  • exercising control and verifying whether processing is being carried out in accordance with the Act and the regulations;
  • issuing directions and guidelines;
  • instituting civil legal proceedings in case of breach of the Act and referring any criminal offence encountered in the course of his function to competent authorities;
  • ordering the blocking, erasure or destruction of data, or imposing a temporary or permanent ban on processing, or warning or admonishing controllers; and
  • at the request of data subjects, verifying that the processing of data is compliant with the Act.

As part of the investigative powers of the Commissioner, the Commissioner is entitled to obtain access to personal data that is being processed and information about, and documentation of, the processing of personal data and the security of such processing upon request. In exercising this function the Commissioner is empowered to enter and search any premises under the powers that are vested in executive police by any law.

3      Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches of particular provisions of the Act may lead to criminal penalties, which vary from fines of €120 up to €23,300 and imprisonment of not more than six months. The criminal penalties may vary depending on the provisions of the Act being breached. On encountering a breach of the Act, which could lead to criminal proceedings, the Commissioner is to refer the situation to the competent authorities who in turn would need to take action in the Criminal Courts of Malta.

Other breaches of the Act may result in administrative fines, which can take the form of one-time fines of up to €23,300 and daily fines of up to €2,500, depending on the provisions of the Act being breached.

Scope

4      Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Act does not apply to the processing of personal data where such processing is undertaken by a natural person in the course of a purely personal activity and to processing operations concerning public security, defence, state security (which includes economic well-being of the state when the processing operation relates to security matters) and activities of the state in areas of criminal law.

5      Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The Act covers direct marketing. However, interception of communications, unsolicited communications over electronic communications and the monitoring and surveillance of individuals are covered by the Processing of Personal Data (Electronic Communications Sector) Regulations 2003, which implement the provisions of Directive 2002/58/EC and Commission Regulation 611/2013. Interception of communications is also covered by the Electronic Communications Networks and Services (General) Regulations, subsidiary legislation 399.28 and by the Security Service Act, Cap 391 of the Laws of Malta.

6      Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Under the Act, a number of pieces of subsidiary legislation have been enacted.

  • The Processing of Personal Data (Protection of Minors) Regulations provide for permitted processing in the case of any information obtained by a teacher or any other person acting in loco parentis or in his or her professional capacity in relation to a minor if such processing is in the best interest of the minor.
  • The Data Protection (Processing of Personal Data in the Police Sector) Regulations are to ensure a high level of data protection in the police sector and any other public body exercising police powers.
  • The Processing of Personal Data (Police and Judicial Cooperation in Criminal Matters) Regulations have been enacted to ensure a high level of protection of fundamental rights and freedoms of natural persons.

7      PII formats

What forms of PII are covered by the law?

The Act covers the processing of personal data as well as sensitive personal data. The Act defines personal data as any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. Sensitive personal data is defined as personal data that reveals race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life.

8      Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The territorial scope of the Act is limited to the processing of personal data in Malta or in a Maltese Embassy or High Commission abroad, and to the processing of personal data where the controller is established in a third country but the equipment used for processing is located in Malta, except where the equipment is only used for the purpose of transmitting information.

9      Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners?

The act of processing PII is defined broadly in the Act to cover any operation or set of operations that is taken in regard to personal data, whether or not it occurs by automatic means and includes the collection, recording, organisation, storage, adaptation, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data.

Different responsibilities are placed on the controller of the personal data and the processor, who processes personal data on behalf of a controller. The processor is not allowed to process personal data other than in accordance with instructions from the controller, unless there is a legal requirement. Furthermore, the Act requires that the processing by a processor is to be done under a written contract whereby the processor is bound to act only on the instructions of the controller and to ensure that the required security measures relating to processing are in place.

Legitimate processing of PII

10   Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

According to article 9 of the Act, personal data may be processed only in the circumstances below:

  • the data subject has given unambiguous consent; or
  • processing is necessary for:
      • performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
      • compliance with a legal obligation to which the controller is subject;
      • protection of the vital interests of the data subject;
      • the performance of an activity that is carried out in the public interest; or
      • a purpose that concerns a legitimate interest of the controller or of such a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy.

11   Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII? (Whether because of their nature, eg, health information; or the context or use of the information, eg, information used in the employment context or information held for credit purposes. Give details.)

The Act specifies that sensitive personal data may not be processed unless explicit consent is obtained from the data subject or the data subject has made the sensitive personal data public.

Furthermore, the Act provides that sensitive personal data may be processed if appropriate safeguards are adopted and the processing is necessary in order that the controller will be able to comply with his or her duties as an employer, or it will be possible to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving his or her consent, or it will become possible to establish, exercise or defend legal claims.

The Act further provides that there are other situations where sensitive personal data may be processed.

These include when the processing of sensitive data is done:

  • on the members of a body of persons or other entity not being a commercial body, with political, philosophical, religious or trade union objects in the course of its legitimate activities with appropriate guarantees, by the mentioned body of persons;
  • for health and hospital care purposes, provided that it is necessary for preventive medicine and the protection of public health; medical diagnosis; health care or treatment; or management of health and hospital care services; and
  • for research and statistics purposes, provided that processing is necessary for the performance of an activity that is carried out in the public interest.

The processing of sensitive personal data for research and statistics purposes may also be done in the case of statistics, with Commission approval; and in case of research, also with Commission approval, on the advice of the research ethics committee of an institution recognised by the Commissioner.

In the absence of consent, a legally valid identification document may only be processed when such processing is clearly justified having regard to the purpose of the processing, secure identification or some other valid reason as may be prescribed.

Data relating to offences, criminal convictions or security measures may only be processed under the control of a public authority unless specifically provided for under any other law.

Data handling responsibilities of owners of PII

12   Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The owners of PII must provide the individuals whose data they hold with:

  • the identity and habitual residence or principal place of business of the owner of PII and of any other person authorised by him or her to process data;
  • the purpose of processing;
  • any further information relating to the recipients or categories of the recipients of data;
  • whether the reply to any question made to the data subject is obligatory or voluntary; and
  • the existence of the right to access, the right to rectify and the right to erase the data.

This information must also be provided in the situation where the data collected was collected from other sources.

Such information needs to be provided at the time of undertaking the recording of the personal data, or when the information is obtained from other sources, not later than the time when the data is first disclosed.

13   Exemption from notification

When is notice not required?

The information does not need to be provided where the data subject already has this information, and where the processing is for statistical purposes or for historical or scientific research, or if there are provisions in any other law and adequate safeguards are adopted.

14   Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

Upon request from the individuals whose data is held by owners of PII, the owners of PII are required to provide written information as to whether personal data concerning the data subject is held, without excessive delay and without expense.

It is to be noted that such requests for information on the data held by the owners of PII should only be made at reasonable intervals.

The owners of PII should inform the individual what information is being processed, where the information was collected, the purpose of the processing, to whom the information has been disclosed and knowledge of the logic involved in any automatic processing of data concerning the individual.

The owner of PII is required to immediately rectify, block or erase personal data on the request of the individual in accordance with the law.

The owner of PII is also obliged to inform data subjects of their right to opt out of direct marketing, and must provide easy and simple opt-out methods free of charge. Data subjects who want to opt out must give notice to the owner of PII that they oppose such processing of their data. Direct marketing via non-electronic means can be provided unless the data subject has opted out of receiving such marketing; direct marketing via electronic means requires an opt-in unless the data subject is a customer of the owner of PII and the direct marketing is related to the latter’s own products and services (details of opt-out methods must be sent to the data subject in each and every message).

15   Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

The owner of PII is required by law to ensure that personal data is processed fairly and lawfully. The owner of PII is also required to ensure that personal data is adequate and relevant in relation to the processing as well as correct and if necessary, up to date. The owner of PII must take all reasonable measures to complete, correct, block or erase data to the extent that such data is incomplete or incorrect, taking into account the purpose for which the data is processed.

16   Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The information is not to be kept for a period longer than is necessary, having regard to the purposes for which it is processed. This would mean that if information is obtained in the creation of a business relationship, then one would look into the prescriptive period in which a claim may be made following the termination of the relationship and such period would be the maximum period that the owner of PII is allowed by law to keep that information.

17   Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes. The owner of PII must ensure that personal data is only collected for specific, explicitly stated and legitimate purposes. Furthermore, no more personal data is to be processed than is necessary.

18   Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Personal data cannot be processed for any other purpose other than the explicitly stated purpose. This means that if the owner of PII is to process it for some other purpose, he or she would need to get explicit consent, unless one of the other grounds for processing applies.

Security

19   Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf? (If obligations are imposed, explain those obligations, in particular whether they cover technical matters and organisational requirements or require risk assessments and give an indication of the level of detail at which the security obligations are imposed.)

The law provides that the owners of PII are to implement appropriate technical and organisational measures to protect the personal data from accidental destruction, loss or unlawful forms of processing.

Adequate security should be in line with what is technically possible and normal costs of implementing security measures that mitigate the special risk that exists in the processing of sensitive personal data. Thus the owners of PII are allowed some discretion in implementing the security measures that they consider sufficient in their circumstances.

Where PII is processed by third party service providers, the owner or controller of the data must ensure that the outsourced processor adopts security measures that are no less stringent than the requirements that are applicable to it in terms of the DPA. The owner bears the ultimate responsibility to identify that the service provider has the capacity of implementing the necessary security measures and for seeing that these measures are actually carried out.

20   Notification of data breach

Does the law include (general and/or sector-specific) obligations to notify the supervisory authority and individuals of data breaches? (If so, explain the nature and extent of the obligation and whether there is a threshold for notification to be mandatory.) If breach notification is not required by law, is it recommended by the supervisory authority? (If so, under what circumstances?)

Presently, there is no general requirement under the Act which obliges the owner of PII to notify the regulator or the individual on whom information is collected that a breach of security has occurred.

However, data controllers are required to submit to the Commissioner requests for processing of personal data that involve particular risks of improper interference with the fundamental rights and freedoms of data subjects.

Where the data controller is a provider of publicly available electronic communications services he or she is required to notify the Commissioner of a personal data breach without undue delay. If the breach is likely to also affect the personal data or privacy of an individual, the owner of PII must notify the individual of the breach without undue delay. Notifying the individual is not required if the owner of PII has demonstrated to the satisfaction of the Commissioner that he or she has implemented appropriate technological protection measures, such that the data is rendered unintelligible to unauthorised individuals and that those measures were applied to the data concerned by the security breach.

Notifying the individual shall at least include the nature of the personal data breach and the contact points where more information can be obtained, and shall recommend measures to mitigate the possible adverse effects of the personal data breach.

Notifying the Commissioner shall, in addition, include the consequences of, and the measures proposed or taken by the provider to address, the personal data breach.

Internal controls

21   Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

It is mandatory to appoint a representative established in Malta when the owner of PII is established in a third country and the equipment used for processing is situated in Malta. There is no other mandatory requirement to appoint a data representative. However, if a data representative is appointed he or she shall have an independent role and is required to ensure that the owner of PII processes the personal data in a lawful and correct manner, and in accordance with good practice. The data representative is only bound to inform the owner of PII should he or she notice any inadequacies.

The personal data representative is obliged to report to the Commissioner if there is any suspicion that the owner of PII has contravened the provisions for processing and no rectification was implemented after the personal data representative informed the owner of PII of the situation.

The personal data representative is an independent function and is required to consult with the Commissioner in the event of doubt about how the rules applicable to processing are to be applied.

22   Record keeping

Are owners of PII required to maintain any internal records or establish internal processes or documentation?

Owners of PII are legally obliged to process personal data in line with the principles established by the Act and to ensure that they are adequately protecting that personal data throughout its lifecycle, from collection to use, to disclosure and to destruction. It is of utmost importance that the owner of PII effectively manages the personal data that he or she collects and processes.

Although the Act does not specifically state this, in addition to technical and physical measures to protect personal data, owners of PII must take the necessary administrative measures. These safeguards include measures such as company policies, training, procedures, privacy notices (ie, external statements) to ensure the proper management of privacy and security of customer and employee personal data.

The proposed Draft Data Protection Regulation currently includes documentation obligations on data controllers – as well as the appointment of a personal data representative if the organisation legally qualifies for one – therefore it would be wise for data controllers to start preparing for this. In case of a breach, the company would need to show that it took all the necessary steps (technical, administrative and physical) it could take to keep the personal data safe and secure and that it acted in a responsible manner throughout. Moreover, the Commissioner can carry out an on-site investigation to make sure that the company did in fact take all these measures.

Registration and notification

23   Registration

Are PII owners and/or processors of PII required to register with the supervisory authority? Are there any exemptions?

Yes, owners and processors of PII are to register with the Commissioner. The notification should be made before carrying out any wholly or partially automated or manual processing operation.

The Commissioner may allow the simplification of, or the exemption from, notification obligation only in respect of processing operations that are unlikely to prejudice the rights and freedoms of data subjects, and in respect of which the Commissioner specifies the purposes of the processing, the data or categories of data being processed, the category or categories of data subjects affected by such processing, the recipients or categories of recipients to whom the data is to be disclosed and the length of time for which the data is to be stored.

24   Formalities

What are the formalities for registration?

The notification is to be submitted before carrying out any processing operation and should include:

  • the name and address of the data controller and of any other person authorised by him or her;
  • the purpose or purposes of processing;
  • a description of the category of data subject and of the data relating to them;
  • the recipients to whom data might be disclosed;
  • proposed transfers of data to third countries; and
  • a general description allowing preliminary assessment to be made of the appropriateness of the security measures taken.

Unless the data provided in the first notification changes, the owner of PII is not required to resubmit any documentation.

A fee of €23.29 is payable on a yearly basis, where the year runs from July to June.

25   Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

The Commissioner may impose an administrative fine if the data controller fails to notify the Commissioner when data processing begins, and the fine shall be considered a civil debt. This administrative fine can vary between €120 and €600, in addition to a daily fine, which can be between €20 and €60.

26   Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

The Act is silent on refusal of entry on the register as a data controller or personal data representative. The obligation is on the owner of PII to submit the necessary form and fee to be so registered. In case of breach of such an obligation, the Commissioner may impose certain restrictions on the owner of PII, such as a temporary ban on processing and may also admonish, issue warnings and impose fines.

27   Public access

Is the register publicly available? How can it be accessed?

The register of data controllers and personal data representatives is public and is available online on the website www.idpc.gov.mt.

28   Effect of registration

Does an entry on the register have any specific legal effect?

There is no specific legal effect on entry on the register, since once data processing begins, the data owner or processors are bound by the requirements of the law.

Transfer and disclosure of PII

29   Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

The owner of PII may appoint third parties to process data. Such third parties may only process the personal data in accordance with the instructions of the owner of PII, unless the third party is otherwise required to do so by law. A written agreement is required for the appointment of third party providers to provide processing services. The agreement should provide instructions from the owner of PII and the technical and organisational measures that the controller implements to protect the personal data, so that the service provider follows the same measures. It is the responsibility of the owner of PII to ensure that third party providers can implement such measures and do so.

30   Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

As long as the owner of PII has obtained explicit consent from the data subject to disclose the PII to other recipients, and it is made clear what the purpose of the disclosure is, then there are no other restrictions on disclosure of PII to other recipients.

31   Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

Transfer of PII outside the jurisdiction is allowed for as long as the jurisdiction to which the PII is to be transferred has adequate levels of protection of data. It is at the Commissioner’s discretion to decide whether or not a third country has adequate levels of data protection, as the owner of PII is required to obtain the Commissioner’s approval to transfer PII outside of the jurisdiction.

The law further specifies that transferring to a third country, which does not have the adequate levels of protection, is prohibited. Nevertheless, it is allowed to transfer to a third country that does not have adequate levels of protection if the Commissioner is satisfied that the controller will provide adequate safeguards, such as clear contractual obligations with the service provider in the third country. In analysing whether the agreements with the service provider are sufficient, the Commissioner should consider the provisions of Commission Decision 2001/497/EC of 27 December 2004 and Commission Decision 2010/87/EU of 5 February 2010.

Moreover, such transfer is also allowed if the transfer is necessary for the performance of a contract, or is necessary or legally required on public interest grounds, or for the establishment, exercise or defence of legal claims, to protect the vital interests of the data subject. In addition, transfer may be effected to a third country where there is no adequate level of protection if it is made from a register that according to laws is intended to provide information to the public.

It is to be noted that any country which is a member of the European Union, the EEA or a third country or jurisdiction which is not a member of the EU or the EEA but is from time to time recognised by the EU commission to have an adequate level of protection (currently Andorra, Argentina, Australia, Canada, Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay), and organisations complying with the US Department of Commerce’s Safe Harbor Privacy Principles, are not considered as third countries, therefore transfer to these jurisdictions is allowed and does not require authorisation from the Commissioner.

32   Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

The owner of PII is required to notify the Commissioner where international data transfer is to be made, by submitting a form. Where the transfer of data is to be made to a third country, then the approval of the Commissioner is required prior to such transfer being made.

33   Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The restriction and authorisation requirements for transfer of data to a third country hold irrespective of whether the transfer is to be made to a service provider or to other data owners.

Rights of individuals

34   Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

The law provides that the individual has the right of access; however the right does not include the right to see a copy of their personal information held by PII owners. The PII owner is required, however, to provide in written form to the individual actual information about the data subject which is processed, where the information has been collected, the purpose of the processing and to which recipients the information is disclosed. The PII owner is also required to provide in writing an explanation of the logic involved in any automatic processing of data concerning the individual.

The individual must make such a request in writing. This cannot be made frequently, but should be done at reasonable intervals.

35   Other rights

Do individuals have other substantive rights?

Under the Act, data may not be processed for direct marketing, unless the individual has given his or her explicit consent. The individual, however, has the right to oppose the processing of his or her data for the purpose of direct marketing at no cost.

The individual also has the right to rectify, and where applicable, the right to erase the data concerning him or her. It is the duty of the owner of PII to immediately rectify, block or erase personal data which is not being processed in accordance with the Act.

36   Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals are entitled to sue any owner of PII who has processed data in contravention of the Act for damages, by filing a sworn application with the competent court. Under Maltese law, there has to be actual damage for there to be compensation.

37   Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Actions for damages are to be filed with the competent courts. However, individuals may apply for the Commissioner to take adequate action against the owners of PII, should they feel that there was a breach of the Act.

Exemptions, derogations and restrictions

38   Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

The principles of data protection, the requirement to provide the individual with certain information, the right to access and the maintenance by the Commissioner of a register of processing operations shall not apply when the law specifically provides that processing the data is a necessary measure in the interests of:

  • national security, defence or public security;
  • prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for regulated professions;
  • economic or financial significance, including monetary, budgetary and taxation matters;
  • monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official authority; or
  • such information that is prejudicial to the protection of the individual or of the rights and freedoms of others.

Supervision

39   Judicial review

Can data owners appeal against orders of the supervisory authority to the courts?

Data owners may appeal to the Information and Data Protection Appeals Tribunal. This tribunal is formed of a chairman and two other members appointed by the minister responsible for freedom of information and data protection. The appeal has to be filed within 30 days from the decision of the Commissioner.

The grounds for an appeal to the tribunal are limited to material error on the facts of the case, material procedural error, error of law, or material illegality, including unreasonableness or lack of proportionality.

A party may furthermore appeal a decision of the tribunal with the Court of Appeal on questions of law.

40   Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The Processing of Personal Data (Electronic Communications Sector) Regulations implement the amended European Commission Directive 2009/136/EC, better known as the e-Privacy Directive. To this effect, the use of cookies is prohibited, except in limited circumstances where the user has opted in to their use.

Due to the controversy surrounding the e-Privacy Directive, the Article 29 Data Protection Working Party was established to develop guidelines for owners of PII in relation to the use of cookies. The guidelines establish that owners of PII who operate a website should ensure that consent is obtained before the use of cookies and that such consent should be specific, unambiguous and freely given. The Office of the Commissioner in Malta has decided to follow the guidelines issued by the Working Party, which means that any owner of PII in Malta is required to ensure that these requirements are followed when using cookies.

41   Electronic communications marketing

Describe any rules on marketing by e-mail, fax or telephone.

The Act provides that direct marketing is only allowed if the individual has given his or her consent. However, the Processing of Personal Data (Electronic Communications Sector) Regulations provide that an owner of PII shall not use, or cause to be used, e-mail, fax or telephone for the purpose of direct marketing unless the individual has given prior consent in writing. Having said that, if the contact details were obtained in relation to the sale of a product or a service, it is allowed to use e-mail for marketing purposes for similar products or services.

The owner of PII is, however, required at the time of collection to give the opportunity to the individual to object, free of charge and in an easy and simple manner, to such use of the e-mail details.

It is forbidden to send e-mail for direct marketing whereby the identity of the sender is disguised or concealed.

42   Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

Maltese regulatory authorities have thus far not issued guidance or rules that specifically address the use of cloud computing services. At present, cloud computing raises data protection concerns under Maltese data privacy law when the data is hosted on cloud servers that are located outside of the EU, in which case the transfer of data must be notified to the Commissioner and approved in the same manner as other third country data transfers (see Question 32).

Current policy frameworks seek to mitigate risks, while at the same time seizing the full benefits of cloud computing. This can be seen, for instance, in the licensing approach carried out at present by the Malta Gaming Authority, Malta’s public regulatory body responsible for all forms of gaming, where requests for use of public or private cloud are dealt with on a case-by-case basis during the licensing process of a remote gaming operator. The same approach is to be seen with respect to financial services licence applications before the Malta Financial Services Authority (the single regulator of financial services in Malta).

UPDATE & TRENDS

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

An emerging issue in Malta is the recent adoption by the European Parliament and the Council in April 2016 of the EU’s new General Data Protection Regulation, which will affect entities that in some way process, control or handle personal data. The new rules encourage businesses to adopt privacy-friendly data techniques such as anonymisation, pseudonymisation and encryption, and will provide a level playing field for all EU and non-EU businesses, since all entities providing services to EU consumers and data subjects must comply with these rules. Typically, EU regulations come into force twenty days after their original publication in the Official Journal of the EU; however, businesses are not going to be subject to the new rules just yet and are to be allowed a two-year grace period. During this time, data controllers are strongly advised to allocate the time and resources necessary to ensure compliance with the new data protection rules, once they come into force in 2018.