Olga Finkel has written the Malta chapter for the e-Commerce 2017 issue of Getting The Deal Through. The chapter addresses the legal and regulatory issues within the electronic industry in Malta.
- How can the government’s attitude and approach to internet issues best be described?
As a member state of the European Union, Maltese legislation aims to be technology-neutral, compliant with EU legislation, harmonised with other member states’ regimes and broadly seeks to attract business and investment and foster competition in the market. Moreover, Malta’s government leads the e-government initiative, increasingly making more government service accessible to Maltese citizens via electronic channels, including by means of electronic ID available to every adult citizen. The current government is continuing the work previously done in this sphere to promote e-commerce, digital services and investment in ICTs.
- What legislation governs business on the internet?
Unless a specific legislative instrument excludes the use of the internet or amends general provisions to address specific issues associated with the use of the internet, general legislation applies to transactions equally, regardless of the channel used. Thus, legislation dealing with general consumer protection and unfair consumer terms (under the Consumer Affairs Act, Chapter 378), data protection matters (through the Data Protection Act, Chapter 440), general direct and indirect taxation rules, defamation and generally criminal laws apply.
In addition, there are several specific primary and subsidiary legislative instruments dealing with e-commerce, including:
- the Electronic Commerce Act (‘the E-Commerce Act’) dealing with validity of electronic evidence, electronic contracts, liability of information society service providers and electronic signatures;
- the Electronic Commerce (General) Regulations, which, together with the E-Commerce Act, implemented the EU Electronic Commerce Directive and the Electronic Signatures Directive;
- the Electronic Communications Networks and Services (General) Regulations 2011, which, among other things, addresses data-
protection issues arising out of the use of electronic communications networks and services;
- the Tax Credit (Electronic Commerce) Rules, granting tax credits in certain circumstances for qualifying expenditures relating to the development of e‑commerce systems;
- the Distance Selling (Retail Financial Services) Regulations; addressing specific issues of distance selling of financial services;
- the Remote Gaming Regulations dealing with the provision of gambling services over the internet;
- the Criminal Code and in particular the sections dealing with computer misuse and related offences;
- the Public Procurement Regulations where public procurement by electronic means is involved; and
- the Copyright Act implementing EU law on copyright and digital rights.
- Which regulatory bodies are responsible for the regulation of e-commerce, data protection and internet access tariffs and charges?
The Malta Communications Authority (the MCA) is designated the competent authority under both the E-Commerce Act and the Electronic Commerce (General) Regulations. Moreover, electronic communications networks and services also fall under the authority of the MCA, thereby granting it the responsibility to monitor the competitiveness of the market and regulate, where appropriate, internet access tariffs and charges in accordance with the requirements of the EU electronic communications regulatory framework as transposed in Malta by the Electronic Communications Regulation Act and subsidiary legislation.
The Malta Competition and Consumer Affairs Authority (the ‘MCCAA’) also plays an important role with respect to consumer protection in the electronic communications sector.
The Information and Data Protection Commissioner provides regulatory oversight with respect to data protection and privacy.
Finally, the Malta Information Technology Agency is the entity responsible for the Maltese government’s e-services.
- What tests or rules are applied by the courts to determine the jurisdiction for internet-related transactions (or disputes) in cases where the defendant is resident or provides goods or services from outside the jurisdiction?
The rules relevant for the determination of jurisdiction for internet-related transactions or disputes mainly emanate from private international law, and particularly from the Brussels I and Rome II Regulations, although national jurisdictional rules established in the Code of Organisation and Civil Procedure (COCP, Chapter 12) must also be considered, in particular with regard to disputes involving a party not domiciled within the European Union.
Under Maltese law the parties to a contract are free to choose the law and forum applicable to the contract, provided this does not circumvent the mandatory rules that cannot be derogated from.
Within the EU, the rules established in Regulation (EU) 1215/2012 (the Brussels Recast Regulation, which came into force in January 2015 and replaced the previous Regulation 44/2001, known as ‘Brussels I’) apply to disputes in civil and commercial matters, including disputes arising from e-commerce transactions. In case of a generic business-to-business transaction, the fundamental principle is that, unless the parties agreed differently, a plaintiff should follow the defendant and institute an action at the forum of the defendant. In case of business-to-consumer contracts, however, the consumer generally has the right to sue the seller established in another member state in the country where the consumer is resident.
Transactions or disputes involving parties not domiciled in a member state of the EU are generally governed by the law provided in the relevant terms and conditions.
With respect to non-contractual obligations and disputes arising in civil and commercial matters, the main rule under the Regulation 864/2007/EC (Rome II Regulation) is that jurisdiction will be founded where the damage occurs or is likely to occur. One should note, however, that this does not apply to, inter alia, non-contractual obligations arising out of violations of privacy and rights relating to personality, including defamation. In these cases, national jurisdictional rules apply.
While the principal rules are established as stated above, in reality it is important to analyse the facts of the case in order to establish the correct rules of jurisdiction.
Contracting on the internet
- Is it possible to form and conclude contracts electronically? If so, how are contracts formed on the internet? Explain whether ‘click wrap’ contracts are enforceable, and if so, what requirements need to be met?
The E-Commerce Act clearly allows contracts to be formed and concluded electronically. Article 9(2) of the Act establishes that any offer, acceptance of an offer and any related communication, including any subsequent amendment, cancellation or revocation of the offer and the acceptance of the contract may, unless otherwise agreed by the parties to the contract, be communicated electronically.
Article 10 then establishes that unless otherwise agreed by the parties who are not consumers, where the recipient of the service places his order through technological means, an electronic contract is concluded when, after the order is placed, the recipient of the service receives from the service provider acknowledgement of the receipt of the order. The Act therefore clearly establishes the moment in which the contract is deemed to be concluded to prevent disputes, particularly as it propounds that the order made by the recipient and the acknowledgement of receipt are deemed to have been received when the parties to whom they are addressed are able to access them. It is important to note, however, that the contract is not considered to have been concluded as aforesaid with respect to contracts concluded exclusively by electronic mail or by equivalent individual communications.
‘Click wrap’ contracts are generally enforceable under Maltese law, provided the electronic contract provides the recipient of the service with all of the information required by law, and provided also that the service provider acknowledges receipt of the order.
Finally, one must also consider that consumer protection legislation, such as the Consumer Affairs Act and the Distance Selling Regulations also apply to electronic contracts. The requirements established in these instruments must therefore also be adhered to.
- Are there any particular laws that govern contracting on the internet? Do these distinguish between business-to-consumer and business-to-business contracts?
Apart from the provisions relating to general contract law in the Civil Code, contracting on the internet is governed by the E-Commerce Act mentioned above. While no general formal distinction between business-to-consumer and business-to-business contracts is set out under Maltese law, certain legislative provisions apply to only one of the two categories of contracts. For instance, the consumer protection legislation applies only to business-to-consumer contracts, while the E-Commerce Act establishes a number of exceptions in respect of ‘parties who are not consumers’. In certain cases, therefore, business-to-business contracts may be approached differently from business-to-consumer contracts.
- How does the law recognise or define digital or e-signatures?
The E-Commerce Act defines the term ‘electronic signature’ as data in electronic form which are attached to, incorporated in or logically associated with other electronic data and which serve as a method of authentication. The Act also defines advanced electronic signatures as electronic signatures which are uniquely linked to the signatory, are capable of identifying the signatory, are created using means that the signatory can maintain under his or her sole control and are linked to the data to which they relate in such a manner that any subsequent change of data is detectable.
Among other things, the Act establishes that the provision of an electronic signature suffices to satisfy the requirement of providing a signature under Maltese law.
- Are there any data retention or software legacy requirements in relation to the formation of electronic contracts?
There are no general data retention or software legacy requirements in relation to the formation of electronic contracts. Nevertheless, parties are strongly advised to keep organised records to ensure clarity in the event of a dispute. In general, companies are required to keep documents and contracts pertaining to their business for 10 years for accounting and verification purposes.
9 What measures must be taken by companies or ISPs to guarantee the security of internet transactions? Is encryption mandatory?
While no general obligations exist with respect to the security of internet transactions as such, there are several laws that require certain providers involved in various steps of an internet transaction to keep adequate security. This requirement, for instance, applies to providers of electronic communications and services (as far as security and integrity of networks are concerned, as required under the Electronic Communications Networks and Services (General) Regulations 2011.
Moreover, under the E-Commerce Act, all signature certification service providers (defined as persons who issue certificates or provide other services related to electronic signatures) must, inter alia, use trustworthy systems and products that are protected against modification, ensure the technical and cryptographic security of the processes supported by them and take measures against forgery of certificates, and, in cases where the signature certification service provider generates signature-creation data, guarantee confidentiality during the process of generating such data. Signature certification service providers are also required to use
trustworthy systems to store certificates in a verifiable form such that only authorised persons can make entries and changes, information can be checked for authenticity, certificates are publicly available for retrieval in only those cases for which the certificate holder’s consent has been obtained and any technical changes compromising these security requirements are apparent to the operator.
Furthermore, under the provisions of the Data Protection Act and associated subsidiary legislation, all data controllers (persons responsible for processing personal data) must ensure adequate security of data processing.
Although the implementation of encryption techniques is not mandatory, the legal obligation to maintain adequate levels of security reflects the regulatory thrust in favour of increased data security techniques such as anonymization and encryption to promote personal data protection.
- As regards encrypted communications, can any authorities require private keys to be made available? Are certification authorities permitted? Are they regulated and are there any laws as to their liability?
Under article 355Q of the Criminal Code, the executive police may, in addition to seizing a computer, require any information that is contained in a computer to be delivered in a form in which it can be taken away and in which it is visible and legible. It therefore follows that they may either require private keys or the encrypted information itself to be made available.
The E-Commerce Act provides for certification authorities via the term ‘signature certification service providers’. Signature certification service providers are defined as persons who issue certificates or provide other services related to electronic signatures. The Act establishes a number of requirements that must be adhered to by such providers when issuing certificates, such as demonstrating the reliability necessary for providing signature certification services and ensuring the operation of a prompt and secure directory and a secure and immediate revocation service. With regard to liability, the Act establishes, inter alia, that signature certification service providers who issue a certificate to the public or who guarantee such certificate shall be liable for any damage caused to any person who reasonably relies on such certificate. Moreover, providers are required to maintain sufficient financial resources to operate in conformity with the requirements laid down in the Act and in particular to bear the risk of liability for damages, for example, by obtaining appropriate insurance.
The law also prohibits the unauthorised obtainment, use, creation or alteration of electronic signatures, such that doing so may result in a fine or imprisonment for a term not exceeding six months or both.
- What procedures are in place to regulate the licensing of domain names? Is it possible to register a country-specific domain name without being a resident in the country?
The Malta Internet Foundation (NIC (Malta)) is responsible for the ‘.mt’ country code top-level domain. All domain names ending with ‘.mt’ must therefore be registered with NIC (Malta). Terms and conditions apply when obtaining and using a domain name. While it is possible for anyone to obtain a ‘.mt’ domain name, it must be noted that NIC (Malta) reserves the right to refuse to register a domain name, and may for good cause, and in any event upon any breach by the holder of the terms and conditions, immediately revoke the domain name from registration.
- Do domain names confer any additional rights (for instance in relation to trademarks or passing off) beyond the rights that naturally vest in the domain name?
No. The mere possession or use of a domain name does not, in and of itself, confer additional rights beyond those that naturally vest in the domain name. Where, on the other hand, the domain name itself constitutes or reflects a trademark, trade name or other form of intellectual property, then the rights attaching to that intellectual property also apply in respect of the domain name.
- Will ownership of a trademark assist in challenging a ‘pirate’ registration of a similar domain name?
In all likelihood, the ownership of a trademark will assist in challenging the registration of such a domain name. An action for trademark infringement under the relevant provisions of applicable legislation may be instituted where the domain name is used, without the consent of the proprietor, either in Malta (in the case of a national trademark), or within the EU (in the case of a Community Trade Mark). The approach to be taken depends on whether the person uses, in the course of trade, a sign that is identical or similar with the trademark in relation to goods or services that are identical or similar with those for which it is registered and may cause likelihood of confusion on the part of the public; or whether the mark has a reputation in Malta or the Community and the use of the domain takes unfair advantage of, or is detrimental to the distinctive character or the repute of the trademark.
14 What rules (including legislation and other rules such as self-regulatory codes) govern advertising on the internet?
Maltese law does not specifically regulate advertising on the internet. However, legislative instruments regarding consumer matters will in many cases apply to advertising on the internet. The first of these instruments is the Consumer Affairs Act, which implements EU Directives and contains provisions that govern the use of unfair contract terms, misleading advertising practices and comparative advertising among others. The restrictions contained in the Tobacco (Smoking Control) Act will also apply to advertising on the internet, particularly as it is explicitly provided that ‘advertising that is not permitted in the press and other printed publications shall not be permitted in information society services’.
Online advertising for online gaming or gambling services are governed by the provisions of the Remote Gaming Regulations. The restrictions contained in these Regulations are supplemented by a Directive issued by the Malta Gaming Authority that enacted a Code of Conduct on Advertising, Promotions and Inducements which applies to all Malta-licensed gaming operators.
15 How is online advertising defined? Could online editorial content be caught by the rules governing advertising?
The Consumer Affairs Act defines advertisement as any form of representation, including a catalogue, a circular and a price list, about a trade, business, craft or profession in order to promote the supply or transfer of goods or services, immovable property, rights or obligations. The Act does not provide for a specific definition of online advertising since this definition of advertisement is generic enough to cover the distribution of such advertisement material through any channel.
16 Are there rules against misleading online advertising? (Do advertising claims have to be substantiated and what evidence do advertisers have to keep on record? Do these rules apply centrally or are they industry-specific?)
The Consumer Affairs Act defines misleading practices in advertising by providing lists of misleading commercial practices, by enumerating instances of misleading statements in advertising and misleading omissions in Articles 51C and 51D respectively. Misleading statements refer inter alia to the provision of false information or taking into consideration all its features and circumstances and the limitations of the communication medium, it omits or hide, provide in an unclear, unintelligible, ambiguous or untimely format material information. Misleading omissions on the other hand may to be determined in context, with reference to limitations of space or time imposed by the advertising medium, and taking into consideration material information needed by the average consumer to take an informed transactional decision.
The Consumer Affairs Act rules apply irrespective of the industry and are to be followed by all advertisers, and irrespective of the medium of distribution of the advertising material. The Director General (Consumer Affairs) has the power to carry out investigations of his own motion or upon a reasonable allegation in writing of a breach of the provisions of the Consumer Affairs Act.
17 Are there any products or services that may not be advertised on the internet?
The general rules apply to the internet content in this respect. For instance, dissemination of material contrary to public morals is prohibited generally, and therefore also on the internet. Article 208 of the Criminal Code prohibits the acquiring, keeping, putting into circulation or exporting of pornography, even if this is done for the sake of distribution. It may therefore be argued that Maltese criminal law prohibits those subject to Maltese jurisdiction from acquiring, possessing, circulating or exporting pornography in any manner, including via the internet. Malta is a party to relevant international treaties. Another example is defamatory material:
defamation is an offence, including if carried out over the internet.
18 What is the liability of content providers and parties that merely host the content, such as ISPs? Can any other parties be liable?
Advertising content providers whose material infringes the rules of the Consumer Affairs Act may be liable to the imposition of an administrative fine which may range between EUR 470 and EUR 47,000. The Director General for Consumer Affairs is also empowered to issue compliance orders requiring persons engaging in infringing advertising practices to refrain from such activity and may include other measures such as requiring a public corrective statement.
There are no specific liability provisions foreseen in relation to advertising which may be used against hosting providers or any other parties. To this end, it must be submitted that in all cases (including for the advertising content providers themselves) a party may be liable for damages arising from a successful claim for liability in tort under the applicable provisions of the Civil Code.
- Is the advertising or selling of financial services products to consumers or to businesses via the internet regulated, and, if so, by whom and how?
Yes. It is primarily controlled via the Distance Selling (Retail Financial Services) Regulations. These regulations, emanating from article 20B of the Malta Financial Services Authority Act, cement the Malta Financial Services Authority’s position as the competent authority in regard to financial services. The regulations establish, inter alia, information that must be provided to consumers, a right of withdrawal, a requirement for contractual terms to be provided by the supplier to the consumer in writing or another durable medium and out-of-court dispute settlement procedures.
- Are ISPs liable for content displayed on their sites?
The E-Commerce Act grants protection from liability to intermediary service providers for information in respect of which they act as mere conduits, and for the provision of caching and hosting facilities. Information displayed on a website generally falls under the ‘hosting’ safe harbour provision found in article 21 of the E-Commerce Act, which provides protection from liability for damages resulting from the storage of information provided by and stored at the request of recipients of the service, as long as the provider does not have actual knowledge of the illegality of the activity, and is not aware of facts or circumstances from which illegal activity is apparent, or upon obtaining such knowledge or awareness, such provider acts expeditiously to remove or disable access to such information. The protection from liability does not apply when the recipient of the service, in providing or requesting the storage of information, is acting under the authority or control of the provider.
- Can an ISP shut down a web page containing defamatory material without court authorisation?
The determination of this question largely depends on the meaning attributed to the terms ‘knowledge’ and ‘awareness’ under article 14 of the Maltese Electronic Commerce Act. Regrettably, the Act transposed the ‘hosting’ safe harbour provision almost verbatim, thereby carrying forward the ambiguity of the Electronic Commerce Directive in this regard. The absence of court pronouncements on the matter does not aid the situation. Practical experience shows that many intermediary service providers based in Malta do remove contested material hosted on a web page upon complaint and in the absence of court authorisation, and this practice has thus far not been challenged by the authorities or in front of the courts.
- Can a website owner link to third-party websites without permission?
This issue largely depends on the terms and conditions stipulated by the owners of third-party websites regarding the use of the material hosted on their websites. If any such owner expressly stipulates that the use of links to his or her own website requires prior authorisation, then the absence of such permission could constitute a breach of contract tacitly entered into by the ‘linking’ party upon accessing the website. Maltese law does not, however, legislate explicitly on the use of links on the internet and there is no distinction made between linking and deep-linking.
23 Can a website owner use third-party content on its website without permission from the third-party content provider? Could the potential consequences be civil in nature as well as criminal or regulatory?
Content hosted on websites may qualify for protection under copyright law. Article 7(1)(a) of the Maltese Copyright Act provides in this respect that the direct or indirect, temporary or permanent reproduction by any means and in any form, in whole or in part, of copyrighted work, is dependent on the copyright owner’s authorisation. To qualify for such protection, the work must be an artistic, audiovisual, literary or musical work or a database; it must have an original character; it must have been written down, recorded, fixed or otherwise reduced to material form; in the case of databases, these must, by reason of the selection or arrangement of their contents, constitute the author’s intellectual creation. Infringement of copyright, neighbouring rights or sui generis rights in respect of any work would result in proceedings of a civil nature with potential consequences of payment of damages or a fine, and possibility of restitution of all the profit derived from the infringement. Furthermore, it is a criminal offence if a person in the exercise of any trade or course of business or with the view to gain for himself or for any other person or with the intent to cause loss to or to prejudice another person, print, manufacture, duplicate or otherwise reproduce or sell distribution or otherwise offers for sale or distribution any article or other thing in violation of the rights of copyright protected under the laws of Malta.
- Can a website owner exploit the software used for a website by licensing the software to third parties?
The determination of this question depends largely on the ownership of the software being licensed to third parties. If the website owner is the software owner, then he or she may license the software to third parties in accordance with article 7 of the Maltese Copyright Act. The same does not hold for the website owner if he or she merely licenses software from a third party and the copyright belongs to that third party. In the latter case, the licensing of such software to third parties may be in violation of article 7(a), (b) and (c) of the Copyright Act.
- Are any liabilities incurred by links to third-party websites?
Maltese law does not legislate expressly on the use of links on websites. In general, every person is liable for damage suffered by another person due to the first person’s fault, so civil liability will arise if the person claiming damages shows that the damages, which are real and quantified, have been suffered and that these damages have been caused by the defendant’s placing and maintaining links.
26 Is video content online regulated in the same way as TV content or is there a separate regime?
There is no separate regime for online video content, and the same rules which would apply for audio-visual works under the Copyright Act would apply the same way to video content online as any other audio-visual content, since the definition of audio-visual works does not specify the distribution channel of such work.
27 Do authorities have the power to carry out dawn raids and issue freezing injunctions in connection with IP infringement?
The police may be granted the power through a warrant issued by a Magistrate, to enter any house, premises or place in order to search for, seize and remove any goods or things by means of which, or in relation to which an offence against the Trademarks Act has been committed.
In terms of the Enforcement of Intellectual Property Rights (Regulation) Act, the Court may even before the commencement of proceedings on the merits of the case, upon an application by a person who has filed reasonably available evidence to support his claim that his intellectual property right has been infringed or is about to be infringed, order such prompt and effective provisional measures as it considers appropriate to preserve relevant evidence in respect of the alleged infringement, subject to the protection of confidential information. Such measures may include the detailed description, with or without the taking of samples or the physical seizure of the infringing goods and, in appropriate cases, the materials and implements used in the production and, or distribution of the said goods and the documents relating thereto. The competent court may also, if it considers it necessary, order that such measures be taken without the other party having been heard, in particular where any delay is likely to cause irreparable harm to the right holders or where the Court considers that there is an evident risk of the evidence being destroyed.
28 What civil remedies are available to IP owners? Do they include search orders and freezing injunctions?
In terms of the provisions of the Enforcement of Intellectual Property Rights (Regulation) Act an IP owner may by application request the Court to issue a decree to prevent or forbid any imminent infringement of such intellectual property right in the context of an alleged IP right infringement on a provisional basis and subject, where appropriate, to a recurring penalty payment where provided for by law, the continuation of the alleged infringements of that right, or to make such continuation subject to the lodging of guarantees intended to ensure the compensation of the right holder. An interlocutory injunction may also be issued, under the same conditions, against an intermediary whose services are being used by a third party to infringe an intellectual property right, and order the physical seizure or delivery up of the goods suspected of infringing an intellectual property right.
The same Act also makes a wide range of civil remedies available to IP rights holders in Article 12 et seq. A court may order the payment of an amount of damages to an injured party, which will take into account all relevant aspects, including the negative economic consequences that may have been suffered as well as unfair profits made by the infringer. This provision is also one of the few instances under Maltese law where a court awarding damages may also have regard to moral prejudice suffered. To best ensure that an injured IP rights holder is provided with a sufficient remedy where its rights have been infringed, the Court is also allowed to apply an alternative method of calculation of damages payable as it considers appropriate. Other corrective measures which may be applied where the Court has found a breach of an IP right include recall from circulation within all channels of commerce (whether online or physical) and destruction of seized items.
Data protection and privacy
29 How does the law in your jurisdiction define ‘personal data’? (Is there a category of ‘sensitive personal data’ and what additional rules apply to the processing of such a category of data? Can anonymisation or similar techniques be used to make data non-personal and avoid regulation?)
The Maltese Data Protection Act defines personal data as any information relating to an identified or identifiable natural person, whereby an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
The Act also establishes a subcategory of personal data subject to more stringent regulation – sensitive personal data. In this regard, ‘sensitive personal data’ are defined as personal data that reveal race or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, health or sex life. Sensitive personal data may only be processed if the data subject has given explicit consent to such processing or has made the data public. Furthermore sensitive personal data may be processed if appropriate safeguards are adopted and the processing is necessary in order that the controller will be able to comply with its duties or exercise his rights under any law regulating the conditions of employment, or the vital interest of the data subject or of some other person will be able to be protected and the data subject is physically or legally incapable of providing consent, or legal claims will be able to be established, exercised or defended
Anonymised or pseudonymised data cannot identify a natural person, therefore such data is not considered as personal data and will not be subject to the Data Protection Act.
30 Do parties involved in the processing of personal data, such as website owners, have to register with any regulator to process personal data?
The Maltese Data Protection Act defines ‘controller of personal data’ as a person who alone or jointly with others determines the purposes and means of the processing of personal data. Article 29 of the Act also provides that a controller of personal data must notify the information and data protection commissioner before carrying out any wholly or partially automated processing operation or set of such operations intended to serve a single purpose or several related purposes. Such notification must specify the name and address of the data controller and of any other person authorised by him or her in that behalf, the purpose of the processing, a description of the category of data subject and of the data or categories of data relating to them, the recipients or categories of recipient to whom the data might be disclosed, the proposed transfers of data to third countries, and a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken to ensure security of processing. Moreover, the controller must notify the commissioner of any changes affecting the information.
A website provider, as a controller of personal data pertaining to his or her website users, must ensure under article 7 of the Act that, inter alia, personal data are not processed for any purpose that is incompatible with that for which the information is collected. Thus if personal data are originally collected for a particular purpose not including sale of data, the provider cannot subsequently sell such personal data without the data subject’s consent.
31 Could data protection laws and regulatory powers apply to organisations or individuals resident outside of the (eg, if an internet company’s server is located outside the jurisdiction, are there restrictions on the transfer of personal data, and what protection does a foreign national have under local data protection laws)?
The Maltese Data Protection Act applies to processing of personal data carried out in the context of activities of an establishment of a controller in Malta or in a Maltese Embassy or High Commission abroad, or to processing of personal data where the controller is established in a third country provided that the equipment used for the processing of the personal data is situated in Malta.
32 Is personal data processed on the basis of customer consent or other grounds? What is the commonly adopted mechanism for obtaining customer consent or establishing the other grounds for processing (eg, are there opt-in and opt-out requirements)?
Personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the
controller or in a third party to whom the data is disclosed; or
(f) processing is necessary for a purpose that concerns a legitimate interest of the controller or of such a third party to whom personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy.
Opt in is generally the commonly adopted mechanism for obtaining customer consent however when certain processing is necessary in accordance to the principles above, consent is done without – however this is more the exception rather than the rule.
33 May a party involved in the processing of personal data, such as a website provider, sell personal data to third parties, such as personal data about website users? (If so, is the sale on the basis of outright transfer or a limited licence and what is the liability of the seller and buyer in relation to such data?)
Transferring of personal data would be considered as processing of personal data which therefore would require either the consent of the data subject for the personal data to be transferred or else the transfer is necessary in accordance to one of the grounds mentioned above. As long as the processing is done in accordance with the criteria for processing, a transfer can take the form of either an outright transfer or a limited licence. In that event, the buyer is subject to Maltese law, the buyer would be required to continue processing the personal data in accordance with the provisions of the Data Protection Act. It is however common that the buyer would be an operator located outside of Malta and therefore he would be subjected to the data protection legislation of the jurisdiction in which the buyer is located.
Generally, personal data may not be processed for purposes concerning direct marketing if the data subject gives notice to the controller of personal data that he or she opposes such processing. However, in relation to internet or electronic services, direct marketing (by means of e‑mail or SMS) and profiling may only be done with the explicit consent of the data subject (except for advertising of additional services offered by the provider itself to its current customers). In this regard, it must be noted that Regulation 9 of the Processing of Personal Data (Electronic Communications Sector) Regulations provides that publicly available electronic communications services cannot be used or allowed to be used to make unsolicited communications for the purpose of direct marketing.
- Does your jurisdiction recognise or regulate the ‘right to be forgotten’?
The Maltese Data Protection Act provides that personal data may not be kept for longer than is necessary, with regard to the purposes for which it is processed. However any obligations that exist under any other law with respect to data retention should be taken into consideration, in particular prescriptive periods for bringing up actions in a court of law. Thus, as long as there is a legal requirement that justifies the right to retain the data, the data controller would not be in breach of the data protection requirement.
- Does your jurisdiction restrict the transfer of personal data outside your jurisdiction?
Transfer of personal data outside of Malta is only permitted if it is transferred to another EU state or if it is transferred to a third country and the Information and Data Protection Commissioner is satisfied that there is a sufficient and adequate level of protection of data in that third country. If, however, a data controller is in a position to provide sufficient safeguards to the satisfaction of the Commissioner, such as contractual provisions, the Commissioner may authorise a transfer of personal data to a third country that does not provide a sufficient level of protection.
37 What regulations and guidance are there for email and other distance marketing (eg, is unsolicited marketing allowed)?
The Processing of Personal Data (Electronic Communications Sector) Regulations provide that there has to be prior consent in writing by the subscriber or user for unsolicited marketing through electronic communications. Nevertheless, an advertiser may use the contact details obtained in relation to the sale of a product or service to market own similar products or services. In this respect, the customer should always be given the opportunity to object, free of charge and in any easy and simple manner to such use of electronic contact details at the time of their collection and on the occasion of each message where the customer has not initially refused such use.
38 What rights and remedies do individuals have in relation to the processing of their personal data? Are these rights limited to citizens or do they extend to foreign individuals?
The data subject, who could be either a citizen of Malta or a foreign national, has the right to receive unless the data subject already has it, the identity and habitual residence or principal place of business of the controller and any other person authorised by him in that behalf if any, the purpose of processing for which the data is intended, and any further information relating to recipients or categories of recipients of the data, whether the reply to any questions made to the data subject is obligatory or voluntary, as well as the possible consequences of failure to reply, and the existence of the other rights pertaining to a data subject, primarily the right to access (i.e. the right to request the controller information as to what personal data is held by the controller), the right to rectify (i.e. the right to ask for the data to be updated if the data is not up-to-date) and where applicable the right to erase the data concerning him.
- Is the sale of online products subject to taxation?
Income generated through the supply of online products would be subject to tax in Malta at progressive rates in the case of individual suppliers and at the standard corporate tax rate of 35 per cent in the case of a company. In the case of a company acting as a supplier, the shareholders of the company may, upon receiving a dividend from the company and upon certain conditions, claim a refund generally of 6/7 of the Malta tax paid by the company, ie, the shareholder would receive 30 per cent back.
As far as VAT is concerned we would need to distinguish between the supply of goods and the supply of services. The standard rate of VAT in Malta is that of 18 per cent.
The supply of online goods would generally be subject to VAT in Malta if the supply is a domestic supply and if the goods are transported by the supplier from Malta or made available for the customer in Malta (transport organised by the customer). Different treatment would apply if the customer is a business and receiving the goods in another member state.
As of 1 January 2015, Malta adopted the new VAT regime with respect to B2C supply of electronically supplied services. In terms of this new regime the place of supply of electronically supplied services such as downloadable software or books and games are subject to VAT in the country of consumption. B2B supplies of electronically supplied services are also subject to VAT in the member state of consumption. No VAT would be due on electronically supplied services provided to customers outside the EU.
The Tax Credit (Electronic Commerce) Rules allow any small or medium-sized enterprise carrying on a trade, business, profession or vocation, which enters into or intends to enter into a project for the acquisition of tangible and intangible assets consisting of computer hardware or software or website development services for or in connection with the development of e-commerce systems that enable the sale of tangible goods or services through business transactions processed over publicly accessible electronic networks to apply for a tax credit in accordance with the rules. The granting of such a tax credit will depend on the enterprise’s adherence to the requirements set out in the rules and on the Malta Enterprise Corporation’s approval.
- What tax liabilities ensue from placing servers outside operators’ home jurisdictions? Does the placing of servers within a jurisdiction by a company incorporated outside the jurisdiction expose that company to local taxes?
A company incorporated abroad may be subject to tax in Malta if it operates through a permanent establishment in Malta. Malta generally follows the principles and commentaries emanating from the OECD Model Tax Convention. A server may accordingly be considered to establish a permanent establishment in Malta if it meets the requirement of creating a fixed place of business from which the foreign company operates.
A Maltese company operating through servers located in another jurisdiction may likewise be subject to tax in that other jurisdiction, if the servers would be considered as creating a permanent establishment in that jurisdiction. The Maltese company would still be subject to tax in Malta on its worldwide income.
Naturally one would need to consider the applicable double tax treaty and the interpretation given in the particular jurisdiction. Tax relief in the country of residence may generally be granted in the terms of the double tax treaty applicable or other form of tax relief. Malta offers in addition to treaty relief additional forms of double tax relief, such as the flat rate foreign tax credit and unilateral relief.
- When and where should companies register for VAT or other sales taxes? How are domestic internet sales taxed?
The VAT Act requires a supplier to register with the Director General Tax within 30 days from the date on which the goods or services are supplied. Companies may also have an obligation to register for VAT in Malta if VAT is due in Malta in terms of the Place of Supply Rules via the reverse charge mechanism. In domestic internet sales, the supplier should add Maltese VAT (18 per cent) to its invoices and pass this collected VAT to the VAT Department in Malta by submitting VAT returns, normally every three months.
- If an offshore company is used to supply goods over the internet, how will returns be treated for tax purposes? What transfer-pricing problems might arise from customers returning goods to an onshore retail outlet of an offshore company set up to supply the goods?
Generally, a claim for refund on VAT and any applicable duty may be granted if the product is re-exported. If the goods are returned to an outlet of the offshore company and a refund is paid to the customer, the local outlet would not be able to claim a VAT refund unless the product is exported.
- Is it permissible to operate an online betting or gaming business from the jurisdiction?
Yes, provided the operator either obtains a licence from the Malta Gaming Authority in accordance with the provisions of the Remote Gaming Regulations, or is in possession of an equivalent authorisation by the government or competent authority of an EEA member state, or any other jurisdiction approved by the authority.
- Are residents permitted to use online casinos and betting websites? Is any regulatory consent or age, credit or other verification required?
Yes, provided, once again, the operator either obtains a licence from the Malta Gaming Authority in accordance with the provisions of the Remote Gaming Regulations, or is in possession of an equivalent authorisation by the government or competent authority of an EEA member state, or any other jurisdiction approved by the authority.
The Remote Gaming Regulations establish a number of criteria that operators must satisfy to obtain a licence and provide lawful remote gaming services, including anti-money laundering, player protection and business integrity requirements. With respect to the protection of players, the regulations require a prospective player to register an account with a licensee, which must at least include the player’s identity, place of residence, functional e-mail address and that the player must be at least 18 years of age. Licensees are also required to verify the player’s identity, age and place of residence prior to making a payment to such player in excess of €2,329.37.
- What are the key legal and tax issues relevant in considering the provision of services on an outsourced basis?
It is good practice to have explicit and precise provisions in an outsourcing agreement covering at least the following matters:
- the scope of services to be provided;
- the applicable service levels, such as time frames for fixing errors of different levels of urgency or criticality, uptime, response times for customer service;
- the price and its inclusions and exclusions;
- the responsibilities of the service provider and remedies (rebates, service credits, pre-liquidated damages) in case of failure to perform under the agreement;
- the client’s responsibilities (providing information and access to systems, if necessary, responding to queries);
- intellectual property ownership (software, data);
- exit or termination actions (change of control, notice period, handover of data); and
- choice of law and dispute resolution.
- What are the rights of employees who previously carried out services that have been outsourced? Is there any right to consultation or compensation, do the rules apply to all employees within the jurisdiction?
The Maltese Employment and Industrial Relations Act provides that when a business or other undertaking is taken over from an employer, an employee in employment on the date of transfer of the undertaking shall be deemed to be in the employment of the transferee and the transferee shall take on all the rights and obligations that the transferor has towards the employee. This includes the obligation on the part of the transferee to observe the terms and conditions of any collective agreement until the date of termination or expiry of such collective agreement or the entry into force or application of another collective agreement; it also includes employees’ rights to old age, invalidity or survivors’ benefits under supplementary company pension schemes outside the provisions of the Social Security Act.
Moreover, the transferor and the transferee are obliged to inform the affected employees or their representatives, by means of a written statement to be delivered at least 15 days before the transfer is carried out or before the employees are directly affected by the transfer, whichever is earlier, about the proposed or actual date of the transfer, the reasons for such transfer, the legal, economic and social implications of the transfer for the employees and the measures envisaged in relation to them.
Non-compliance with the above-mentioned duties constitutes an offence under Maltese law. However, no right to compensation or consultation emanates from Maltese law.
- When would a website provider be liable for mistakes in information that it provides online? Can it avoid liability?
The determination of this question depends on whether the website provider is merely hosting the information containing such mistakes, or whether it is also responsible for the content of such information. In the latter case, it is considered that the publisher and the rules applicable to publishers under the Press Act will apply. Potential liability may result in case of defamation or in the case where a mistake causes damage. Generally, online publishers are advised to have terms and conditions limiting their liability for mistakes in the website.
- If a website provider includes databases on its site, can it stop other people from using or reproducing data from those databases?
Databases are eligible for protection under the Copyright Act. Pursuant to the requirements of the Database Directive (Directive 96/9/EC), databases may be protected in a number of ways.
First, a database that by reason of the selection and arrangement of its contents constitutes the author’s own intellectual creation is eligible for copyright protection as a whole. Moreover, the Copyright Act also provides for a sui generis database right, such that a database that involves a substantial investment in either the obtaining, verification or presentation of the contents of that database is protected by a database right of lesser duration than copyright. It must be noted that both copyright and the sui generis right do not extend to the contents of the database, although, if the requirements of the law are satisfied, such contents may be protected in its own right (for instance, as a literary work).
Copyright grants the holder the exclusive right to authorise or prohibit how the protected material in its totality or substantial part thereof is used in Malta, either in its original form or in any form recognisably derived from the original of, inter alia, the direct or indirect, temporary or permanent reproduction, the rental and lending, the distribution, the translation, broadcasting and performance of the work.
On the other hand, the database right grants the holder the right to authorise or prohibit acts of extraction or reutilisation of its contents, in whole or in a substantial part, evaluated qualitatively or quantitatively.
The Copyright Act establishes exceptions and limitations in respect of both categories of protection. A website’s terms and conditions would
normally state the allowed and prohibited uses of the database.
UPDATE & TRENDS
Are there any emerging trends or hot topics in e-Commerce regulation in the jurisdiction? Is there any pending legislation that is likely to have consequences for e-Commerce and internet-related business?
An important topic of interest for e-Commerce service providers is the recent adoption by the European Parliament and the Council in April 2016 of the EU’s new General Data Protection Regulation due to its wide implications on e-commerce businesses’ handling of customer personal data. The new rules encourage businesses to adopt privacy-friendly data techniques such as anonymization, pseudonymisation and encryption, and will provide a level playing field for all EU and non-EU businesses, since all entities providing services to EU consumers and data subjects must comply with these rules. Typically, Eu regulations come into force after twenty days from their original publication in the Official Journal of the EU, however businesses are not going to be subject to the new rules just yet and are to be allowed a two-year grace period. During this time, e-commerce businesses are strongly advised to allocate time and resources necessary to ensure compliance with the new data protection rules once they come into force in 2018.