This country-specific Q&A provides an overview of the technology laws and regulations in force in Malta.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Communications networks and services are regulated under the Electronic Communications (Regulation) Act, Chapter 399 of the Laws of Malta, (the ‘ECRA’) and in particular the Electronic Communications Networks and Services (General) Regulations, Chapter 399.28 of the Laws of Malta (the ‘ECNSR’). A general authorisation is required for the provision of electronic communications networks and services mentioned below:
- public communications networks;
- publicly available telephone services;
- television and radio distribution services;
- other publicly available electronic communications services;
- non-public electronic communications services;
- publicly available telephone directories and directory enquiry services; and
- private electronic communications networks and/or services.
Is there any specific regulator for the provision of communications-related services? Is it independent of government control?
The Malta Communications Authority (the ‘MCA’) is the authority entrusted to regulate electronic communications, postal and electronic commerce sectors and is constituted by law under the Malta Communications Authority Act, Chapter 418 of the Laws of Malta (the ‘MCA Act’), to exercise regulatory functions in the field of communications. Its aims are to promote competition, develop the internal market, promote the interests and rights of users within the European Union and ensure that there are adequate electronic communications services to satisfy all reasonable demands. The MCA also works to develop an environment that is favourable to investment, innovation, social inclusion and economic growth.
The MCA is a governmental authority. It provides advice to the Government of Malta on various matters, including the international dimension of the electronic communications regulatory framework.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
The ECRA provides that any undertaking may provide electronic communications services, but before doing so the prospective operator must notify the MCA of that intention. There are no restrictions on foreign ownership of telecoms operators.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power? What are the principal consumer protection regulations that apply specifically to telecoms services?
The ECRA provides that no restrictions should be imposed or maintained that prevent undertakings in Malta or in other Member States from negotiating between themselves agreements on technical and commercial arrangements for access and/or interconnection, as long as these are in accordance with EU law.
The MCA has the power to impose obligations on undertakings that control access to end users to ensure end-to-end connectivity. Such obligations may include the requirement for operators of public communications networks to offer interconnection to other undertakings, subject to the terms and conditions imposed by the MCA.
The ECNSR provide that undertakings designated as having significant market power are subject to specific obligations imposed by the MCA, which include non-discrimination in relation to interconnection and/or access, accounting separation, transparency, granting access to and use of the network, price control and cost accounting obligations. Should the MCA wish to impose further obligations, it may do so only after requesting and obtaining authorisation from the European Commission.
Should the MCA be of the opinion that imposing such measures on large market providers has proved ineffectual and has failed to achieve effective competition, it may impose the exceptional measure of structural separation of networks. Before taking such a measure, the MCA must submit a proposal to the European Commission including evidence justifying its conclusions, an impact analysis and a reasoned assessment that there is minimal, or no, effective and sustainable infrastructure-based competition within a reasonable timeframe.
The main laws which regulate consumer protection specifically in relation to telecoms are the ECNSR, the MCA Act and the Consumer Affairs Act, Chapter 378 of the Laws of Malta (the ‘CCA’). The MCA Act lays down the powers and workings of the MCA, such as how it should cooperate with other competent authorities responsible for competition and consumer affairs issues of common interest.
Further to the above, the ECNSR, in particular part VI, provides the MCA with powers to ensure that end-user interests and rights are upheld by guaranteeing that service providers comply with their duties at law and that end-users are furnished with information on what they are entitled to and their obligations when using their services. The MCA is empowered to take regulatory action should a service provider commit a breach of legislation administered by the MCA.
Although the CCA deals with consumer protection matters in general, it specifically states that the Director General (Consumer Affairs) shall handle a claim which was originally submitted to the MCA by an aggrieved end-user in relation to a communications service. This occurs when the complaint falls outside the remit of the MCA because of its nature, for example where the end-user’s contract contains unfair contract terms or where there is a case of misleading advertising.
What legal protections are offered in relation to the creators of computer software?
The Copyright Act, Chapter 415 of the Laws of Malta (the ‘CA’) provides that computer programs are protected as literary works. It is the expression of the idea which is protected by copyright and not the idea itself. Therefore, it is the source code of computer software which is protected by copyright.
Are specific intellectual property rights in respect of data/databases recognised?
Databases are one of the works listed in the CA which may be eligible for copyright protection as a whole, provided that, by reason of the selection or arrangement of their contents, they constitute the author’s own intellectual creation.
Copyright protection grants the right holder an exclusive right to authorise or prohibit the use in Malta, either in its original form or in any form recognisably derived from the original of, inter alia, the reproduction, the distribution, the rental and lending, the translation (which includes different computer languages), the adaptation and the broadcasting or performance of the work.
Irrespective of whether a database qualifies for copyright protection, a sui generis database right is also available where the maker of a database can show that there has been substantial investment in the formation and organisation of the contents of the database. It is of note that both the sui generis right and copyright protection do not cover the contents of the database in question. If however certain legal requirements are satisfied, the contents may be eligible for copyright protection in their own right as a literary work, for example.
What key protections exist for personal data?
The Data Protection Act, Chapter 440 of the Laws of Malta (the ‘DPA’), along with the subsidiary legislation issued under it, provides the main protections for personal data. The DPA lays down safeguards which anyone processing personal data must ensure: in particular, personal data must be processed fairly and lawfully, processed in accordance with good practice and only for specific, explicitly stated and legitimate purposes, and must be correct and kept up to date. Further to this, the DPA provides that personal data may only be processed if certain criteria are met, such as where the data subject has unambiguously given his consent or where the processing is necessary for the performance of a contract to which the data subject is a party. Moreover, the DPA states that where the data subject notifies the controller that he objects to his personal data being processed for direct marketing purposes, such data may not be processed for that purpose.
With respect to sensitive personal data, the DPA requires additional safeguards to be implemented for its processing, and permits such processing where it is necessary in order that:
(i) the controller complies with his obligations or rights under employment law; or
(ii) the vital interests of the data subject or of some other person will be able to be protected and the data subject is physically or legally incapable of giving his consent; or
(iii) legal claims will be able to be established, exercised or defended.
In addition to this, the DPA provides specific purposes for when sensitive personal data may be processed such as processing concerning health or medical purposes, processing for research and statistics purposes and processing by foundations and similar entities. With respect to processing data relating to legal offences the DPA allows such data to solely be processed under the control of a public authority, unless otherwise provided under any law.
The DPA provides rights to data subjects such as requiring that the controller provides the data subject with relevant information and the right of access to his personal data, when requested. In fact, where such data is collected from a third party and not from the data subject himself the controller must provide the data subject with specific details.
Further to the above, the DPA explicitly requires that appropriate technical and organisational measures are implemented by the controller to ensure that any processed personal data is secured against unlawful forms of processing, accidental destruction or loss.
Are there restrictions on the transfer of personal data overseas?
Transferring personal data is essentially a processing operation which must be notified to the Commissioner. If such data is transferred to an EU Member State, a country which is a member of the EEA, or to a third country provided that such third country is recognised as having an adequate level of protection, no restrictions or other formalities apply as long as the provisions of the DPA are complied with. The Commissioner has the power to assess whether such an adequate level of protection exists in order to allow transfer of personal data to a third country. A transfer of personal data to a third country not ensuring an adequate level of protection may still be carried out, provided that the data subject has given his unambiguous consent or if the transfer is necessary for certain specified circumstances which the DPA provides for, such as for the performance of the contract which is to be concluded in the interests of the data subject, amongst others. In any case, the Commissioner may authorise the transfer of personal data to a third country that does not ensure an adequate level of protection, if he is satisfied that the controller offers adequate safeguards by means of standard contractual clauses, which are deemed to be sufficient in protecting the privacy and fundamental rights and freedoms of individuals.
With respect to transfers of personal data from Malta to the United States (‘U.S.’), as long as the entities to which data is being transferred within the U.S. comply with the EU-U.S. Privacy Shield, which became operational on 1 August 2016, then mere notification to the Commissioner is required.
In the event that data needs to be transferred within a multinational organisation, Binding Corporate Rules are seen to be a valuable tool should data be transferred regularly and can be adopted without having to sign a separate agreement with each intra-group entity for each processing operation requiring an international data transfer.
What is the maximum fine that can be applied for breach of data protection laws?
The maximum administrative fine that may be imposed is €23,300; such a fine might be applied, for instance, where data processed unlawfully has not been rectified following an order by the Commissioner. Further to this, the DPA makes certain acts an offence, such as where the controller provides the data subject with untrue information or where sensitive personal data is processed in contravention of the provisions of the DPA; these offences may attract a maximum fine of €23,000 as well as a period of imprisonment ranging from 3 to 6 months.
In addition to the above, the Third Country (Data Protection) Regulations, Subsidiary Legislation 440.03 of the Laws of Malta, which apply to transfers of personal data to third countries, lay down an administrative fine of €23,293.73 for each violation, with a daily fine of €2,329.37 for each day the violation persists. Contraventions of the Processing of Personal Data (Electronic Communications Sector) Regulations, Subsidiary Legislation 440.01 of the Laws of Malta, attract the same administrative fine.
Are there any restrictions applicable to cloud-based services?
There are no restrictions or specific legislation in respect of cloud-based services. However, local authorities follow closely the developments and initiatives taken at EU level especially the EU Commission Strategy for Unleashing the Potential of Cloud Computing in Europe, the EU Parliament resolution and the EU Commission Staff Working Document.
Are there specific requirements for the validity of an electronic signature?
The Electronic Commerce Act, Chapter 426 of the Laws of Malta (the ‘E-Commerce Act’) deals with the validity of electronic transactions in the internal market and has recently been amended to implement Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the ‘eIDAS Regulation’). The eIDAS Regulation defines an electronic signature as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign, and distinguishes advanced electronic signatures from qualified electronic signatures (an advanced electronic signature created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures).
The eIDAS Regulation provides that an advanced electronic signature must be uniquely linked to the signatory, capable of identifying the signatory, created using electronic signature creation data that the signatory can, with a high level of confidence, use under his or her exclusive control, and linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
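The four properties listed above map directly onto ordinary public-key signature mechanics. The following Go program is an added example, not part of this Q&A or of any Maltese or EU legal text; it uses Ed25519 from the Go standard library, and a hypothetical keyring lookup by key fingerprint stands in for the certificate that a qualified signature would use to identify the signatory. It shows that a signature verifies only under the signatory’s own key (unique linkage and identification), that the private key never leaves the signer (exclusive control), and that any change to the signed data makes verification fail (change detection).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer is a hypothetical signatory. The private key never leaves this
// value (exclusive control); the public key is what relying parties use to
// link a signature back to this signatory.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for one signatory.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Public returns the signatory's public key for distribution to relying parties.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Fingerprint derives a short identifier from a public key. A relying party
// uses it to name the signatory without handling raw key bytes; in a real
// deployment a certificate would carry the signatory's identity instead.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Keyring builds the relying party's table of known signatories.
func Keyring(signers ...*Signer) map[string]ed25519.PublicKey {
	ring := make(map[string]ed25519.PublicKey, len(signers))
	for _, s := range signers {
		ring[Fingerprint(s.pub)] = s.pub
	}
	return ring
}

// SignedDocument bundles the data, who claims to have signed it, and the signature.
type SignedDocument struct {
	Data      []byte
	SignerID  string // fingerprint of the signatory's public key
	Signature []byte
}

// Sign produces a signature bound to exactly these bytes.
func (s *Signer) Sign(data []byte) SignedDocument {
	return SignedDocument{
		Data:      data,
		SignerID:  Fingerprint(s.pub),
		Signature: ed25519.Sign(s.priv, data),
	}
}

// Verify checks a signed document against the keyring. It fails if the
// claimed signatory is unknown, if the signature was made under a different
// key (unique linkage), or if the data changed after signing (detectability).
func Verify(doc SignedDocument, keyring map[string]ed25519.PublicKey) error {
	pub, ok := keyring[doc.SignerID]
	if !ok {
		return errors.New("unknown signatory")
	}
	if !ed25519.Verify(pub, doc.Data, doc.Signature) {
		return errors.New("signature invalid: wrong key or data modified after signing")
	}
	return nil
}

func main() {
	alice, _ := NewSigner()
	ring := Keyring(alice)
	doc := alice.Sign([]byte("constructed sample agreement text")) // constructed input
	fmt.Println("original verifies:", Verify(doc, ring))
	tampered := doc
	tampered.Data = []byte("constructed sample agreement text (altered)")
	fmt.Println("tampered verifies:", Verify(tampered, ring))
}
```

The keyring is the trust decision a relying party makes: a signature that verifies under a key nobody vouches for proves only that some key signed the bytes, which is why the regulation ties the advanced signature to identification of the signatory and not merely to integrity of the data.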
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
Under the Employment and Industrial Relations Act, Chapter 452 of the Laws of Malta (‘EIRA’), when a business is taken over, in whole or in part, any employee in employment with the transferor shall be deemed to be in employment with the transferee, and the transferee takes on the rights and obligations which the transferor, as employer, has in respect of the employees.
The Transfer of Business (Protection of Employment) Regulations, Subsidiary Legislation 452.85 (‘TBR’), provide that the above also applies in the case of a service provision change, i.e. where:
(i) activities cease to be carried out by a person (client) on his own behalf and are carried out instead by another person on the client’s behalf (contractor);
(ii) activities cease to be carried out by a contractor on a client’s behalf, whether or not those activities had previously been carried out by the client on his own behalf, and are carried out instead by another subsequent contractor on the client’s behalf; or
(iii) activities cease to be carried out by a contractor or a subsequent contractor on a client’s behalf, whether or not those activities had previously been carried out by the client on his own behalf, and are carried out instead by the client on his own behalf.
The TBR apply irrespective of the services being provided, and thus include also IT services, but are limited to undertakings that are being transferred and that employ more than 20 employees.
Assets or third party contracts are not automatically assigned, and such transfers would need to be agreed to by the parties in appropriate contractual arrangements.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
The CCA provides that any producer shall be liable for the damage caused by a defect in his product. The term ‘producer’ has several meanings assigned to it by the CCA, including: ‘the manufacturer of a finished or processed product’; ‘manufacturer of a component part’; or any person who imports into an EEA State a product for sale, hire, leasing or any other form of distribution, where the product is manufactured or produced outside a Member State. The injured party shall solely be required to prove the damage, defect and causal link between the defect and damage and shall not be required to prove fault on the producer’s part. A supplier may be deemed to be a producer in the event that the producer or the importer of an imported product cannot be identified and the supplier fails to answer the injured party’s request to provide the identity and full address of the producer in question, within the stipulated time period.
What key laws exist in terms of obligations as to the maintenance of cybersecurity?
The DPA, together with the subsidiary legislation made under it, lays down the technical and organisational measures which controllers and processors must implement to protect personal data against unlawful processing and against accidental destruction or loss. This framework therefore imposes security obligations on processors of personal data. It is also pertinent to note that the General Data Protection Regulation (the ‘GDPR’) becomes directly applicable in 2018, which means that Malta will have to comply with any further cybersecurity obligations which the GDPR imposes.
The ECNSR require any undertaking authorised to operate a public communications network to ensure the security and integrity of networks from any threats, vulnerabilities or incidents. An entity providing publicly available electronic communications services over public communications networks must do all that is necessary to ensure availability of such services, should there be a catastrophic network breakdown.
Other sector-specific legislation provides for measures to ensure proper information security. With respect to qualified trust service providers, which provide various electronic services, the eIDAS Regulation obliges such providers to ensure a high level of security by implementing appropriate technical and organisational measures, taking into account the latest technological developments. The eIDAS Regulation, inter alia, requires providers to take measures to prevent and minimise the impact of security incidents, and provides that stakeholders are to be informed of adverse effects in the event of any security incident.
In the remote gaming sector, the Remote Gaming Regulations, Subsidiary Legislation 438.04 of the Laws of Malta, require service providers to adhere to information security requirements and subject them to testing and audit processes by the Malta Gaming Authority, in which they must demonstrate that security measures proportionate to the risks have been implemented.
With respect to the financial sector, the Financial Institutions Act, Chapter 376 of the Laws of Malta, and the Banking Act, Chapter 371 of the Laws of Malta, both impose a rather general obligation that the institution in question must have sufficient procedures to identify, manage, monitor and report risks, together with appropriate internal control mechanisms. In addition, service providers in the financial sector are increasingly expected to set up an internal audit function to assess the appropriateness of the provider’s internal policies and procedures, including its information security and risk management strategies, and its compliance with those policies.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Criminal Code, Chapter 9 of the Laws of Malta (the ‘Code’) is the primary law dealing with ‘computer misuse’ and provides that unlawful access to or use of information, misuse of hardware, and hindering or impairing the functioning or operation of a computer system or software, or the integrity or reliability of any data, are criminal offences.
The Malta Government launched a Cyber Security Strategy (the ‘Strategy’) in 2016. The Government is committed to review the existing legislation and create legal and regulatory frameworks to cater for the Strategy’s goals such as securing cyber-space and combatting cybercrime.
What technology development will create the most legal change in the jurisdiction?
In April 2017, the Cabinet of Ministers approved a draft of the National Strategy to promote blockchain technology. It is expected that blockchain technology and smart contracts will be adopted in various government departments and regulatory authorities. Furthermore, the Prime Minister has also hinted that it is the intention of the government to look at Bitcoin and other cryptocurrencies with an open mind. It is envisaged that, if the National Strategy is adopted, this will create a number of legal changes across all sectors, but particularly in the Fintech sector.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
The most common factor that impedes economic development is generally legal uncertainty. Currently we are anticipating the implementation of the 4th Money Laundering Directive by the Member States of the EU and also the coming into force of the General Data Protection Regulation in 2018. These two pieces of legislation will certainly require businesses to adapt to the new requirements; however, until it is certain how they will be interpreted and implemented, uncertainty prevails, which undoubtedly has a negative effect on economic development and commerce in general.
Do you believe the legal system specifically encourages or hinders digital services?
Malta, as a member state of the European Union, seeks to be compliant with EU legislation. This also contributes to its aim of attracting business and investment from foreign countries. The Maltese Government recognises that we are living in an increasingly digital world and that investment in digital services is essential. In fact, together with the Malta Information Technology Agency (‘MITA’), the Maltese Government provides its services and information by means of an electronic system. In 2016, the Government of Malta launched a Cyber Security Strategy (the ‘Strategy’) with the aim of reviewing current legislation and creating legal and regulatory frameworks to cater for the Strategy’s goals, such as securing cyber-space and combatting cybercrime. Moreover, the eIDAS Regulation, which became directly applicable in Maltese law, has paved the way for citizens and entities alike to better access and utilise online services. Consequently, the E-Commerce Act was amended by means of Act XXXV of 2016 to guarantee the effective implementation of that Regulation.
To what extent is the legal system ready to deal with the legal issues associated with artificial intelligence?
Maltese law already contains various concepts which can be used to compensate for damage caused by AI machines. Apart from product liability, which may be made use of by the consumer who would have purchased the AI machine, should such machine cause the consumer damage, it is highly likely that tort law, under the Maltese Civil Code, Chapter 16 of the Laws of Malta (the ‘Maltese Civil Code’) may also be applied in various other instances to allocate responsibility in the case of damage caused by artificial intelligence.
Further to this, Maltese law provides for the indirect liability of employers, parents and owners of animals or buildings. These rules could provide an adequate basis should it be determined that specific legal provisions regulating AI need to be inserted into Maltese law, since the forms of indirect liability provided for in the Maltese Civil Code are generally applied only to the specific scenarios set out in the law.
Moreover, should legal personality be applied to AI machines, as is done for companies, this would create a potential scenario where the AI machine itself could possibly be sued for any damage it could have caused to an individual.
Should the legal personality concept never be applied to AI machines, the most likely scenario envisaged would be that Malta would have to update its legal system and adapt the existing legal framework to the issues that AI brings with it; in particular amendments to Maltese tort law.