This country-specific Q&A provides an overview of the technology, media and telecom laws and regulations that apply in Malta.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
There is no single regulatory regime for technology in Malta. The following pieces of legislation (along with related subsidiary legislation) regulate various aspects of the technological sphere:
- the Malta Communications Authority Act (Chapter 418, Laws of Malta);
- the Electronic Communications (Regulation) Act (Chapter 399, Laws of Malta);
- the Data Protection Act (Chapter 586, Laws of Malta);
- the Electronic Commerce Act (Chapter 426, Laws of Malta);
- the Virtual Financial Assets Act (Chapter 590, Laws of Malta);
- the Malta Digital Innovation Authority Act (Chapter 591, Laws of Malta); and
- the Innovative Technology Arrangements and Services Act (Chapter 592, Laws of Malta).
Are communications networks or services regulated?
In terms of the Electronic Communications (Regulation) Act (Chapter 399 of the Laws of Malta), undertakings wishing to provide electronic communications are required to notify the Malta Communications Authority for a general authorisation to provide such services.
If so, what activities are covered and what licences or authorisations are required?
General authorisations established by the Electronic Communications Networks and Services (General) Regulations (ECNSR) include the following:
- the establishment and operation of a public communications network;
- publicly available telephone services;
- the provision of other publicly available electronic communications services;
- the provision of television and radio distribution services;
- the provision of non-public electronic communications services;
- publicly available telephone directories and directory enquiry services; and
- private electronic communications networks or services.
Before commencing its service, an undertaking wishing to provide an electronic communications network or an electronic communications service must first notify the MCA by completing the relevant notification form. The form must include all the requisite information provided for under Regulation 66 of the ECNSR.
Once the MCA acknowledges the undertaking’s submission of notification, the undertaking concerned is deemed to be authorised to provide an electronic communications network or service. However, this is subject to the conditions established in the Ninth Schedule to the ECNSR. Moreover, administrative charges are specified in the Eighth Schedule (Part A) of the ECNSR.
The duration of a general authorisation to provide an electronic communications service is unlimited, subject to ongoing compliance with the conditions attached to it. If there is a breach of these conditions, the MCA can take any actions that it deems to be suitable.
Is there any specific regulator for the provisions of communications-related services?
The Malta Communications Authority (“MCA”) is the regulator for the provision of communications-related services. It is the duty of the MCA to exercise regulatory functions in the field of communications and to regulate, monitor and keep under review all practices, operations and activities relating to any matter regulated by or under the Malta Communications Authority Act and subsidiary legislation. In addition, it is within the MCA’s powers to grant any licence, permit or other authorisation for the carrying out of any operation or activity relating to any matter regulated by or under the Malta Communications Authority Act.
Are they independent of government control?
Section 6 of the Malta Communications Authority Act (Chapter 418, Laws of Malta) establishes that the Minister responsible for communications may give the MCA directions in writing of a general character in cases which appear to him to affect public interest provided that such directions are not inconsistent with the provisions of the Act. Furthermore, if the Authority fails to comply with any directions issued under this article, the Prime Minister may make an order transferring to the Minister in whole or in part any of the functions of the Authority.
Therefore, whilst the MCA is required to “act independently and shall not seek or take instructions from any other body on any matters related to the exercise of any of its statutory functions”, these government powers significantly reduce that independence.
Are platform providers (social media, content sharing, information search engines) regulated?
Currently, there is no specific legislation or regulation in Malta relating specifically to digital platforms. However, the e-Commerce Directive (Directive 2000/31/EC), which was transposed into Maltese law in 2002 through the Electronic Commerce Act (Chapter 426 of the Laws of Malta), creates a basic legal framework for online services including platform providers such as social media, content sharing and information search engines.
If so, does the reach of the regulator extend outside your jurisdiction?
Does a telecoms operator need to be domiciled in the country?
Maltese law does not require telecoms operators to be established and domiciled in Malta. However, if Maltese regulations are to apply to that operator, the physical electronic communications networks that are essential to the transmission of signals should be located in Malta.
Are there any restrictions on foreign ownership of telecoms operators?
There are no restrictions on foreign companies commencing operations in the Maltese telecoms market and in fact all three of the larger telecoms players in Malta have material or controlling foreign interests.
Are there any regulations covering interconnection between operators?
Yes. Part IV of the Electronic Communications Networks and Services (General) Regulations (S.L. 399.28) provides the rights and obligations of telecoms operators in relation to access and interconnection.
If so are these different for operators with market power?
No. The interconnection rules apply universally and are based on a cost-accounting system at a reasonable rate of return on investment, which “rate serves to promote efficiency and sustainable competition and maximise consumer benefits.”
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Electronic Communications Networks and Services (General) Regulations (S.L. 399.28) cover the principal aspects of consumer protection within the telecoms sector in Malta, dealing with matters such as competition rules, end user interests and rights (bills, portability, directory listings, etc.), security of networks and services, and protection of privacy.
What legal protections are offered in relation to the creators of computer software?
Computer programs are considered literary works under the Copyright Act (Chapter 415 of the Laws of Malta) and are therefore automatically eligible for copyright in terms of the same act. There is no depository to file copyright in Malta.
Do you recognise specific intellectual property rights in respect of data/databases?
Pursuant to EU directive 96/9/EC of 11 March 1996, a database may be subject to both copyright, which may benefit its author in respect of his original selection or arrangement of the contents of the database, and to a specific, sui generis right that will inure to its ‘producer’ for a period of 15 years, irrespective of the originality of the database. Nevertheless, under the above rules, it is only the database that is protected, not the data itself. The underlying reasoning is that data, as information, should circulate freely and should not be owned by the database creator or developer, unless of course that information is made confidential by an exclusive information holder or recognized as confidential under the law.
What key protections exist for personal data?
In addition to the protections provided in the Data Protection Act, Chapter 586 of the Laws of Malta and the General Data Protection Regulations made under that Act, which implement the provisions of the EU’s GDPR, it is pertinent to note the additional protections afforded through the provisions of the Processing of Data (Electronic Communications Sector) Regulations (SL 586.01) and the Electronic Communications Networks and Services (General) Regulations (S.L. 399.28).
The Processing of Data (Electronic Communications Sector) Regulations (SL 586.01) regulate data protection in the electronic communications sector. Thus, for instance, regulation 20 establishes that service providers must retain certain categories of data necessary to:
- trace and identify the source of a communication;
- identify the destination of a communication;
- identify the date, time and duration of a communication;
- identify the type of communication;
- identify users’ communication equipment or what purports to be their equipment; and
- identify the location of mobile communication equipment.
The Electronic Communications Networks and Services (General) Regulations (S.L. 399.28), on the other hand, require undertakings which provide publicly available electronic communications services to inform subscribers and users (where possible) about the existence of any situations allowing the contents of communications to be unintentionally made known to persons who are not party to them. They also cover industry-specific considerations such as the obligation of telecoms undertakings to provide users with simple, free-of-charge solutions for preventing calling line identification, preventing the presentation of the calling line identification of incoming calls, rejecting incoming calls where the presentation of the calling line identification has been prevented by the calling user or subscriber, and stopping, without delay, automatic call forwarding by a third party to the subscriber’s terminal. Such calling line identification prevention may be overridden when a subscriber requests the tracing of malicious or nuisance calls received on his/her line or where the undertaking deems it necessary or expedient to trace any such calls.
Are there restrictions on the transfer of personal data overseas?
Yes. A transfer of personal data to a country outside the EEA that does not provide for an adequate level of protection may only take place if additional requirements have been met. For example, a data transfer agreement based on EC Model Clauses or other additional safeguards may be necessary.
What is the maximum fine that can be applied for breach of data protection laws?
In the case of a breach of data protection laws, depending on the provision of the GDPR which was infringed, the maximum administrative fine which the Information and Data Protection Commissioner may impose may be up to €20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is the higher.
What additional protections have been implemented, over and above the GDPR requirements?
As indicated in the reply to question 7 above, the Electronic Communications Networks and Services (General) Regulations (S.L. 399.28) provide specific privacy rules which are relevant to the telecoms sector, which go beyond the general provisions of the GDPR. Any person suffering any loss or damage as a result of an undertaking’s breach of these privacy rules is entitled to refer the matter to the Maltese Courts to seek compensation from that other person for the loss or damage suffered.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
No specific restrictions apply.
Are there specific requirements for the validity of an electronic signature?
Regulation (EU) 910/2014 (known as the eIDAS Regulation) regulates the use of electronic signatures and related trust services for electronic transactions in the internal market. The eIDAS Regulation has direct effect in Malta and sets out the validity requirements for electronic signatures, and the Maltese legislator has taken the approach of retaining the text of the Regulation as directly effective in Malta, rather than replicating those requirements in a specific Maltese statute. It is relevant to note that the Electronic Commerce Act (Chapter 426, Laws of Malta) was duly amended by Act XXX of 2016 in the light of the eIDAS Regulation, removing from the Maltese statute book concepts that were conflicting with the eIDAS Regulation.
Under the Regulation, a 'qualified electronic signature' has the same effect as a handwritten signature (Article 25(2)) as long as it was created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures (Article 3(12)). The validity requirements for a qualified electronic signature are set out in Article 26 and Annexes I and II of the Electronic Identification Regulation and include the following: the signature must be uniquely linked to the signatory (Article 26(a)), the qualified electronic signature creation device must have appropriate technical and procedural measures to ensure that the confidentiality of the signature is assured (Paragraph 1(a), Annex II) and the qualified certificate for electronic signatures must clearly indicate the name or pseudonym of the signatory (Paragraph (d), Annex I).
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No, this would not be the case, unless it is explicitly agreed between the parties.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
In spite of the fact that the Maltese government is exploring the regulation of AI and has launched a public consultation on the matter, there still exists quite some legal uncertainty with respect to AI liability. Under current general contract and tort rules found in our Civil Code (Chapter 16, Laws of Malta) this analysis would require a review of the warranties, representations and limitations established in the software agreement (whether it is a licensing, development or sale agreement) and also a consideration of the link of causation between the malfunction and any material damages resulting from that malfunction which may have been suffered by the user or licensee of that software or any third party.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) obligations as to the maintenance of cybersecurity; and
Maltese legal instruments dealing with various aspects of cybersecurity include the following:
- the Maltese Criminal Code provisions dealing with cybercrime under a chapter heading entitled ‘Of Computer Misuse’;
- the Processing of Personal Data (Electronic Communications Sector) Regulations (SL 586.01);
- the Electronic Communications Networks and Services (General) Regulations (SL 399.28); and
- the Council of Europe Cybercrime Convention, to which Malta has been a signatory since 2001, and which was ratified in April 2012.
b) the criminality of hacking/DDOS attacks?
The Maltese Criminal Code provisions dealing with cybercrime under a chapter heading entitled ‘Of Computer Misuse’.
What technology development will create the most legal change in your jurisdiction?
The Maltese communication sector is working hard to keep up with rapid technological development and new business models for the provision of communication services. Consumer and business needs are changing, driving new technological demands which, in turn, have increased the demand for bandwidth. The use of cloud-based services is on the rise, as is the use of connected devices and services, many of which are bandwidth intensive. The need for data is growing, and showing no signs of stopping, highlighting the need for resilient, consistent and high-quality network services for a variety of different customers. Local undertakings within the sector have also started to look into implementing 5G networks that could provide far greater speeds than those currently being offered on the market.
On the other hand, the MCA is also gearing itself towards responding to the above-mentioned demands and advancements in new technology and it also plans to focus on the following matters (among others):
- maintaining conditions for a multi-player scenario in the Next Generation Access environment;
- facilitating the deployment of Next-Generation-Access Networks;
- development of the Radio Spectrum Potential (development of a national radio frequency spectrum management strategy and review of the National Frequency Plan);
- the introduction of a national roadmap for spectrum in the 700MHz band in order to initiate the process of providing the necessary spectrum for 5G by 2021;
- ensuring that net neutrality principles are adhered to in line with the EU Telecoms Single Market Regulation;
- monitoring mobile operators to ensure that they are observing the obligations set out in the roaming Regulations;
- keeping an eye on the development of the Internet of Things (IoT) with the aim of facilitating innovation and investment;
- monitoring the provisions of the newly implemented national legislation that was required to ensure legal consistency with eIDAS Regulation;
- updating and publishing a revised National Broadband Strategy, which will reflect the European Commission’s communication ‘Towards a European Gigabit Society’ and the 5G action plan; and
- development of satellite and space communications services in line with the Malta National Space Policy.
Market reviews are also on the table. In fact, the MCA will continue to observe the implementation of current ex-ante remedies ensuing from the analysis that it had conducted in the past with respect to the pertinent markets. Moreover, the MCA will continue to assess and observe the relevant electronic communications markets to ensure that market review decisions remain applicable and that remedies are congruous to any changes in the markets since the previous review. The MCA has declared that it will strive throughout 2018 to review the following wholesale electronic communications markets:
- wholesale local access provided at a fixed location market (Market 3a); and
- wholesale central access provided at a fixed location for the mass-market products market (Market 3b).
On a separate note, the MCA is in the process of revising its Amateur Radio Licensing framework. Currently, the MCA issues licences to individuals holding a valid radio qualification. Because the general principles regarding the current amateur radio licensing framework were drawn up a long time ago, the MCA deems that it is necessary to review and update this framework to regulate this service in an effective manner and to apply the ‘best practice’ licensing principles. Interested stakeholders were invited to submit their opinion by 2 February 2018.
As a result of the aforesaid public consultation process the MCA has submitted proposals to the Maltese government to adopt revisions to the Amateur Radio licensing regime. MCA's proposals are still being considered by the government.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
No obvious legal provision or regime exists that appears to be creating a meaningful impediment to Malta’s economic development.
Do you believe your legal system specifically encourages or hinders digital services?
The Maltese Government’s efforts to embrace new technologies such as AI and cryptocurrencies indicate that the legislator is dedicating significant time, energy and resources to sustain the rapid development of digital services in Malta. With Malta being located on the fringes of the European Union, digital services have represented the single biggest development in Malta’s economy in the past 20 years.
Moreover, technologically neutral laws are being implemented in most areas, enabling digital services to develop to their fullest potential without limitations relating to the channel of distribution.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
In March 2019, the Maltese Parliamentary Secretary for Financial Services, Digital Economy and Innovation within the Office of the Prime Minister launched a high-level policy document on artificial intelligence: “Malta: Towards an AI Strategy”, which was issued for public consultation. By implementing a legal and ethical framework for the implementation of artificial intelligence, the Maltese government aims to attract leading artificial intelligence companies to Malta and to increase local start-up activity in Malta.