Lexology 2018 Q&A Report on Data Security & Cybercrime in Malta
Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
Malta has been proactive in the implementation and development of its national data protection legal framework and is fully compliant with EU standards and best practice. Accordingly, Malta is a member of the EU Article 29 Data Protection Working Party and actively and periodically ensures that all of its policies and best practices are in line with those established by the working party.
From a commercial and practical perspective, Malta’s development as a hub for e-commerce, remote gaming and payment services has played a significant role in keeping its national data protection laws ahead of the curve.
Are any changes to existing data protection legislation proposed or expected in the near future?
The General Data Protection Regulation is set to come into force on May 25 2018. As a result, certain policies and practices previously adopted by the Office of the Information and Data Protection Commissioner are expected to undergo changes. However, it is unclear whether these changes will be adopted by way of a legal instrument (ie, a law or regulation) or by updating the Office of the Information and Data Protection Commissioner’s policies.
To this end, it is pertinent to note that on 13 March 2018 the Minister for Justice, Culture and Local Government submitted his proposal for the First Reading in Parliament of the Data Protection Bill, which will effectively implement the GDPR principles into Maltese legislation.
What legislation governs the collection, storage and use of personal data?
The Data Protection Act (Chapter 440 of the Laws of Malta) and its subsidiary legislation seek to protect individuals against violations of their privacy through the processing of their personal data.
The ‘processing’ of data effectively refers to the processing (automated, mechanical, manual or otherwise) of a person’s data in a filing system or in what is intended to form part of a filing system.
Scope and jurisdiction
Who falls within the scope of the legislation?
The Data Protection Act applies to:
- data controllers established in Malta;
- data controllers in a Maltese embassy or high commission outside Malta; and
- equipment used for data processing situated in Malta, even where the data controller is located outside the European Union.
What kind of data falls within the scope of the legislation?
‘Personal data’ is defined as any information relating to an identified or identifiable natural person (ie, a physical person and not a company or similar legal person).
A person is considered to be identifiable when he or she can be identified, directly or indirectly by reference to an identification number or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
Data relating to companies and organisations (including addresses, phone numbers and email addresses) are excluded from the Data Protection Act’s remit.
Are data owners required to register with the relevant authority before processing data?
Yes. A data controller must register with the Office of the Information and Data Protection Commissioner notifying his or her intention to process data before undertaking such operations. Data controllers must also notify the office regarding:
- the appointment or removal of a personal data representative; and
- the planned transfer of personal data to countries outside the European Union.
Registration with the Office of the Information and Data Protection Commissioner involves an annual notification fee of €23.29, although certain exemptions exist for non-profit organisations and small businesses.
The aforementioned notification obligation is subject to change with the coming into effect of the GDPR provisions. Indeed, the GDPR states that the notification obligation produced administrative and financial burdens and that it should therefore be abolished. The Office of the Information and Data Protection Commissioner has confirmed that the notification requirement will be abolished as from 25 May 2018, meaning that compliance with data protection obligations will be automatic and will no longer involve any notification obligation.
Is information regarding registered data owners publicly available?
Yes. A request for information must be made to the Office of the Information and Data Protection Commissioner.
Is there a requirement to appoint a data protection officer?
The appointment of a data protection officer (referred to by Maltese law as a ‘data protection representative’) is not mandatory.
Which body is responsible for enforcing data protection legislation and what are its powers?
The Office of the Information and Data Protection Commissioner is responsible for enforcing data protection legislation. It has the power to:
- create and maintain a public register of all processing operations;
- exercise control and verify whether the processing is carried out in accordance with the Data Protection Act;
- receive reports from data subjects on violations under the Data Protection Act and to take remedial action;
- issue such directions as may be required;
- institute civil or legal proceedings in the case of violations under the Data Protection Act;
- inform and advise the general public of the provisions under the Data Protection Act;
- order the blocking, erasure or destruction of data;
- impose a temporary or definitive ban on data processing;
- warn or admonish a data controller;
- advise the government on the promulgation of legislation;
- draw up annual reports on commission activities;
- collaborate with other supervisory authorities;
- carry out the functions assigned under the Freedom of Information Act;
- impose administrative fines in the case of contravention of data protection legislation; and
- obtain access to personal data on request.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
The processing of personal data is allowed by law only if:
- the data subject gives his or her unambiguous consent;
- it is necessary for the performance of a contract to which the data subject is party. If the data controller is not party to the contract, it may still process the information when the data subject requests it for this reason;
- it is necessary to fulfil a legal obligation by the data controller;
- it is necessary to protect the data subject’s vital interests;
- it is necessary for carrying out an activity in the public interest or in the exercise of official authority; or
- it is necessary for the purpose of a legitimate interest of the controller, insofar as that interest will not violate the data subject’s fundamental rights and freedom.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Although the Data Protection Act states that personal data should not be kept for “a period which is longer than is necessary” having regard to the purposes for which the data is processed, there are no objective timeframes provided for specific categories of data. However, it is possible for data controllers to draft their own customised data retention policies and submit them to the Office of the Information and Data Protection Commissioner for review and approval.
Telecommunications companies and internet service providers that fall within the parameters of the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary legislation 440.01) must retain data required to:
- trace and identify a communication’s source;
- identify a communication’s destination;
- identify a communication’s date, time and duration;
- identify the type of communication;
- identify users’ communication equipment or what purports to be their equipment; and
- identify the location of mobile communication equipment.
Where the communication’s data relates to internet access and email logs, the retention period is six months from the date on which the communication was created.
Conversely, where the communication data relates to fixed network or internet telephony, the data must be retained for one year from the date on which the communication was created.
Under the same regulations, the police are granted the power to issue an order for the conservation of data by a data controller. Where such an order has been issued, the service provider must conserve the data:
- for a further six months following the basic retention period outlined above (subject to a two-year maximum). If such order is issued by a magistrate or a competent court, the retention obligation may exceed two years; or
- for criminal proceedings which have been commenced within the above retention periods, the data controller may be obliged to retain the relevant data for such time as may be necessary until the conclusion of the proceedings.
Do individuals have a right to access personal information about them that is held by an organisation?
The data subject has the right to access any personal data held by a data controller in his or her regard, provided that such requests are made by the individual at reasonable intervals.
The law requires that data controllers provide the following information on request:
- actual information about the individual data subject that has been processed;
- where the data was collected;
- the recipients of the processed data;
- the purpose of processing the data; and
- a simple explanation of the automated processes involved in processing the data.
Do individuals have a right to request deletion of their data?
If the data subject requests it, the data controller must immediately rectify, block or erase personal data that has not or is not being processed in accordance with the provisions of the Data Protection Act and its subsidiary legislation.
In such circumstances, the data controller must also notify all other third-party data controllers to whom it may have disclosed such data. This notification is not required in circumstances where it would involve a disproportionate effort.
Is consent required before processing personal data?
Yes. The data subject must give his or her consent freely and unambiguously.
If consent is not provided, are there other circumstances in which data processing is permitted?
Data may be processed without consent where the processing is required:
- for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
- for compliance with a legal obligation to which the controller is subject;
- in order to protect the data subject’s vital interests;
- for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
- for a purpose that concerns a legitimate interest of the data controller or of a third party to whom the personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and – in particular – the right to privacy.
Sensitive personal data may be processed without consent where:
- the data subject has made the data public;
- the data controller can comply with his or her duties or exercise his or her rights under any law regulating the conditions of employment;
- the vital interests of the data subject or another person will be protected and the data subject is physically or legally incapable of giving his or her consent;
- legal claims will be able to be established, exercised or defended;
- a body of persons (not being a commercial body or entity with political, philosophical, religious or trade union aims) is processing sensitive data concerning its own members or other persons who are in regular contact with the body (for internal purposes);
- the processing is for health and hospital care purposes, provided it is necessary for preventative medicine and the protection of public health, medical diagnoses, healthcare or the treatment or management of health and hospital care services; or
- the processing is for research and statistical purposes, provided that it is necessary for the public interest.
What information must be provided to individuals when personal data is collected?
In all cases where data is collected for processing, the data controller must provide the following information to the data subject:
- the identity and habitual residence or principal place of business of the data controller and any other person authorised by him or her in that capacity;
- the purpose of the data processing;
- any information relating to the recipients, whether the reply to any questions asked is mandatory or not; and
- information about the right of access.
In all cases where data is obtained from a third party in order to contact the data subject, the same information as above must be provided to the data subject with respect to the data controller who acquired the data from the other data controller.
Data security and breach notification
Are there specific security obligations that must be complied with?
A data controller must implement appropriate technical and organisational measures to protect personal data against destruction, loss or any form of unlawful processing. Security measures must consider:
- available technical possibilities;
- the cost of implementing the security measures;
- special risks that exist in the processing of personal data; and
- the sensitivity of the personal data being processed.
Are data owners/processors required to notify individuals in the event of a breach?
The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01), which implement EU Regulation 611/2013, impose an obligation on electronic communications providers to notify any personal data breach to the subscriber or individual concerned. This notification must be made when the breach is likely to adversely affect the personal data or privacy of the person involved, and it is made in addition to the notification that must be made to the Office of the Information and Data Protection Commissioner.
The notification obligation to the subscriber or individual may be waived only if encryption measures have been undertaken by the electronic communications provider to the Office of the Information and Data Protection Commissioner’s satisfaction, rendering the data concerned unintelligible to an unauthorised person.
The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately, and without undue delay, notify any users concerned of the possible risks and remedies available, as well as contact points for more information. Where the Communications Authority – the authority responsible for network security in Malta – determines that the network security breach is in the public interest, it may inform the public or require the undertaking concerned to do so accordingly.
Are data owners/processors required to notify the regulator in the event of a breach?
While there is no clear general obligation established in the Data Protection Act regarding the notification of unauthorised access to the information held by data controllers, providers of publicly available electronic communications services are subject to such an obligation. Such providers must notify a personal data breach to the Office of the Information and Data Protection Commissioner immediately.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes. Regulation 5 of the Processing of Personal Data (Electronic Communications Sector) Regulations, which implements the provisions of the EU Privacy and Electronic Communications Directive (2002/58/EC), requires data controllers to obtain the data subject’s prior consent for processing his or her personal data, unless it is strictly necessary for the provision of an information society service.
Data collected by a data controller cannot be used for direct marketing without the data subject’s express consent. The data controller must make it clear to the data subject that he or she has the right to opt out whenever he or she wishes.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Such transfers may be effected by the data controller if the data subject has given his or her unambiguous consent or if the transfer:
- is necessary for the performance or conclusion of a contract between the data subject and the data controller;
- is necessary for the performance or conclusion of a contract between the data subject and a third party;
- is necessary on the grounds of public interest or for the establishment, exercise or defence of legal claims;
- is necessary to protect the data subject’s vital interests; or
- is made from a public register that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, provided that the conditions for consultation set out in the law are fulfilled in the particular case.
Are there restrictions on the geographic transfer of data?
The Third Country (Data Protection) Regulations (Subsidiary Legislation 440.03) provide that before transferring personal data to a third country, data controllers are required to notify the Office of the Information and Data Protection Commissioner about any transfers of data that may be involved as part of a processing operation. The transfer of data to third countries (ie, a country not included in the list maintained by the commissioner for this purpose) may be made only:
- to a country that ensures an adequate level of protection (to be decided by the commissioner on a case-by-case basis);
- to a country that does not ensure an adequate level of protection and the commissioner has made an exemption; or
- with the data subject’s unambiguous consent.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Sensitive personal data may be transferred to a third party only if a data subject explicitly consents thereto.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Penalties for non-compliance depend on the level of breach. The courts may impose the following penalties:
- Level 1: a fine between €120 and €600 and/or a maximum of one month’s imprisonment;
- Level 2: a fine between €250 and €2,500 and/or one to three months’ imprisonment; or
- Level 3: a fine between €2,500 and €23,300 and/or three to six months’ imprisonment.
The Office of the Information and Data Protection Commissioner may impose the following fines without recourse to a court hearing:
- Level 1: a fine between €120 and €600 or a daily fine between €20 and €60;
- Level 2: a fine between €250 and €2,500 or a daily fine between €25 and €250; or
- Level 3: a fine between €2,500 and €23,300 or a daily fine between €250 and €2,500.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes. A data subject may, by way of an application filed before the court, exercise an action for damages against any data controller who processes data in contravention of the Data Protection Act. Such action must be instituted by the data subject within 12 months from the date on which he or she becomes aware or could have become aware of the circumstances causing the damage.
While there is no specific provision on the size of damages that may be awarded for a breach of a data subject’s rights, the basic principles of Maltese tort law would require the data subject to prove the value of actual damages suffered and any lost earnings caused by such a breach.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Yes. Maltese laws dealing with various aspects of cybersecurity include:
- the Criminal Code, which deals with cybercrime in the chapter entitled ‘Of Computer Misuse’;
- the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01); and
- the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28).
Malta has also been a signatory to the Council of Europe Cybercrime Convention since 2001, which was ratified in April 2012.
It is worth noting that the Malta Critical Infrastructure Directorate (CPID), which operates within the portfolio of the Ministry of Home Affairs and National Security (MHAS) in Malta, has recently issued a draft Legal Notice for public consultation regarding Malta’s transposition of EU Directive 1148 of 2016 on Security of Network and Information Systems (the ‘NIS Directive’). This Directive represents the first EU-wide rules on cybersecurity. Interested parties and stakeholders were invited to review the draft Legal Notice and provide their feedback and proposals. The deadline for submission of feedback was 11 April 2018, following which submissions will be duly considered by the Ministry in finalising a draft text for tabling before Parliament.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The principal international standard adopted by data-centric businesses in Malta with regard to managing their data security is International Organisation for Standardisation Standard 27001. There is no obligation to adopt this standard, but it is encouraged in both the public and private sectors and serves to demonstrate efforts towards taking adequate cybersecurity measures. This standard is duly recognised in the Malta Cyber Security Strategy 2016.
Which cyber activities are criminalised in your jurisdiction?
The Criminal Code criminalises unlawful access to, or use of, information, particularly through the use of computers or other devices. The following actions may result in a criminal offence:
- the unlawful use of a computer or other device or equipment to access any data;
- unauthorised activities that hinder access to any data;
- unlawful disclosure of data or passwords; and
- the misuse of hardware.
Which authorities are responsible for enforcing cybersecurity rules?
The Office of the Information and Data Protection Commissioner is empowered to regulate and enforce cybersecurity aspects of personal data processing.
The Communications Authority is the authority responsible for enforcing the security of Malta’s public communication networks.
The Maltese police are responsible for detecting, investigating and prosecuting cybercriminals, primarily through a specialised team – known as the Cyber Crime Unit.
Other industry-specific authorities, such as the Financial Service Authority and the Gaming Authority, are the relevant authorities to report to for operators holding licences issued by such authorities.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Insurance coverage for cybersecurity is available in Malta. However, it is uncommon for businesses to obtain such coverage.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No – companies are not specifically required to keep records of cybercrime threats, attacks and breaches.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of services or a network, the provider must notify the Communications Authority and any users concerned appropriately and without undue delay. Serious and significant breaches are to be notified to the authority, which will inform regulatory authorities in other EU member states and the European Network and Information Security Agency where appropriate.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No – there is no legal obligation to publicly report any cybercrime threats, attacks and breaches.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The criminal penalties provided for under the Criminal Code for cybersecurity offences are a maximum fine of €150,000, a maximum of four years’ imprisonment or both.
What penalties may be imposed for failure to comply with cybersecurity regulations?
The Data Protection Act imposes penalties which may consist of fines between €120 and €23,300 and a maximum of six months’ imprisonment. The criminal penalties vary depending on the provisions of the act being breached. Other breaches of the act may result in administrative fines, ranging from one-time fines of up to €23,300 and daily fines of up to €2,500, depending on the provisions of the act being breached.
In the remote gaming sector, if operators are found to be in breach of their information security policy and system access control policy, the Gaming Authority may take action to ensure compliance. If the operator is found to be in breach, administrative fines may be imposed. In the financial sector, the Financial Services Authority reserves the right to impose penalties on non-compliant licence holders. These range from the revocation or restriction of a licence to the imposition of administrative penalties if found to be in breach of law.