The following is a Lexology Q&A report compiled by Dr. Andrew Zammit, Dr. Nicole Attard and Dr. Yasmine Aquilina dealing with “Data Security and Cybercrime”. GVZH is the exclusive contributor for Malta for this area.
Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
Malta has been very proactive in the implementation and development of its national data protection legal framework and is fully compliant with European standards and best practices in the area. Malta is a member of the EU’s Article 29 Data Protection Working Party and actively ensures that all policies and best practices are in line with those established by the Working Party from time to time.
From a commercial and practical perspective, Malta’s development as a hub for electronic commerce, remote gaming and payment services has played a significant role in keeping Malta’s national data protection laws ahead of the curve.
Are any changes to existing data protection legislation proposed or expected in the near future?
With the GDPR set to come into force on the 25th May 2018, we expect that certain policies and practices previously adopted by the Office of the Information and Data Protection Commissioner (“IDPC”) will undergo some change. However it is not clear at the time of writing (March 2017) whether these changes will be adopted by way of legal instrument (law or regulation) or through the updating of the IDPC’s policies.
What legislation governs the collection, storage and use of personal data?
The Data Protection Act (Chapter 440 of the Laws of Malta) (“DPA”) and its subsidiary legislation seek to provide for the protection of individuals against the violation of their privacy by the processing of personal data.
The processing of data effectively refers to the processing (whether automated, mechanical, manual or otherwise) of a person’s data in a filing system, or in what is intended to form part of a filing system.
Scope and jurisdiction
Who falls within the scope of the legislation?
Maltese Data Protection Law applies to:
- Data controllers established in Malta
- Data controllers in a Maltese Embassy or High Commission outside Malta
- Equipment used for processing and situated in Malta, even where the Controller is established outside the EU.
What kind of data falls within the scope of the legislation?
Personal data is defined as any information relating to an identified or identifiable natural person (i.e. a physical person and not a company or similar legal person).
A person is considered to be identifiable when he/she can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.
Data relating to companies and organisations (including address, phone number and e-mail address/es) are excluded from the remit of the DPA.
Are data owners required to register with the relevant authority before processing data?
Yes. A data controller must register with the IDPC, notifying his/her intention to process data prior to undertaking such data processing operations. Data controllers are also obliged to notify the IDPC about:
- The appointment or removal of a Personal Data Representative; and
- The planned transfer of personal data to countries outside the EU.
Registration with the IDPC involves an annual notification fee of Euro 23.29, although certain exemptions from the notification fee exist for non-profit organisations and small businesses.
Is information regarding registered data owners publicly available?
Yes. A request for information must be made to the IDPC.
Is there a requirement to appoint a data protection officer?
The appointment of a data protection officer (referred to by Maltese law as a “data protection representative”) is not mandatory.
Which body is responsible for enforcing data protection legislation and what are its powers?
The Information and Data Protection Commissioner is responsible for enforcing data protection legislation. The Commissioner has the following powers:
- To create and maintain a public register of all processing operations;
- To exercise control and verify whether the processing is carried out in accordance with the DPA;
- To receive reports from data subjects on violations under the DPA and to take remedial action;
- To issue such directions as may be required of him;
- To institute civil or legal proceedings in the case of violations under the DPA;
- To inform and advise the general public on the provisions under the DPA;
- To order the blocking, erasure or destruction of data, to impose a temporary or definitive ban on processing, or to warn or admonish the controller;
- To advise the Government of Malta on the promulgation of legislation;
- To draw up annual reports on his activities;
- To collaborate with other supervisory authorities;
- To carry out the functions assigned to him under the Freedom of Information Act;
- To impose administrative fines in the case of contravention; and
- To obtain access to personal data upon request.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
In all cases where personal data is processed, this is only allowed by law if:
- The data subject gives his unambiguous consent.
- It is necessary for the performance of a contract to which the data subject is party. If the controller is not party to the contract, they may still process the information when the data subject requests it for this reason.
- It is necessary to fulfill a legal obligation by the data controller.
- It is necessary to protect the vital interests of the data subject.
- It is necessary for carrying out an activity in the public interest or in the exercise of official authority.
- It is necessary for the purpose of a legitimate interest of the controller insofar as that interest will not violate the fundamental rights and freedom of the data subject.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Although the DPA states that personal data should not be kept for “a period which is longer than is necessary” having regard to the purposes for which the data is processed, there are no objective time-frames provided in the DPA for any specific categories of data. It is however possible for data controllers to draft their own customised data retention policies and submit them to the IDPC for review and approval.
Having said this, it is relevant to note that the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01) require telecommunications companies and Internet Service Providers (ISPs) falling within their scope to retain the following categories of data:
- Data necessary to trace and identify the source of a communication;
- Data necessary to identify the destination of a communication;
- Data necessary to identify the date, time and duration of a communication;
- Data necessary to identify the type of communication;
- Data necessary to identify users’ communication equipment or what purports to be their equipment; and
- Data necessary to identify the location of mobile communication equipment.
Where the communications data relates to Internet Access and email logs the retention period is that of six months from the date of communication.
Where, on the other hand, the communication data relates to fixed network telephony and Internet telephony the data must be retained for a period of one year from the date of communication.
In terms of the same regulations, the Police are granted the power to issue an order for the conservation of data by a data controller. Where such an order has been issued, the service provider shall conserve the data:
- For a further 6 months over and above the basic retention period outlined above (subject to a maximum period of 2 years). If such an order is issued by a Magistrate or a competent Court, the retention obligation may be made to exceed the 2 year period; or
- For criminal proceedings which have been commenced within the above retention periods, the data controller may be obliged to retain the relevant data for such time as may be necessary until the conclusion of the proceedings.
Do individuals have a right to access personal information about them that is held by an organisation?
The data subject has the right to access any personal data held by a data controller in his/her regard, provided that such requests are made by the individual at reasonable intervals.
The law requires that data controllers provide the following information upon request:
- Actual information about the individual (data subject) that has been processed;
- Where the data was collected;
- The recipients of the processed data;
- The purpose of the processing; and
- A simple explanation of the automated processes involved in the processing of the data.
Do individuals have a right to request deletion of their data?
If the data subject requests it, the data controller must immediately rectify, block or erase personal data that has not been or is not being processed in accordance with the provisions of the DPA and its subsidiary legislation.
In such circumstances, the data controller must also notify all other third party data controllers to whom it may have disclosed such data. This notification is not required in circumstances where it would involve a ‘disproportionate effort’.
Is consent required before processing personal data?
Yes. The data subject must give his/her consent freely and unambiguously.
If consent is not provided, are there other circumstances in which data processing is permitted?
Data may be processed without consent in the following circumstances:
- Where the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- Processing is necessary for compliance with a legal obligation to which the controller is subject;
- Processing is necessary in order to protect the vital interests of the data subject;
- Processing is necessary for the performance of an activity that is carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data is disclosed; or
- Processing is necessary for a purpose that concerns a legitimate interest of the data controller or of such third party to whom the personal data is provided, except where such interest is overridden by the interest to protect the fundamental rights and freedoms of the data subject and in particular the right to privacy.
Sensitive personal data may be processed without consent where:
- The data subject has made the data public;
- The data controller will be able to comply with his duties or exercise his rights under any law regulating the conditions of employment;
- The vital interests of the data subject or of some other person will be able to be protected and the data subject is physically or legally incapable of giving his consent;
- Legal claims will be able to be established, exercised or defended;
- Any body of persons (not being a commercial body or entity with political, philosophical, religious or trade union objects) may process sensitive data concerning its own members and other persons who are in regular contact with the body (for internal purposes);
- The processing is for health and hospital care purposes, provided it is necessary for preventative medicine and the protection of public health, medical diagnosis, health care or treatment or management of health and hospital care services; or
- The processing is for research and statistical purposes, provided that it is necessary for public interest.
What information must be provided to individuals when personal data is collected?
In all cases where data is collected for processing, the data controller must provide the following information to the data subject:
- The identity and habitual residence or principal place of business of the controller and of any other person authorised by him in that capacity;
- The purposes of the processing;
- Any further information relating to the recipients, whether the reply to any questions asked to the data subject is mandatory (and the consequences of not answering); and
- Information about the right of access.
In all cases where data is obtained from a third-party to contact the data subject, the same information as above must be provided to the data subject with respect to the data controller who acquired the data from the other data controller.
Data security and breach notification
Are there specific security obligations that must be complied with?
A data controller is bound to implement appropriate technical and organisational measures to protect personal data against destruction, loss or any forms of unlawful processing. Security measures must take into consideration the following:
- Technical possibilities available;
- Cost of implementing the security measures;
- Special risks that exist in the processing of personal data; and
- Sensitivity of the personal data being processed.
Are data owners/processors required to notify individuals in the event of a breach?
The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01), which implement Commission Regulation 611/2013, impose an obligation upon electronic communications providers to notify any personal data breach to the subscriber or individual concerned. This notification must be made when the breach is likely to adversely affect the personal data or privacy of the person involved; it is made in addition to the notification that must be made to the IDPC.
The notification obligation to the subscriber or individual may only be waived if encryption measures have been undertaken by the electronic communications providers to the satisfaction of the IDPC, rendering the data concerned unintelligible to an unauthorised person.
The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of the services or network, the provider must appropriately and without undue delay notify any users concerned of the possible risks and remedies available, as well as contact points for more information. Where the Malta Communications Authority, as the Authority responsible for network security in Malta, determines that disclosure of the network security breach is in the public interest, it may inform the public of this, or require the undertaking concerned to do so.
Are data owners/processors required to notify the regulator in the event of a breach?
Whilst there is no clear obligation established in the DPA regarding the notification of any unauthorised access to the information held by data controllers generally, providers of publicly available electronic communications services are subject to such an obligation. Such providers are required to notify the personal data breach to the IDPC without delay.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
Yes. Regulation 5 of the Processing of Personal Data (Electronic Communications Sector) Regulations, which implements the provisions of the ePrivacy Directive (Directive 2002/58/EC), requires the data controller to obtain the data subject’s prior consent for the processing of personal data, unless such processing is strictly necessary for the provision of an information society service.
Data collected by a data controller cannot be used for direct marketing without the express consent of the data subject. The data controller must make it clear to the data subject that he/she has the right to opt out whenever he/she wishes.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
Such transfers may be effected by the data controller if the data subject has given his unambiguous consent to the proposed transfer or if the transfer falls within any of the following provisions:
- it is necessary for the performance or conclusion of a contract between the data subject and the data controller;
- it is necessary for the performance or conclusion of a contract between the data subject and a third party;
- it is necessary on the grounds of public interest or for the establishment, exercise or defence of legal claims;
- it is necessary to protect the vital interests of the data subject; or
- the transfer is made from a public register that is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided that the conditions laid down in the law for consultation are fulfilled in the particular case.
Are there restrictions on the geographic transfer of data?
The Third Country (Data Protection) Regulations (Subsidiary Legislation 440.03) provide that prior to transferring personal data to a third country, data controllers are required to notify the IDPC about any transfer/s of data that may be involved as part of a processing operation. Transfers of data to third countries (i.e. a country not included in the list maintained by the IDPC for this purpose) may only be made:
- To a country that ensures an adequate level of protection (to be decided by the Commissioner on a case by case basis);
- To a country that does not ensure an adequate level of protection and the Commissioner has made an exemption; or
- With the unambiguous consent of the data subject.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Sensitive personal data may be transferred to a third party only if a data subject explicitly consents thereto.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Penalties for non-compliance depend on the level of breach. The Courts of Malta may impose the following penalties:
- Level 1: Fine between €120 and €600, imprisonment of not more than one month.
- Level 2: Fine between €250 and €2,500, imprisonment of between 1 and 3 months.
- Level 3: Fine between €2,500 and €23,300, imprisonment between 3 and 6 months.
The Data Protection Commissioner may impose the following fines without recourse to a court hearing:
- Level 1: Fine between €120 and €600, or a daily fine between €20 and €60.
- Level 2: Fine between €250 and €2,500, or a daily fine between €25 and €250.
- Level 3: Fine between €2,500 and €23,300, or a daily fine between €250 and €2,500.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Yes. A data subject may, by application filed before the Courts of Malta, exercise an action for damages against any data controller who processes data in contravention of the Act. Such action must be instituted by the data subject within twelve months from the date when the data subject becomes aware or could have become aware of any circumstances causing the damage.
Whilst there is no specific provision at law on the quantum of damages that may be awarded for a breach of the data subject’s rights, the basic principles of Maltese law on tort would require the data subject to prove the value of actual damages suffered (damnum emergens) and/or any lost earnings (lucrum cessans) caused by any data breach.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
Yes. Maltese laws dealing with various aspects of cybersecurity include the following:
- The Maltese Criminal Code, which deals with cybercrime in a chapter entitled ‘Of Computer Misuse’;
- Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary legislation 440.01); and
- The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28).
Malta has also been a signatory to the Council of Europe Cybercrime Convention since 2001; the Convention was ratified in April 2012.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
The principal international standard adopted by data-centric businesses in Malta in respect of managing their data security is the ISO 27001 standard. There is no obligation to adopt this standard. Nevertheless, its adoption is encouraged in both the public and private sectors and serves to demonstrate efforts towards taking adequate cybersecurity measures. This standard is duly recognised in The Malta Cyber Security Strategy 2016.
Which cyber activities are criminalised in your jurisdiction?
The Maltese Criminal Code criminalises unlawful access to, or use of, information, particularly through the use of computers or other devices. The following actions may result in a criminal offence: the unlawful use of a computer or other device or equipment to access any data, unauthorised activities that hinder access to any data, unlawful disclosure of data or passwords and the misuse of hardware.
Which authorities are responsible for enforcing cybersecurity rules?
The Information and Data Protection Commissioner is the authority empowered to regulate and enforce cybersecurity aspects of the processing of personal data.
The Malta Communications Authority is the authority charged with responsibility for enforcing the security of Malta’s public communication networks.
The Maltese Police Force is responsible for detecting, investigating and prosecuting cybercriminals, primarily through a specialized team called the Cyber Crime Unit.
Other industry-specific authorities, such as the Malta Financial Services Authority and the Malta Gaming Authority, are the relevant authorities to report to for operators holding licences issued by such authorities.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Insurance coverage for cybersecurity is available in Malta; however, it is not common for businesses to obtain such coverage.
Are companies required to keep records of cybercrime threats, attacks and breaches?
No. Companies are not specifically required to keep records of cybercrime threats, attacks and breaches in terms of the existing Maltese legal framework.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28) provide that where there is a significant risk of a breach of security or integrity of the services or network, the provider must notify the Malta Communications Authority (MCA), and any users concerned, appropriately and without undue delay. Serious and significant breaches are to be notified to the MCA, and where appropriate, the MCA shall inform regulatory authorities in other member states and the European Network and Information Security Agency (ENISA).
The Malta Financial Services Authority (MFSA) similarly imposes a duty on financial institutions to immediately report any security breaches to the MFSA, the Maltese Central Bank and in the event of a personal data breach, the IDPC. Operators in the investment services and insurance fields would be subject to similar duties, whether in the form of licence conditions or by regulation.
In the remote gaming sector the Malta Gaming Authority requires operators to report any breaches or attacks on their systems. These reports need to be prepared in the form of a prescribed incident report form and submitted to the Malta Gaming Authority within 24 hours of the relevant incident.
Are companies required to report cybercrime threats, attacks and breaches publicly?
No. There is no legal obligation to publicly report any cybercrime threats, attacks and breaches in terms of the existing Maltese legal framework.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
The criminal sanctions provided for in respect of the cybersecurity offences covered in the Maltese Criminal Code are of a fine (multa) of up to €150,000, up to four years of imprisonment, or both a fine and imprisonment.
What penalties may be imposed for failure to comply with cybersecurity regulations?
The Data Protection Act imposes penalties which may consist of fines ranging between €120 and €23,300 and imprisonment of not more than six months. The criminal penalties vary depending on the provisions of the Act being breached. Other breaches of the Act may result in administrative fines, consisting of one-time fines of up to €23,300 and daily fines of up to €2,500, depending on the provisions of the Act being breached.
In the remote gaming sector, if operators are found to be in breach of their information security policy and system access control policy, the Malta Gaming Authority may take adequate actions to ensure compliance. If the operator is found to be in breach, administrative fines may be imposed. In the financial sector, the Malta Financial Services Authority reserves the right to impose sanctions on non-compliant licence holders. These range from the revocation or restriction of a licence to the imposition of administrative penalties if found to be in breach of law.