31 July 2018
The long-awaited General Data Protection Regulation (GDPR) finally entered into force on 25 May 2018. The GDPR is an EU regulation with direct effect in EU member states. Therefore, this is now the primary source of law regulating data protection and the processing of personal data in Malta.
That said, the GDPR allows member states some flexibility to regulate certain areas of the law within specific parameters. Accordingly, Malta recently enacted a new Data Protection Act (Chapter 586 of the Laws of Malta, which repealed and replaced the old Chapter 440), together with a set of subsidiary laws which regulate sector-specific data protection issues.
The new Chapter 586 and the collection of subsidiary laws complement and must be read with the GDPR. Therefore, it is important for all organisations – whether they are data controllers or data processors – to be aware of this comprehensive regulatory regime and not simply rely on the GDPR.
This update summarises the changes that have been brought about by the new act and the subsidiary laws in Malta. Of course, organisations established in Malta that process personal data which may be governed by the laws of a foreign jurisdiction (eg, by targeting services to data subjects established in another country or processing the personal data of data subjects that reside in another country) must also be aware of any country-specific data protection laws which might affect their processing activities.
As expected, the new Data Protection Act caters for certain standard provisions. For instance, it regulates the establishment and powers of the Office of the Information and Data Protection Commissioner (IDPC) and stipulates procedural rules as to how the IDPC can investigate claims, institute prosecution and impose fines. It also regulates appeal procedures.
The new act recognises the extended regulatory reach of data protection laws in order to reflect the wider scope that the GDPR mandates. Therefore, the law now also applies to controllers and processors not established in the European Union that process the personal data of individuals (ie, data subjects) who are in Malta where the processing relates to:
Additionally, as with the old act, Chapter 586 contains special rules relating to the processing of personal data for journalistic, research, archiving, historical and statistical purposes. It also regulates certain derogations for public interest and security purposes.
However, of key interest are the following new provisions.
Consultation and prior authorisation obligations
Under the new act, a data controller must consult with, and obtain prior authorisation from, the commissioner where the controller intends to process, in the public interest:
Processing of identification cards
Under the GDPR, EU member states are free to set their own rules regarding the processing of national identification numbers. The new act provides that an identity document can be processed only when doing so is clearly justified, having regard to:
The new obligation set out by the GDPR and reflected in the act is that a national identity number or any other identifier of general application must be used only under appropriate safeguards to protect the rights and freedoms of the data subject.
Administrative fines for public authorities
As mentioned above, the IDPC can impose the administrative fines set out in the GDPR, which can reach up to €20 million or 4% of global group turnover – whichever is higher.
The GDPR allows EU member states to determine whether administrative fines will be imposed on public and government authorities in the respective state. In Malta, the IDPC can impose administrative fines on a public or government authority; however, depending on the nature of infringement, these fines will be capped at:
Criminal offences – fines and imprisonment
In addition to the administrative fines that can be imposed in cases of GDPR infringement, the act provides that any person who knowingly provides false information to the commissioner or does not comply with any lawful request pursuant to an investigation by the commissioner will be guilty of an offence. Any conviction will result in a fine of no less than €1,250 and no more than €50,000, imprisonment for six months or both.
Of course, officers of a company should be vigilant in this regard, as this implies personal criminal liability.
Damages – including moral damages
Under the old act, in addition to pursuing a complaint with the IDPC, aggrieved data subjects could institute an action for an effective judicial remedy against the controller concerned. The GDPR and the new act restate this; however, this time data processors are also in the line of fire. This remedy may include instituting a damages action against the relevant controller or processor.
Of particular interest in the Maltese scenario is how the GDPR provides that any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. As a result, the new act provides that if a court finds the controller or processor liable for the damage caused, the court will set out the amount of damages factoring in moral damages.
Moral damages in terms of data protection are novel in Malta. This concept is also somewhat testing in the context of Maltese law, which has rarely contemplated awarding moral non-pecuniary damages. How the Maltese courts will apply this in practice is not yet known. That said, caution must be exercised, as compensation will be awarded for non-material damage, such as reputational or psychological distress caused by a breach of data protection law.
Such actions are time barred after 12 months from the date on which the data subject became aware, or ought to have reasonably become aware, of such contravention – whichever is earlier.
While the GDPR allows EU member states to regulate other aspects of the law, Malta has yet to do so. For instance, the following have been left up to member states:
In addition to the new Data Protection Act, the Maltese legislature has re-enacted certain subsidiary laws that applied under the old regime. These include regulations which transposed the EU E-Privacy Directive into Maltese laws. The EU E-Privacy Directive regulates the processing of personal data in the context of e-communications and is highly relevant in the context of marketing and the use of web-cookies and similar tracking technologies, among other things. Other sector-specific regulations relate to:
Further, with the onset of the GDPR, four new subsidiary laws have been enacted:
One of the main goals of the GDPR is to consolidate and harmonise data protection laws across the European Union, introducing measures to simplify cross-border procedures (including the 'one-stop-shop' concept). Nevertheless, the reality is that EU member states still retain a degree of discretion to introduce derogations or sector-specific conditions. These vary between countries and industries, and divergences will likely increase over time.
Considering that there may be personal criminal liability for offences, compensation for real and moral damages, and significant fines imposed, data controllers and processors alike now face the arduous task of staying on top of these legislative developments and remaining in touch with the ever-growing collection of 'official' guidance being issued on so many subjective aspects of the law. It is only a matter of time before some or all of these changes will be put to the test.
For further information on this topic please contact Paul Gonzi at Fenech & Fenech Advocates by telephone (+356 2124 1232) or email (email@example.com). The Fenech & Fenech website can be accessed at www.fenechlaw.com.