Legislation
The General Data Protection Regulation
Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, commonly referred to as the “General Data Protection Regulation” or “GDPR”, entered into force on 24 May 2016 and started applying from 25 May 2018. The GDPR is an essential step to strengthen individuals' fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. The GDPR allows individuals to better control their personal data. It also modernises and unifies rules, allowing businesses to reduce red tape and to benefit from greater consumer trust. The GDPR also establishes a system of completely independent supervisory authorities in charge of monitoring and enforcing compliance, of which the IDPC forms part. Arguably, the GDPR is the most comprehensive and significant component of the EU data protection law reform, along with the Law Enforcement Directive, which is also described here below.
The Data Protection Act and Subsidiary Legislation
On the 28 May 2018, Malta further implemented and specified the provisions of the GDPR by means of Act XX of 2018 of Parliament, the Data Protection Act, recorded under Chapter 586 of the Laws of Malta. The new Data Protection Act repealed and replaced the former Data Protection Act (Chapter 440 of the Laws of Malta), which remained in force for nearly two decades and effectively shaped the central role of data protection in the Maltese jurisdiction, along with the functions of the IDPC.
The Data Protection Act also conforms to the principles of the Convention of the Council of Europe for the Protection of Individuals Regarding Automatic Processing of Personal Data, the first legally binding instrument recognising the international dimension of data protection by introducing measures to safeguard the rights of individuals against abuses in the collection and processing of their personal data, and to regulate the trans-frontier flow of personal data. The Republic of Malta ratified the Convention in 2003. Subsequently, the Convention was supplemented by a number of additional protocols, including the recent modernisation into the “Convention 108+” of 2018.
By virtue of his powers, the Minister responsible for data protection has issued Legal Notices laying down further requirements in relation to certain specific aspects of data protection. These are compiled here below:
Subsidiary Legislation 586.01 – Processing of Personal Data (Electronic Communications Sector) Regulations. These Regulations govern the processing of personal data within the electronic communications sector, establishing specific rules applicable to providers operating in this field.
Subsidiary Legislation 586.02 – Notification and Fees (Data Protection Act) Regulations. These regulations revoked the obligation to notify all processing operations to the IDPC, and to pay the corresponding fee.
Subsidiary Legislation 586.03 – Third Country (Data Protection Act) Regulations. These regulations revoked the rules previously in force concerning transfers of personal data to countries which are not Member States of the European Union. The discipline concerning transfers of personal data to third countries or international organisations is currently found in Chapter V of the GDPR.
Subsidiary Legislation 586.04 – Processing of Personal Data (Protection of Minors) Regulations. These regulations give any teacher, member of a school administration, or person acting in loco parentis or in a professional capacity in relation to a minor, the capacity to collect and in any other way process personal data in relation to that minor without the need to request the parents’ consent, as long as the processing is in the best interest of the minor. The provisions of this Act are without prejudice to the obligation to consult and, or obtain prior authorisation by the IDPC, as the case may be.
Subsidiary Legislation 586.05 – Transfer of Personal Data to Third Countries Order. These regulations revoked the former Minister’s order on transfers of personal data to certain third countries for specific purposes.
Subsidiary Legislation 586.06 – Processing of Personal Data for the Purposes of the General Elections Act and the Local Government Act Regulations. These regulations stipulate that personal data, including sensitive personal data, the processing of which is provided for in the General Elections Act (Chapter 354 of the Laws of Malta) and in the Local Government Act (Chapter 363 of the Laws of Malta), may be processed by any person entitled to process such data for the purpose of the implementation of the General Elections Act and the Local Government Act.
Subsidiary Legislation 586.07 – Processing of Personal Data (Education Sector) Regulations. These regulations set forth specific provisions applicable to data processing operations carried out by controllers operating within the education sector.
Subsidiary Legislation 586.08 – Data Protection (Processing of Personal Data by Competent Authorities for Law Enforcement Purposes) Regulations. These Regulations implement rules relating to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, in line with the Law Enforcement Directive.
Subsidiary Legislation 586.09 – Restriction of the Data Protection (Obligations and Rights) Regulations. Article 23 of the GDPR lists a number of requirements to be met in order for a measure restricting the rights of the data subjects and certain obligations of the controller to be lawfully relied upon. Restrictions must respect the essence of the fundamental rights and freedoms and must be a necessary and proportionate measure in a democratic society to safeguard certain primary conditions. Further to this, restrictions must be foreseeable and laid down by Union or Member State law. One of these legislative measures is Subsidiary Legislation 586.09, which indicates the grounds based on which restrictions may apply, along with the necessary conditions and safeguards. These Regulations provide for the restriction of certain data protection rights and obligations in specified circumstances, where such restrictions are necessary and justified under the applicable legal framework.
Subsidiary Legislation 586.10 – Processing of Data concerning Health for Insurance Purposes Regulations. These regulations reconcile the specific processing operations attached to the business of insurance and to insurance distribution activities, which may involve processing of data concerning health. In essence, processing personal data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities, without prejudice to the implementation of suitable and specific measures designed to safeguard the fundamental rights and freedoms of data subjects.
Subsidiary Legislation 586.11 – Processing of Child’s Personal Data in Relation to the Offer of Information Society Services Regulations. Information society services are services provided for remuneration, at the request of the recipient and at a distance during the connection of electronic devices by an electronic communication network. Taking into account the risks of processing personal data of children in providing them with information society services, article 8 of the GDPR provides that the processing of the personal data of a child in relation to the offer of information society services directly to the child shall be lawful where the child is at least 16 years old. The same provision stipulates that where the child is below the age of 16 years, the processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Article 8 of the GDPR foresees that Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years. Subsidiary Legislation 586.11 does so by lowering that age to 13 years.
Subsidiary Legislation 586.12 – Enforcement of Rights of the Data Subjects in relation to Transfers of Personal Data to a Third Country or an International Organisation Regulations. The scope of these regulations is to establish rights in Maltese law for third party beneficiaries with respect to transfers of personal data to a third country or an international organisation.
Subsidiary Legislation 586.13 – Data Protection (Fair Access to and Use of Data) Regulations. These Regulations implement the requirements of Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act).
Subsidiary Legislation 586.14 – Artificial Intelligence (Designation of the Information and Data Protection Commissioner for the purposes of Regulation (EU) 2024/1689) Regulations. These Regulations implement the provisions of Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act).
The Law Enforcement Directive
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, also referred to as the Law Enforcement Directive, ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims or suspects.
The Law Enforcement Directive, which is also part of the EU data protection reform package, establishes a comprehensive framework to ensure a high level of data protection, while taking into account the specific nature of the police and criminal justice field. It contributes to increased trust and facilitates cooperation in the fight against crime in Europe by harmonising the protection of personal data by law enforcement authorities in EU Member States and Schengen countries.
Directives are binding legislative acts addressed to Member States setting out goals to be achieved in a consistent manner. Malta implemented the Law Enforcement Directive into Subsidiary Legislation 586.08, titled “Data Protection (Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties) Regulations”. The Act specifies and implements the objectives of the Law Enforcement Directive into national law, taking into account the peculiarities of the Maltese police and criminal justice system, and designates the IDPC as the independent public authority established in Malta responsible for monitoring the application of the national implementation of the Law Enforcement Directive.
The e-Privacy Directive
Information is exchanged through public electronic communication services such as the internet, mobile and landline telephony and via their accompanying networks. These services and networks require specific rules and safeguards to ensure the users’ right to privacy and confidentiality. These were introduced by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, also known as “e-Privacy Directive”. The e-Privacy Directive was a milestone in the regulation of data protection in the electronic communications sector by setting out rules to ensure security in the processing of personal data, the notification of personal data breaches, and confidentiality of communications. As a general rule, it also bans unsolicited communications where the user has not given their consent. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 intervened to bring amendments to the e-Privacy Directive as part of the EU's telecoms reform package.
The e-Privacy Directive and its subsequent amendments were enacted into Maltese law by means of Subsidiary Legislation 586.01, titled “Processing of Personal Data (Electronic Communications Sector)”. The IDPC has a primary role in these regulations, and it is assigned with a wide range of powers to verify compliance thereof by providers of publicly available electronic communications services.
Re-Use of Public Sector Information
Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and reuse of public-sector information lays down the legal framework for the reuse by persons or legal entities of documents held by public-sector bodies or public undertakings such as geographical, land registry, statistical or legal information and of publicly funded research data. The core principle of the Directive is that public and publicly funded data should be reusable for commercial or non-commercial purposes. In doing so, the Directive aims at boosting the socioeconomic potential of public sector information by promoting competition and transparency in the information market, and it is part of a package of measures designed to reinforce the EU’s data economy, including the development of artificial intelligence.
The provisions of the Directive were implemented into Chapter 546 of the Laws of Malta, titled “Re-Use of Public Sector Information Act”, which also appointed the IDPC as the regulatory authority responsible for the monitoring of the implementation of the Act.
Freedom of Information Act
As part of its regulatory functions, the IDPC is entrusted with promoting the observance by relevant public authorities of the requirements of the Freedom of Information Act, recorded as Chapter 496 of the Laws of Malta. The Freedom of Information Act gives people a general right of access to information held by most public authorities. Aimed at promoting a culture of openness and accountability across the public sector, it enables a better understanding of how public authorities carry out their duties. Under the Freedom of Information Act, eligible persons are entitled to request documents held by a public authority without giving reason or the need to justify their request. Eligible persons also have a right to remedy in relation to such requests, which can be exercised by lodging a complaint with the IDPC. The IDPC recognises that the Freedom of Information Act is a significant piece of legislation which merits all necessary attention, from a regulatory viewpoint, being an integral part of a democratic society built on the rule of law.
Freedom of Access to Information on the Environment
Directive 2003/4/EC of the European Parliament and of the Council on public access to environmental information was introduced with the objective of adapting the laws of the Member States to the 1998 Aarhus Convention on access to information, public participation and access to justice in environmental matters. The Directive requires that Member States guarantee that the public has access to environmental information held by, or for, public authorities, both upon request and through active dissemination. The Directive also sets out the basic terms, conditions and practical arrangements that a member of the public must respect when granted access to the requested environmental information.
In Malta, the Directive was enacted by Subsidiary Legislation 549.39, titled “Freedom of Access to Information on the Environment Regulations”. The purpose of these regulations is, apart from the transposition of the Directive, to guarantee the right of access to environmental information held by or for public authorities and to set out the basic terms and conditions of, and practical arrangements for, its exercise and to ensure that, as a matter of course, environmental information is progressively made available and disseminated to the public in order to achieve the widest possible systematic availability and dissemination to the public of environmental information.
The IDPC is competent to receive applications for decisions on infringements of these regulations by any person who has previously made a request to be provided with environmental information by a competent authority and is dissatisfied with the response obtained.
