Comparative Guides


FinTech
5. Data security and cybersecurity
5.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for fintech companies?
Malta

The EU General Data Protection Regulation (2016/679) (GDPR) is the applicable data protection regime in Malta.

Adherence to the cornerstone principles set out in Article 5 of the GDPR will prove especially challenging for certain fintech companies, and it is expected that a number of issues may arise which will require data protection authorities and potentially even the European Court of Justice to provide further guidance. By way of example, the purpose limitation principle may easily be at odds with innovations such as big data analytics and machine learning, since the boundaries of client consent for the processing and reprocessing of personal data become blurred in this context. The right to be forgotten also seems to be at odds with compliance requirements imposed on institutions such as financial institutions, which are required to hold client information for specified minimum periods. The double-edged sword of pseudonymisation will also need to be considered. On the one hand, the GDPR imposes a requirement to pseudonymise data, but this may also become a redundant exercise within the context of powerful machine learning algorithms which can easily re-identify data. On the other hand, compliance requirements will arise where users can operate within pseudo-anonymous environments such as public permissionless blockchains. Issues with outsourcing – which is very common within an industry composed primarily of start-ups – will also need to be configured with the GDPR framework, which may prove challenging.

For more information about this answer please contact: Priscilla Mifsud Parker from Chetcuti Cauchi Advocates
5.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for fintech companies?
Malta

The Malta Financial Services Authority (MFSA) imposes a general requirement on all applicants for a financial services licence to implement an IT and operational set-up where the company’s main servers are located in Malta. The MFSA will generally consider it good practice and recommend that the main servers of the company be located in Malta, with the possibility of having mirror servers abroad. The applicant’s cybersecurity policy will generally be included in the application and reviewed by the MFSA in order to ascertain that the proposed entity will have a robust framework in place to mitigate risks such as identity theft and financial fraud. Within the context of banks and certain financial institutions, the MFSA will also request such entities to conduct an online banking questionnaire which sets out in detail the applicant’s cybersecurity protocols.

Within the context of crypto-assets (mainly virtual financial assets and distributed ledger technology), the MFSA has issued a consultation document entitled “Guidance Notes on Cyber Security” which sets out a proposed strategy to mitigate threats and increase certainty within the context of cybersecurity in an increasingly complex digital world. The MFSA highlights that while such innovations bring about several benefits, they also present a number of new opportunities for cybercrime. The proposed guidance notes set out minimum best practices and risk management procedures to be followed in order to effectively mitigate cyber-risks within the context of professional investor funds investing in virtual currencies, issuers of virtual financial assets and virtual financial asset service providers.

For more information about this answer please contact: Priscilla Mifsud Parker from Chetcuti Cauchi Advocates