AI, Machine Learning & Big Data Laws And Regulations

Camilleri Preziosi Advocates


Camilleri Preziosi commands an outstanding reputation amongst clients and peers as a leading Maltese corporate law firm. We are regularly ranked as a top-tier firm by Chambers, IFLR1000 and Legal 500. We retain a strong commitment to deliver a quality service in the practice of law. We do this by combining technical excellence with a solution-driven approach. Camilleri Preziosi: Technical excellence, practical solutions.
The unparalleled global growth of, and interest in, artificial intelligence ("AI") has caused great tension in legal fields, particularly in the data privacy and information technology sectors.
Malta Privacy
To print this article, all you need is to be registered or login on


The unparalleled global growth of, and interest in, artificial intelligence (“AI”) has caused great tension in legal fields, particularly in the data privacy and information technology sectors.  Since their inception in the 1950s, AI, big data, and machine learning have gained tremendous momentum, especially in recent years, possibly owing to their mainstream implementation.  Legal norms will persistently be strained as AI becomes increasingly complex and adept at completing “life-like” tasks when utilising machine learning.

In 2019, Malta set up an AI taskforce which was entrusted with:

  1. finding ways to create a sustainable local engine for growth;
  2. looking into the unknown risks of AI without hindering innovation and economic development; and
  3. creating a new sector for investment on the Maltese islands.1

On 3 October 2019, Malta launched its national AI strategy, called “Malta the Ultimate AI Launchpad: A Strategy and Vision for Artificial Intelligence in Malta 2030”2 (the “Strategy”).  The Strategy is aimed at mapping the path for Malta to gain a strategic competitive advantage in the global economy as a leader in the AI field.

In addition to the Strategy, Malta created a new authority in 2018 called the Malta Digital Innovation Authority (the “MDIA”).3  The purpose of the MDIA is to seek the development of the innovative technology sector in Malta through proper recognition and regulation of relevant innovative technology arrangements and related services.  The Innovative Technology Arrangements and Services Act4 (the “ITAS Act”) was enacted along with the establishment of the MDIA.  The ITAS Act allows for the certification of innovative technology arrangements by the MDIA, those being: distributed ledger technologies; decentralised ledger technologies; and smart contracts.5  The ITAS Act also allows other innovative technology arrangements to be accommodated within the scope of this Act, and it is expected that AI systems will be included as well.

As part of the Strategy, in January 2022 the (then) Ministry for the Economy and Industry, in collaboration with the MDIA, launched a €125,000 fund for artificial intelligence research projects.6  Applicants willing to contribute their research are able to receive up to a maximum of €25,000 toward their project.  The first deadline for submission of proposals was 31 March 2022.

One of the sectors in which the implementation of AI systems on the Maltese islands has been explored is the transport sector.  This is possibly because AI may play an important part in offering a solution to Malta's daily road congestion.  Researchers at the University of Malta have conducted a study into the feasibility of introducing “driverless” vehicles in Malta using AI systems under Malta's Introduction of Shared Autonomous Mobility (“MISAM”) project.7  Part of the MISAM project sets out to explore the current legislative framework, and to propose initial solutions in respect of any gaps currently found within Maltese law, such as liability for any collisions or accidents which autonomous vehicles may cause.  These are issues which will undoubtedly strain current concepts and the application of civil liability, and will introduce moral dilemmas which may not be entirely addressed through traditional legal means.

Separately to the MISAM project, the Ministry for Transport, Infrastructure and Capital Projects and the Ministry for Education, in collaboration with the University of Malta and Malta Public Transport, launched an innovative research project on autonomous buses in May 2021.8  The project will use four pre-planned routes to test self-driving public transport vehicles that will be integrated into the current public transport network.

Legal issues surrounding the use of AI

The key legal issues which arise with AI systems include algorithmic transparency, cybersecurity and privacy vulnerabilities, bias and discrimination, intellectual property (or “IP”) and legal personhood issues, liability and lack of accountability.  Regarding algorithmic transparency, it is understood that developers are often not keen to disclose their work.  Given the proper satisfaction of certain requirements at law, such works could be considered as trade secrets in terms of the local Trade Secrets Act.9  However, bar any confidential information, the operation and underlying operations of AI systems should be transparent and accessible to any users of the system.  That is not to say that the code underlying such systems should be rendered publicly accessible.  Rather, there should be a pre-determined set of information regarding AI systems which must be made publicly available.  This information would include, for example, the high-level criteria which the system has used to set its parameters and the legal effects which such a system may have on its end-users.

The prevalent cybersecurity issues are obvious when one considers that the relationship between security and ease of access and efficiency of use are inversely proportional.  The primary goal of security is to safeguard a particular dataset, which naturally increases the time to access or perform other processing operations on such dataset.  Conversely, ease of access procedures aim to make the aforesaid more productive and time efficient.  Therefore, ease of access typically comes at the cost of security.  For example, if a person wants to use Facebook's “auto log-in” feature, or access their account across multiple devices, they must accept cookies which are not “strictly necessary”.  That said, if an assailant infiltrates the host system, they too will benefit from this painless accessibility. 

Under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (the General Data Protection Regulation or “GDPR”), information society services must disable any cookies which are not “strictly necessary” by default, and providers must allow the end-user to opt in to use supplementary cookies.  This minor example is exacerbated with complex AI systems which are, by design, created to perform complex tasks efficiently with no human intervention.  Therefore, any AI framework must carefully consider other pieces of legislation such as the GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) before they are introduced.

Industries/sectors leading the development and adoption of AI

With regard to industries and sectors benefitting from the introduction of AI systems, the private, transport, health, and education sectors stand to gain the most from prevalent use of AI systems, at least in the short term. 

In the private sector, AI is especially useful in conducting client due diligence assessments.  AI's main strength lies in its ability to effectively recognise patterns and deduce outcomes to an effective degree of certainty.  Additionally, such systems can process vast amounts of data in minimal time when compared to manual due diligence – this accuracy and efficiency could save companies ample time and resources, which can instead be allocated to other work. 

Within the health sector, certain local companies have partnered with entities outside of Malta to enhance the electronic patient record system and to provide patients in the UK with the accessibility to set hospital appointments, reschedule or cancel them in real time.  Given that the Government of Malta is currently undergoing a digital overhaul of its services, the implementation of such a system within the health sector could be well received if implemented with the appropriate safeguards.  Since health data falls within the special categories of personal data under article 9 of the GDPR, an extra degree of caution (and additional safeguards) must be taken in any processing operations.10

Within the education sector, the University of Malta and the Ministry for the Economy and Industry have partnered up with the MDIA to run three projects using AI.11  The intention behind all three projects is for them to lead to the Maltese language being written, understood and processed in modern day technology.  One of the three projects, “Edu AI”, targets children aged from eight to 10 years of age and uses AI-powered puppets during shared reading sessions.  The AI system includes language and literacy tasks and games involving speech and text recognition.

In addition, the Centre for Literacy within the University of Malta initiated the “EduRoboKids” project to develop and promote the use of AI in the education section.12  The “EduRoboKids” programme targets children with learning difficulties who may benefit from communicating with social robots.  The aim of the project is for such children to engage in constructive learning with an autonomous or semi-autonomous AI-driven robot, which would replicate traditional learning contexts.


Malta's current legislative framework does not provide for sui generis IP rights relating to AI systems, nor does it cater for the nuances brought about by works or inventions created by AI systems.  Furthermore, the Maltese Industrial Property Registrations Directorate (IPRD) has not issued any guidelines or recommendations which would help tackle issues such as the patentability of AI systems or AI-generated solutions.

In terms of Maltese patent law, ownership over such IP is bestowed upon the applicant, who must be a legal person in order to fulfil the criteria of the patent regulations.13  While this is understandable when an AI system is developed using one's own intellectual endeavours, matters become increasingly complex when that system generates its own “content” or solution, without the intervention of a legal person.  If the AI system generates any invention without any human intervention, current patent law would not consider such invention as being patentable.  It is therefore necessary to update current legislation to provide for ownership of IP generated entirely by automated systems or to bestow such ownership rights to agents, and consider creating an agency status for AI automated systems. 

Code is predominantly based on arithmetic expression.  Hence, AI (being code for the most part) is protected through the Maltese Copyright Act (Chapter 415 of the Laws of Malta) as a literary work, provided that the work satisfies the definition of a “computer program” found therein.14  Computer programs must have an original character, be written down and reduced to material form by a specific author for copyright protection to arise (which protection arises automatically upon publication).  Issues will arise for any work generated by the AI system because Maltese copyright law defines an “author” as a natural person who created the work, thus excluding the possibly of automated systems being considered “authors”.  The main argument is whether the AI system was developed specifically to generate the work in question and, if so, whether the system was merely a “tool” utilised by the author; in this case, the system would not be deemed an author itself.  Hence, while the developer of the AI system would be the owner of that system in terms of the Maltese Copyright Act, any subsequent works generated by this system fall within a lacuna which is not currently catered for in Maltese national legislation.

With regard to data privacy, the main concern is the automated processing of personal data and the scale at which this is done, particularly if the data subject (as defined within the GDPR) has not consented to the collection of their personal data.  A practical example is data crawling conducted by a law enforcement agency (“LEA”) for the purposes of crime detection or investigation.  While LEAs could arguably have a legitimate interest in scouring publicly available data as a preventative measure, one must also take note of the intrusive nature of such systems.  Finding the right balance between data subjects' rights on the one hand, and the public interest in LEAs carrying out their duties on the other, is no easy task and such considerations would need to be carefully set out within the applicable legal framework.

Antitrust/competition laws

Big data in combination with AI has not changed the basic tenets of competition law.  However, under certain circumstances, they also feature as a contributing factor to competition concerns, including: (i) increasing market power and facilitating exploitative or exclusionary practices by dominant firms; (ii) facilitating collusion; and (iii) merger control issues.  Determining any alleged illegality depends on the factual context of each case and the legislative framework in the particular jurisdiction.  Maltese (and EU) courts are yet to decide on such matters.

One relevant issue faced in the competition sector, for example, is that of algorithmic pricing, wherein an AI system utilises “big datasets” and machine learning techniques to automatically re-calibrate prices based on internal or external factors.  These include supply and demand variables, competitors' prices, or external market data (which is typically purchased by the respective undertaking).

Algorithmic pricing is not deemed illegal per se where the information is obtained legitimately, and if the AI system was developed independently.  Should, however, the system be a result of collusion or collaboration between competing undertakings to set prices, then, regardless of whether the price setting was conducted orally, through correspondence or through algorithms, the basic tenets of Maltese/EU competition law remain true in an online environment as well, including the unlawful setting of prices among competitors.

Board of directors/governance

The use of AI systems in the decision-making process within a board of directors does not seem to be a novel concept in foreign jurisdictions.  In Malta, the legal landscape does not specifically cater for, inter alia, liability regarding breaches of directors' duties or obligations, should these be decided upon by an AI system.  The authors are of the view that the use of such systems in decision-making processes would not alter the directors' ultimate liability should a breach in duty be found.  However, while an AI system could develop into a system that is arguably more capable of recognising complex patterns and predicting corporate outcomes when compared to a natural person, such systems lack the commercial insight, experience and “human touch” that is often required when taking decisions at board level. 

Additionally, developing an AI system which can apply context to an inputted scenario is not easy, and until these hurdles are overcome, the authors do not foresee that AI will be given the lead role in the decision-making process.  That said, the authors believe that a reasonable compromise could be to allow the AI system to function on a pre-determined basis and retain an advisory role with no legal authority.  This may prove insightful to directors who, by default, are prone to human error, which an AI system is not.

Regulations/government intervention

The EU has drafted a proposal for a regulation to harmonise rules on AI throughout the EU (the “Regulation”).15  As an EU Member State, Malta will be bound by the Regulation, which will be directly enforceable without requiring national implementation.  Through the Regulation, the EU seeks to define AI systems using a risk-based approach, ranging from low-risk to prohibited systems.  The latter is a clear attempt to prohibit AI systems which evaluate persons based on their “trustworthiness” or social behaviour.  Interestingly, the EU differentiates between “real-time” biometric scanners depending on their use-case.  This is particularly important insofar as LEAs are concerned, as the only legislation which covers processing of personal data by LEAs is Directive 2016/680 (the “LED”), which differs slightly from the GDPR, predominantly insofar as “consent” is used as a legal basis for processing.16  That said, we are yet to see the interplay between the Regulation, the GDPR and the LED, and the possible limitations which the latter two may impose on such systems despite the possibility of the AI system being developed and used in compliance with the Regulation.

Civil liability

Maltese legislation does not currently provide for non-contractual liability for damages caused by AI or other alternative digital technologies.  In lieu of this, one must fall back on the provisions of the Civil Code (Chapter 16 of the Laws of Malta) to determine liability from a traditional tort-based perspective.

Therein, article 1031 establishes the principle that every person is liable for damages caused through their own fault.  The standard of proof in determining such fault is that of the bonus paterfamilias (“reasonable man”).  This standard is evident within article 1032 of the Civil Code, which provides that a person is deemed to be at fault where they fail to exercise the attention, diligence and prudence of a “reasonable man”.  The extent of reasonableness is only determined by the courts, which must exercise discretion in their determination.  Moreover, article 1033 of the Civil Code further provides that any person who with or without intention to injure, voluntarily or through negligence, imprudence, or want of attention, is guilty of an act or omission which breaches the duty of care as imposed by law, will be liable for any damage resulting from their negligence.

This begs the question as to whether, if an AI system acts of “its own” volition and through no prior instructions of the developer, the owner would be indirectly liable for creating a system which gives rise to the damage.

Turning to the Product Liability Directive and its local implementation, it is evident that current liability rules do not fit “black-box” systems such as AI, which results in a number of legal complexities, particularly when it comes to proving any defects and the causal link between such defects and the damage incurred.17 

The European Commission acknowledges the lacuna that has emerged in this respect and has already conducted an initial impact assessment roadmap on adapting civil liability rules to the digital age.18

For the purpose of civil liability, it would appear that the developer of an AI system would be deemed to be the legal person against whom claims for damages may be brought.  This thinking would currently apply to damages arising both as a result of the use of the AI system itself, as well as the reliance on any of the outcomes of that system, even if such outcomes arose from the system's own processes.  This is because, ultimately, it is the developer who implemented the system's “cognition”.  When coupled with the concept of the bonus paterfamilias, this entails that the developer should be liable for not implementing appropriate “fail-safes” or be found liable for producing a defective product.  This would also suffice for the sake of practicality.  A natural person would not be able to seek legal redress against an AI system unless a separate legal personality, or some form of agency status as a minimum, is attributed to it.

Discrimination and bias

A core concern with AI systems is the innate human bias of its developers which is embedded within the system per se.  If one views code as an expression of the developer's self, it is not difficult to understand how such bias arises within AI systems.  This has been identified as a major challenge related to the use of algorithms and automated decision-making.  The principle of non-discrimination as enshrined in article 21 of the Charter of Fundamental Human Rights of the European Union is not to be taken lightly and must be at the forefront of any system.  Potential examples of discrimination include candidates for job interviews, scores in creditworthiness or during trials, amongst others.

Therefore, it is imperative that any national AI ethical framework is drafted cautiously and implemented meticulously.   In August 2019, Malta published a draft Ethical AI Framework called “Towards Trustworthy AI”, which aims to establish a set of guiding principles and trustworthy AI governance and control practices.  The intention is for the Malta Ethical AI Framework to support AI practitioners in identifying and managing the potential risks of AI, while also serving to identify opportunities to encode a higher ethical standard into AI.  The draft document was released for public consultation in August 2019 and the final version was expected in October 2019, shortly after the release of the Strategy.19  As at the time of writing, no further updates are publicly available.  The intention is also for a National Technology Ethics Committee to be set up under the MDIA to oversee the Ethical AI Framework and its intersection across various policy initiatives, including investments in tools and continuous monitoring mechanisms, skills and capabilities, an innovation ecosystem and regulatory mechanisms.

There is also the IEEE P7003 standard for algorithmic bias considerations which provides a development framework to avoid unintended, unjustified, and inappropriately differing outcomes for users.  Therefore, it is vital that technical partners liaise heavily with legal practitioners to minimise the risk of such bias occurring and limit the detrimental effect it may cause.

While technical solutions are welcome, this should not come at the cost of a comprehensive regulatory framework and a policy focus which prioritises fairness, especially considering marginalised groups.  Currently, the only such local framework is the abovementioned AI ethical framework.  Furthermore, Maltese legislation does not cater for nuances such as digital rights or informational self-determination, which if not remedied, could prove cumbersome for AI systems in practice.


Society is currently undergoing a technological revolution, whereby technology is moulding and paving the way for the legislative landscape.  AI and other advanced digital technologies will become increasingly complex and will challenge even the most long-standing legal concepts.  Therefore, it is up to legislators to lead by example and use their knowledge and legal expertise to interpret (or re-shape) the law in a manner which appropriately caters for such advancements.  That said, it is imperative to exercise great caution with any legislative change, and to do so cautiously through interdisciplinary teams to avoid knee-jerk reactions which accommodate current short-term trends.

It is a fact that, in practice, laws are generally required to catch up with technological advancements (as with AI).  If countries attempt to draft overarching policies which introduce unnecessary bureaucracy, technological developments will significantly slow down, or worse, the industry will be forced to disregard overkill policies which hinder progress.  Legislators should engage in more thorough discussion with stakeholders (both on a national and international level) to determine technical needs prior to drafting the relevant legislation.


The authors would like to thank Jake Camilleri for his invaluable assistance in the preparation of this chapter.

Jake graduated LL.B. (Hons.) from the University of Malta in 2019 and obtained a Master's in Advocacy from the same University in 2020.  In the course of his studies for the first degree he submitted a dissertation entitled “The EU's implementation of cross-border enforcement to enhance data security and deter cybercrime: an apt response or is further enforcement needed?”.

As part of the Camilleri Preziosi training programme, Jake has been assigned work in various practice areas, ranging from Information Technology and Privacy Law to Intellectual Property and Telecommunications.

Jake was admitted to the Bar in 2021 and intends on pursuing an LL.M. in Law and Technology.  Having been admitted to practise, Jake's principal areas of focus concern Technology & Privacy Laws, Cybersecurity, Telecommunications and Intellectual Property. 

Tel: +356 2123 8989 / Email:


1 Malta.AI Taskforce – Our Vision: (Hyperlink).

2 Malta The Ultimate AI Launchpad: A Strategy and Vision for Artificial Intelligence in Malta 2030.  Available at: (Hyperlink).

3 The Malta Digital Innovation Authority Act (Chapter 591 of the Laws of Malta).

4 Chapter 592 of the Laws of Malta.

5 As defined within the Malta Digital Innovation Authority Act (Chapter 591 of the Laws of Malta).

6 Press release available at: (Hyperlink)

7 Project MISAM (REP-2020-017) is financed by the Malta Council for Science and Technology, for and on behalf of the Foundation for Science and Technology, through the FUSION: R&I Research Excellence Programme.  An initiative led by the Department of Spatial Planning and Infrastructure within the Faculty for the Built Environment at the University of Malta, with the support of Debono Group and Infrastructure Malta.

8 Press release available at: (Hyperlink).

9 The Trade Secrets Act (Chapter 589 of the Laws of Malta).

10 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

11 Press release available at: (Hyperlink).

12 Further information available at: (Hyperlink).

13 Patent Regulations (Subsidiary Legislation 417.01 of the Laws of Malta).

14 Article 2 of the Copyright Act: “computer program” includes computer programs whatever may be the mode or form of their expression including those which are incorporated in hardware, interfaces which provide for the physical interconnection and interaction or the interoperability between elements of software and hardware and preparatory design material leading to the development of a computer program, provided that the nature of the preparatory design material is such that a computer program can result therefrom at a later stage.

15 Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts.

16 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

17 Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations and administrative provisions of the Member States concerning liability for defective products and the Consumer Affairs Act (Chapter 378 of the Laws of Malta) and its subsidiary legislation.

18 Further information is available at: (Hyperlink).

19 Information available at: (Hyperlink).

Originally Published by Global Legal Insights

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More