1. Metaverse

1.1 Laws and Regulations

Research conducted by an online comparison service, Uswitch, has ranked Malta as the fourth most metaverse-ready nation out of 34 countries analysed, with a total score of 7.31 out of ten. Various aspects were considered in arriving at the ranking, including the median fixed broadband speed and its cost, the number of blockchain financial services start-ups, hi-tech exports per capita and the number of searches per million on the metaverse. With this technology being still relatively young, the legal issues surrounding the metaverse and its use have not been specifically analysed or addressed in Malta, and thus there is no specific legal framework nor explicit laws that deal with the matter. Nonetheless, the technology is already regulated to some extent by existing laws, such as consumer law, data protection, product liability and general civil and criminal law. This being said, more widespread use of the metaverse will certainly result in new legal and regulatory challenges. One area that will certainly become relevant is the sale and use of digital assets and services; questions relating to the verification of ownership, authenticity of the virtual items purchased and claims of infringement will need to be navigated. This is in addition to problems of jurisdiction, territoriality, and conflicts of laws.

As a member state of the EU, Malta will be required to implement any legislation in this respect that may be enacted by the European Union. The European Parliament has issued a briefing analysing the opportunities, risks and policy implications that the metaverse may introduce, and which makes reference to a number of potential legal challenges. An example is that, from a data protection point of view, it may become more difficult to define who is acting as a data processor or a data controller in a given scenario due to the fact that it may be difficult to ascertain which party is acting on behalf of the other. A practical example of this as laid out by the European Parliament could be in the provision of a privacy notice to users and whether this should be done by each metaverse in its entirety or by each metaverse separately, since the GDPR stipulates that users must give explicit consent for each specific purpose.

2. Digital Economy

2.1 Key Challenges

Strategy

On 23 November 2022, Malta published its national strategy for 2022-2027 (dubbed "Digital Malta") with the aim of positioning Malta as a leader in digital transformation, built around a vision of establishing digital as the key driving force for transformation. The national strategy underpinned various sectoral digital policies currently in place in Malta, including Digital Innovation, eCommerce and Cyber Security. According to the European Commission's Digital Economy and Society Index (DESI) report 2022, Malta ranks sixth out of 27 EU member states. The DESI report also states that, since 2019, all Maltese households are reached by Very High Capacity Networks offering speeds of up to 1Gbps. Malta also records good scores on human capital, especially because of the high share of ICT graduates (6.6% of graduates in Malta, versus 4.2% in the EU), and performs slightly higher than the EU average in terms of ICT specialists (4.8% versus 4.6% in the EU). The large majority (77.9% versus 69.1% in the EU) of Maltese SMEs have at least a basic level of digital intensity and perform particularly well in the use of technologies such as big data and cloud solutions, which are used by 30% and 47.5% of enterprises in the country respectively. Malta has also focused on technologies such as blockchain and artificial intelligence. An improvement in the uptake of e-government services was also reported, with the share of e-government users reaching 82.97% versus 74.2% in the EU in 2022.

Legislation

On a legislative level, Malta has enacted and continues to review the legislative framework necessary to enhance Malta's position in the digital arena. Legislative efforts in this field have focused generally on implementing various EU legislative instruments such as the Data Governance Act, Data Act, Digital Markets Act and Digital Services Act, to promote data sharing, enhance access to data, protect data privacy and security, ensure fair competition in digital markets and empower consumers with greater choice and control over their personal information. Many of these issues are discussed in other parts of this chapter. In terms of digital services and digital markets, Malta is working to transpose the Digital Services Package, adopted by the Commission on 15 December 2020, which comprises the Digital Services Act and the Digital Markets Act. Both these instruments are being implemented with the aim of creating an enhanced sense of uniformity with regard to the regulation of a safe digital space where the fundamental rights of users are protected, as well as to establish a level playing field for businesses in the ever-growing tech industry.

3. Cloud and Edge Computing

3.1 Highly Regulated Industries and Data Protection

Cloud computing is not yet expressly or specifically regulated in Malta; however, it is addressed by the rules governing a standard level of network security and by the rules governing many industries, especially the banking and gaming sectors. These sectors are discussed below.

Financial Services

The financial services sector is a wide sector, with different sub-sectors such as banking, insurance and investment services, all of which are subject to broadly similar rules in relation to the outsourcing of a material service or activity. Such rules are issued by the Malta Financial Services Authority (MFSA), the competent authority to regulate all matters relating to banking and finance in Malta. Generally, the use of a cloud service would be considered as material, and notification is required to be given to the MFSA prior to engaging in the use of that service. A risk assessment of the arrangement, as well as the necessary due diligence, would normally also be required to ensure that the service provider is suitable. The MFSA has also released the "Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements" which would more generally apply to the financial services sector as a whole. These guidelines take cloud computing into account and provide a practical framework for licence holders and requirements for different cloud computing service models – such as software as a service (SaaS) or platform as a service (PaaS) – requiring communication and information systems to protect the data they handle in transit and at rest; this data must only be accessible to authorised parties as and when needed. They further provide that confidentiality, integrity, availability, authentication and non-repudiation should form the five pillars in the design of any technology arrangement implemented by a licensed institution. Cloud computing systems must also take into consideration the ISACA's Guiding Principles for Cloud Computing Adoption and Use.

Gaming Law

The use by a Malta-licensed gaming provider of managed information technology services is regulated in accordance with the Gaming Authorisations Regulations (Chapter 583.05, Laws of Malta) as well as the "Policy on Outsourcing by Authorised Persons", issued by the Malta Gaming Authority (MGA), the authority which regulates the gaming sector in Malta. These legal instruments state that cloud computing services would be considered a material gaming supply, which carries a number of risks to the operation of a Malta-based gaming licensee. Thus, the MGA recommends that such service providers be assessed and approved by it as part of the pre-licensing assessment or at the post-licensing stage. Where the licensee receives material gaming supplies from a third party not approved by the MGA, the licensee must assume full regulatory responsibility for such supplies. A licensee must also have a regularly updated outsourcing policy and a written agreement with the service provider containing a number of required provisions.

Security of Network and Information Systems

The Measures for High Common Level of Security of Network and Information Systems Order (Chapter 460.35, Laws of Malta) transposes Directive (EU) 2016/1148 (the "NIS Directive") into Maltese law and addresses cloud computing. (The NIS2 Directive, however, is yet to be transposed.) The NIS Directive aims to implement measures for the achievement of a high common level of network and information system security across the EU's critical infrastructure. The Order establishes a Critical Information Infrastructure Protection Unit (the "CIIP Unit"), which is responsible for matters relating to the identification and designation of operators of essential services and digital service providers, as well as the adoption of a national strategy on the security of network and information systems. Malta has also implemented a cybersecurity strategy which had six main goals, including the establishment of a governance framework, the strengthening of the fight against cybercrime and national cyber defence, improving cybersecurity awareness and education, encouraging initiatives by the private sector, and building upon national and international co-operation.

Data Protection

Malta is subject to the GDPR; the general rules in this respect apply also to the issues brought about by cloud computing. The most common issues here relate to the fact that most service providers in this field provide standard terms which are not easily negotiable and thus any data protection-related provisions may not always reflect the required GDPR standards if the cloud service provider is based outside the EEA. Additionally, transfers of personal data need to comply with specific safeguards, the most common being the use of the Commission's Standard Contractual Clauses (SCCs). The SCCs were amended in June 2021 following the Schrems II judgment, which invalidated the EU-US Privacy Shield. As a result, international transfers have become significantly more complex. A provider of cloud computing services established outside the EU would need to show compliance with the new standards in order to be considered GDPR-compliant.

4. Artificial Intelligence and Big Data

4.1 Liability, Data Protection, IP and Fundamental Rights

Projects involving big data, machine learning (ML) and artificial intelligence (AI) have one common factor in that they need to make use of vast amounts of data, which may be of a personal nature. This brings about challenges in relation to the management of such personal data in compliance with the GDPR and Maltese data protection law. ML and AI also raise various other legal issues, as outlined below, together with potential solutions.

Data Protection

An AI system needs extensive data to train and develop the algorithmic models on which it operates in order to provide an accurate output. Much of this data may be personal in nature, thus compliance with the GDPR and Maltese data protection law is necessary; however, the volume of personal data processed makes compliance more complex to achieve. An overview of the obligations imposed on controllers and processors by Maltese and European data protection law can be found in 1. Metaverse and 2. Digital Economy.

These obligations become particularly problematic in the case of ML and AI since access to and collection of personal data is generally restricted by law. Furthermore, personal data can only be processed for its original intended purpose and, although the scope to reuse data for additional purposes has been widened by the Data Act, it is still limited. This legal requirement could limit the possibility of extracting new value from the combination of datasets. It should also be noted that, under the GDPR, decisions that were taken solely in an automated manner must allow for human review of that decision if it significantly affects the data subject. Additionally, the data subject has a right to an explanation as to how a decision was reached. Whilst these principles can stifle the development of ML and AI technology to some extent, they also ensure that such technology is developed in an ethical manner that respects human rights and the right to privacy of each individual. ML and AI companies and applications that involve the use of personal data can achieve trust by ensuring that they are compliant with the requirements of the GDPR, by implementing the necessary safeguards and ensuring that data protection is present at the design stage and by default.

Ethics

Closely related to the discussion of data protection is the matter of ethical development of ML and AI technologies. In October 2018, the Malta.AI Taskforce was set up by the Maltese government to advise on strategies, ethics and legal issues relating to the development of such technologies. One of the documents published by the Taskforce is the Ethical AI Framework which, though it does not have the binding force of law, lays down a set of guiding principles for trustworthy AI governance. The Framework builds upon the Ethics Guidelines for Trustworthy AI, published in April 2019 by the European Commission's High-Level Expert Group on Artificial Intelligence (AI HLEG), and adds a number of control practices which aim to guide developers and users of ML and AI technologies in terms of how the principles set out therein should be translated in practice. The Framework sets out four ethical principles for trustworthy AI, namely:

  • human autonomy – humans interacting with AI systems must be able to keep full and effective self-determination over themselves;
  • preventing harm – AI systems must not cause harm at any stage of their life cycle to humans, the natural environment, or other living beings;
  • fairness – the development, deployment, use and operation of AI systems must be fair; and
  • explicability – end users and other members of the public should be able to understand and challenge the operation of AI systems as required for the particular use case.

Malta has set up a national AI Certification Programme, based on the Framework. Certification would provide applicants with acknowledgement that their AI system has been developed in an ethically aligned, transparent and socially responsible manner, in line with the principles and control practices established by the Framework.

Liability

Liability is often an issue when it comes to ML and AI technologies. It is not easy to establish who or what is legally responsible for the non-human decision-making of a machine. The matter becomes more complicated if the hardware and software performed precisely as they were intended and without a perceptible defect or malfunction of any kind. Malta does not have a dedicated legal framework to govern liability issues relating to ML and AI per se; however, a patchwork of legal provisions addresses the matter to a significant extent. Under the Maltese law of obligations, specifically the Maltese Civil Code (Chapter 16, Laws of Malta), one finds the general concept that a person should always show reasonable care in all their actions, and the standard of reasonable care which is required is that of a reasonable man (bonus paterfamilias). The corollary is that a person who causes harm by acting in a manner which falls below this standard would be liable to compensate for such harm.

Another relevant provision under the Civil Code provides that the owner of an animal, or any person using an animal during the time that such person is using it, is liable for any damage caused by it, whether the animal was under their charge or had strayed or escaped. With regard to this latter provision, academic writers have drawn a parallel between this situation and one where an AI system behaves disruptively or uncontrollably, stating that such provisions should be used in such a case.

Furthermore, in September 2022 the European Commission released the proposal for an AI Liability Directive. The directive seeks to provide legal certainty and address concerns surrounding liability, compensation, and accountability. It focuses on clarifying liability issues related to AI systems, such as determining who is responsible in cases where AI systems cause harm or damage. This directive could potentially play a pivotal role in Malta in determining liability where AI and ML have been used.

On a final note, the Product Liability Directive (Directive 85/374/EEC) was transposed into Maltese law through part of the Consumer Affairs Act (Chapter 378 of the Laws of Malta), which introduces the concept of strict (no fault) liability into the product liability regime, subject to the limitations of the Product Liability Directive itself. Under the Product Safety Act, a product is safe if it meets all statutory safety requirements under European or national law (or in default thereof, Commission recommendations and codes of practice), and any distributor who supplies products which they should know to be unsafe (even having actual knowledge of this) would be liable.

5. Internet of Things

5.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection

Restrictions on a Project's Scope

The term "internet of things" (IoT) describes physical objects that have technology built into them allowing them to connect to the internet or other communication networks to exchange, process, store, and transport data. The IoT includes a wide range of interconnected products and systems, including connected appliances, smart home security systems, biometric cybersecurity scanners, activity trackers, and smart agricultural equipment.

Data Protection and Privacy Considerations

Since it is not always possible to obtain consent from the data subject directly in IoT technology, IoT manufacturers must look into alternative methods of obtaining consent or find another legal basis for processing the data in order to comply with the GDPR's criteria. Furthermore, processing of special categories of data, such as health and biometric data, is subject to stricter regulation and is only permitted under certain conditions and in specific circumstances. Data subjects also have the right not to be subject to decisions based solely on automated decision-making processes, to access data held about them, to request erasure or rectification of the personal data, and to receive the personal data concerning themselves, which they have provided to a controller, in a structured, commonly used and machine-readable format. When contemplating a project with connected devices, one needs to consider how these data subjects' rights will be addressed.

Data controllers behind IoT projects are also required to conduct a Data Protection Impact Assessment (DPIA) before launching a new IoT technology or device. Companies and organisations working on IoT technologies must put in place technical and organisational protections from the beginning of the design of the processing activities to preserve privacy and ensure that data protection rules are followed (ie, data protection by design). These organisations should also make sure that if personal data is processed using IoT technology, the highest requirements of data privacy are in effect by default (ie, data protection by default).

Cybersecurity Considerations

Many connected devices still seem to be at risk of hacking, virus attacks, processing errors and other comparable dangers. Because any connected device lacking security safeguards could endanger the entire IoT network, the matter is very significant. While there are a number of laws in Malta that deal with product safety and cybercrime, these laws do not expressly cover IoT devices or the certification of such devices. Although Malta has a cybersecurity plan, which was briefly covered under the previous heading, no particular standards of behaviour for the development, manufacture, or usage of IoT devices have yet been created.

6. Audio-Visual Media Services

6.1 Requirements and Authorisation Procedures

Audio-Visual Service Requirements and Applicability – Broadcasting Licences

According to the Broadcasting Act (Chapter 350, Laws of Malta), no one may broadcast audio or video content in Malta for the entire country or any part of it without a written permit from the Malta Broadcasting Authority (MBA), nor may anyone broadcast audio or video content from Malta to any foreign country without a written permit from the MBA. The MBA may grant a broadcasting licence subject to the terms and restrictions it sees fit. These licences are likewise governed by the First Schedule of the Broadcasting Act. There are various classifications and types of licences, including:

  • licences for nationwide television services;
  • nationwide radio services;
  • community radio services;
  • satellite radio services;
  • satellite television services; and
  • other services which may be broadcast or provided on or by an electronic communications network.

The MBA may grant a general interest broadcast content licence or a commercial broadcast content licence in relation to national television services. A general interest objective service is a television broadcasting service that commits to airing a predetermined number of general interest programmes that are under the purview of a public service broadcasting service as defined by the National Broadcasting Policy.

A general interest objective service may be either a generalist service or a niche service. A "niche service" refers to a television broadcasting service which predominantly transmits programmes of a limited number of genres of a specialist subject matter, whilst a "generalist service" means a television broadcasting service which transmits a wide range of programme genres. On the other hand, a "commercial television broadcasting service" means a television broadcasting service that is either a generalist service or a niche service that is not subject to the obligations of a general interest objective service.

An application for a broadcasting licence must be made to the MBA through the relevant licence application, some of which are discussed below:

  • in the case of a new nationwide TV station, arrangements have to be made in the first place with the service providers Melita Limited and GO plc, the two TV distribution networks on the island, prior to applying for a licence from the MBA;
  • in the case of digital radio broadcasting (which is further regulated by the Digital Radio Broadcasting Regulations (Chapter 350.29, Laws of Malta)), arrangements have to be made in the first place with the licensed digital radio broadcasting service provider DigiB Network, prior to applying for a licence from the MBA; and
  • satellite uplink services are licensed by the Malta Communications Authority (MCA), and the initial step in this case is to complete and return an application for a satellite earth station licence.

Audiovisual Media Services

Both a television broadcast and an on-demand audiovisual media service qualify as audiovisual media services. A provider of an on-demand media service generally does not need a broadcasting licence as stated under the previous heading, but they must notify the MBA in writing by sending a letter to the Chairman of the MCA before offering the service. This written notification must include the following information:

  • in the case of a natural person, the name, surname and address, identity card number, passport number or any other identification document as may be accepted by the MCA; and
  • in the case of a legal person, the name and address of the company and of the registered office.

An audiovisual media service transmitted by a media service provider falling under the jurisdiction of Malta must comply with specific provisions of the Broadcasting Act as to the content of its transmissions, as well as other provisions which may be relevant under consumer and press laws.

Requirements for Video-Sharing Platform Providers

A supplier of a video-sharing website based in Malta is subject to Maltese law. A provider of a video-sharing platform does not need a broadcasting licence as defined under the first heading in this section, but they must nevertheless notify the MBA in writing by sending a letter to the Chairperson of the MCA that includes the following information:

  • in the case of a natural person, the name, surname and address, identity card number, passport number or any other identification document as may be accepted by the MCA; and
  • in the case of a legal person, the name and address of the company and of the registered office.

Video-sharing platform providers falling under the jurisdiction of Malta must also comply with specific provisions of the Broadcasting Act as to the content of their transmissions, as well as other provisions that may be relevant under consumer and press laws.

7. Telecommunications

7.1 Scope of Regulation and Pre-marketing Requirements

Authorisation of Commercial Services

The Electronic Communications (Regulation) Act (Chapter 399 of the Laws of Malta) stipulates that an entity that wants to provide some form of commercial electronic communications (electronic communications networks and services) must notify the MCA, the regulator for the telecommunications sector, in order to obtain a "general authorisation" to provide the type of service desired. This is usually done through a notification form, which should contain the following:

  • the name of the provider;
  • the legal status of the provider, its form and registration number;
  • the official address for service of notice in Malta, and the geographical address of the main establishment of the provider in Malta or any other member state, as the case may be;
  • the website address of the provider, where applicable, associated with the provision of electronic communications networks and/or services;
  • a contact person and contact details;
  • a short description of the networks and/or services intended to be provided;
  • the member state or member states where the networks and/or services are being provided; and
  • an estimated date for starting the activity.

Upon notification to the MCA, an entity may start the activity so notified, subject to the provisions on the rights of use under the law. The entity will still be required to obtain and/or notify and comply with any permit, licence, right of use, or other general authorisation in respect of numbering resources, equipment, or radio spectrum, and any other permit that may be necessary at law.

Voice-over internet protocol (VoIP) services using a carrier selection facility are regulated in Malta as a publicly available telephony service if they are number-dependent – that is, if the service requires numbers from the national numbering plan. A VoIP service which is not number-dependent would not be regulated. Likewise, instant messaging services that are not number-dependent (such as Facebook Messenger) would be unregulated. The internet network and service over which such services are provided would be regulated as discussed elsewhere in this section.

Radiocommunications Equipment Licensing

The European Authorisation Directive (Directive 2002/20/EC), and rules issued by the International Telecommunication Union (the "Radio Regulations"), stipulate that a form of authorisation is required for radio transmissions. The Electronic Communications (Regulation) Act (Chapter 399, Laws of Malta) accordingly also requires that the use of radio frequencies and the installation or use of radiocommunications equipment be authorised.

There are various types of authorisations for radiocommunications equipment, which can be categorised under three high-level categories: individual licensing, light-licensing and licensing-exempt. These types of licences are generally managed by the MCA under its spectrum management responsibilities. The same laws require that the installation or use of radiocommunications equipment must be subject to an individual licence unless the equipment is licence-exempt or covered by a general authorisation.

The light licensing framework is laid down by the General Authorisations (Radiocommunications Apparatus) Regulation (Chapter 399.40, Laws of Malta). This framework is a general authorisation framework which applies to various types of radio equipment:

  • which, when used, do not require co-ordination between users;
  • for which user individualisation is not necessary;
  • when the use of a frequency or of a frequency band is possible by a number of users within a particular area;
  • when spectrum is available on a long-term basis; and
  • when the radio applications are not subject to frequency planning, co-ordination and individual frequency assignment.

Radio Frequency Identification Devices (RFIDs) fall within this category, as do cordless telephones, radio local area networks such as Wi-Fi equipment, remote controls, PMR446 radios, certain satellite terminals, short-range devices (SRDs), and Bluetooth devices; these are some of the categories of radiocommunications equipment that are regulated by the above-mentioned general authorisation regulation. Anyone making use of such equipment must comply with its purpose of use and with the technical and other operating requirements as stated in the General Authorisations (Radiocommunications Apparatus) Regulations. In accordance with the Fees Leviable by Government Departments Regulations (Chapter 35.01, Laws of Malta), RFIDs are exempt from the payment of fees.

Spectrum Licensing

In accordance with the Electronic Communications Act, an authorisation is required for the right to use radio frequencies. This regulatory requirement is in place so as to ensure that harmful interference is avoided, and to safeguard the efficient use of radio spectrum. Anyone who desires to apply for the right to use radio frequencies must complete the Generic Spectrum Application Form.

8. Challenges with Technology Agreements

8.1 Legal Framework Challenges

Legal Framework Features

An entity that intends to enter into IT service agreements with another entity in Malta will be bound by the general concepts of Maltese contract law, unless the agreement stipulates that a different law should apply. As a general rule, the Civil Code (Chapter 16, Laws of Malta) provides that contracts legally entered into have the force of law for the contracting parties. Parties may go against what is stated in the general law by virtue of their agreement, unless there is a prohibition by the law itself by way of mandatory rules or because of a prohibition of public policy. IT service agreements would generally cover:

  • a detailed description of the service;
  • whether only services are being provided, or whether materials are also being supplied;
  • the payable fees;
  • term of contract and termination methods;
  • ownership over any intellectual or other property produced during the term of the agreement;
  • liability for the service provided and limitations thereon (usually governed by a Service Level Agreement);
  • insurance;
  • how changes to the agreement/services can be made;
  • notifications to the other party;
  • confidentiality, non-compete and non-solicitation;
  • dispute resolution;
  • data processing (where personal data is accessible by the IT service provider);
  • independent relationship of the parties;
  • whether the contract can be transferred.

The above-mentioned provisions are relatively standard and provided that they have been agreed to by both parties, and that valid consent can be proved, a court would follow the terms of agreement between the parties when interpreting the contract, especially where the wording is unambiguous. However, lack of clarity and proper description of the expectations of the parties are the most common legal problems that have been encountered in relation to IT service agreements.

An IT service agreement will be valid even if not done in writing, but verbal contracts of this nature are most certainly not recommended.

Limitation of Liability

It is quite common for limitation of liability clauses to be included in service contracts. In this respect, it should be noted that in certain circumstances liability cannot be limited. One example is that where fraud is involved, this would invalidate the entire contract, including any limitation of liability clauses. Furthermore, Maltese jurisprudence has also held in various situations that liability cannot be limited in cases of gross negligence.

Maltese courts have on occasion also used reasoning similar to the "doctrine of fundamental breach" to invalidate limitation of liability clauses where the party commits a breach of the contract that is so fundamental that it deprives the other party of essentially the whole of the contract's benefits. The Maltese courts have also invalidated limitation clauses on occasion simply because they were not brought to the attention of the weaker party, even though the clause itself was technically valid, although this would probably apply more readily in the case where the recipient of the IT service is a consumer. Where the IT service contract includes the provision of materials, one needs to consider that warranties against latent defects cannot always be excluded. Product liability issues may also need to be considered.

Penalty Clauses

IT services agreements frequently involve fines for non-performance or contract violations (for example, a breach of confidentiality or breach of the non-solicitation clause). Frequently, penalty clauses are pre-liquidated, so the sum due in the event of a certain violation would be specified in the contract itself. The Maltese courts would generally tend to uphold the penalty clause stipulated between the parties, unless the amount is grossly unfair to one of them. In this respect, it should be noted that the Civil Code provides that a court cannot abate or mitigate a penalty agreed between the parties except:

  • if the service provider has performed the obligation in part, and the recipient of the service has expressly accepted the part so performed; or
  • if the service provider has performed the obligation in part, and the part so performed is clearly useful to the recipient of the service.

In any such case, an abatement cannot be made if the recipient of the service, in undertaking to pay the penalty, has expressly waived their right to any abatement or if the penalty has been stipulated in consideration of mere delay. Therefore, it is important to consider the inclusion or otherwise of such wording in the contract.

Regulatory Matters

Under the GDPR and local data protection law, specific measures need to be put into place if personal data is to be transferred outside of the European Economic Area (EEA). Thus, should the IT service provider be based outside the EEA, and wish to access personal data held by the recipient of the service, a data processing agreement will need to be concluded in accordance with the European Commission's Standard Contractual Clauses, unless other safeguards are in place.

Additionally, several companies that are subject to regulation demand that particular regulatory data be stored on EEA-based servers so that the appropriate regulatory authority can easily access it. The Malta Gaming Authority (MGA), which mandates that regulatory data be accessible, available, and traceable, is one example. For this purpose, the MGA demands access to real-time information, which could present problems if such data is in a different jurisdiction or in the cloud. The matter can be solved by real-time replication of the data, on a live replication server in Malta, although this is not the only solution. Discussions with the MGA can serve to address these issues.

9. Trust Services and Digital Entities

9.1 Trust Services and Electronic Signatures/Digital Identity Schemes

The eIDAS Regulation (Regulation (EC) 910/2014) permits citizens, enterprises, and public authorities to use electronic identification and trust services to access online services or handle electronic transactions. Through openness, security, technical neutrality, co-operation, and interoperability, eIDAS seeks to promote the efficient flow of trade throughout the EU. To uphold these ideals, eIDAS ensures that individuals and organisations can access public services offered online in other EU nations using their own national electronic identification schemes (eIDs) and establishes a European internal market for trust services by guaranteeing that these services will function internationally and have the same legal standing as their conventional paper-based counterparts.

The eIDAS Regulation was transposed into the Maltese eCommerce Act and the Electronic Trust Services Notification and Fees Regulations SL 426.03 by virtue of Act XXXV of 2016, which also repealed or amended all local provisions that were previously in force but were inconsistent with the eIDAS Regulation. The Regulation deals with three types of electronic signatures: standard, advanced or qualified, as detailed below.

  • An advanced electronic signature (AdES) is one that meets the following requirements:
    • it is uniquely linked to the signatory;
    • it is capable of identifying the signatory;
    • it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control; and
    • it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
  • A qualified electronic signature (QES) is an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures. In other words, a QES is an advanced electronic signature with a digital certificate that has been encrypted by a secure signature creation device through a qualified trust service provider (requirements for these are also in the law).

The Regulation states that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures (for example, with a scanned signature, one would need to prove its validity with additional evidence). On the other hand, a qualified electronic signature has the equivalent legal effect of a handwritten signature. If a qualified electronic signature is based on a qualified certificate issued in one member state, it must be recognised as a qualified electronic signature in all other member states.

Under Schedule 5 of the Maltese eCommerce Act, unless specifically provided in the law, the above does not apply to the following activities/areas.

  • The field of taxation.
  • Matters in relation to information society services covered by any laws relating to data protection.
  • Questions in relation to agreements or practices governed by competition law.
  • The following activities of information society services:
    • the activities of notaries or equivalent professions to the extent that they involve a direct and specific connection with the exercise of public authority;
    • the representation of a client and defence of their interests before the courts; and
    • gambling activities which involve wagering a stake with monetary value in games of chance, including lotteries and betting transactions.
  • Contracts that create or transfer rights over immovable property other than leasing rights.
  • Contracts of suretyship granted and on collateral security furnished by persons acting for purposes outside their trade, business or profession.
  • The law governing the creation, execution, amendment, variation or revocation of:
    • a will or any other testamentary instrument;
    • a trust; or
    • a power of attorney.
  • Any law governing the making of an affidavit or a solemn declaration, or requiring or permitting the use of one for any purpose.
  • The rules, practices or procedures of a court or tribunal however so described.
  • Any law relating to the giving of evidence in criminal proceedings.
  • Any contracts governed by family law.

In relation to trust services, the European Union Trusted Lists (EUTL) is a public list of trust service providers (TSPs) that are specifically accredited to offer certificate-based digital IDs for individuals, digital seals for businesses, and time stamping services for Qualified Electronic Signatures in compliance with the eIDAS Regulation. Each EU member state generally supervises trust service providers established in that state; however, once a provider is approved in one member state, its services can be provided in other EU countries and accepted as having the same level of compliance. In Malta, trust service providers are supervised by the Malta Communications Authority.

Malta has also put into place the "eIDAS Node", which complies with the EU Interoperability Framework and allows Maltese citizens to use the digital public services of other EU member states and conversely allows European citizens access to the digital services of the Maltese government.
