
EPIC --- Privacy and Human Rights Report


EPIC --- Privacy and Human Rights Report 2006

Country Reports > Malta


Constitutional Privacy Framework

Article 38 of the Constitution of Malta provides individuals protection against arbitrary searches and seizures. To conduct a search, police officers must obtain warrants under reasonable grounds of suspicion. The Minister of Home Affairs or the Prime Minister may issue wiretap warrants, but only in circumstances that relate to national security.[3547]

Data Protection Framework

In May 2004, Malta joined the European Union. In order to comply with the EU Data Protection Directive 2002/58/EC, the Republic of Malta enacted the Data Protection Act[3548] in 2001, which entered into force on July 15, 2003. The Ministry for Information Technology and Investment is charged with enforcing data protection in Malta. Pursuant to the Act, the Republic named a Data Protection Commissioner and a Data Protection Appeals Tribunal in March 2002. The Act outlines nine principles to ensure the protection of personal information.[3549] Data collectors must state to individuals the specific purpose for the collection of information,[3550] and the data may not be used for other purposes.[3551] The Act also contains accuracy requirements, mandating that "reasonable measures" be taken to "complete, correct, block or erase data to the extent that such data is incomplete or incorrect."[3552] Regarding consent, an individual's "unambiguous" consent is required in order to process personal information[3553] (absent several exceptions) and "explicit" consent is necessary in order to process "sensitive personal data."[3554]

Data Protection Authority

Malta has a Data Protection Commissioner (the Commissioner), the Ombudsman, who independently investigates complaints. The Ombudsman may investigate complaints against government agencies as well as complaints against private individuals. In addition, the Data Protection Act establishes the following obligations of the Commissioner:

to carry out inspection or investigation and considering any complaint and for such purpose require the production of any documents and have access to the premises where data is kept;

to create and maintain a public register of all processing operations being notified by Data Controllers;

to encourage the drawing up of suitable codes of conduct by the various sectors;

to order the blocking, erasure or destruction of data, to impose a temporary or definitive ban on processing, or to warn or admonish the controller;

the Commissioner is also required to collaborate with supervisory authorities of other countries to the extent necessary for the performance of his duties and participate in the EU fora of data protection authorities;

to enforce the provisions of the Act and in cases of violation, the Commissioner may impose administrative fines or institute court proceedings.[3555]

The Commissioner has received numerous complaints which cover issues ranging from incorrect processing of personal data, right of access to personal data, excess collection of personal data, breach of a consumer's confidentiality, collection of personal data without prior consent, abusive processing of personal data, etc. In 2005, the Office received 41 complaints.[3556] Periodically privacy complaints lead to facility inspections. In 2005, inspections were undertaken at a state hospital, credit reporting agencies, casinos, and the Armed Forces of Malta.[3557] The Commissioner’s Office utilizes multiple media outlets to educate citizens about privacy protections. The Office also provides a number of their services online, including online submission of complaints and payments.[3558]

The provisions of the Data Protection Act impose an obligation on data controllers to notify the processing operations in relation to the personal data being processed. As per L.N.154 of 2003 as amended by L.N.162 of 2004, the notification deadline was extended to July 14, 2004 and the notification fee reduced to a flat rate of Lm10 payable annually. Data Controllers who have no employees are exempted from the notification fee, as are NGOs that are exempted from the payment of Income Tax. Companies whose only personal data is that contained in the Articles registered with the Registrar of companies are not required to provide notification. To date, 9,000 notifications reached the DPA Office.[3559] In 2005, 340 new notifications were received by the Office.[3560] The Commissioner's staff consists of a technical unit with a legal professional, an IT professional and an executive compliance and five support staff.[3561] In 2005, a “twinning light” agreement was signed with the German Federal Commissioner for Data Protection. The agreement was signed to help the Commissioner strengthen and consolidate necessary resources in order to successfully implement the Data Protection Act.[3562]

The Commissioner established working groups that are representative of various sectors, such as education, insurance, journalism, and banking.[3563] The working groups have identified privacy issues unique to their industry and will work with the Commissioner’s Office to develop appropriate privacy principles to guide their sector. The Commissioner has also worked with various health privacy and medical research groups, as well as the Health Ethics Committee within the Ministry of Health, to establish data protection provisions for research participants.[3564]

The Malta Communications Authority regulates the telecommunications industry as mandated by the Telecommunications Regulation Act.[3565] The Authority was established in 2001 under the authority of the Malta Communications Authority Act.[3566] The main role of the Authority is to ensure freedom of communications, and they may only be limited when there are higher values at stake such as the protection of privacy or the prevention of crime.[3567] In 2003, the Authority enacted Telecommunications (Personal Data and Protection of Privacy) Regulations.[3568] The Regulations contain provisions to help telecommunications subscribers maintain their privacy. The Regulations require telecommunications providers to inform their subscribers of the existence of situations where their information may be unintentionally made available to third parties.[3569] The Regulations also require telecommunications carriers to provide the option of disabling caller ID functions.

Directive 2002/58/EC in the field of electronic communications has been transposed in subsidiary legislation under both the Data Protection Act and the Electronic Communications (Regulation) Act.[3570] The secondary legislation provides an obligation for both authorities, the Office of the Data Protection Commissioner and the Malta Communications Authority, to mutually collaborate with the objective of ensuring effective data protection implementation in the electronic communications sector.[3571] In 2005, the applicability of privacy protections regarding unsolicited communications was extended to legal aliens as well as natural citizens.[3572] A proposal to amend Directive 2002/58/EC is currently being considered at the European level. The proposal regards the retention of data that relates to terrorist activities.[3573]

The Press Act sets forth the boundaries of acceptable content for the press.[3574] The Act makes it unlawful to "impute ulterior motives to the acts of the President of Malta" or to "insult, revile or bring into hatred . . . the person of the President." The Act also establishes libel and slander laws. The Seditious Propaganda (Prohibition Ordinance)[3575] makes it illegal to print material that is likely to encourage seditious activity. The Act allows the government to obtain a warrant to intercept and open mail suspected of containing seditious material.[3576] The government generally respects the freedom of the press and independent media are active in Malta.[3577] However, there were two incidents of journalists’ homes being targeted for arson after they printed stories regarding human rights for immigrants and refugees. In 2005, journalists were invited to submit proposals to the Data Protection Commissioner for a code of conduct to govern their profession. The aim of the activity is to determine how to balance the privacy rights of citizens with freedom of expression.[3578] There were no government restrictions on access to the Internet in 2006 and bloggers are free to post whatever content they desire.[3579]

The Constitution prohibits arbitrary interference with privacy, family, home and correspondence. In 2003, the government generally respected these prohibitions in practice and violations were subject to effective legal sanctions. Only police officers with the rank of inspector or above are allowed to issue search warrants based on reasonable grounds for suspicion of wrongdoing. Security services may intercept communications, such as by tapping telephones, but only under specific written authorization of the Minister for Home Affairs or the Prime Minister.[3580] In 2003, such actions were permitted only in cases related to national security, including combating organized crime.[3581] These authorizations were reviewed by a special commission and a security committee, under the oversight of the Prime Minister, the Leader of the Opposition, and the Ministers for Home and Foreign Affairs.[3582]

Recent Developments

Since its launch in April 2003, the Malta Public Service Intranet has been steadily increasing its features and attracting a growing number of users. The main development brought by the second phase of the Public Service Intranet (PSI), which started in September 2004, was the creation of secure, reserved areas that allow user groups to share restricted documents such as presentations, minutes and news items.[3583] Currently, 90% of schools and 50% of homes have internet access.[3584]

The government of Malta has initiated the research phase of a program aimed at switching all voice communications between central departments to Voice over Internet Protocol (VoIP). The Office of the Prime Minister's Central Information Management Unit (CIMU)[3585] and Malta Information Technology and Training Services Ltd (MITTS)[3586] – a government-owned company supplying IT systems and services to government departments – are currently working on a project to implement VoIP communications between ministries. CIMU will lead the project from the business aspect, while MITTS will be coordinating the technical side. A Project Review Board has defined a short to medium term strategy – involving the migration to VoIP of each individual department – and a long-term strategy that will connect all departments together so as to achieve cost savings in intra-governmental calls. Switching to VoIP is not a complete novelty for the Maltese public sector. In 2003 the Ministry for the Family and Social Security[3587] implemented a VoIP system connecting it to all its agencies.[3588]

Malta established an electronic health information portal for its citizens. The site allows people to do various tasks, including apply for a European Health Insurance Card and register online for numerous classes and programs.[3589]

International Obligations

Malta is a member of the Council of Europe (CoE) and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms,[3590] as well as the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108).[3591] In January 2002, the Maltese government signed the CoE Convention on Cybercrime, but the Parliament has not yet ratified it.[3592] The Data Protection Commissioner is also an active member of the Article 29 Working Party, an EU group focused on data protection and privacy.[3593]

Malta must begin issuing biometric passports by 2009 in order to remain compliant with European Commission requirements.[3594] In 2004, the Maltese government voted for adoption of fingerprints on all EU member state issued passports and travel documents.[3595]

[3547] See 2002 United States State Department Country Report on Human Rights Practices, available at <>.

[3548] Data Protection Act, Chap. 440, Act XXVI of 2001, available at < Data%20Protection%20Act%20CHAPT440.pdf>.
[3549] Data Protection Act, Part III § 7; See also Frank C. Dimech, "Protecting Yourself. . .from Data Protection," October 2002, available at <>.
[3550] Data Protection Act, Part III § 7(c).
[3551] Id. at § 7(d).
[3552] Id. at § 7(h).
[3553] Id. at § 9. Unambiguous consent may not be passive (e.g., opt-out) (See PART III of the Data Protection Act). However, the consent need not be explicit, and consent may be implied through certain actions an individual takes.
[3554] Id. at § 12(2).

[3555] E-mail from Ian Deguara, Head Information Unit, Office of the Commissioner for Data Protection of the Republic of Malta, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center, August 1, 2005 (on file with EPIC).

[3556] Office of the Data Protection Commissioner, “Data Protection Annual Report 2005”, available at <>.
[3557] Id.
[3558] Id.

[3559] E-mail from Ian Deguara, supra.
[3560] Office of the Data Protection Commissioner, “Data Protection Annual Report 2005”, supra.
[3561] Office of the Data Protection Commissioner, available at <>.
[3562] European Commission, “Ninth Annual Report of the Article 29 Working Party on Data Protection,” June 14, 2006.

[3563] Office of the Data Protection Commissioner, “Data Protection Annual Report 2005”, supra.
[3564] Id.

[3565] Chapter 399, Act XXXIII of 1997, available at <>.
[3566] Chapter 418, Act XVIII of 2000, available at <>.
[3567] Ministry for Competitiveness & Communications, “The Malta Communications Authority,” available at <>.
[3568] Telecommunications (Personal Data and Protection of Privacy) Regulations, available at <>.
[3569] Id. at § 8.

[3570] Chapter 399, Act VII of 2004, available at <>.
[3571] E-mail from Ian Deguara, supra.
[3572] European Commission, “Ninth Annual Report of the Article 29 Working Party on Data Protection,” supra.
[3573] Office of the Data Protection Commissioner, “Data Protection Annual Report 2005”, supra.

[3574] Press Act, Chapter 248, Act XL of 1974, available at <>.
[3575] Chapter 71, Ordinance XIX of 1932, available at <>.
[3576] Id. at § 3.
[3577] United States Department of State Country, Bureau of Democracy, Human Rights, and Labor, Report on Human Rights Practices (2006), Malta country report, available at <>.
[3578] Office of the Data Protection Commissioner, “Data Protection Annual Report 2005”, supra.
[3579] US Department of State, Report on Malta 2006, supra.

[3580] United States Department of State Country, Bureau of Democracy, Human Rights, and Labor, Report on Human Rights Practices (2003), Malta country report, February 25, 2004, available at <>.
[3581] Id.
[3582] Id.

[3583] “Maltese public sector Intranet supports communities of practice,” eGovernment news, March 1, 2005, available at <>.

[3584] US Department of State, Report on Malta 2006, supra.

[3585] See <>.
[3586] See <>.
[3587] See <>.
[3588] "Maltese public sector to migrate to Voice over IP," eGovernment news, March 29, 2005, available at <>.

[3589] Ministry for Health, the Elderly and Community Care, available at <>.

[3590] Signed December 12, 1966; ratified January 23, 1967; entered into force January 23, 1967.
[3591] Signed January 15, 2003; ratified February 28, 2003; entered into force June 1, 2003.
[3592] Signed January 17, 2002.
[3593] Office of the Data Protection Commissioner, “Data Protection Annual Report 2005”, supra.

[3594] “Latest Developments on Biometric Passports” (Malta EU Information Centre), MIT&I, available at <>.
[3595] “EU: Compulsory Fingerprinting for all Passports,” State Watch News Online, available at <>.
