New cyberlaws bills published
by Martin Debattista
Following the publication of a white paper about new laws in the fields of data protection, electronic commerce and information practices earlier this year, two new bills dealing with have been published in the Government Gazette in October 2000. It is the government’s intention that the drafts are discussed and approved in Parliament by the end of the year.
The first bill will govern electronic commerce while the other is the Data Protection Act, aimed at protecting individuals against violation of their privacy and integrity by the processing of personal data.
Electronic Commerce Bill
The objects and reasons of the Electronic Commerce Bill are to facilitate the use of electronic commerce, communications and transactions; to promote confidence in the use of electronic commerce and communications, and to enable the business sector and the community to use electronic communications in their dealings with the government. The bill also amends the Criminal Code by introducing computer misuse.
The e-commerce bill provides that a transaction would not be deemed to be invalid merely because it took place, wholly or partly, by means of one or more electronic communications. If, by law, a person is required or permitted to give information in writing, that requirement shall be deemed to have been satisfied if the person gives the information by means of electronic communication.
When the signature of a person is required, this requirement would be deemed as satisfied if the signature is in the form of an advanced electronic signature which is based on a qualified certificate and which is created by a secure signature creation device.
The bill includes provisions on signature certification services and a prohibition of misuse of electronic signatures, signature creation devices, certificates and fraud, with penalties going up to a maximum of six months in prison and a fine of Lm10,000 plus. There may also be administrative sanctions.
When a person is required to record information in writing, such information may be stored electronically as long as it is readily accessible.
The new bill provides for electronic contracts and includes provisions on time of dispatch and receipt.
The amendment to the Criminal Code lists possible cases constituting computer misuse, including unauthorised access to data, software or supporting documentation; the unauthorised prevention or hindrance of others from accessing data; the unauthorised destruction or transfer of data; disclosure of passwords or access codes to unauthorised persons; the unauthorised use of other persons' passwords or access codes; and the unauthorised modification of computer equipment.
When an act is committed outside Malta which, had it been committed in Malta, would have constituted an offence, that act would be considered as having been committed in Malta if it affects computers used here. Penalties go up to a maximum fine of Lm10,000 and a jail term of four years.
The bill includes safeguards regarding the laws on wills and testaments, the creation of power of attorney, the taking of affidavits, the family law and the transfer of immovable property.
Data Protection Bill
The Data Protection Bill provides for the setting up of a regulatory body that will exercise overall control on the processing of personal data.
The new law shall not affect the provisions of the European Convention Act relating to freedom of expression or the provisions of the Press Act relating to journalistic freedoms. The competent authority being set up according to the new law will however encourage the drawing up of a suitable code of conduct for journalists and the media to regulate the processing of personal data.
Controllers will be responsible for ensuring that personal data is processed only if it is lawful and that it is always processed in a correct manner and in accordance with good practice. Personal data may only be collected for specific, explicitly stated and legitimate purposes, and personal data may not be processed for any purpose that is incompatible with that for which the information is collected. Personal data may not be kept for longer than required.
Personal data may be processed only if the data subject has unambiguously given his consent; if the processing is necessary for the performance of a contract to which the data subject is party; if processing is necessary for compliance with a legal obligation; if processing is necessary to protect the vital interests of the data subject and if processing is necessary.
The bill lays down that no one may process sensitive personal data unless the data subject has given his consent or the data is manifestly made public by the data subject. Such data may be processed for health management reasons, for statistics by the competent authority, when it is necessary under employment law, when the vital interests of the data subject can be protected and the data subject is physically or legally incapable of giving his consent, or when legal claims are to be established, exercised or defended.
Non-profit seeking organisations with political, philosophical, religious or trade union objectives may, in the course of their activities and with proper guarantees, process sensitive personal data concerning their members and such other persons who, by reason of the objects of the entity, have regular contact with it. Sensitive personal data may be provided to a third party only if the data subject agrees.
Data relating to offences, criminal convictions or security measures may only be processed under the control of a public authority. Identity card numbers may, in the absence of consent, be processed when it is clearly justified according to the purpose of processing, the importance of secure identification and other valid reasons that may be prescribed.
The bill provides that a controller must provide the data subject from whom data has been collected with at least the identity of the controller and any other persons authorised by him, the purpose of the processing of the data and the right to access and rectify the data concerning him. There are restrictions to the right to access in cases such as national security, defence, public security, criminal investigations, monetary, budgetary and taxation matters.
The bill includes provisions on protection in the case of automated processing.
The competent authority will create and maintain a public register of all processing operations and, on its own initiative or when requested by a data subject, verify whether the processing is being carried out according to law. It may instruct processors and controllers to take measures to ensure their operation is in line with the law and refer to the authorities any criminal offences that are encountered.
Violation of the law makes a person liable for a fine of up to Lm10,000 and a jail term of six months.
© Copyright 2000 - 2008 aboutmalta.com