MALTA Law and Practice Contributed by: Andrew J Zammit, James Bartolo and Nicholas Scerri, GVZH Advocates
which carry a number of risks to the operation of a Malta-based gaming licensee. Thus, the MGA recommends that such service providers be assessed and approved by it as part of the pre-licensing assessment or at the post-licensing stage. Where the licensee receives material gaming supplies from a third party not approved by the MGA, the licensee must assume full regulatory responsibility for such supplies. A licensee must also have a regularly updated outsourcing policy and a written agreement with the service provider containing a number of required provisions. The agreement must specifically include clauses addressing data confidentiality, subcontracting limitation, and the right of the MGA to audit or access data stored within the cloud infrastructure. Non-compliance with these requirements can result in penalties, including the suspension or revocation of the gaming licence.

Security of Network and Information Systems

The Measures for High Common Level of Security of Network and Information Systems Order (Chapter 460.35, Laws of Malta) transposes Directive (EU) 2016/1148 (the “NIS Directive”) into Maltese law and addresses cloud computing. (The NIS2 Directive, however, is yet to be transposed.) The NIS Directive aims to implement measures for the achievement of a high common level of network and information system security across the EU’s critical infrastructure.

The Order establishes a Critical Information Infrastructure Protection Unit (the “CIIP Unit”), which is responsible for matters relating to the identification and designation of operators of essential services and digital service providers, as well as the adoption of a national strategy on the security of network and information systems. The CIIP Unit works in collaboration with sector-specific regulators to establish clear reporting obligations for significant incidents affecting cloud services.

Malta has also implemented a cybersecurity strategy which had six main goals, including the establishment of a governance framework, the strengthening of the fight against cybercrime and national cyber defence, improving cybersecurity awareness and education, encouraging initiatives by the private sector, and building upon national and international co-operation. This strategy includes periodic reviews and updates to ensure alignment with emerging cybersecurity challenges, particularly those posed by reliance on cloud infrastructures and remote working models.

Data Protection

Malta is subject to the GDPR; the general rules in this respect apply also to the issues brought about by cloud computing. The most common issues here relate to the fact that most service providers in this field provide standard terms which are not easily negotiable and thus any data protection-related provisions may not always reflect the required GDPR standards if the cloud service provider is based outside the EEA.

Additionally, transfers of personal data need to comply with specific safeguards, the most common being the use of the Commission’s Standard Contractual Clauses (SCCs). The SCCs were amended in June 2021 following the Schrems II judgment which invalidated the EU-US Privacy Shield. As a result, international transfers have become significantly more complex. A provider of cloud computing services established outside the EU would need to show compliance with the new standards in order to be considered GDPR compliant.

Furthermore, organisations must conduct a Data Protection Impact Assessment (DPIA) when processing personal data in cloud environments that involve high risks to the rights