TMT 2025

MALTA Law and Practice Contributed by: Andrew J Zammit, James Bartolo and Nicholas Scerri, GVZH Advocates

4.2 Compliance and Governance

Companies deploying IoT solutions in Malta face several compliance challenges that require careful regulatory adherence.

• Cybersecurity vulnerabilities – with no specific IoT security certification framework in place, organisations must rely on broader EU cybersecurity regulations. The Malta Cybersecurity Strategy provides guidance but lacks sector-specific standards for IoT devices, making it imperative for companies to implement their own robust security protocols.
• Spectrum allocation and numbering resources – the Malta Communications Authority (MCA) regulates spectrum allocation and numbering plans for IoT/M2M connectivity. Businesses must obtain the necessary authorisations and comply with MCA’s numbering framework to avoid service disruptions.

To effectively manage IoT deployments in Malta, companies should adopt the following governance frameworks.

• Regulatory compliance monitoring – organisations must stay updated on developments from the MCA, the Information and Data Protection Commissioner (IDPC), and other Maltese regulatory bodies to ensure continued compliance with evolving legal requirements.
• IoT device certification and standards compliance – although Malta does not have specific certification requirements, companies should voluntarily align with international security and interoperability standards such as ISO/IEC 27001 to enhance trust and market competitiveness.

unsafe (even having actual knowledge of this) would be liable.

4. Internet of Things

4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection

The key legal frameworks applicable in Malta include the following.

• Data Protection Act (Chapter 586 Laws of Malta) – IoT manufacturers and service providers must ensure compliance with GDPR, particularly regarding consent, purpose limitation, data minimisation and user rights. Since it is not always feasible to obtain direct consent from users, alternative legal bases for processing data must be explored.
• The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 586.01) – these Regulations govern the confidentiality of communications, addressing issues such as electronic tracking, consent for data collection and the security of communications.
• Data Protection Impact Assessments (DPIA) – companies deploying IoT projects must conduct DPIAs before launching a new device or service to identify and mitigate risks associated with data processing.
• EU Cybersecurity Act (Regulation (EU) 2019/881) – this regulation enhances cybersecurity across the EU by establishing a cybersecurity certification framework for ICT products, services and processes, including IoT devices.

CHAMBERS.COM