Policy Update

The Malta Business Bureau is the EU-Business advisory office of the Malta Chamber of Commerce, Enterprise and Industry, and the Malta Hotels and Restaurants Association.

Regulation (EU) 2016/679 on General Data Protection

The EU revised personal data protection laws

After four years of discussion, in April 2016, the European Institutions have finalised the revision of the EU data protection legislation managed by businesses, known as the General Data Protection Regulation (GDPR).

GDPR’s primary objectives include simplifying the regulatory environment for business by unifying the rules within the European Union and strengthening citizens’ protection of personal data. Although the new Regulation shall become applicable from 25 May 2018, as it contains some onerous obligations, businesses will need time to prepare for it. For instance, it expands the territorial reach, includes the appointment of a Data Protection Officer, introduces accountability obligations on data controllers to demonstrate compliance as well as adds a framework of sanctions.

While the business community welcomed the initial proposal, it also expressed concern on its modifications. From a local perspective, the major concern was with regard to the obligation to appoint a Data Protection Officer by enterprises employing at least 250 persons or processing operations which require regular and systematic monitoring of data subjects. This would have resulted an unnecessary administrative and financial burden that businesses not involved in data processing operations would be forced to bear, especially for SMEs.

The Malta Business Bureau lobbied effectively with legislators to achieve a degree of flexibility in the application of the regulation as well as to take into account the nature of enterprises’ core activities by ensuring that the regulation did not undertake a one-size fits all approach.

The agreed text exempts the very large majority of Maltese SMEs from the obligation of appointing a Data Protection Officer. Only those engaged in activities that require regular and systematic monitoring of data subjects on a large scale or special categories of data.

The MBB welcomes the agreement reached on the new data protection regulation since it does not constitute an excessive burden for local business and focuses on companies that are not SMEs and those using large amounts of personal data.

From a European business perspective, BusinessEurope regrets that this new framework fails to include some elements that could have stimulated competiveness. Moreover it is disappointed since this is a missed opportunity for bringing additional harmonisation in the digital single market as well as for putting in place a really significant one-stop shop, which should have provided foreseeability and legal certainty for cross-borders cases. These rules will bring new burdens for businesses and create a disproportionate framework of sanctions.