The pre-GDPR regime – PART 1

by Dr Edric Micallef Figallo – Associate

The following is the second article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The first article may be viewed here.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter “Directive”

The GDPR repealed the Directive with effect from the 25th May 2018 by virtue of Article 94 thereof, i.e. on the date of application of the GDPR.

The above also led to a redrafting of the national legislative provisions implementing the Directive. Malta had introduced its Data Protection Act (Cap. 440 of the Laws of Malta) by virtue of Act XXVI of 2001 with a view to complying with the acquis communautaire ahead of its EU accession (on the 1st May 2004), and thus to fulfil the requirements of the Directive. Following the date of application of the GDPR, set for the 25th May 2018 by virtue of Article 99 thereof, the Maltese legislature promulgated Act XX of 2018 on the 28th May 2018, which repealed and replaced Cap. 440 so as to comply with the requirements of the GDPR. This new national legislative instrument, once again entitled Data Protection Act, is now Chapter 586 of the Laws of Malta.

It is essential to point out that the choice of legislative instrument carries a particular legal distinction: the Directive was a directive, while the GDPR is a regulation. The former laid down results to be achieved by Member States through the enactment of national legislation and its subsequent administrative implementation, while the GDPR is directly applicable and forms part of the domestic legal order by virtue of the instrument chosen. The previous regime allowed greater discretion to Member States, produced more legislative fragmentation within the EU, and offered less legal certainty to operators acting beyond the jurisdiction of a single Member State. All of these were in fact reasons for the GDPR taking the form of a regulation.

With that cleared, what was the historical background leading to the Directive?

Length constraints require a very concise summary thereof, and the main intention of this article is to pave the way so as to eventually highlight the developments leading to, and the changes brought about by, the GDPR in a future article in the series. In that article we shall delve into the actual principles, processes and requirements of the GDPR as in force, with a comparative outlook vis-à-vis the previous regime as needed.

The Directive came into force in an age in which the internet, and the immense number of data transactions it has come to entail, had not yet come to dominate data processing. It was preceded on an international level by the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (hereinafter, “Guidelines”, found here) of the Organisation for Economic Co-operation and Development (OECD), adopted on the 23rd September 1980. According to the Introduction to its Explanatory Memorandum, with reference to the 1970s, the Guidelines came about inter alia for the following reasons:

“A feature of OECD Member countries over the past decade has been the development of laws for the protection of privacy. These laws have tended to assume different forms in different countries, and in many countries are still in the process of being developed. The disparities in legislation may create obstacles to the free flow of information between countries. Such flows have greatly increased in recent years and are bound to continue to grow as a result of the introduction of new computer and communication technology.”

Reference to the Guidelines is important because the principles laid down therein were central to the Directive and remain central to the GDPR as well. These principles relate to:
1. Collection limitation;
2. Data quality;
3. Purpose specification;
4. Use limitation;
5. Security safeguards;
6. Openness;
7. Individual participation; and
8. Accountability.

In PART 2 of this article, we shall expand on these principles and on how they were implemented in the Directive and the GDPR.

