In October 2025 the Maltese Government published Legal Notice 226 (“L.N. 226”) amending the Malta Digital Innovation Authority Act (Chapter 591) and Legal Notice 227 (“L.N. 227”) amending the Data Protection Act (Chapter 586) to transpose the first-ever legal framework on AI, Regulation (EU) 2024/1689 (“EU AI Act”), into Maltese legislation.
The EU AI Act provides a risk-based regulatory framework for AI systems operating in the EU, setting transparency obligations for AI operators and prohibiting the use of AI in certain high-risk situations.
L.N. 226 and the Malta Digital Innovation Authority
L.N. 226 gives the Malta Digital Innovation Authority (“MDIA”) new obligations and surveillance powers stemming from the EU AI Act. The MDIA is the primary regulatory authority in Malta for AI systems, with the ultimate aim of ensuring transparent and reliable technological and digital innovation, including systems involving AI.
The key provisions of L.N. 226 include:
- Surveillance and Information Sharing: Through this L.N. the MDIA and the Malta Financial Services Authority are to co-ordinate efficiently with each other on information regarding market surveillance activities needed to carry out their respective supervisory, surveillance and enforcement activities. In cases where high-risk AI systems are involved, such cooperation is also expected between the MDIA and the other relevant market surveillance authorities listed in Section A of Annex I of the EU AI Act.
- Registration of High-risk AI Systems: Providers of high-risk AI systems falling under Point 2 of Annex III of the EU AI Act are to register the AI system with the MDIA in accordance with the authority’s respective guidelines.
- Administrative Penalties: Whilst keeping in mind the provisions on penalties under the EU AI Act, any operator which infringes any provision of the EU AI Act shall be liable to an administrative penalty of a maximum of €350,000 for every infringement committed. Where the offender is an undertaking, the maximum penalty shall be up to 1% of its total worldwide annual turnover for the preceding financial year, where that amount is higher than €350,000. In addition, the MDIA may also impose a daily penalty of €12,000 on infringing operators for each day such infringements persist.
In deciding the gravity of the administrative penalty, the MDIA shall assess the relevant circumstances, including the:
- Gravity and duration of the infringement and its consequences
- Penalties, and whether they had already been applied by another Market Surveillance Authority regarding the same infringement
- Size and annual turnover of the infringing operator
- Any other aggravating or mitigating factors applicable to the circumstances of the case
- Degree of co-operation with the national competent authorities
- Degree of responsibility of the operator
- Circumstances under which the breach was detected by the authority
- Degree of intent involved, or whether the infringement was due to negligent behaviour
- Action taken by the operator to mitigate the harm
Following its assessment of the case, the MDIA may impose an administrative penalty on a public authority or body of up to €50,000 for each infringement and an additional daily penalty of €50 for each day the infringement persists.
The MDIA may, when it deems appropriate, issue reprimands, warnings or take any other similar non-monetary disciplinary measures against the operator. Proceedings initiated by the MDIA have a prescription period of 2 years starting from the date on which the alleged infringement was committed. Additionally, any penalty or fine imposed by the MDIA may be appealed in accordance with Part IX of Chapter 591.
L.N. 227 and the Office of the Information and Data Protection Commissioner
L.N. 227 focuses on the protection of personal data used in tandem with AI. To do so, L.N. 227 designates the Office of the Information and Data Protection Commissioner (“IDPC”) as the Market Surveillance Authority in Malta for certain high-risk AI systems. It further sets out the situations in which AI is prohibited and the limits on the use of AI in high-risk situations.
The IDPC shall supervise several high-risk AI systems, namely:
- high-risk biometric systems used for law enforcement purposes, border management, and justice and democracy, including:
  - remote biometric identification systems, not including AI systems used for biometric verification,
  - biometric categorisation systems based on sensitive characteristics,
  - AI systems intended to be used for emotion recognition;
- high-risk systems used to evaluate and classify emergency calls by natural persons or to dispatch emergency first response services;
- high-risk systems used for law enforcement, in so far as their use is permitted by law;
- high-risk systems used for migration, asylum and border control management, in so far as their use is permitted by law;
- high-risk systems used for the administration of justice and democratic processes.
L.N. 227 also provides a list of prohibited AI practices as per the EU AI Act; where one is committed, the IDPC shall exercise its discretion accordingly.
High-risk AI Systems Register
The IDPC shall establish a registry for the national registration of the high-risk AI systems listed in regulation 3 of the L.N.
Administrative Penalties
The IDPC may take enforcement action against operators who breach the EU AI Act or national implementing regulations. Like the MDIA, the IDPC may issue warnings as deemed necessary.
Administrative penalties can be up to €50,000 per infringement, plus a daily fine of €50 if the violation continues.
Operators may also be required to cease unlawful behaviour and take remedial action in writing. An appeal against the IDPC’s decision can be made to the Information and Data Protection Appeals Tribunal, and enforcement actions must be initiated within 2 years of the alleged breach.
Real-Time Biometric Identification Systems
L.N. 227 regulates the use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement, allowing the following exceptions when such a system is used for:
- a targeted search for victims of abduction, human trafficking or sexual exploitation, or for missing persons;
- preventing a specific, substantial and imminent threat to life or physical safety, or a genuine and present or foreseeable terrorist threat;
- locating or identifying a person suspected of committing a serious criminal offence (as listed in Annex II of the EU AI Act) punishable by at least four years of imprisonment or detention.
Additionally, for post-remote biometric identification systems to be used in criminal investigations, the authority deploying the system must request authorisation from a Magistrate either in advance (ex ante) or, in urgent cases, within 48 hours of use. The exception is where the system is only used for an initial identification based on clear and objective links to the crime. Each use must be strictly limited to what is necessary for investigating a specific criminal offence.
These two Legal Notices establish a national framework aligning Maltese law with EU regulations. They create a dual regulatory system that balances technological progress with the protection of individuals’ rights. L.N. 226 empowers the MDIA to oversee and enforce standards for AI systems, ensuring transparent technological development. L.N. 227 entrusts the IDPC with supervising high-risk AI systems, thereby safeguarding data protection principles and ethics. By delineating the competencies of these two authorities, co-operation and information sharing are facilitated.
Legal Intern, Martina Galea and Senior Lawyer, Dr Lara Borg Bugeja