Bill 143 - Article 33: personal data affirmed by legislative intent

The legal framework governing access to planning information in Malta is primarily structured by the Article 33 of the current Development Planning Act (Cap. 552). This provision requires the Planning Authority to make available to the public a range of documents relevant to development applications and decisions, such as reports, environmental assessments, and site analyses. Central to this framework is the concluding proviso of sub-article (2)(c)(iv), which currently provides:

“Provided further that for the purposes of this article, in the case of a file held by the Authority, any person shall have access to that part of the file containing the following information:
(i) the application report of all applications and any planning report regarding such applications;
(ii) all decisions relating to development permissions issued by the Authority together with the relative plans and documents including the reasons for the grant of such permissions or refusal;
(iii) all environmental impact statements, environmental planning statements and traffic impact statements; and
(iv) all alternative site assessments and cost-benefit analysis.”

Bill No. 143 of 2025, however introduces a consequential revision. It replaces the full stop at the end of paragraph (iv) with a colon and adds:

“Provided further that any information or documentation not expressly identified in this article as accessible shall not be made available, unless otherwise provided by applicable regulations or, where appropriate, at the discretion of the Authority.”

Under the current formulation, the list of accessible documents is detailed but arguably non-exhaustive; the amendment presumes inaccessibility for any material not expressly identified in the statutory list unless a specific legal or regulatory exception applies. It is safe to say that this amendment reflects a broader shift in administrative design grounded in codified permissions and data governance constraints based on a model of presumptive transparency.

Still, the new approach realigns access with explicit legal authorisation—particularly in response to evolving obligations under the General Data Protection Regulation (Regulation EU 2016/679). Files frequently contain personal submissions, objector identities, and other data that engage privacy protections under Articles 6 and 10 GDPR. Under the GDPR, personal data may only be disclosed by public authorities where there exists a clear, specific legal basis.

Kranenborg (2008) emphasises that public access to personal information cannot be presumed from the institutional context alone; it must be affirmed by legislative intent and circumscribed by safeguards. Kuner, Bygrave, and Docksey (2020) further reinforce this principle by noting that the use of “special category” data in administrative decisions (such as those pertaining to health, objections, or environmental risks) must be accompanied by regulatory clarity and safeguards against undue exposure. As Hoofnagle and Van Der Sloot (2019) argue, GDPR compliance demands not only minimalism in disclosure but an evidential standard of necessity and proportionality in each act of access.

This means that public authorities are obligated to articulate and control disclosure frameworks to avoid regulatory liability and ensure lawful processing.

In the context of planning, this is not a theoretical risk.

Having said all this, the transparency concerns under discussion become ‘mitigated’ by the ‘procedural guarantees’ introduced through Bill No. 144 of 2025, which restructures the Environment and Planning Review Tribunal (EPRT). The new tribunal framework embeds mandatory digital notification, adversarial exchange, and symmetrical access to documents for all parties involved in the appeal process. The effect of these provisions is to ensure that all evidence, submissions, and communications form part of a shared procedural record, accessible to all litigants.

Indeed, according to Article 11(2):

“The Secretary of the Tribunal shall keep a register of the email addresses of all persons involved in the appeal proceedings, and this register shall be available to all such persons.”

This is reinforced by Article 11(3), which stipulates:

“Any document… shall be notified to all other parties via email at the time of submission, or no later than two (2) working days thereafter.”

So while the amendment to Article 33 of the Development Planning Act reflects a clear legislative intent to harmonise public access rights with data protection requirements under the GDPR by advancing a model of rule-based disclosure, conditioned by regulatory oversight and administrative discretion, everything seems to fall flat at tribunal stage.

Hoofnagle, Chris Jay, & Van Der Sloot, Bart.

The European Union General Data Protection Regulation: What it is and what it means.
Information & Communications Technology Law, Vol. 28, Issue 1, 2019, pp. 65–98.

Kuner, Christopher; Bygrave, Lee A.; Docksey, Christopher (eds).

The EU General Data Protection Regulation: A Commentary (2nd Edition).
Oxford University Press, 2020, Chapter on Articles 6 & 10, pp. 120–160.

IT Governance Publishing (ITGP) Team.

EU General Data Protection Regulation (GDPR): An Implementation and Compliance Guide.
Ely, UK: IT Governance Publishing, 2025 Edition, pp. 1–120.

Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) Adopted 27 April 2016.

Bill 143 – Article 33: personal data affirmed by legislative intent

Recent Posts

When the “Flexibility Policy” Meets Its Limits: Lessons from Spiteri Gonzi

Article 495A: Why Co-Owners Cannot Buy Each Other Out

Desertion in Planning Appeals: Reframing the Doctrine Around Procedural Initiative

Why Governments Hesitate to Use Protocol No. 12

Main Menu

Q&As

Publications