Data Protection Bill draft in two months

An outline of the Data Protection Bill, ensuring protection of personal data, will be completed within the next two to three months, according to the Ministry of Digital Infrastructure and Information Technology.

Speaking to The Sunday Morning Business, the Ministry’s Additional Secretary M.C.L. Rodrigo stated that for the bill to become operational, it requires approval from the Cabinet and thereafter tabled at the Parliament for final nod.

“Through Cabinet it has to go to the Parliament as it is a bill. Our plan is to put that within two months, but April is also coming, which will create a slowdown. Minister needs to finalise it within the next two months and we will try our best to do that.”

Data protection and information security laws are crucial in attracting FDIs and several stakeholders have complained that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.

Information and Communication Technology (ICTA) Director/ Legal Advisor & Sri Lanka CERT Actg Chairman Jayantha Fernando stated that an outline of the bill would be sent to the stakeholders to obtain their comments and feedback on the contents.

An expert Committee has been appointed with the responsibility of preparing the bill by the Ministry of Digital Infrastructure and Information Technology, with Fernando functioning as Convener of this committee.

Fernando said that making the outline of the bill available to the stakeholders, including the banks, chambers, telecommunication providers, IT industry Associations and to the Central Bank of Sri Lanka (CBSL) was a decision which had to be taken by the Ministry.

“Once we get the outline of the document, we will put it out for review towards the last week of April. We can share it with a wider community. It will allow people to examine whether the law will benefit the country and whether this is the kind of the model people are looking for.”

Fernando stated that even though an Expert Committee is vested with the responsibility of preparing the Bill, the drafting of the Bill is being done by the Department of Legal Draftsman. The Committee is working strategically with the officials identified by the Ministry for this purpose and looking at International best practices.

“Actual drafting work is with the legal draftsman. We have regular meetings to review the formulation of the document.”

According to Rodrigo, the Bill may also require Constitutional approval from the Attorney General.

“For technical documents we need approval, the screening and review by the Legal Draftsman Department, and we may also need the Attorney General’s approval. If we can do that in two months, it will be a very big achievement.”

Fernando stated that the Article 14A in the 19th Amendment facilitated the introduction of the of the concept of privacy as an exemption.

“The Article has the right to information built in but there is a clause giving an exemption and it talks about balancing the person’s right to obtain the information with control measures for public safety and national security. Using that exemption as a baseline, there is an ongoing initiative in Sri Lanka at the moment and Digital Infrastructure ministry is handling that. There is an ongoing process to form a data protection legal regime.”

In the process of drafting the Data Protection Bill, Sri Lanka is looking at Data Protection Acts of several countries including Australia and Singapore.

“We have looked at Australia and Singapore but the problem is Singapore does not have the right to information law. So in a sense, we are in a different situation. India is still in the drafting stage,” Fernando stated.

Considering the maturity levels of countries, models of smaller countries with common law regimes were also looked at.

“We are looking at the fundamental principles. People are talking about General Data Protection Regulation (GDPR) of the EU which is a very complex regime to implement. We were looking at smaller countries from the common law regime such as Malta, Malaysia, Mauritius, and Kenya.”

The Data Protection Bill was initiated under the guidance of Minister of Digital Infrastructure and Information Technology Ajith P. Perera and is currently being reviewed by an expert committee of which Jayantha Fernando is Convenor.

During a recent press conference, the Minister stated that the Ease of Business Doing Index of Sri Lanka will be increased along with the developments in the country’s digital infrastructure facilities.