Data protection legislation nearing Cabinet stage

Window for stakeholder comments closing tomorrow

Up for Cabinet approval after independent review

The much-needed yet long overdue framework for a proposed data protection legislation was recently made public for stakeholder comments.

The prepared framework provides outlines of the key principles and provisions that are proposed to be included in the Draft Bill.

The provisions were formulated by a drafting committee by examining several international best practices, according to the Ministry of Digital Infrastructure and Information Technology Secretary D.C. Dissanayake.

Accordingly, when drafting the Bill, the committee referred to Organisation for Economic Co-operation and Development (OECD) Guidelines, Asia-Pacific Economic Cooperation (APEC) Privacy Framework, Council of Europe Data Protection Convention, the European Union General Data Protection Regulations, as well as laws enacted in other jurisdictions such as Australia, Mauritius, Singapore, and the Indian draft legislation.

The window provided for stakeholder comments will be closed tomorrow and following that, the framework would be reviewed by an independent review committee which is co-chaired by Justice K.T. Chitrasiri and Prof. Savithri Goonesekera.

Subsequently, the Bill will be sent for Cabinet approval and thereafter, will be tabled at the Parliament for final nod.

During a recently held press conference, Non-Cabinet Minister of Digital Infrastructure and Information Technology Ajith P. Perera noted that the whole process from obtaining comments to submitting to the Parliament will take two months.

At the moment, Sri Lanka does not have a cross-sectoral data protection law. However, there are several data protection enabled legislation such as the Banking Act (1988), licenses issued under the Telecommunications Act (1991), Intellectual Property Act (2003), Computer Crimes Act (2007), and the Registration of Persons (Amendment) Act No. 8 of 2016.

Sri Lanka was in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists disclose that several stakeholders have complained that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.

The move comes following a request made by the Central Bank of Sri Lanka (CBSL) in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in increasing personal data collection by the private sector.

The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL on 19 September 2018.

The Article 14A in the 19th Amendment facilitated the introduction of the concept of privacy as an exemption, according to Information and Communication Technology (ICTA) Director/Legal Advisor and Sri Lanka Computer Emergency Readiness Team (CERT) Acting Chairman Jayantha Fernando.
“The Article has the right to information built in but there is a clause giving an exemption and it talks about balancing the person’s right to obtain the information with control measures for public safety and national security. Using that exemption as a baseline, the Digital Infrastructure Ministry is forming a data protection legal regime,” he stated speaking to The Sunday Morning Business in March.