Business

Changes to data protection law to be finalised in 2-3 weeks

The changes to the framework for Sri Lanka’s first data protection legislation will be finalised in the next two-three weeks, based on comments from industry stakeholders.

The much-needed yet long overdue framework was made public for stakeholder comments recently, according to the ICTA Director/Legal Advisor.

The changes are expected to bring the draft legislation in line with stakeholder views which had been received, and address certain concerns that had been raised.

The draft framework provided the key principles and provisions that are proposed to be included in the draft bill.
The Ministry of Digital Infrastructure and Information Technology (MDIIT) in collaboration with the International Trade Centre (ITC) held a National Public-Private Dialogue (PPD) on the “Legal Framework for the Proposed Data Protection Bill” on 27 June which provided a platform for a live discussion of certain aspects of the draft.

While many issues were brought up at this forum, a majority of participants commended the availability of the draft for public review as a positive first step.
The provisions have been formulated by a drafting committee by examining several international best practices, according to the Ministry of Digital Infrastructure and Information Technology Secretary D.C. Dissanayake.

Accordingly, when drafting the bill, the committee referred to Organisation for Economic Co-operation and Development (OECD) Guidelines, Asia-Pacific Economic Cooperation (APEC) Privacy Framework, Council of Europe Data Protection Convention, the European Union General Data Protection Regulations, as well as laws enacted in other jurisdictions such as Australia, Mauritius, Singapore, and the Indian draft legislation.

Following the amendments based on the public comments, the bill will be sent for Cabinet approval and thereafter, will be tabled at the Parliament for final nod.
During a recently held press conference, Non-Cabinet Minister of Digital Infrastructure and Information Technology Ajith P. Perera noted that the whole process from obtaining comments to submitting to the Parliament will take two months.

At the moment, Sri Lanka does not have a cross-sectoral data protection law. However, there are several data protection enabled legislation such as the Banking Act (1988), licenses issued under the Telecommunications Act (1991), Intellectual Property Act (2003), Computer Crimes Act (2007), and the Registration of Persons (Amendment) Act No. 8 of 2016.

Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists disclose that several stakeholders have complained that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.

The move came following a request made by the Central Bank of Sri Lanka (CBSL) in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in increasing personal data collection by the private sector.
The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL on 19 September 2018.