Data Protection Bill draft made public

The final draft of Sri Lanka’s first, much-awaited Data Protection Bill that was released last week provides a new set of rights to citizens under the title “Rights of Data Subjects” while imposing obligations on those who collect personal data.

The final draft of the Bill, prepared by the Legal Draftsman Department and the Data Protection Drafting Committee of the Ministry of Digital Infrastructure and Information Technology, was released to the public last week.

The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/Convenor), and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept), Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), and Trinesh Fernando and Shenuka Jayalath (Dialog PLC).

The Bill allows personal data to be collected only for specified purposes. However, a media release issued by the Ministry highlighted that processing of data in public interest and scientific or historical research would be allowed.

“Personal data has to be processed in a manner to ensure appropriate security, including protection against accidental loss, destruction, or damage,” the release noted.

Under the Bill, individuals would have the right to withdraw consent given to controllers and the right to have their data rectified without undue delay. In addition, the “Data Subjects”, as the people are referred to, have been given the right to object to the processing of their data.

These Rights of Data Subjects can be exercised by individuals directly with the controller, who is required to respond within a defined time period and is obliged to give reasons for refusing the request, or reasons why the controller would refrain from further processing the data.

The individual has a right to appeal against the decision of the controller to the Data Protection Authority.

Although the original framework had provisions for the mandatory registration of controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on controllers.

The accountability obligations would require controllers to implement internal controls and procedures, known as a “Data Protection Management Programme”, in order to demonstrate how they implement the data protection obligations imposed under the Act.

The legislation also prohibits controllers from processing personal data and sending unsolicited messages, unless the respective individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf.

Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of controllers.

The drafting of the legislation was initiated by Minister of Digital Infrastructure and Information Technology Ajith P. Perera on 5 February 2019.

In June this year, the Ministry put out the framework of the Bill for stakeholder comments. Following that, substantial modifications were made to the framework based on consultations held with key stakeholders.

The legislation will be implemented in stages, and the entire Bill will come into operation within a period of three years from the date the Speaker certifies the Bill. This time period is intended to give the Government and private sector adequate time to prepare for the implementation of the legislation.

According to the Ministry, the Data Protection Authority is required to be established within 18 months in order to implement the legislation.

A number of institutions including the Central Bank of Sri Lanka (CBSL), Sri Lanka Computer Emergency Readiness Team (SLCERT), Ministry of Justice and Prison Reforms, and the Information and Communication Technology Agency (ICTA) have been involved in this process.

The provisions have been formulated by a drafting committee through the examination of several international best practices. Accordingly, when drafting the Bill, the committee referred to the Organisation for Economic Co-operation and Development (OECD) guidelines, Asia-Pacific Economic Co-operation (APEC) Privacy Framework, the Council of Europe Data Protection Convention, European Union General Data Protection Regulation (EU GDPR), and laws enacted in other jurisdictions such as Australia, Mauritius, Singapore, and India.

At the moment, Sri Lanka does not have a cross-sectoral data protection law. However, there are several pieces of legislation with data protection provisions, such as the Banking Act No. 30 of 1988, licences issued under the Telecommunications Act No. 25 of 1991, the Intellectual Property Act No. 36 of 2003, the Computer Crimes Act No. 24 of 2007, and the Registration of Persons (Amendment) Act No. 8 of 2016.

Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists have noted that stakeholders complain that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.

The first steps towards a data protection act were taken following a request made by the CBSL in 2018, as well as Sri Lanka’s drive towards becoming a digital economy, which has resulted in increasing collection of personal data by the private sector. The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL in September 2018.