The passage of Sri Lanka’s first-ever Data Protection Bill, which has been eagerly awaited by the information and communication technology (ICT) industry and business, will be delayed significantly, despite encouraging progress made over the past year. The Sunday Morning Business learns that the bill is currently pending certification from the Attorney General (AG) on its constitutionality. The Data Protection Drafting Committee Chair Jayantha Fernando told us that Secretary to the Ministry of Information and Communication Technology and Minister Information and Communication Technology, Higher Education, and Technology and Innovations are in the process of obtaining the Certificate from the AG, following which the bill will be published and presented to Parliament. “Following the election, the final draft was resubmitted to the Cabinet of Ministers. It came back from the Cabinet and is now pending the AG’s certificate of constitutionality for it to be published as a bill,” Fernando noted. He added that the business committee in Parliament has to decide when to take the bill up in Parliament, once the bill reaches it. However, he believes it is unlikely that the bill will be taken up for at least another month, as there are no free slots in the Parliament schedule. According to Fernando, despite the change of government, content of the final draft of the Data Protection Bill remains the same, with no major changes made by the incumbent Government. However, the subject Minister, Dr. Bandula Gunawardana, said that the Data Protection Bill does not come under his Ministry but confirmed that passing of the bill has been postponed. “The Data Protection Bill was transferred to the Ministry of Defence from my Ministry of Information and Communication Technology,” Dr. Gunawardana noted. However, we reliably learnt that even though most of the digital security subjects and institutions such as the Information and Communication Technology Agency (ICTA) and Sri Lanka Computer Emergency Readiness Team (SLCERT) were transferred under the purview of the Ministry of Defence, this particular Bill was submitted to the Cabinet under the subject of “Communication Technology”, which is part of Dr. Gunawardana’s Ministry. Background The final draft of the Data Protection Bill that was released in September last year provides a new set of rights to citizens under the title “Rights of Data Subjects” while imposing obligations on those who collect personal data. The final draft of the bill was prepared by the Legal Draftsman’s Department and the Data Protection Drafting Committee of the Ministry of Information and Communication Technology. The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/Convener), and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept.), Kanchana Ambagahawita and Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), and Trinesh Fernando and Shenuka Jayalath (Dialog PLC). The bill allows personal data to be collected only for specified purposes. However, a media release issued by the Ministry highlighted that processing of data in public interest and scientific or historical research would be allowed. “Personal data has to be processed in a manner to ensure appropriate security, including protection against accidental loss, destruction, or damage,” the release noted. Under the bill, individuals would have the right to withdraw his or her consent given to controllers and the right to rectify the data without undue delay. In addition to this, the “Data Subjects”, as the people are referred to, have been given the right to object to the processing of their data. These rights of data subjects can be exercised directly by the individuals with the controllers, who are required to respond within a defined time period and are obliged to give reasons for refusing to meet the request or reasons why the controllers would refrain from further processing said data. The individual has a right to appeal against the decision of the controllers to the Data Protection Authority. Although the original framework had provisions for the mandatory registration of controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on controllers. The accountability obligations would require controllers to implement internal controls and procedures known as a data protection management programme, in order to demonstrate how it implements the data protection obligations imposed under the act, once the bill is passed. The legislation also prohibits controllers from processing personal data and sending unsolicited messages, unless the respective individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf. Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of controllers. The drafting of the legislation was initiated by then Minister of Digital Infrastructure and Information Technology Ajith P. Perera on 5 February 2019. In June last year, the Ministry put out the framework of the bill for stakeholder comments and following that, substantial modifications were made to the said framework, based on consultations held with key stakeholders. The legislation will be implemented in stages and the entire bill will come into operation within a period of three years from the date the Speaker of Parliament certifies the bill and the time period would provide adequate time for the Government and private sector to prepare for the implementation of the legislation. A number of institutions including the Central Bank of Sri Lanka (CBSL), SLCERT, Ministry of Justice and Prison Reforms, the ICTA have been involved in this process. The provisions have been formulated by a drafting committee through the examination of several international best practices. Accordingly, when drafting the bill, the committee referred to the Organisation for Economic Co-operation and Development (OECD) guidelines, Asia-Pacific Economic Co-operation (APEC) Privacy Framework, the Council of Europe Data Protection Convention, European Union General Data Protection Regulation (EU GDPR), and laws enacted in other jurisdictions such as Australia, Mauritius, Singapore, and India. At the moment, Sri Lanka does not have a cross-sectoral data protection law. However, there are several data protection-enabled legislations such as the Banking Act No. 30 of 1988, licenses issued under the Telecommunications Act No. 25 of 1991, Intellectual Property Act No. 36 of 2003, Computer Crimes Act No. 24 of 2007, and Registration of Persons (Amendment) Act No. 8 of 2016. Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists have noted that stakeholders complain that foreign investors are deterred by the lack of such a legal setup in Sri Lanka. The first steps towards a data protection act were made following a request made by the CBSL in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in increasing personal data collection by the private sector. The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL in September 2018.