
Data protection in a digital Sri Lanka

04 Dec 2021

By Asela Waidyalankara

Ever since British mathematician Clive Humby coined the phrase “data is the new oil” in 2006, impressing upon us how this “new” natural resource would shape our digital lives and, in the process, make a few select tech companies very rich, regulators and governments across the world have been playing catch-up to legislate how personal data is used by organisations.

Data protection is commonly defined as the law designed to protect an individual’s personal data. Among data protection advocates, the European Union’s (EU) General Data Protection Regulation (GDPR) is seen as the gold standard. The EU enforces strict rules on how its citizens’ data can be used by tech companies, and imposes hefty fines for noncompliance – up to € 20 million ($ 23 million) or 4% of a firm’s annual global turnover. Some notable examples of noncompliance fines are British Airways – $ 230 million, Marriott – $ 123 million, and Google – $ 57 million.

In the Sri Lankan context of data protection, or in the wider scope of privacy overall, there appears to be little legal precedent before the current efforts towards data protection legislation. Although Sri Lankan courts have somewhat overcome these difficulties by providing judgments that recognise the right to privacy of individual citizens (Sinha Ratnatunga v. the State, [2001] 2 SLR 172), there still exists a considerable lacuna in our legal framework, which does not recognise citizens’ right to privacy, especially data privacy.

After much deliberation and many rounds of legal consultations, since 2017, by various industry stakeholders including the Ceylon Chamber of Commerce (CCC), Sri Lanka Association for Software Services Companies (SLASSCOM), Federation of Information Technology Industry Sri Lanka (FITIS), etc., we can finally witness the fruition of this exercise in the form of the final draft of the Data Protection Bill that was published as a gazette on 19 November 2021.
The Bill is expected to be presented to Parliament in early 2022 for approval, whereupon it would become law. This historic legislation would not have been possible without the dedicated Legal Drafting Committee, headed by Information and Communication Technology Agency (ICTA) General Counsel Jayantha Fernando, who was accommodative of the diverse opinions of stakeholders; the committee did its best to accommodate and review each stakeholder’s differing points of view.

The draft Bill takes heavy inspiration from the EU’s GDPR and introduces two vital data protection concepts into Sri Lanka’s framework – privacy by design and rights of data subjects (users).

Privacy by design

Privacy by design (PbD) is an approach towards data protection that all businesses (including non-IT based businesses) should now take when creating digital products and building websites. PbD involves keeping data collection to a minimum and building security measures into all stages of a product’s design.

If we examine Sections 6, 7, 8, 9, and 10 of the Bill, we can observe that “Section 6: Obligation to define a purpose for personal data processing”, which includes specified, explicit, and legitimate purposes, requires that the purpose for processing personal data be defined clearly by business entities or data controllers. Each data controller (an organisation that collects user data) has an obligation to limit the purpose of data collection to its defined purposes given in Section 7, thereby limiting the unauthorised usage and exploitation of customers’ data, by stipulating conditions that data processed shall be adequate, relevant, and proportionate to its usage. Section 8 relates to the accuracy of data and ensuring that data is kept updated, and Section 9 defines periods of retention. Section 10 provides key safeguards for collected data, inclusive of encryption and other data protection methodologies, to ensure its protection by organisations that gather the data.
Finally, all these are internally enforceable in an organisation by mandating that data controllers implement mature data protection management programmes (under Section 12).

Rights of data subjects

The Data Protection Bill vests new rights with users of services that collect their data, which are discussed under Part II: Rights of Data Subjects. Under Sections 13, 14, 15, and 16, citizens are empowered to know exactly how their data is collected and used and to request what information has been collected; if there are mistakes or errors in their data, a citizen can request to have them corrected. A request can also be made to delete an individual’s data from the records of a data collector. Finally, citizens are allowed to refuse data processing, for example, for marketing efforts, although it must be noted that these rights are subject to controls and exceptions discussed in later sections.

Failure to comply with the rights and regulations laid down by the Bill would subject a data controller to a fine not exceeding Rs. 10 million for noncompliance, as determined by the Data Protection Authority (the state agency empowered and established under the Bill).

An additional aspect of citizen empowerment provided under this Bill would be the crackdown on the current wave of unsolicited messages that many citizens receive without having given their consent. The Bill would empower the Data Protection Authority to take action on these messages and their service providers.

Applicability to int’l businesses

Among the other salient features of the Bill, Section 2, which specifies to whom this legislation would apply, makes special note, under 2(b)(v), of an entity that “…specifically monitors the behaviour of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behaviour of such data subjects in so far as such behaviour takes place in Sri Lanka”.
This is a clear indication that global tech companies that have made data collection a trillion-dollar business will be subjected to review under this legislation. Therefore, companies like Meta (Facebook, Instagram) and Google are likely to fall under the purview of the Data Protection Authority of Sri Lanka in terms of their data collection practices. It would be an interesting development in the future to see how these organisations would react to any rulings by the Sri Lankan authorities.

Data residency and sovereignty

The Data Protection Bill introduces the concepts of data residency and data sovereignty. Data residency refers to the physical or geographic location of an organisation’s data or information. Data sovereignty refers to the jurisdictional control or legal authority that can be asserted over data because its physical location is within jurisdictional boundaries.

If we examine Section 26 of the Bill, it sets limits for when a public authority (government agency) processes citizens’ data: such data should be processed within the territory of Sri Lanka and not in a third country, unless approved by the subject minister in consultation with the Data Protection Authority. However, given the complexity of some IT systems, especially with cloud implementations, it would be interesting to examine how the Data Protection Authority would lay down the guidelines and frameworks for this type of data residency to be implemented.

SL entering new phase

Finally, Sri Lanka has suffered many setbacks in attracting high-net technology foreign direct investments (FDIs) into the country due to the lack of a clear legal framework on data protection. Additionally, Sri Lankan technology companies have faced challenges such as non-tariff trade barriers when entering EU markets due to the country’s weak privacy legislation.
The Data Protection Bill, with its subsequent approval in Parliament, would lay the foundation to send a signal that Sri Lanka is mature enough to join the ranks of countries that empower and protect their citizens’ data rights. The Bill would also create new lines of business opportunities in data privacy services in Sri Lanka, such as virtual data protection officers, consultancy and audit services to implement internal controls for organisations for their data protection in line with the legislation, and training and education services for employees, management, and boards on the importance of data protection practices and their added liabilities.

Sri Lanka is entering a bold new phase in its technology laws with the introduction of the Data Protection Bill. As more mature, connected technologies emerge and are used to harness, and at times exploit, our data, more legislative vigour and agility may be required to curb these practices and ensure a safe digital environment for future generations. At least we have our start; let’s build on this foundation for a better, secure, digital Sri Lanka.

(The writer has been a prominent personality in the sphere of cybersecurity, with over a decade of experience in progressive technology and digital strategy. Garnering extensive qualifications in both the legal and technical arenas, he is a pioneer trailblazer and avant-garde in the information security marketplace.)
