Data Protection Act before year end
To be expedited as priority action
By Madhusha Thavapalakumar
Amidst growing concerns over the lack of privacy and data protection, the long-awaited Data Protection Act is finally set to be passed and implemented before the end of this year, as the Government is treating its implementation as a priority, according to the Information and Communication Technology Agency (ICTA).
ICTA Chairman Jayantha de Silva, who is also the former Chief Executive Officer and President of IFS Sri Lanka, told The Sunday Morning Business that the Attorney General’s (AG) observation was given in August and the final round of drafting was completed on 2 November.
“We got Cabinet approval; the Data Protection Bill will be submitted to Parliament soon and subsequently implemented within this year. The President himself has given a lot of recognition and importance to the Bill,” de Silva stated.
The legislation was initially said to be implemented in stages and the entire Act will come into operation within a period of three years from the date the Speaker of Parliament certifies the Act. The time period would provide adequate time for the Government and the private sector to prepare for the implementation of the legislation.
The final draft of the Data Protection Bill that was released in September 2019 provides a new set of rights to citizens under the title “Rights of Data Subjects”, while imposing obligations on those who collect personal data. The Bill allows personal data to be collected only for specified purposes. However, a media release issued at that point in this matter by the authorities highlighted that processing data in public interest and scientific or historical research would be allowed. Under the Bill, individuals would have the right to withdraw his or her consent given to controllers and the right to rectify data without undue delay. In addition to this, the “data subjects”, as the people are referred to, have been given the right to object to the processing of their data.
These rights of data subjects can be exercised directly by the individuals with the controllers who are required to respond within a defined time period and are obliged to give reasons for refusing to meet the request or reasons as to why the controllers would refrain from further processing said data. The individual has a right to appeal against the decision of the controllers to the Data Protection Authority that will be set up to implement the legislation.
The drafting of the legislation was initiated by then Minister of Digital Infrastructure and Information Technology Ajith P. Perera on 5 February 2019. In June last year, the Ministry put out the framework of the Bill for stakeholder comments, following which substantial modifications were made to the said framework, based on consultations held with key stakeholders.
Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists have noted that stakeholders complain that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.
The first steps towards the Data Protection Act were made following a request made by the Central Bank of Sri Lanka (CBSL) in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in an increase in personal data collection by the private sector. The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL in September 2018.