Data Protection Act in May 

  • CBSL, AG’s Dept., Justice Ministry consulted for preparation

By Zahida Rizvi


The final draft of the Data Protection Bill, which was recently released to the public after amendments of key provisions made in the original Draft Bill, will be presented to the Cabinet of Ministers, and thereafter published as an Act in May.

Speaking to The Morning Business, Information and Communication Technologies Authority (ICTA) Director and Legal Advisor Jayantha Fernando stated: “A high-level implementation task force has recently been appointed to define the roadmap for the implementation of the Data Protection Bill, and to identify options for the Data Protection Act (DPA) models.”

The ICTA Director further pointed out that at this stage it would be a formal public document, and further modifications are to be made, while several changes have currently been made to the substantive provisions of the original Draft Bill released in December 2019, including the rearrangement of key provisions.

“The changes were based on the feedback of a number of stakeholders, including the Central Bank of Sri Lanka (CBSL), Attorney General’s Department, and Ministry of Justice,” he added.

He also highlighted the key measures introduced in the latest version of the Bill. The Data Protection Management Programme requires Government departments, banks, telecom operators, and organisations to be accountable for processing personal data as a self-regulatory mechanism. 

Further, a Data Protection Authority will process the Right of Appeal requests by citizens against entities for refusal of their requests under the Law. Another aspect of Data Protection Impact Assessment (DPIA) is centred on entities carrying out high-risk processing. An instance where DPIA is relevant is when different organisations carry out digital adoption that results in the collection of sensitive individual data. The Bill also defines the criteria for cloud hosting of data under the provisions governing cross-border data flows, and includes safeguards when data is hosted outside the country.

The Data Protection Authority will instruct government and private sector entities on processing personal data, and impose penalties in the event of non-compliance. It further authorises a Right of Appeal from these decisions to the Court of Appeal.

The drafting committee took into account international best practices such as the Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines, Asia Pacific Economic Co-operation (APEC) Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation, and laws enacted in other jurisdictions such as the UK, Singapore, Australia, and Mauritius, the state of California, as well as the relevant Indian Bill, when formulating the said draft legislation.

The original Draft Bill has already been released to the public through the ICTA website, and reviewed by the Attorney General (AG) for compliance with Article 77 of the Constitution, with the preliminary observations of the AG received by the drafting committee in July last year. 

The drafting committee’s responses to the AG’s observations were also reviewed by an independent review panel chaired by Justice K.T. Chitrasiri.