Data protection bill: Revised draft coming soon

The legal text of the data protection draft bill, approved by the Legal Draftsman’s Department, will soon be made available to the general public through the Ministry of Digital Infrastructure and Information Technology website.

The bill that is with the Legal Draftsman’s Department at the moment will also be sent to the Cabinet of Ministers for their approval soon in parallel to being published on the website.

According to Information and Technology Agency (ICTA) Director/Legal Advisor Jayantha Fernando, the draft bill will be gazetted after approvals from the Cabinet at the Attorney General’s (AG) Department. However, even thereafter, the bill can be subjected to committee-stage amendments when presented to Parliament based on stakeholder comments and suggestions.

“There is opportunity to further improve the draft bill, even after it’s sent to the Cabinet, depending on feedback received by the Ministry. Nothing is better than having a continuous process of improvement,” he told The Sunday Morning Business.


He added that the bill would capture all the relevant policies in addition to the comments from stakeholders.

In June this year, the Ministry put out the framework of the bill for stakeholder comments, and legislation was said to be finalised before the end of July. The draft framework provided the key principles and provisions that are proposed to be included in the draft bill and was available for comments until 1 July.

Since 28 June, several rounds of discussions have been held with a variety of stakeholders. The initial discussion was held on 28 June and was followed by another stakeholder discussion on 18 July, specific to the banking sector.

In between, several discussions were held, each separately, with the doctors involving medical informatics, chief information officers of banks, and with the computer society of Sri Lanka. The latest round of discussions was held last week and based on the comments and suggestions received from all these discussions, substantial modifications have been made to the first framework that was published in June.

A number of institutions including the Central Bank of Sri Lanka (CBSL), Sri Lanka Computer Emergency Readiness Team (SLCERT), Ministry of Justice and Prison Reforms, and the Information and Communication Technology Agency (ICTA) have been involved in this process.

The provisions have been formulated by a drafting committee through the examination of several international best practices. Accordingly, when drafting the bill, the committee referred to Organisation for Economic Co-operation and Development (OECD) guidelines, Asia-Pacific Economic Cooperation (APEC) Privacy Framework, the Council of Europe Data Protection Convention, European Union General Data Protection Regulation (EU GDPR), laws enacted in other jurisdictions such as Australia, Mauritius, Singapore, and Indian draft legislation.

At the moment, Sri Lanka does not have a cross-sectoral data protection law. However, there are several data protection-enabled legislations such as the Banking Act No. 30 of 1988, licenses issued under the Telecommunications Act No. 25 of 1991, Intellectual Property Act No. 36 of 2003, Computer Crimes Act No. 24 of 2007, and the Registration of Persons (Amendment) Act No. 8 of 2016.

Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists have noted that stakeholders complain that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.

The first steps towards a data protection act were made following a request made by the CBSL in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in increasing personal data collection by the private sector. The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL in September 2018.