Proposed Data Protection Bill: Increasing online usage drives necessity

  • Final draft ready; gazette likely to be issued in August: Justice Minister  
  • Stakeholders awaiting final draft to review and express concerns 

By Yoshitha Perera 

The Data Protection Draft Bill was initially submitted to Cabinet on 18 December 2019 after several rounds of consultations with the public and relevant stakeholders. Subsequently, the draft bill was further reviewed and discussed with stakeholders, including at a seminar organised by the Junior Bar Council of the Bar Association of Sri Lanka (BASL) in 2020.

The draft bill was also reviewed by the Attorney General (AG) to verify its compliance with Article 77 of the Constitution and the preliminary comments received by the Drafting Committee in July 2020. Subsequently, the Drafting Committee met several times and is currently preparing the bill, incorporating the observations of the AG.

According to the data presented to the Information and Communications Technology Agency of Sri Lanka (ICTA), the Drafting Committee’s response to the AG’s observations was also reviewed by an independent review panel chaired by Judge K.T. Chitrasiri and the response was sent to the AG and Legal Draftsmen on 22 October 2020. 

Sharing his views on the current progress of the Data Protection Bill, Justice Minister Ali Sabry PC said that according to his knowledge, the AG has cleared the English version of the draft bill and the translations are being done.  

To be gazetted in August

He said: “Hopefully, the bill should be gazetted during the first part of August.” 

He added that this subject does not come directly under the Justice Ministry and that further explanations would be provided by the Ministry of Digital Infrastructure and Information Technology.

Confirming this statement, Justice Ministry Secretary M.M.P.K. Mayadunne also said that the draft of the Data Protection Bill is in the final stages, and the relevant ministries would be able to present it to Cabinet in August.

However, when The Sunday Morning contacted Ministry of Technology Secretary Jayantha de Silva to ascertain the current progress of the draft bill, he said that he was unable to share his views at the moment.

Protecting personal data is a vital mechanism that should be legally implemented with the rapid expansion of new technology.

According to the latest draft of the bill released on the ICTA website, the proposed bill covers the regulation of the processing of personal data while strengthening the rights of the data subjects.

It will also implement a statutory body or any other institution controlled by the Government or establish, under any written law, the “Data Protection Authority of Sri Lanka”. 

Presently, the country does not have any such laws for data protection and as more social, economic, and government activities are conducted online, personal data protection has to be implemented immediately.   

Sharing views on the draft bill at an online session conducted by the ICTA in the first week of July, ICTA General Counsel Jayantha Fernando said that the proposed bill would comprise provisions of internationally recognised standards. 

Timely implementation

He said: “In the current context, this is a timely discussion. Covid-19 has increased in its force and almost everyone has to move to online platforms to conduct their work. The law broadly stipulates a number of responsibilities for entities that collect data and the rights of individuals who provide data. When it comes to the perspective of duty, the law imposes a series of obligations on the organisations that collect data and how it proceeds.”

When The Sunday Morning contacted BASL President Saliya Pieris PC, he said that the BASL is waiting until the relevant authorities finalise the draft of the bill and gazette it before conducting a proper review of it.

“We have to first study the final draft of the bill; until that, I cannot give a comment on the areas that BASL has concerns about. We cannot provide a straight comment at the moment,” he said. 

TISL’s recommendations

In a statement last week, Transparency International Sri Lanka (TISL) said that it has taken steps to provide some legislative insights that lawmakers should consider for the proposed Data Protection Bill of 2021.

The TISL’s recommendations are as follows: 

  1. Include a specific exception to ensure that the Right to Information Act is not overridden in case of an inconsistency 
  2. Establish an independent data protection authority 
  3. Harmonise the understanding of “personal data” between the Personal Data Protection Bill and the Right to Information Act. Such an amendment would ensure that when a request is made to obtain information under the Right to Information Act, the possibility that the request clashes with the Personal Data Protection Bill is minimised 
  4. Remove “Financial Data” and “Personal Data Relating to Offences, Criminal Proceedings, and Convictions” from the list of special categories of personal data. This will ensure that people’s right to access information pertaining to corruption and malpractices is not infringed 
  5. Recognise “journalistic purpose” as a legitimate condition to process data

The TISL stated that the main purpose of these recommendations was to prevent this bill from, in effect, infringing on the right to information of the citizens of this country.

TISL Executive Director Nadishani Perera, commenting on the importance of the proposed recommendations, stated: “If the law relating to personal data protection infringes on the law relating to the right to information, there is a possibility that the public could lose faith in both of these laws. This could also lead to confusion between the agencies tasked with upholding these laws. Therefore, it is of paramount importance that steps are taken to amend the proposed legislation in order to ensure that both pieces of legislation are able to accomplish their expected goals.” 

It must also be highlighted that the establishment of an independent “data protection authority” is vital to ensuring that the new legislation would not be abused by individuals or groups who aim to use the legislation to the detriment of the public.