Data Protection Bill receives Cabinet nod

As the pandemic pushed the world, including Sri Lanka, into the digital highway faster than anyone would have thought possible, the authorities at home are beefing up legal protections against its citizens’ personal data, used both online and offline. 

To this end, the Cabinet has already approved the draft Data Protection Bill and it is expected to become law soon after a faster passage expected through Parliament, as the project launched in 2019 to bring legislative protection against the personal data of Sri Lankans. 

With the accelerated digitalisation of almost everything in the world and the dominance of big technology companies, which rely predominantly on personal data to advance their business and financial objectives, concerns mounted, specially in the West and Europe, over the protection of data and privacy.

In response, the European Union (EU) in 2018 enacted what is called the General Data Protection Regulation (GDPR), the toughest privacy and security law in the world thus far, setting guidelines on collection and processing of personal information from the individuals who live in the trading block by anyone from any part of the world.  The violators are slapped with the harshest fines going up to tens of millions of euros and in the recent times, big tech companies became the key targets by the EU regulators.  While there were few industry-specific legislative protections available through other Acts of Parliament against privacy violations in Sri Lanka, which functions in isolation, this is the first time a consolidated legal framework has been developed to provide robust protection, with a clear definition of the term ‘data’ and with specific provisions for implementation.     

In parallel, a draft Cybersecurity Bill, another piece of legislation aimed at providing legal protection against the potential cybersecurity risks and threats on which Sri Lanka currently remains heavily vulnerable, is also expected to become law soon. After being launched in 2019 and revised in March 2021, the final draft of the Act to Provide for Regulation of Processing of Personal Data (July 2021) was released last month. The draft bill provides measures to protect individual data held by banks, telecom operators, hospitals and other personal data aggregating and processing entities. Use of personal data for purposes other than the specified purposes would tantamount to a violation of the law, under the draft bill.

The passage of the bill also becomes crucial at a time when the government is forging ahead with its much ambitious digital identity project and the potential measures in contact tracing for effective management of the COVID-19 pandemic. 

In July this year, Transparency International in a legislative brief issued on the final draft bill made five key recommendations to be incorporated, before it becoming a law, with the main aim of preventing the possibility of the provision of this bill infringing the right to information by the citizens, provided by the Rights to Information Act. 
“Harmonise the understanding of ‘personal data’ between the Personal Data Protection Bill and Right to Information Act. Such amendment would ensure that when a request is made to obtain information under the Right to Information Act, the possibility that the request clashes with the Personal Data Protection Bill is minimised,” one of their recommendation cited. 

“Recognise ‘journalistic purpose’ as a legitimate condition to process data,” another recommendation stated. It also proposed to set up an independent Data Protection Authority.