Privacy laws in Sri Lanka Your privacy is your right!

If you have come across a situation where your telephone conversations, intimate video tapes, CCTV footage or any other material has been recorded and published without your consent, you’re in a situation where your privacy has been violated. Several laws and Acts in the country defines a person’s right to privacy although Constitutionally, it is yet to be established as a fundamental right. Recent incidents of leaking phone recordings, a video of a former MP flashing a pet dog, various CCTV footage of shootings and other crimes to mainstream media underscore the inadequacy of privacy laws in the country. Here’s a glimpse of the laws and Acts that can be referred to, in the event of a violation of privacy.

International laws 

Article 12 of the Universal Declaration of Human Rights talks about privacy. It states that no one shall be subject to arbitrary interference with his privacy, family, home or correspondence nor attacks upon his honour or reputation.  Everyone has a right to protection of the law against such interference or attacks. 

“Most of these laws were made in UK, USA and other countries and  there are two words that correspond each other – privacy and honour and reputation,” opined Chanakya Jayadeva, Attorney-at-Law, legal counsel and expert on Entertainment Law, Media and Intellectual Property Law. “This is because privacy is about protecting your honour, dignity and reputation. As such the European Union member states have therefore recognized privacy as a fundamental right.”

In 1960, International jurist Prof. William Prosser  devised a ‘complex of four’ point test to attest privacy. The four points are;

Whether there has been an intrusion into the person’s private space 
Whether the public disclosure of personal information about a person, which could be embarrassing to them has been revealed
Promoting access to information about a person which could lead to the public to have an incorrect belief about them 

Appropriation, for the defendant’s advantage, of the person’s name or likeness

Sri Lankan situation 

Jayadeva further said that in terms of the Sri Lankan situation  there is no constitutional or fundamental right to privacy. “But it is found in a few Acts and in the common law. Privacy issues have come up in certain court cases, in situations ranging from servitude, criminal defamation, unlawful arrests etc.”
In common law legal systems the Right to Privacy has been recognized as integral to the individual’s dignity. Roman Dutch Law which is Sri Lankan common law too recognizes the Right to Privacy. The Right to Privacy has gained recognition as an independent personality right and a breach of privacy would give rise to an action for injury under the actio injuriarum. Actio injuriarum provides a general remedy for wrongs to interest of personality. Here, damages are awarded to the plaintiff’s injured dignity and/or reputation. If your privacy has been violated, it violates your dignity and therefore you someone can file damages on these grounds,” Jayadeva further said. 
There are certain laws which recognize the right to privacy in Sri Lanka. These include the Computer Crimes Act No. 24 of 2007, the Right to Information Act No. 12 of 2016 and the Personal Data Protection Act No. 9 of 2022. If we take the Computer Crimes Act, it indirectly recognizes the right to privacy. The Computer Crimes Act is designed to protect against unauthorized access to a computer by making it an offense. 

The Right to Information Act is an Act to provide for the Right to Information. Section 5 talks about denial of access to information – there are many grounds, but the first clause states that information that relates to personal information and the disclosure of which has no relationship to any public activity or interest or which could cause unwarranted invasion of privacy of an individual is prohibited unless the larger public interest justifies same. Therefore the Right to Information Act is subject to these exceptions. Hence, if a person’s privacy is being violated, the exception is that unless public interest justifies,” Jayadeva further said. 

However, no matter what law is brought about, social media and internet is difficult to control because of the changing technological landscape of the Internet day by day.  Therefore, it is very difficult to deal with privacy violations in the internet of things, including social media and standalone internet sites

Section 43 of the RTI Act elaborates that information includes any material which is recorded in any form including recordings, documents, memos, emails, opinions, advices, press releases, circular orders, log books, contracts, reports, papers, samples, models, correspondence, memorandum, draft legislation, book, plan, map, drawing, diagram, pictorial or graphic work, photographs, film, micro film, sound recordings, video tape, machine readable record, computer records and other documentary material, regardless of its physical form or character and any copy thereof. 

The latest and most significant law in which privacy is protected is the Personal Data Protection Act which was enacted last year. The preamble to this Act states that whereas it has become necessary for the government of Sri Lanka to provide a legal framework to provide for mechanisms to protect personal data of the subject ensuring consumer trust and safeguarding privacy. The Act defines what personal data is; a data subject is an identified or identifiable natural person, deceased person to which personal data relates to. 

Personal data is defined as information that can identify a data subject directly or indirectly by reference to an identifier such as a name, an identification number, financial data, one or more factors specific to the physical, physiological, biological , economic, cultural, social identity of that individual or natural person. 
Apart from that there are special categories of data such as personal data revealing racial, ethnic, religious, political opinions, philosophical beliefs, biometric data for uniquely identifying a natural person, data concerning a person’s sex life, sexual orientation, personal data relating to offenses and so on.

When someone obtains the types of data mentioned above) he has to obtain it with the consent of the person who holds the data. The person who obtains becomes the data controller and he can only use or process that data for the purposes which are elaborated as a legal purpose which is authorized under the Data Protection Act. The data controller can be an individual person or a legal person (company, government authority, institution etc.) 
Section 14 further also states every data subject shall have the right to withdraw his consent at any time upon a written request made by such data subject if such processing is based on the grounds specified in item (a) of Schedule I or item (a) of Schedule II of this Act; provided that, the withdrawal of such content shall not affect the lawfulness of any processing taken place prior to such withdrawal. “In that case the data controller has a duty to remove it, otherwise there would be a breech,” he pointed out. 

Release of CCTV footage 

Speaking about the release of certain videos to media, Jayadeva said that law enforcement authorities which obtain any video, audio or any data can only be used for the purpose of investigation, prosecution and furtherance of the investigation. Such data cannot be released to the media or any other unrelated institution unless a judicial order has been made. “One such international example is cricketer Danushka Gunathilaka’s alleged rape case where Australian courts made a suppression order against releasing information of the rape victim to the media.  That is the protection she had. However the suspect’s  name was revealed because he was the suspect,” he added.

The release of CCTV footage of shootings, robberies and other incidents have been frowned upon by the public as it not only instigate violence but also invades people’s privacy. “Even before the Personal Data Protection Act was introduced to Sri Lanka we have seen a notice being put up in places where CCTV cameras are in operation. It says ‘CCTVs cameras are in operation’ because you have a right to know that you’re being recorded or not.”
“Even on zoom meetings and other social media platforms there’s a message that goes to everyone to inform them that the meeting is being recorded. This is because of strict privacy laws prevalent in countries where such tech platforms originate from. However, in certain countries if you step into public places, you indirectly consent for your visual actions to be recorded by third parties without having to get your permission. In this event, the copyright of the recorded data is with the person who records it. However, the person who records such information cannot use it for commercial purpose or distort the visuals taken from the public place and use it for their advantage without taking the permission from the data subject (person or things in the visual).  Otherwise, in these countries, it can amount to both a privacy violation as well as a moral right violation.”

The Internet of Things and the way forward 

The European Union has drafted the General Data Protection Regulations which is one of the most advanced data protection laws.  However, no matter what law is brought about, social media and internet is difficult to control because of the changing technological landscape of the Internet day by day.  Therefore, it is very difficult to deal with privacy violations in the internet of things, including social media and standalone internet sites,” Jayadeva observed.

“I believe that the world has to get together and bring about a treaty which deals with regulation of privacy, which includes social media and mainstream media and bring about a Fuigeneris Law (of its own kind of law). Thereafter, a majority of countries should be encouraged to sign to it. This way, any country can deal with cross border issues. Unless an international treaty is devised it is difficult to protect privacy and publicity rights of people where citizen journalism has taken an unprecedented lead owing to social media and internet. Such treaty can be in the nature of WIPO’s internet treaties (WPPT and WCT) by which issues relating to international intellectual property violations are dealt with. We should also have a constitutional provision that includes right to privacy as a fundamental right. Certain countries do have a provision of the right to privacy and it is recognized as a constitutional right,” he underscored.