By Yakuta Dawood
Protection of privacy is a grave concern we all encounter on a daily basis, with corporations processing personal data without consent, not allowing customers to opt out of having their data processed, apps being loaded with trackers, and many more similar incidents. However, legislation to ensure protection from privacy violations and data concerns is yet to be implemented.
The final draft of Sri Lanka’s proposed Data Protection Bill, which was scheduled to be published this month (May) after being presented to the Cabinet, is now delayed by another two months, The Sunday Morning Business learns. The draft of the Bill was initially finalised by the then Government in 2019; since then it has been amended on multiple occasions and was expected to be submitted to Parliament a couple of times.
Speaking to us, Information and Communication Technology Agency of Sri Lanka (ICTA) Chairman Prof. Lalith Gamage revealed that the Bill, which was recently released to the public after amendments to key provisions in the original Draft Bill, is delayed due to the prevailing conditions in the country.
“The Bill will now be presented in the month of July. Firstly, due to the prevailing Covid-19 conditions which have also resulted in employees working from home, and secondly because of several other barriers to achieve the result,” he said.
Further, speaking to us, ICTA Director and Legal Advisor Jayantha Fernando said that the amendment to the Bill is based on the feedback given by several stakeholders including the Central Bank of Sri Lanka (CBSL), Attorney General’s Department, and Ministry of Justice.
However, in March, Fernando said that a high-level implementation task force was recently appointed to define the roadmap for the implementation of the Data Protection Bill and also to identify options for the Data Protection Act (DPA) models.
Explaining the latest version of the Bill, he noted that one of the key measures of the amendment is that, after implementation, Government departments, banks, telecom operators, and organisations will be held accountable for persons’ personal data through a self-regulatory mechanism known as the Data Protection Management Programme.
Secondly, a Data Protection Authority will instruct Government and private sector entities on processing personal data, and impose penalties in the event of non-compliance. It also authorises a Right of Appeal from these decisions to the Court of Appeal.
Thirdly, there is the Data Protection Impact Assessment (DPIA), which is centred on entities carrying out high-risk processing of data collection. The Bill similarly defines the criteria for cloud hosting of data under the provisions governing cross-border data flows, and includes safeguards when data is hosted outside the country.
Along with many other amendments and benefits, the Data Protection Authority will also process the Right of Appeal requests by citizens against entities for refusal of their requests under the Law.
The final draft of the Data Protection Bill that was released in September 2019 provides a new set of rights to citizens under the title “Rights of Data Subjects”, while imposing obligations on those who collect personal data. The Bill allows personal data to be collected only for specified purposes. However, a media release issued by the authorities at that point highlighted that processing data in the public interest and for scientific or historical research would be allowed. Under the Bill, individuals would have the right to withdraw their consent given to controllers and the right to rectify data without undue delay. In addition to this, the “data subjects”, as the people are referred to, have been given the right to object to the processing of their data.
These rights of data subjects can be exercised directly by the individuals with the controllers who are required to respond within a defined time period and are obliged to give reasons for refusing to meet the request or reasons as to why the controllers would refrain from further processing said data. The individual has a right to appeal against the decision of the controllers to the Data Protection Authority that will be set up to implement the legislation.
The drafting of the legislation was initiated by then Minister of Digital Infrastructure and Information Technology Ajith P. Perera on 5 February 2019. In June 2019, the Ministry put out the framework of the Bill for stakeholder comments, following which substantial modifications were made to the said framework, based on consultations held with key stakeholders.
Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists have noted that stakeholders complain that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.
The first steps towards the Data Protection Act were made following a request made by the Central Bank of Sri Lanka (CBSL) in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in an increase in personal data collection by the private sector. The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL in September 2018.
Meanwhile, we also spoke to Technology Consultant Asela Waidyalankara who expressed his concerns stating that Sri Lanka has a huge void in this context, as there is no clear mandate, no clear law, or no clear regulation on how digital data of individuals is managed.
“Every day, Sri Lanka’s data is being exploited. For instance, if you look at the election period, people were suddenly bombarded by propaganda from different parties through SMS, calls, etc., but we don’t know how they found the phone numbers nor will they disclose the information – which means that people’s data has been treated badly,” he highlighted.
Hence, he further stated that he can see a light at the end of the tunnel as the Data Protection Act will be presented to the Cabinet and Parliament.
“However, even if the Act is passed today, it will take at least two years for that Act to kick in, as time would need to be given for organisations to change their internal processes or system to make sure they’re up to the mark with the Act which is not acceptable to me, as it should be enforced as quickly as possible,” Waidyalankara added.
Alongside the Data Protection Bill, ICTA is also working towards the implementation of the Cybersecurity Bill which has been in the pipeline for several years. However, it is scheduled to be finalised by the Legal Draftsman within the next three months.
ICTA Director Fernando speaking to us last month stated that the long-outstanding issue which was dragging through one-and-a-half years has finally been resolved.
“The good news is that the issue is sorted and currently the Ministry of Technology is in the process of presenting the cabinet memorandum to the relevant cabinet ministers,” Fernando added.
According to him, ICTA, together with the Sri Lanka Computer Emergency Readiness Team (SLCERT), has been involved in several discussions with the Ministry of Defence to handle the area of cybersecurity legislation.
Similarly, ICTA Chairman Silva had also confirmed that the Cybersecurity Bill is currently being drafted by ICTA and SLCERT, together with the Defence Ministry, in order to enforce security on activities based online.
With reference to the Defence Ministry, this legal framework will be introduced under the National Cyber Security Strategy, which will be formulated soon to address emerging cybercrime-related issues that pose a threat to national security.
In January 2020, Defence Secretary Gen. (Retd.) Kamal Gunaratne instructed SLCERT to finalise drafting the proposed Cybersecurity Act in order to establish a comprehensive framework for the prevention and management of cybersecurity threats and incidents effectively, and also for the protection of critical information infrastructure.
“These crimes include cybercrimes such as credit card fraud, revenge, pornography, crimes against property, crimes against hacking and intellectual property theft, and crimes against the government and other organizations such as cyber-terrorism, hacking of websites, processing of unauthorised information, and hacking into sensitive financial data,” a press release by the Ministry of Defence, dated 22 January 2020, affirmed.
Cybersecurity in Sri Lanka is currently exceptionally good in comparison to previous years. For example, the country was earlier ranked 98th as a cyber-secure country; at present it is ranked 69th, a tremendous improvement of almost 30 positions.
It is to be understood that the Sri Lanka Computer Emergency Readiness Team (SLCERT), along with ICTA and other organisations, is closely monitoring Sri Lanka’s digital platform, which leaves absolute minimum space for breaches by external threats such as hackers.
With both the important Data Protection Act and Cybersecurity Act in the process of being approved by the Government this year, Sri Lanka will hopefully be set to be a much safer, more secure, and threat-free advanced country in the future.