
Safeguards in cyberspace

05 Dec 2021

  • How will the new Data Protection Bill protect Sri Lankans?
By Sumudu Chamara

Having to provide a name, date of birth, mobile number, or email address when installing apps or software, or having to permit the collection of internet-related data by websites while browsing, are extremely common experiences nowadays, and sometimes we have to grant access to what is stored on our devices. Unfortunately, we have very little freedom to choose what information we share, and the information we give is often used for various purposes such as advertising.

We live in a digital age, and while there is a greater emphasis on people’s privacy and personal data, privacy is also something we have very little of, given the ways our personal information can be shared and processed. In this context, various countries have introduced laws to protect people’s personal data and to restrict the ways in which, and the reasons for which, entities can use, store, or process such data. Sri Lanka too identified the need for such a legal framework some time ago, and the drafting of a law to protect personal data has been underway since. After a lengthy process, the Cabinet of Ministers recently approved the draft, and on 25 November the Government issued the Personal Data Protection Bill.

Personal Data Protection Bill

The Bill provides for the regulation of the processing of personal data, and for identifying and strengthening the rights of data subjects (the persons to whom personal data relates or belongs) in relation to the protection of that data. It also provides for the designation of a Data Protection Authority (DPA). Information and Communication Technology Association of Sri Lanka (ICTA) General Counsel and Bill Drafting Committee Chairman Jayantha Fernando stated last week that the Bill primarily intends to balance the interests of enterprises that rely on personal data against the interests of the individuals whose personal data is being processed.
The Bill states that every (data) controller (an entity that determines the purposes for which, and the methods through which, personal data is processed) is bound to ensure that personal data is processed for a specified, explicit, and legitimate purpose, and that such personal data is not further processed in a manner incompatible with that purpose. The provisions of the Bill, however, do not apply to personal data processed purely for private, domestic, or household purposes by an individual, nor to any data other than personal data. Further processing of personal data by a controller for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes will not be considered incompatible with the initial purposes referred to in the Bill. Controllers are nonetheless required to ensure the integrity and confidentiality of the personal data being processed.

Describing the applicability and implementation of the Bill’s provisions (once it is passed by Parliament) during a webinar held by the ICTA and the Sri Lanka Institute of Directors (SLID), Fernando said that it also aims to ensure transparency and accountability in data processing activities. Fernando added: “The way in which personal data should be processed and managed by entities that collect people’s data, also known as controllers or processors, is statutorily governed through the Personal Data Protection Bill.” “A set of statutory rights has been given to individuals (through the Bill),” he said, stressing that citizens’ rights are what is primarily guaranteed through the Bill, and that the rights of data subjects are specifically covered by it.
Those who collect and process personal data, according to Fernando, will be required to ensure the security and confidentiality of the personal data they process by employing appropriate technical and organisational security measures, and will further be required to meet minimum transparency obligations. He pointed out that not only companies, corporates, and government entities in Sri Lanka, but also foreign platform providers and foreign entities that offer goods or services to data subjects, would be subject to the provisions of the Bill. One of the distinctive features of the Bill, according to Fernando, is that it establishes corporate liability for the proper management of people’s personal data. He added: “A penalty can be imposed under Part 6 of this statute once it is enacted, and if it is imposed on a body of persons or a corporate entity, every person who, at the time of the non-compliance under this law, was a director or other officer responsible for the management or control of that entity would be liable.”

Data protection authority

Speaking of the proposed establishment of a data protection authority, he said that for the proposed law to succeed in attracting digital investment, Sri Lanka also needs an effective, strong, and independent data protection authority. The objectives of the authority, as set out in Part 5 of the Bill, include regulating the processing of personal data in accordance with the provisions of the Act; safeguarding the privacy of data subjects from any adverse impact arising from the digitalisation of procedures and services in the public and private sectors; providing mechanisms to ensure the protection of the personal data of data subjects engaged in digital transactions and communications; and ensuring regulatory compliance with the provisions of the Act so as to facilitate growth and innovation in the digital economy.
Data privacy and the right to information

Fernando also discussed the concerns regarding data privacy and the right to information that some parties, such as Transparency International Sri Lanka (TISL), have raised. TISL, in its legislative brief on the Bill, recommended that a specific exception be included in the Bill to ensure that the Right to Information (RTI) Act is not overridden in the event of an inconsistency. TISL explained: “In terms of Section 35 (1) (e) of the Personal Data Protection Bill 2021, exemptions, restrictions, or derogations to the provisions of the Bill are allowed for the protection of the right to information. This provision attempts to guarantee the balance between the two rights. However, Section 3 of the Bill states that in the event of any inconsistency between the provisions of the Bill and the provisions of any written law, the provisions of the Bill prevail. Section 3 of the Bill can, therefore, repress the application of the RTI Act in case of a conflict between the two laws. It can affect the procedures set out by the RTI Act to access information, ultimately restricting citizens’ fundamental right to access information.” TISL said that, in practice, this can also lead to self-censoring at the information officer level owing to the lack of absolute clarity on whether the provisions of the RTI Act can be applied without fear of impinging on data protection rights, and that this situation can in turn lead to an increase in refusals and, consequently, appeals, which would increase the burden on the State and detract from the principle of maximum disclosure upon which the right of access to information is founded. TISL recommended that the Bill recognise the application of the provisions of the RTI Act as a proviso to Section 3 of the Bill.
With regard to the alleged clash between data privacy and the right to information, and noting the right to privacy guaranteed under Article 14A of the Constitution, Fernando said that even though the Bill may be construed as a restriction, he would consider the data protection framework a facilitating tool. He added that the provisions of the Bill allow the sharing of data based on a written legal obligation stemming from the RTI Act, among other purposes or requirements.

Laws to protect personal data

During the discussion, Sanduni Wickramasinghe, a member of the International Association of Privacy Professionals, Certified Information Privacy Manager (CIPM), and Certified Information Privacy Professional/Europe (CIPP/E), described the context in which Sri Lanka drafted its law on the protection of personal data. She said: “When we started the process of drafting the Bill in early 2019, the privacy and data protection landscape in Sri Lanka and globally was very different from what we are experiencing today, and obviously, the pandemic has forced many of us to be more technology savvy and has forced entities down the path of digital transformation. Owing to that, so many issues of privacy and data protection have arisen, and people have become more careful about their privacy and protection than they were two years ago.

“Also, since this is an ever-changing landscape, since the General Data Protection Regulation (GDPR) (Europe’s data privacy and security law) came into effect in May 2018, it has had a global ripple effect even on companies that are located in Sri Lanka.
So, similarly, as the law progresses, we would see how the data protection law in Sri Lanka will also have such an effect across the country, and across controllers that are private and public entities.” Speaking of the benefits of adopting laws to protect personal data, she added that while the proposed law would help controllers be more compliant with the laws pertaining to personal data, it will also be beneficial from a business and operational perspective. “This law imposes certain principles with which controllers are required to comply, and these include having a lawful ground to process (personal data): consent, vital interest (in this case, when the processing of personal data is vital to an individual’s life/survival), legitimate interest (in this case, when the processing of data is done in a manner people would reasonably expect and would have a minimal impact on privacy), and public interest (in this case, when the processing of data is necessary for the performance of a task carried out in the interest of the public).” Adding that the proposed law requires companies that collect personal data to collect or process that information only for a specific purpose and to ensure that the entire processing activity is limited to that purpose or purposes, Wickramasinghe said: “So, it will prevent companies from using personal information for purposes that are not disclosed to the data subject. Also, it limits the retention period (how long personal data is stored or archived), to ensure there are technical and organisational measures implemented to ensure the security of information, and to ensure the processing activity is transparent and accountable.” She also elaborated on consent-related aspects of personal data, noting: “Certain rights have also been recognised; among them are the right to withdraw, the right to have access to a person’s information, the right to delete information in certain circumstances, and the right to rectification.
All of this combined will create a huge change in technical and organisational measures in terms of how personal data is processed.”

Meanwhile, ICTA Chief Digital Economy Officer Anura de Alwis, speaking of the relevance of laws to protect personal data, noted the importance of data protection-related risk management in a context where the world has switched from physical documentation to digital devices and platforms, and then to cloud services (to store and process data), which increases the likelihood of people’s data being exposed to external parties. He also pointed out the importance of organisations, the public sector, and the general public being aware of the provisions of the Bill. With regard to digital literacy and data protection, de Alwis said: “We look at digital literacy in the country, but when we go for a better digital economy, our measurement, or key performance indicators (KPIs) or indexes, should be digital citizenship, because it encompasses digital law literacy as well. Digital literacy only talks about whether a person can make use of smart technologies or electronic technologies on a day-to-day basis. But, when you focus on the digital citizenship aspect, it has more to do with whether you are using it responsibly.”

Expressing his opinions during the discussion, Aventude Chief Technology Officer (CTO) Thurupathan Vijayakumar said that even though the proposed personal data protection law is rather new to Sri Lanka, most organisations that collect or process personal data have already adopted basic practices that protect certain aspects of people’s personal data, and that embracing the new law would nevertheless be an ongoing process. He added that the proposed law will have to be tested, because with certain emerging technologies there will be areas where the law will be debated, especially with regard to data retention and the ways certain technologies operate.
He opined that larger enterprises are very serious about implementing data protection laws, and that many companies that store and process data are working towards appointing a dedicated officer to handle matters relating to personal data protection. He noted that the Bill also requires the appointment of a data protection officer (DPO). Speaking of Sri Lanka’s situation concerning personal data, he opined that certain technological aspects (relating to personal data) of some businesses have gone a little too far in terms of innovation. He explained: “There are two categories of personal data, i.e. standard personal data and special personal data. The first category relates to data such as name, email address, and phone number, while data pertaining to genetics, race, or religion could be considered special data. If we take an e-commerce business, for example, they record the customer’s name and phone number. But in the Sri Lankan context, just by looking at a name, we can derive the customer’s race and religion. They (companies) do that for seasonal promotions. Now, the user/customer has consented to give the name, but has not consented for more personal data to be derived from the name.” He stressed that, with the new law about to be enacted, these companies will have to discuss this with the data protection authorities and inform users/customers of the new developments in that regard.

Personal data protection and privacy laws are not a new concept in the world, and in a context where there is growing concern about how business entities use and process people’s personal data, a number of countries have adopted laws to regulate that process, permitting businesses to use, store, and process data for essential purposes.
While the law Sri Lanka has proposed is yet to be passed, it is a progressive development in a context where Sri Lanka does not adequately discuss how people’s personal information is being used for various purposes, with or without their consent or knowledge. However, as the speakers noted, Sri Lanka needs to raise awareness not only among the general public, but also among the entities that use and process personal data.

