Sri Lanka: Proposed Bill on Personal Data Protection
Presently, Sri Lanka does not have any consolidated or specific law on data protection. The Data Protection Drafting Committee of the Ministry of Digital Infrastructure and Information Technology ('MDIIT') and the Legal Draftsman's Department have initiated the drafting of data protection legislation. The Framework for the Proposed Personal Data Protection Bill ('the Bill') was first released on 12 June 2019 for stakeholder comments and, following this release, substantial modifications were made to the Bill based on consultations held with key stakeholders. Manjula Sirimane, Partner at D. L. & F De Saram, provides an overview of the Bill and discusses its provisions in areas such as the rights of data subjects and penalties for non-compliance.
There are several pieces of industry-specific legislation that contain data protection elements, such as the Banking Act, No. 30 of 1988, the Telecommunications Act, No. 25 of 1991, the Intellectual Property Act, No. 36 of 2003, the Computer Crimes Act, No. 24 of 2007, and the Registration of Persons (Amendment) Act, No. 8 of 2016. This legislation does not, however, define the term 'data,' nor does it contain specific provisions for implementation.
The final draft of the Bill was released on 24 September 2019 through the website of the MDIIT. After review by an Independent Review Committee, the Bill would be published in the Government Gazette as a 'Bill.' The legislation will be implemented in stages, and the Bill will come into operation within a period of three years from the date it is ratified by Parliament; this time lapse gives the Government and the private sector an opportunity to prepare for implementation.
Protecting personal data
The Bill prescribes measures to protect the personal data of individuals held by banks, telecom operators, hospitals, and other entities aggregating and processing personal data. It aims to regulate the processing of personal data, designate a data protection authority, safeguard the rights of citizens referred to as 'data subjects,' and regulate the dissemination of unsolicited messages using personal data.
Under the terms of the Bill, personal data may be processed only for specified purposes. The Bill does, however, also permit processing for purposes in the public interest and for scientific, historical, research, or statistical purposes.
The Bill provides for the designation of a public corporation, statutory body, or any other institution controlled by the Government or established under any written law as the 'data protection authority' of Sri Lanka. Such an authority shall be responsible for all matters relating to personal data protection in Sri Lanka and for the implementation of the provisions of the Bill. The processing of data will be undertaken by a controller, defined as any natural or legal person, public authority, non-governmental organisation, agency, or any other body or entity which, alone or jointly with others, determines the purposes and means of processing personal data.
Data subject rights
The rights of data subjects provided in the Bill include the right to withdraw consent given to controllers, the right to access, rectify, and erase data without undue delay, and the right to object to the processing of data. These rights can be exercised by individuals directly with the controller, who is required to respond within a defined time period and is obliged to give reasons for refusing a request, or reasons why the controller would refrain from further processing of the data. The data subject shall have the right to request a controller to review a decision based solely on automated processing that affects the rights and freedoms of the data subject guaranteed under any written law. Where the controller refuses or restricts any of these rights, the controller is required to inform the data subject of their right of appeal.
Data controller obligations
The Bill introduces accountability obligations on controllers, requiring them to implement internal controls and procedures known as a 'Data Protection Management Program' in order to demonstrate how they implement the data protection provisions imposed under the Bill. Where the processing of personal data is 'likely to result in a high risk to the rights and freedoms of data subjects,' a controller has to carry out a Privacy Impact Assessment ('PIA') prior to such processing. A PIA is also mandatory for any other processing activity that may be prescribed, having regard to the scope and associated risks of that processing.
Controllers are prohibited from processing personal data and from sending unsolicited messages unless the individuals concerned have given express consent. Provisions have also been included to govern the relationship between controllers and third parties who process personal data on their behalf. Controllers are under an obligation to maintain the integrity and confidentiality of personal data and to process it in a transparent manner.
The penalties imposed for failure to comply with the provisions of the Bill shall not exceed LKR 10,000,000 (approx. €50,000) in any given case, and shall be imposed taking into consideration the nature and extent of the non-compliance and its impact on data subjects. The Bill further prescribes a list of matters to be considered when imposing a penalty, including inter alia the nature, gravity, and duration of the contravention, the degree of responsibility of the controller, the categories of personal data affected by the contravention, and any action taken by the controller or processor to mitigate the damage suffered by data subjects.
This would be considered a landmark development, as it would be the first piece of comprehensive data protection legislation in Sri Lanka that is not industry specific. The data protection principles and the rights of data subjects contained in the Bill are encouraging: they restrict the use of personal data to legitimate purposes and empower individuals in a way that legislation had not done previously. Given the growth and innovation of the digital economy in Sri Lanka, it is encouraging that regulating the processing of personal data has been considered necessary, in order to safeguard the rights of individuals and to ensure consumer trust in information privacy in online transactions and information networks. Under the Bill, private companies would owe a duty of care and would therefore be legally liable if in breach. In practice, safeguards will require implementation, and it is also important that the legislation is not so stringent that it increases the administrative burden on businesses, thereby restricting innovation and creating barriers to trade.
The proposed implementation should require existing manual data records to be brought into the contemplated system, since at present manual records constitute the largest part of the data that is processed.
Manjula Sirimane Partner
D. L. & F De Saram, Colombo