The personal data protection bill, defining measures to protect personal data of individuals held by banks, telecom operators, hospitals and other personal data aggregating and processing entities, was formulated by the Legal Draftsman Department and the Data Protection Law Drafting Committee, appointed by the Ministry of Digital Infrastructure.
The drafting committee considered international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as the United Kingdom, Singapore, Australia and Mauritius, laws enacted in the State of California as well as the Indian draft bill, when formulating the said draft legislation.
Data protection legislation is urgently required given the dynamics of digital strategies adopted by the government and private sector. In the context of contact tracing solutions for effective management of Covid-19 by health authorities and the planned digital identity initiative, the draft bill is of paramount importance and strengthens the governance and administration of personal data.
Consequently, this legislation has now been given priority by the Ministry of Technology. The Central Bank of Sri Lanka, which originally initiated this legislation, along with TRCSL and Securities Exchange Commission are working together to support the implementation of this new Legislation. An Expert Committee has been appointed to formulate the implementation framework.
The first version of the draft bill, published in June 2019, was subject to seven rounds of stakeholder consultations and the revised version received policy level approval from the Cabinet of Ministers in January 2020. Thereafter, further stakeholder consultations were conducted by the Bar Association, the Ceylon Chamber. In addition, the Ministry of Justice, Hon Attorney General, the Central Bank and TRCSL provided observations on the draft bill during 2020 and further revisions were made to the Bill. The Hon. Attorney General recently issued the certificate under Article 77 of the Constitution on the bill’s constitutionality, and therefore the bill is cleared for next steps. The Bill is being translated into Sinhala & Tamil and thereafter will be submitted to the Cabinet of Ministers to proceed with next steps.
The legislation intends to balance the interest of the enterprises who rely on personal data processing and the interests of individuals whose personal data is being processed to ensure transparency and accountability in processing activities. Several obligations have been imposed by this legislation on those who collect and process personal data (known as “controllers” and “processors”) and a whole new set of statutory rights have been given to natural persons/individuals (known as “data subjects”) under this new legislation, which are known as “rights of data subjects”.
For instance, processing must be based on a ground recognized as lawful under Schedule I or Schedule II of the bill, and processing of personal data must be limited to a specified purpose; personal data must not be processed for any other purpose which is incompatible with the original purpose(s). Controllers are also tasked with ensuring the security and confidentiality of the personal data that they process by employing appropriate technical and organizational measures. Moreover, they are responsible for meeting the transparency obligations enumerated in this legislation and for deploying appropriate data protection management programs within their respective organizations to meet the obligations which are enumerated in this bill, in particular under Parts I, II and III.
“Data subjects” are guaranteed a host of rights by this bill as a means of harmonizing the interests of data subjects against the interests of the controllers. For example, where processing is based on consent of data subjects, such data subjects will have the right to withdraw the consent given to controllers. Data subjects can object to processing if it is carried out pursuant to a task in the public interest or when the controller is pursuing a legitimate interest of the controller. Moreover, data subjects will have the right to rectify their data without undue delay. It is important to note that the bill recognizes the right of data subjects to have a decision of the controller reviewed under specified circumstances in the context of automated decision making, where the controller takes decisions purely by automated means that affect the rights of the data subjects (for example, use of artificial intelligence). These rights of data subjects can be exercised directly by the individuals with the controller, who is required to respond within a defined time period and is obliged to give reasons for refusing to meet the request of the data subject. The individual has a right of appeal against the decision of the controller to the data protection authority. Any decision of the said authority is subject to judicial review by the Court of Appeal.
The legislation has devised its approach towards cross-border data transfers in line with the regional and international procedures. For example, there is no data localization requirement except for the public authorities who process data in the capacity of a controller or processor. Cross-border transfers by controllers or processors who are not public authorities are facilitated by adequacy decisions and other instruments to be prescribed by the Data Protection Authority.
The legislation also prohibits controllers who process personal data from sending unsolicited messages unless the individuals have given consent in line with the criteria under Schedule III. In addition, controllers are expected to carry out data protection impact assessments to identify risks before carrying out certain types of processing activities, and where required, seek the opinion of the data protection authority. The legislation requires the appointment of data protection officers in certain circumstances, who, once appointed, are vested with the responsibility to advise the controller, and ensure compliance with the law. Certain liabilities are specifically assigned to processors to ensure that they abide by the instructions of the controller and assist the controller to meet the controller’s obligations under this legislation.
The proposed law also attempts to govern data breach incidents where the controllers are expected to notify data breaches to the authority and/or to the data subjects in such manner, form and within such time as may be determined by Rules made under this Act. The circumstances under which the data protection authority and/or data subjects must be notified are to be stipulated by way of Rules made by the authority in due course.
Importantly, provisions have been introduced to enable the Data Protection Authority to issue directives to entities which do not adhere to the provisions of the proposed law, and administrative penalties are imposed only on those who do not comply with the said directives. The provisions on penalties are subject to a ceiling, instead of fines calculated on the global turnover of the controllers as in some developed jurisdictions.
Finally, in its effort to balance any competing interests, the legislation recognizes that no restriction, exception or derogation can be placed against the provisions of this law unless it is prescribed by law, a proportionate and necessary measure in a democratic society for the protection of national security, public safety and public health, impartiality of judiciary, investigation and prosecution of criminal offences, execution of criminal penalties or for the protection of the rights and fundamental freedoms of persons, particularly the freedom of expression and the right to information.
The Drafting Committee was Chaired by General Counsel, ICTA Mr Jayantha Fernando, and the Committee composition included Ms Yamuna Ranawana & Ms Thushari Vitharana (Legal Draftsman’s Dept), Ms Kanchana Ambagahawita & Ms Niluka Herath (Central Bank of Sri Lanka), Ms Sanduni Wickramasinghe (Mobitel), Mr Trinesh Fernando, Ms Shenuka Jayalath & Mr Rashmin De Silva (Dialog PLC) and Sunali Jayasuriya (ICTA).
In the Digital era, Data Protection Legislation has become an important policy level priority because such legislation defines measures to protect personal data of individuals held by Government Departments, banks, telecom operators, hospitals and other personal data aggregating and processing entities. This Legislation is also important in view of the Digital ID and shared KYC initiatives.
The urgent need for Data Protection legislation was first mooted by the Central Bank of Sri Lanka in September 2018. At the request of the Central Bank, the then Ministry of Telecommunications and Digital Infrastructure (MTDI) started the drafting process with ICTA, the Central Bank and other stakeholders. The Drafting Committee, Chaired by the ICTA Legal Advisor, included representatives from Government Agencies and the Private Sector with expertise in privacy practices. The Draft Bill prepared by this Committee was submitted to 6 rounds of stakeholder consultations. The Draft Bill was also reviewed from time to time by an Independent Advisory Panel, comprising an eminent group of professionals, which was Chaired by a former Justice of the Supreme Court.
The Draft Bill finalized by the Legal Draftsman’s Department was submitted to the Cabinet of Ministers on 18th December 2019. After Cabinet approval in January 2020, the Draft was further reviewed by key stakeholders. The Draft Bill was also presented to the Bar Association of Sri Lanka (BASL) on 20th February 2020, where more than 250 lawyers as well as Judges of the Supreme Court & Court of Appeal were present.
The Attorney General’s observations on the Draft Bill were received on 7th July 2020, and thereafter the Data Protection Drafting Committee met on several occasions, through August 2020, to prepare its response to the Attorney General’s observations. The Drafting Committee’s Response to the AG’s Observations has been reviewed by the Independent Advisory Panel and was sent to the Legal Draftsman’s Dept and the Attorney General on 22nd October 2020 to finalize the Legislation.
The Legislation will be implemented in stages. The entire Bill will come into operation within a specified period from the date the Speaker certifies the Bill. This would provide sufficient time for Government and private sector to take adequate steps to implement this legislation. The Data Protection authority is required to be established also within a specified period. However, the implementation time frame may be brought forward in view of the Digital ID and shared KYC initiatives. A high-level Task Force is likely to facilitate the establishment of the Data Protection Authority.
Several obligations have been imposed by this legislation on those who collect and process personal data (“Controllers” and “Processors”) and a whole new set of rights have been given to citizens under this new legislation, which are known as “Rights of data subjects”. For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purposes. However, processing data in the public interest or for scientific or historical research will not be considered incompatible. Personal Data has to be processed in a manner that ensures appropriate security, including protection against accidental loss, destruction or damage. Data subjects (individuals) will have the right to withdraw the consent given to Controllers and will also have the right to rectify the data without undue delay.
Further, the Data Subjects have been given the right to object to processing of their data. These rights of data subjects can be exercised directly by the individuals with the Controller, who is required to respond within a defined time period and is obliged to give reasons for refusing to meet the request, or reasons why the Controller would refrain from further processing the said data. The individual has a right of appeal against the decision of the Controller to the Data Protection Authority.
The Draft Bill has also introduced specific and comprehensive transparency and accountability obligations on Controllers, compliance with which will be a pre-requisite. The accountability obligations would require Controllers to implement internal controls and procedures, known as a “Data Protection Management Program”, in order to demonstrate how they implement the data protection obligations imposed under the Act.
The Data Protection Drafting Committee:
Jayantha Fernando (Chair/Convenor)
Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept)
Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka)
Sanduni Wickramasinghe (Mobitel)
Trinesh Fernando, Shenuka Jayalath and Rashmin De Silva (Dialog PLC) and
Sunali Jayasuriya (ICTA)