Data Protection Legislation – Overview

In the digital era, Data Protection Legislation has become an important policy-level priority because such legislation defines measures to protect the personal data of individuals held by Government Departments, banks, telecom operators, hospitals and other entities that aggregate and process personal data. This Legislation is also important in view of the Digital ID and shared KYC initiatives.

The urgent need for Data Protection legislation was first mooted by the Central Bank of Sri Lanka in September 2018. At the request of the Central Bank, the then Ministry of Telecommunications and Digital Infrastructure (MTDI) started the drafting process with ICTA, the Central Bank and other stakeholders. The Drafting Committee, chaired by the ICTA Legal Advisor, included representatives from Government Agencies and the Private Sector with expertise in privacy practices. The Draft Bill prepared by this Committee was submitted to 6 rounds of stakeholder consultations. The Draft Bill was also reviewed from time to time by an Independent Advisory Panel, comprising an eminent group of professionals, which was chaired by a former Justice of the Supreme Court.

The Draft Bill finalized by the Legal Draftsman’s Department was submitted to the Cabinet of Ministers on 18th December 2019. After Cabinet approval in January 2020, the Draft was further reviewed by key stakeholders. The Draft Bill was also presented to the Bar Association of Sri Lanka (BASL) on 20th February 2020, where more than 250 lawyers as well as Judges of the Supreme Court & Court of Appeal were present.

The Attorney General’s observations on the Draft Bill were received on 7th July 2020, and thereafter the Data Protection Drafting Committee met on several occasions, through August 2020, to prepare its response to the Attorney General’s observations. The Drafting Committee’s Response to the AG’s Observations has been reviewed by the Independent Advisory Panel and was sent to the Legal Draftsman’s Dept and the Attorney General on 22nd October 2020 to finalize the Legislation.

The Legislation will be implemented in stages. The entire Bill will come into operation within a specified period from the date the Speaker certifies the Bill. This would provide sufficient time for the Government and the private sector to take adequate steps to implement this legislation. The Data Protection Authority is also required to be established within a specified period. However, the implementation time frame may be brought forward in view of the Digital ID and shared KYC initiatives. A high-level Task Force is likely to facilitate the establishment of the Data Protection Authority.

Several obligations have been imposed by this legislation on those who collect and process personal data (“Controllers” and “Processors”), and a whole new set of rights, known as “Rights of data subjects”, has been given to citizens under this new legislation. For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purpose. However, processing data in the public interest or for scientific or historical research will not be considered incompatible. Personal Data has to be processed in a manner that ensures appropriate security, including protection against accidental loss, destruction or damage. Data subjects (individuals) will have the right to withdraw the consent they have given to Controllers and will also have the right to rectify the data without undue delay.

Further, Data Subjects have been given the right to object to the processing of their data. These rights of data subjects can be exercised by individuals directly with the Controller, who is required to respond within a defined time period and is obliged to give reasons for refusing to meet the request or reasons why the Controller would refrain from further processing the said data. The individual has a right of appeal to the Data Protection Authority against the decision of the Controller.

The Draft Bill has also introduced specific and comprehensive transparency and accountability obligations on Controllers, compliance with which will be a prerequisite. The accountability obligations would require Controllers to implement internal controls and procedures, known as a “Data Protection Management Program”, in order to demonstrate how they implement the data protection obligations imposed under the Act.

The Data Protection Drafting Committee:

Jayantha Fernando (Chair/Convenor)

Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept)

Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka)

Sanduni Wickramasinghe (Mobitel)

Trinesh Fernando, Shenuka Jayalath and Rashmin De Silva (Dialog PLC) and

Sunali Jayasuriya (ICTA)

The Draft version of the Bill submitted to the Cabinet of Ministers, which was also presented to stakeholders and presently being amended by the Legal Draftsman’s Department