‘Implementation of Personal Data Protection Act likely to be hampered by political interference’

By Hiran H.Senewiratne

The provisions of the Personal Data Protection Act (PDPA) conform to all international standards but when it comes to implementation it may cause some issues stemming from political interference, IT legal expert Dr. Sunil Abeyaratne said.

“The PDPA is the need of the hour but it has to be implemented in good faith, shedding political expediency and other petty political benefits, for the betterment of the country, Abeyaratne told a function organized by the Rotary Club- Colombo South recently, in Colombo.

Abeyaratne who is the chairman, Communication, Data Protection and Technology Law of LAWASIA said that the PDPA, which has been making strides toward full implementation, aims to safeguard personal data held by various entities, including government bodies, banks, telecom operators and hospitals.

“This piece of legislation, the first of its kind in South Asia, was developed transparently. All the provisions in the Act are on par with international standards, but due to the volatility in the social and political situation in Sri Lanka, it will not serve its purpose, Abeyaratne said.

“Establishing the Data Protection Authority is a milestone in data protection in Sri Lanka. However, until it becomes fully functional, organizations in Sri Lanka are required to comply with the Personal Data Protection Act provisions that have already come into effect, he explained.

Abeyaratne added: “The Data Protection Authority is expected to commence full operations in early 2024, with vital responsibilities such as developing guidelines, investigating complaints, imposing penalties and raising awareness of data protection rights among individuals and organizations.

“Appointing members to the Data Protection Authority should be a process free of political bias and affiliations. If not, it would not serve any purpose to protect the best interest of the public.

“The Board of Directors is in the deliberation and planning phase of creating the Data Protection Authority. The first step involves recommending the operationalization of Part VIII (Funds of the Authority) and Part IX of the Act focuses on designing the organizational framework, setting out recruitment procedures and establishing roles of key officers, including those of the Director General.

“The Authority plans to formulate policy frameworks and regulations to meet the Act’s enforcement deadline of 19 March 2025.

“It will hold public consultations and engage with advisory committees representing critical sectors of the economy and other stakeholders to ensure comprehensive and effective data protection measures. The Authority is set to commence public consultations and awareness campaigns once it has the necessary capacity; a process expected to take several months.”