New ‘Personal Data Protection Bill’ in Parliament soon

The government has presented a new ‘Personal Data Protection Bill’ to regulate the processing of personal data and to provide for the designation of a ‘Data Protection Authority’ (DPA).

The Bill states that it has been introduced to facilitate the growth and innovation in the digital economy of Sri Lanka whilst protecting personal data rights.

“It has become necessary to improve interoperability among personal data protection frameworks as well as to strengthen cross-border cooperation among personal data protection enforcement authorities. It has become necessary for the government to provide for a legal framework to provide mechanisms for the protection of personal data of people ensuring consumer trust and safeguarding privacy whilst respecting domestic written laws and applicable international legal instruments,” the Preamble of the Bill states.

The Bill has made it compulsory to obtain the approval of a data subject (the person to whom the personal data relates) if his or her personal data is used in direct marketing and other such purposes.

“A controller may use postal services, telecommunications services, electronic means or any other similar means for the purposes of disseminating messages only if a data subject has given consent to receive such messages. The controller shall, at the time of collecting contact information and each time where a message is sent, provide to the data subject details on how to opt-out of receiving the solicited messages free,” the Bill states.

The Bill also identifies data protection obligations, rights of data subjects, and duties and functions of the Data Protection Authority. The Bill mentions that a penalty not exceeding Rs.10 million could be imposed on an offender for non-compliance with the provisions in the Bill. The Penalties come into effect only two years after the Speaker certifies the Bill following its passage in Parliament.