by Randima Attygalle

The Data Protection Bill which was presented to the Legal Draftsman’s Department for further amendments to some of the provisions in the original Draft Bill has been released.

The Information and Technology Agency of Sri Lanka (ICTA) has announced that several changes have been made to the substantive provisions of the original Draft Bill including re-arrangement of key provisions. The changes were based on the feedback of a number of stakeholders including the Central Bank of Sri Lanka, Attorney General’s Department and the Ministry of Justice.

The Chair of the Data Protection Drafting Committee and the Legal Advisor to ICTA, Jayantha Fernando notes that, further amendments to the Bill are, however, possible once the Draft Bill is presented to the Cabinet and published as a Bill.

The original Draft Bill was reviewed by the Attorney General (AG) for compliance with Article 77 of the Constitution and the preliminary observations of AG received by the Drafting Committee in July last year. The Drafting Committee’s responses to AG’s observations were also reviewed by the Independent Review Panel, Chaired by Justice K. T. Chitrasiri and this response was sent to the AG and the Legal Draftsman in October. This was followed by several consultations between the Legal Draftsman’s Department and the Drafting Committee, through November and December last year.

The draft legislation defines ‘data’ as ‘any data by which an individual is identifiable and this includes name, an identification number, location data and also factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identify of an individual’. Data protection is the right of a person to ensure that their personal data is not used, exchanged or even maintained without their knowledge.

The draft legislation Fernando told the Sunday Island imposes several obligations on those who collect and process personal data (‘Controllers’ and ‘Processors’). A new set of rights is also given to citizens under this new legislation, which are known as ‘Rights of data subjects’.

“For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purposes. However, processing data in public interest, scientific or historical research will not be considered incompatible. Personal Data has to be processed in a manner to ensure appropriate security, including protection against accidental loss, destruction or damage,” explains Fernando.

Data Subject (individuals) will also have the right to withdraw his or her consent given to Controllers and will also have the right to rectify the data without undue delay. Further, the Data Subjects have been given the right to object to processing of their data. These rights of Data Subjects can be exercised directly by the individuals with the Controller.

In the modern digital era where data is often at risk, both at individual and organizational level, this legislation becomes very relevant in view of certain measures introduced in the latest version of the Bill, points out the senior legal expert.

“Accountability measures for processing of personal data are required by the law to be implemented by government departments, banks, telco’s, companies etc. as forming a self-regulatory mechanism, referred to as ‘Data Protection Management Programme in the Law. There is also the right of appeal by citizens to the Data Protection Authority against the decisions made by entities which refuse their requests under the Law.”

Requirement for ‘Data Protection Impact Assessments’ (DPIA) by those entities doing high risk processing, becomes relevant in the context of digital adoptions in different organizations where individual data is collected. The Bill also defines criteria for cloud hosting of data under the provisions governing cross-border data flows and includes safeguards when data is hosted out of the country. Furthermore, the Data Protection Authority is vested with powers to give directives to the government and the private sector entities processing personal data and impose penalties in the event of non-compliance. There is a right of appeal from these decisions to the Court of Appeal.

Although laws on data protection have been in force in many parts of the world for several years, data protection is still a new concept to us. The drafting Committee, as it Chair explains, has taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as the UK, Singapore, Australia and Mauritius. “We have also studied the laws enacted in the State of California as well as the Indian Bill, when formulating the draft legislation,” Fernando remarked.