[Updated] The Data Protection Bill might finally become law

Neville Lahiru
3 Min Read

The much-awaited Data Protection Bill has finally gotten approval from the cabinet and is now gazetted in parliament. The Data Protection bill which was first drafted back in 2019, aims to introduce legislation that would protect the personal data of Sri Lankans.

The announcement is one of the latest efforts at introducing privacy protections for Lankan citizens. Recently, the TRCSL announced guidelines for telecom operators on Value Added Services.

Years in the making

The bill draws inspiration from OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, and EU General Data Protection Regulation among others.

According to the ICTA, the first draft of the bill was published in June 2019. This went through seven rounds of stakeholder consultations and received approval at the policy level from the cabinet by January 2020. Later in the same year ICTA Chairman, Jayantha de Silva stated that the bill was to be “submitted to Parliament soon and subsequently implemented within this year.”

However, the drafted bill was further revised following consultations from the Bar Association, Ceylon Chamber, Ministry of Justice, Attorney General, Central Bank, and TRCSL. By July 2021, the Attorney General had issued the certificate under Article 77 of the Constitution on the bill’s constitutionality. Now, with the cabinet approval, we’re likely to see the Data Protection bill pass as law soon.

For those interested, you can find the final draft that was sent to the cabinet for approval, here.

Increasing need for data protection

The bill comes at a time when the government is pushing ahead with its digitization efforts across multiple sectors. But implementations around existing projects have already caused concern for privacy and security.

Last year, the ICTA introduced the “Stay Safe” contact tracing app as a means of curbing the spread of COVID-19. Though its security vulnerabilities left much to be desired, particularly considering it was a national-level project that dealt with citizen data. Then again, cybersecurity hardly ever took the spotlight.

One of the compromised sites during the LK Domain Registry hack from February 2021

But this concern extends beyond government efforts. Back in February, LK Domain Registry, the country code top-level domain registry for .lk, got hacked. It’s a clear indication that cybersecurity and data protection has often taken the backseat when it comes to digital solutions and their implementation.

Of course, the data protection bill isn’t a fix-all solution to everything. But it’s one that will offer much-needed legislation to help protect Sri Lankans’ personal data from misuse.

Now with the bill in Government Gazette, the next step would be the parliamentary approval submission for the formation of the data protection agency, as per ICTA Chairman Oshada Senanayake.

[Update 27/112021]: Article edited with reference to the recent gazette

TAGGED:
Share This Article
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

GIPHY App Key not set. Please check settings