Proposed Data Protection Legislation In the Works

The past few years have become so important for privacy and data protection. Incidents like Cambridge Analytica and the Aadhaar card fraud makes it all the more reason why data protection is vital. Countries like Sri Lanka are years behind when it comes to policymaking in this regard. But surprisingly, the Sri Lankan government is currently attempting to set the framework for a Personal Data Protection Bill.

A summary of the Data Protection Bill

As the name implies, the legislation aims to protect personal data (or so it says). According to Domo, Over 2.5 quintillion bytes of data is created on a global scale every single day. So policies around data protection play a key role in modern society. Sri Lanka’s proposed bill revolves highlights a few important aspects.

1. Who the legislation applies to

In general, this applies if the data processing takes place wholly or in part, within Sri Lanka. If not, party processing the data should be a legal Sri Lankan resident, incorporated under Sri Lankan law, subjected to Sri Lankan law, a party where goods/services are offered to data subjects in Sri Lanka, or a party “who monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behavior takes place in Sri Lanka”.

2. The legalities of data processing

This talks about how data processing will be recognized to be lawful. This also briefly defines the scope of storage limitation, integrity, and confidentiality.

3. The rights of data subjects, i.e., you

This area primarily reflects on your rights with regards to access rights, right to withdraw, erasure, rectification, and the exercising of the said rights. Additionally, the document also touches on the exercise of rights via authority.

4. Scope of controllers and processors of the data

This refers to the scope around the registration of controllers and processors of the data processing, along with their defined duties and obligations. This also states the designation of a data protection officer, appointed by the controller and the processor.

5. Establishment of a Data Protection Authority and its scope

The document also talks about the establishment of the Data Protection Authority. Accordingly, this Authority will be the “apex body for all matters relating to Data Protection matters in Sri Lanka and shall be responsible for the implementation of the provisions of this Act”. This includes the scope of the said authority as well.

6. How data protection relates to using personal data on direct marketing

This primarily highlights how the act will affect in situations where personal data is involved in direct marketing.

7. General rules and regulations

Of course, the legislation also specifies the general rules and regulations pertaining to the data protection act.

One of the things that caught my eye was that the act doesn’t apply to the processing of personal data if it’s done “for purely personal or household purposes”. There’s a question of how exactly is a personal purpose defined here. Does that mean one could potentially use another person’s data for anything provided it’s stated for a personal purpose? Even if it means that it could still have a similar impact to that of a business entity. This is where a clearly defined scope is vital.

Speaking of clearly defined scope, the Data Protection Principles section specifies that “Personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the said purposes.” It also states that further processing of personal data is valid if it’s archived in the interest of the public, scientific, historical research, or statistical purposes.

In a situation where the controller (of the data processing) rectifies, erases or restricts the processing of data, the controller must notify recipients “unless this proves impossible or involves disproportionate effort”. Room for being lethargic maybe?

You can actually help make this act better

The 35-page document can be accessed here (archived) and you can actually give feedback with your own suggestions to the ministry. The deadline is 24^th of June. Once the draft is published in the Gazette as a bill, a review opportunity will be given to the public.

So while the proposed legislation isn’t perfect by any means, we, the public could still help make it better. It’s uncertain if whatever feedback is provided will be taken into consideration at all. One can certainly hope they do.

But the bigger question isn’t necessarily the act itself. But rather the implementation of it. The real effectiveness of this bill would be as far as how thoroughly its executed. Take the lane law for example. There’s a clearly defined law. Every driver on the road learns it or should learn it rather. But it’s never properly implemented. So as long as this doesn’t become another lane law situation, the data protection bill could potentially be as impactful, or even more so, as the Rights To Information act.