Sri Lanka has become the first South Asian country to introduce data protection legislation with the enactment of the Personal Data Protection Act, No. 19 of 2022 (“PDPA”), by the Parliament of Sri Lanka on 19 March 2022. The provisions of the PDPA will be brought into operation by way of notification issued by the Minister of Technology (i.e., the Minister assigned the subject of data protection) in the Government gazette, and this will be done 18 and 36 months from the date of enactment. Accordingly, it is anticipated that substantive provisions of the PDPA will be brought into operation between 19 September 2023 and 19 March 2025. The Data Protection Authority has now been set up by the Minister of Technology in order to facilitate this process1.
In layman’s terms, data protection includes the practices, safeguards, and binding rules put in place to protect people’s personal information and ensure that they remain in control of their personal information. Prior to the enactment of the PDPA there was no overreaching piece of legislation to regulate the usage and ensure the protection of personal information. As such, an affected person had to rely on certain limited aspects of the common law of the land and the other statutes that only apply in respect of certain specialised areas2. The judiciary has also referred to the right to privacy in Nadarajah v Obeysekara and Hewamanna v AG. With the introduction of the new law, considerable obligations have been imposed on the government, businesses, and other entities that rely on electronic modes of storing data and operating cross-border data flows.
Scope of PDPA
The PDPA aims to regulate the ‘processing’ of ‘personal data’ of ‘data subjects.’
1. ‘Data subject’ refers to a natural person, whether living or not.
2. ‘Personal data’ means any information that can identify that person, either directly or indirectly, by reference to, their name, identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.
3. ‘Processing’ includes a plethora of actions, including the storage, preservation, alteration, retrieval, disclosure, transmission making available, erasure, destruction of personal data in respect of consultation, alignment, combination, or the carrying out of logical or arithmetical operation on personal data.
Additionally, the PDPA refers to a ‘special category of personal data’ which reveals the person’s racial or ethnic origin, political opinion, religious or philosophical beliefs, financial, biometric data for the purposes of uniquely identifying a natural person, data concerning health, data concerning a natural persons sexual orientation, etc.
Further, the PDPA restricts the disclosure of personal data without the relevant person's consent. This prohibition however is not absolute, and is subject to lawful processing requirements. As a result, personal data can be processed for a legitimate interest pursued by the person in possession of that information, where it is necessary to comply with a legal obligation, to respond to an emergency, for the performance of a task carried out in the public interest, or if it concerns the exercise of powers conferred under written law.
Application and Processing of Data
The PDPA applies to the processing of personal information in Sri Lanka, either wholly or partly. It also covers controllers or processors of personal information, who are domiciled in, incorporated in, or offer goods or services to persons in Sri Lanka. The collection, usage, and storage of personal data can happen in the course of business, including those of professionals, such as, doctors or lawyers. The PDPA imposes additional requirements of privacy and of care on the processing of personal data held by professionals who are subject to obligations of professional privilege. Such privilege already requires the non-disclose of personal data and special category of personal data by such professionals without the informed consent of data subjects.
However, personal data processed purely for personal, domestic, or household purposes by an individual is excluded from its scope. Therefore, a contact list stored in one’s phone is outside the scope if used ‘purely’ for personal, domestic, and household purposes.
Obligations of Data Controller
Similar to the General Data Protection Regulation in the European Union, the PDPA heavily relies on principles such as legitimate purpose, proportionality and, transparency, among others. Accordingly, every data controller shall ensure that personal information that is processed shall be adequate, relevant and proportionate, shall be accurate and kept up to date. More importantly, a controller shall ensure the confidentiality and integrity of personal data, and processing of data by the controller including obtaining consent from data subjects.
Rights of Data Subject
Data subjects, the persons who are the actual owners of such personal data, have the right to request access to their personal information, withdraw their consent, require that errors in their personal data be corrected, and have their personal data erased.
In response, processors / controllers shall have 21 working days from the date of the request to accept or reject it. Controllers are required to inform the date subject whether his or her request was accepted or rejects together with reasons for such decision. Where the request has not been granted the data subject shall have the right to appeal.
Additional Obligations
To further data protection and security, the PDPA imposes additional obligations against data controllers and processors.
• Appoint a data protection officer with the relevant qualifications under the mandate of advising the controller or processor on data processing requirements, ensuring compliance with personal processing provisions, etc.
• In the event of a personal data breach, the controller has the obligation of notifying the Data Protection Authority.
• For the purposes of advertising with the use of personal information, the controller or processor is required to obtain the data subject’s consent.
Penalties
After assessing the type of non-compliance and its consequences for data subjects, the Data Protection Authority is empowered to levy fines of up to LKR ten million for each instance of non-compliance.
All professionals, however, should bear in mind that the mere imposition of a penalty under the PDPA does not absolve them from further repercussions from their regulatory body. The relevant regulatory or statutory body, constituted for the regulation of such professionals, is authorized under the PDPA for taking any other regulatory measures. This may include, but not limited to, the suspension of such controller or processor from carrying on of the profession, or the cancellation of a license or authority granted for the carrying on of the profession as permitted in terms of any applicable written law.
Conclusion
While the obligations aimed at safeguarding the right to privacy are essential, implementing regulations in a uniform manner can potentially impede the growth of small-scale enterprises. Nevertheless, this approach compels businesses to revamp their methods of collecting, processing, and utilizing personal data, offering an opportunity for companies to enhance their data privacy and cybersecurity infrastructure. The existence of personal data protection laws serves to stimulate the nascent economy of a country, promoting increased investment in sectors like business process outsourcing and data processing. These laws instill confidence and trust, ensuring that businesses adhere to stringent privacy standards, thereby attracting investment and fostering growth in these industries.
PDPA guarantees that personal data held by diverse entities, encompassing government bodies, banks, telecom operators, and hospitals, are protected by specific safeguards against unauthorised usage and enforces penalties for any breaches. The also PDPA prevents the use of such information for the purposes of sending unsolicited direct marketing efforts.
The implementation of the PDPA signifies Sri Lanka's commitment to establishing a robust framework for safeguarding personal data in the digital era. This step not only fosters trust within the digital ecosystem but also enhances the governance and administration of personal data; this is because, people are more willing to share their personal data online when they know that there is a robust legal framework to protect their interests.
References
1. Gazette Extraordinary No. 2341/59 dated 21 July 2023
2. Computer Crimes Act No. 24 of 2007, Electronic Transactions Act No. 19 of 2006, Right to Information Act No. 12 of 2016, Banking Act No. 30 of 1988, Telecommunications Act No. 25 of 1991, and Intellectual Property Act No. 36 of 2003.
Insight: Navigating Change: Sri Lanka's Tax Reforms for 2025
Insight: An Overview of the Sri Lanka Electricity Act No. 36 of 2024: A Milestone in Energy Regulation
Insight: Penalties For Non-Compliance Under The Foreign Exchange Act, No. 12 Of 2017
Insight: Sri Lanka Amends Labour Law Favourable To IT-BPO Sector And Strengthening Gender Equality
Article: Overview of the Colombo Port City Economic Commission Act 2021