The right to privacy and a data protection act: Need of the hour

Friday, 31 March 2017 04:45 -     - {{hitsCtrl.values.hits}}

By Samantha de Soysa

The right to privacy has been long held to be synonymous with other human rights. However, in Sri Lanka, the absolute need for one has been largely overlooked. In this article I hope to highlight the importance of the right to privacy and a data protection act. Moreover, the dangers of not having both rights as a constitutional provision or in a statutory form, will be detrimental. 

‘Private’ has been defined in the Oxford Dictionary as ‘confidential: not to be disclosed to others/kept or removed from public knowledge or observation’. A more comprehensive and pragmatic view has been offered by Alan Westin, author of ‘Privacy and Freedom’ who defines privacy as “the desire of people to choose freely under what circumstances and to what extent they will expose themselves, their attitudes and their behaviour to others”.1

In this article I will be focussing the discussion on the right to privacy to the digital forum, and thereby the emphasis on a data protection act. 

17-1If the Government of Sri Lanka becomes electronically active, and if the executive and administrative arms of the Government by their actions infringe the right to privacy of a citizen, such action can be questioned by invoking the exclusive jurisdiction by the Supreme Court albeit only if the right to privacy exists as a fundamental right and not otherwise


Every sector and industry (including health, transport, education and insurance to name a few) have been influenced by the IT revolution in the rapid and advanced introduction of computer technology. If computers are the vessels then the information that flows through them is referred to as ‘data’. The world has become a ‘global village’. Sovereignty of states have become blurred and the propensity of international transactions through the internet have given rise to many legal complexities. Thereby the need for extensive laws regulating this information is imperative; now more than ever.

International Treaties have long recognised the importance of these provisions. However, most of the ‘vigilant gatekeeping’ for international human rights does not occur at the international level but in the domestic arena, by holding States accountable to the enforcement of those national laws that codify international obligations.2

The UN General Assembly, in its Resolution on the Right to Privacy in the Digital Age, noted that “the rapid pace of technological development enables individuals all over the world to use new information and communication technologies (ICT) and at the same time enhances the capacities of governments, companies and individuals to undertake surveillance, interception, and data collection, which may violate or abuse human rights, in particular the right to privacy.” Further, both the U.N. General Assembly, in its Resolution 68/167 on Digital Privacy Rights, and the Office of High Commissioner for 

Human Rights, in its Report on The Right to Privacy in the Digital Age to the Human Rights Council, affirmed how “the rights held by people offline must also be protected online.”

The International Treaties themselves support this. Article 17 of the ICCPR3 clearly provides for this right and also Article 6 of the ASEAN Declaration of Human Rights.4

When States ratify treaties or declarations, such as the ones mentioned above, they obligate themselves to respect, protect and fulfil the rights enshrined within those instruments.5 Because the nature of technology is such that it can be used “for both legitimate and impermissibly intrusive ends”, it is the responsibility of States to take measures, such as enacting national legislation, to guarantee the protection of citizens’ rights on the internet and communications networks. 

The challenges of a data protection act

A challenge to any State would be the delicate balancing of the freedom of expression and the right to privacy. Frank LaRue, Special Rapporteur on Freedom of Expression, in his 2013 report to the Human Rights Council, discussed how ICCPR Art. 17 on privacy does not provide for a clear-cut limitation test as Art. 19 does for freedom of expression. Therefore, he asserts that Art. 17 “should be interpreted as containing elements of a permissible limitations test already described in other General Comments of the Human Rights Committee”, such as those contained in the articles on the right to liberty of movement, the right to peaceful assembly, etc. These can be summarised in three main requirements:


  • Any restriction must be provided by law and must represent a legitimate, compelling state interest.

  • The restriction must be necessary for achieving such legitimate aim and the measure must be proportional, meaning it must be appropriate to achieve its protective function; and 

  • The limit must be narrowly tailored to the end sought, thus representing the least restrictive way to achieve the desired result.

Note that the determination of what constitutes a legitimate restriction should be “undertaken by a competent judicial authority or a body which is independent of any political, commercial, or other unwarranted influences….”6

The most recent milestone in Data Protection laws has been the EU General Data Protection Regulation [2016/679]. This will come into effect on 25 March 2018. It builds on existing concepts and strengthens requirements for the collection and use of personal data though it does introduce a number of significant changes. For example, companies that have no physical presence in the EU will also need to comply with the GDPR if they offer goods and services in the EU or monitor a data subject’s behaviour taking place in the EU. Also the GDPR does not require that all personal data has to be kept within the EU. However if the personal data travels outside the EU the controller should ensure a level of protection which is similar to that in the EU for the data.

The Hong Kong ‘Private Data Protection Ordinance’, which was brought into force in three stages in 1997 has been described as an ‘economic selling point, safeguarding the free flow of personal information to Hong Kong”, as much as it was a “human rights related initiative”7. The content of the Ordinance clearly reflected both the OECD Guidelines and EU Directive, but not as any direct pressure from abroad, rather as a long-term protection of the trading position of Hong Kong and as an elite concern to be in keeping with international best practice. 

The laws in Australia are also very contextual. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 includes 13 Australian Privacy Principles guiding the collection, use, storage, and disclosure of personal information, and access to and correction of that information. The new amendment in 2014 will affect all Australia-based organisations that store any personal data about their customers including cloud and communication service providers. 

The Data Privacy Act of 2012 in the Philippines is an Act also to be commended in encompassing the possible complications. That law requires that the collection and processing of personal information be done fairly and legitimately within the bounds of law, subject to “the fundamental rights (including privacy) and freedoms of the data subject” protected under the Filipino Constitution.8

The position in Sri Lanka

Althaf Marsoof, in his article titled ‘The Right to Privacy in the Information Era: a South Asian Perspective’9, has provided a preliminary analysis of this. He explains how in Chapter III of the Sri Lanka Constitution, the Fundamental Rights of the people of Sri Lanka are exhaustively guaranteed. However, on the face of it, it seems that Chapter III guarantees no right to privacy, Article 17 read with Article 126 (1) of the Constitution makes it clear that an application may be made to the Supreme Court in relation to the infringement of an individual’s fundamental right by administrative or executive action. It has been stated that, “A public value of privacy derives not only from its protection of the individual as an individual but also from the usefulness as a restraint on government or on the use of power.”10 

Therefore, if the Government of Sri Lanka becomes electronically active, and if the executive and administrative arms of the Government by their actions infringe the right to privacy of a citizen, such action can be questioned by invoking the exclusive jurisdiction by the Supreme Court albeit only if the right to privacy exists as a fundamental right and not otherwise. 

The Computer Crimes Act 2007 of Sri Lanka, (the primary aim of which is to protect the right to privacy of Sri Lankans through penal sanctions) also gives cause for concern. Section 18 of the CCA 2007 gives the power to an expert or police officer included in an investigation under the Act to tap any ‘wire or electronic communication’ or obtain any information (including any subscriber information or traffic data) from any service provider. Even thought it might seemingly have some parameters surrounding this section, in that a warrant is required from a magistrate, it is nonetheless very concerning. And this concern is compounded in there not being an express guarantee of a fundamental right to privacy.11

Article 14A of the 19th Amendment to the Constitution does touch on privacy, though very minimally. It states that a fundamental right to information can be not complied with if the privacy of an individual is tampered with. However, on the flip side, if the public interest of the people outweighs the right to privacy, that right outweighs the latter. Also it is noteworthy that this sublime right is connected to the right to information and fails to stand on its own. This is clearly not an express provision where the right to privacy is a separate and compounded fundamental right of the citizens in Sri Lanka. Also in order for this right to be exercised against private organisations, a statute is needed where it is encapsulated separately. Hence the absolute necessity for the citizen to have rights against the state and each other.


Laws exist to protect the rights of the members of a society and to ensure that they do not have to protect those rights through their own actions. Philosopher, John Locke, argued that a society without laws would be one in which individual people only had as many rights as they could protect. In other words, you only had the right to life if you could keep others from killing you. According to Locke, societies devised laws and governments as a way to get themselves out of this state of nature. In this purview laws exist in order to protect our most fundamental human rights. Because of the existence of laws and means to enforce them, we all have rights even if we would be too weak to protect those rights in a state of nature.12

In this digital age, the strong connection between the right to privacy and data protection is prevalent, now more than ever before. All information of citizens, confidential and otherwise are held in diverse industries such as the health industry, education and insurance to name but a few, in the form of ‘data’. Thereby, a provision of the right to privacy, I strongly feel, comes in perfect synchrony with provisions for data protection. 

Also due to rapid globalisation taking place, and Sri Lanka, in particular being in an important time of history, where its entrance as a global player in international economics is about to be launched, the importance of its laws being synonymous with international treaties cannot be stressed more. The lure of FDIs is based on many factors, admittedly, and the laws of a country being up-to-date cannot be overemphasised. 

Finally, in pursuing a ‘democracy’, one must ask oneself, is not the right to privacy an integral element of this pursuit? As much as freedom of expression and speech are to be applauded, the parameters by which we as a society and as individuals operate needs protection of the highest order; from the judiciary. Thereby I humbly propose, without further ado, that we as a nation give our people these fundamental rights that they can stand by and I am confident that the democracy and freedom we all want will come by.


1A Westin, Privacy and Freedom, Atheneum 7 (cited in Marsoof, A; The Right to Privacy in the Information Era, a   South Asian Perspective; Volume 5 Issue 3 December 2008)

2 ABA Rule of Law Initiative; George Washington University Law School 2015; p. 5

3 (1) No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

(2) Everyone has the right to the protection of the law against such interference or attacks.

4 ‘The enjoyment of human rights and fundamental freedoms must be balanced with the performance of corresponding duties as every person has responsibilities to all other individuals, the community and society where one lives. It is ultimately the primary responsibility of all ASEAN Member States to promote and protect all human rights and fundamental freedoms.’

5 ABA Rule of Law Initiative; op.cit. 2; p.6

6 Ibid 

7 ‘Comparative Study on Different Approaches to new privacy challenges in particular light in the light of Technological Developments : Hong Kong’ by Graham Greenleaf []

8 ABA Law Initiative Rule; op.cit.2; p 5

9 Marsoof, A; ‘The Right to Privacy in the Information Era, a South Asian Perspective; Volume 5 Issue 3 December 2008’ []

10 D Solove, M Rotenberg & P Shwartz, Information Privacy Law (2nd ed., Aspen), 61 (cited in ibid)

11 Marsoof,A ; op.cit. 9

12 http;//

[The writer, LL.B (Hons.) Warwick; Barrister (of Lincoln’s Inn), is an Attorney-at-Law.