GDPR: Is it for Sri Lanka?

Wednesday, 6 June 2018

In the preceding few weeks, you may have noticed an influx of notifications from the websites and applications you have subscribed to regarding a change in their data privacy policy. 

The popular misconception is that this is a consequence of the Facebook and Cambridge Analytica data breach. On the contrary, it is the direct result of GDPR; the Facebook data breach merely coincided with the GDPR implementation deadline (25 May).

What is GDPR? The acronym stands for General Data Protection Regulation and it is a European Union (EU) regulation regarding the protection of personal data of individuals residing within the EU. It should be noted that this is not an entirely new body of law or regulation in the EU; it only supersedes the existing laws on data protection. However, it incorporates significant developments to the law and therefore has gained traction.

How does GDPR affect Sri Lanka? One of the significant developments introduced by the new regulation is its application outside the EU. Sri Lankans and more specifically Sri Lankan corporates that deal with personal data of EU residents shall be required to comply with GDPR. 

The perennial question with this and other such laws having extra-territorial application is: how does a foreign government or authority have jurisdiction over Sri Lanka, and how do they implement such a law? GDPR is not directly enforced on persons outside the EU (third countries); instead, the EU authorities shall enforce the law on the EU counterparty dealing with such persons. This will result in the EU counterparty severing ties with any GDPR non-compliant counterparties outside of the EU. Therefore, the risk of losing business relationships in the EU shall compel Sri Lankan corporates to comply with GDPR.

Summary of GDPR

As stated above, GDPR is a law on personal data protection and it fortifies this as a fundamental right of individuals. It applies to anyone processing personal data, either manually or through automated means, which forms part of a filing system.

Personal data is defined as information relating to a natural person who can be identified directly or indirectly. Therefore, anyone processing information, which includes a name, home address, email address or IP address, shall be liable to comply with GDPR.

GDPR enshrines the following principles regarding data protection:

  • Lawfulness, fairness and transparency – data should be processed in a lawful, fair and transparent manner in relation to the data subject (the person to whom the data relates)
  • Purpose limitation – data should be processed for the specified and legitimate purpose and not further processed in a manner incompatible with the original purpose
  • Data minimisation – data should be limited to what is necessary in relation to the purpose for which the data is processed
  • Accuracy – data should be accurate and kept up-to-date having regard to the purpose for which the data is processed
  • Storage limitation – data should not be kept in a form permitting the identification of the data subject for longer than is necessary for the purpose for which the data is processed
  • Integrity and confidentiality – data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised processing, accidental loss, destruction or damage
  • Accountability – the controller (the person who determines the purpose and means of processing the personal data) shall be responsible for compliance with the above principles

GDPR safeguards and provides the data subjects the following important rights:

  • Right of access – the data subject has the right to obtain from the controller confirmation of whether or not personal data is being processed and, if so, access to such personal data
  • Right to rectification – the data subject has the right to obtain from the controller the rectification of inaccurate data concerning him or her
  • Right to erasure (‘right to be forgotten’) – the data subject has the right to obtain from the controller the erasure of personal data concerning him or her
  • Right to restriction of processing – the data subject has the right to obtain from the controller a restriction of processing, i.e. the marking of the personal data to limit its processing in the future
  • Right to data portability – the data subject has the right to obtain from the controller the personal data concerning him or her in a commonly used format, and has the right to transmit the same data to another controller
  • Right to object – the data subject has the right to object at any time to the processing of personal data concerning him or her

GDPR imposes the following obligations on the controller and processor (a person processing personal data on behalf of the controller):

  • Data protection by design and default – taking into account the purpose of processing personal data and the risk to the rights of the data subject posed by the processing, the controller shall implement appropriate technical and organisational measures to ensure the aforementioned data protection principles
  • Processing under the authority of the controller – the processor shall not process personal data except on the instructions of the controller
  • Records of processing activities – the controller shall maintain a record of the processing activities, and it shall contain specified information
  • Notification of a personal data breach – in the case of a personal data breach, the controller shall without delay notify the competent supervisory authority and communicate the breach to the data subject(s)
  • Data protection impact assessment – where a type of processing uses a new technology, the controller shall, prior to processing, carry out an assessment of the impact of the intended processing operation on the protection of personal data
  • Data protection officer – the controller and processor shall designate a data protection officer tasked with attending to all issues relating to the protection of personal data

The aforementioned rights accorded to data subjects can be enforced through a couple of avenues.

Firstly, the data subject has the right to lodge a complaint with the supervisory authority in the member state in which he or she resides. Secondly, without prejudice to the former administrative relief, the data subject has the right to seek judicial remedy and receive compensation from the controller or processor for any damage suffered. 

However, it is the first approach that has gained much attention, because the supervisory authorities are empowered to impose enhanced fines. For serious infringements the fine could be as high as 4% of the annual global turnover or Euro 20 million, whichever is greater.

Data processing outside the EU and relevance to Sri Lanka

There are several situations where the processing of EU personal data takes place outside the EU:

  • The controller or processor is an establishment in the EU; however, the processing of personal data takes place outside the EU. This is relevant to global or multinational companies operating in Sri Lanka that process EU personal data, including global banks. It is also relevant to Business Process Outsourcing (BPO)/Knowledge Process Outsourcing (KPO) companies in Sri Lanka that process EU personal data.
  • The controller or processor is not established in the EU but processes the personal data of EU subjects, where the processing relates to:

a) The offering of goods and services (export) to data subjects in the EU. This makes Sri Lankan exporters processing EU personal data liable to comply with GDPR.

b) The monitoring of the behaviour of EU data subjects as far as the behaviour takes place in the EU. This becomes relevant to market research companies and ICT companies that deal with EU personal data.

The transfer of EU personal data to third countries in the above situations can only take place if the conditions laid down in the regulation are complied with by the controller and processor. These conditions are outlined below:

  • Transfer on the basis of an adequacy decision – a transfer of personal data to a third country may take place where the European Commission has decided that such country ensures an adequate level of data protection. Rest assured you will not find Sri Lanka in this list of countries. At present, Sri Lanka has no dedicated law or regulations addressing personal data protection.
  • Transfer subject to appropriate safeguards – in the absence of an adequacy decision in respect of a third country, the controller or processor may transfer personal data to such country only if the controller or processor has provided appropriate safeguards, which include binding corporate rules, standard data protection clauses, and codes of conduct and certification mechanisms together with binding commitments of the controller or processor in the third country to apply those safeguards.
  • Derogation for specific situations – other than in the situations outlined above, a transfer of data to a third country may take place in derogation of the general rule where certain conditions are satisfied.

The response strategy for Sri Lankan companies

As stated at the beginning, GDPR compliance is ensured in third countries indirectly, by enforcing the same on the EU counterparty. Therefore, to avoid the risk of losing EU clients/customers, Sri Lankan companies that deal with EU personal data must comply with GDPR.

What is required of Sri Lankan companies to comply with GDPR? GDPR is literally an alien law/regulation; therefore, to ensure compliance, corporates may need to seek external assistance from a qualified professional or firm. It should be noted that GDPR is not solely a compliance requirement of a legal nature; it requires the revamp of an organisation’s data processing operations and the IT systems inextricably used in the process.

Companies that are involved in large-scale processing of EU personal data will have to adopt the appropriate safeguards referred to above in order to comply with the conditions for transfer of EU personal data to third countries. Organisations that process EU personal data on an infrequent basis may qualify for the exceptions or derogations provided in the regulation; however, again, before deciding on such a course of action it is highly advisable to consult a qualified professional in order to avoid any risk of being GDPR non-compliant.

Lessons for Sri Lanka

GDPR is a progressive piece of legislation that elevates the protection of personal data to an inalienable right of an individual. Sri Lanka has no such legislation addressing data protection, hence the existence of datapirates (not a typo!). The proof of this is in the numerous text message advertisements pushed by the mobile operators, not to mention the mobile software solutions promoted by some of these mobile operators, which claim to track the physical movement of the employees of their corporate customers.

It is difficult to surmise when legislation of this nature will see the light of day in Sri Lanka. Perhaps if it is tied to a future IMF loan tranche, we may see a hasty copy-paste of a data protection law enacted somewhere else in the world. Still, it would be welcome given the lacuna of such law in the country.

The criticism of any copy-paste law is the excesses or shortfalls of the law in addressing the specific context of a given jurisdiction. Therefore, the ideal scenario would be the enactment of a data protection law incorporating the views of all relevant stakeholders in the country.



(The writer is Chief Consultant at SGBMC and can be reached via [email protected].)
