Data protection

In the aftermath of the Easter Sunday attacks, the Government has proposed to develop and implement a high-tech system that will be able to track people and allow the State to collect sweeping information of their citizens. The fear of such a centralised population information system is that its data can invade people’s privacy, infringe on their rights, and be abused in multiple ways.  

Prime Minister Ranil Wickremesinghe revealed the plan to implement the Centralised and Integrated Population Information System (CIPIS) in Parliament on Wednesday. Addressing the House, he had argued on the need for a sophisticated system to track citizens, insisting that it would be an effective tool to counter terrorism and money laundering, as well as transnational and financial crimes.

Wickremesinghe has already had meetings with the Minister of Internal Affairs, Minister of Telecommunication and Digital infrastructure, officers of the Department of Immigration and Emigration, and officers of the Department of Registration of Persons, to discuss a single window system for CIPIS. The Ministry of Internal Affairs, Provincial Councils and Local Governments has been told to prepare an action plan for this system in two weeks to obtain Cabinet approval. 

To fight terrorism, and more broadly in the name of security, many laws that attack freedom of expression and the right to a private life have been adopted, and given extraordinary surveillance rights to the State. The Government has already started this process by introducing electronic ID cards that were rolled out in 2017. The aim of this latest “big brother” surveillance program is to bring together different biometric programs already under the Government onto one platform. 

The problem with these platforms are threefold. For starters, they can be costly, and the Government has already spent considerable resources to roll out the e-ID system, and this latest platform could also take up a chunk of public funds. Secondly, their effectiveness is debatable, and while engaging with other agencies and countries on security measures is important, what has emerged following the attacks is that a small number of people, perhaps as little as 140 people, are responsible for the attacks. Therefore increasing surveillance on 20 million people and infringing on their rights may be an overreaction.       

Sri Lanka has no privacy/data protection laws, but hitherto privacy has been protected by the fact that most data is held in either manual form, or on isolated computer systems. Information was never shared, and if needed for investigative or other purposes, would have been provided only with a court order.  No longer; wide powers have been granted to the Commissioner-General, his officials and other authorities to collect and record any personal details from all public - and potentially private - databases in the case of the e-ID cards. 

There is no question that people want to feel safe, but the security forces and intelligence agencies in Sri Lanka need support to conduct wide-ranging, systematic, and sustained intelligence gathering. Their efforts also need to be supported by a wide range of efficient legal framing, so that only the people who have committed a crime are caught. These efforts deserve public funds more than digital platforms that have questionable outcomes, and reduce the rights of law-abiding citizens.