Privacy as a right

Tuesday, 7 January 2020 00:00

The Government has outlined plans to gather public data under one centre as a way to increase the efficiency of the public sector. However, without data protection laws there is fear that such a centralised population information system can invade people’s privacy, infringe on their rights, and be abused in multiple ways.

Many countries have adopted data protection systems. In the European Union, data protection is a fundamental right, and the General Data Protection Regulation (GDPR) is a framework for protecting that right that was introduced in 2018. 

Data protection refers to the practices, safeguards, and binding rules put in place to protect personal information and ensure that a person can remain in control of it, even to the extent of demanding it be erased. In short, the citizen should be able to decide whether or not they want to share some information, who has access to it, for how long, for what reason, and be able to modify some of this information, and more.

The move towards a centralised data centre was not one that appeared recently, but it certainly gained more traction after the horrific Easter attacks. To fight terrorism, and more broadly in the name of security, many laws that attack freedom of expression and the right to a private life have been adopted, giving extraordinary surveillance rights to the State. The Government has already started this process by introducing electronic ID cards that were rolled out in 2017.

The problems with these platforms are threefold. For starters, they can be costly: the Government has already spent considerable resources to roll out the e-ID system, and additional platforms could also take up a chunk of public funds.

Secondly, their effectiveness is debatable. While engaging with other agencies and countries on security measures is important, what has emerged following the attacks is that a small number of people, perhaps as few as 140, are responsible for the attacks. Therefore, increasing surveillance on 20 million people and infringing on their rights may be an overreaction.

Sri Lanka has no privacy/data protection laws, but hitherto privacy has been protected by the fact that most data is held in either manual form, or on isolated computer systems. Information was never shared, and if needed for investigative or other purposes, would have been provided only with a court order.  

No longer; wide powers have been granted to the Commissioner-General, his officials and other authorities to collect and record any personal details from all public – and potentially private – databases in the case of the e-ID cards. 

There is no question that people want to feel safe, but the security forces and intelligence agencies in Sri Lanka need support to conduct wide-ranging, systematic, and sustained intelligence gathering. Their efforts also need to be supported by a wide range of efficient legal framing, so that only the people who have committed a crime are caught. These efforts deserve public funds more than digital platforms that have questionable outcomes and reduce the rights of law-abiding citizens.

Data protection laws can also assist the IT industry and help draw better investment to Sri Lanka. There is also an existing data protection law that was drafted by the former administration, which could be evaluated and taken forward so there will not be any significant delays to Government plans. But there can be no doubt of the necessity and the need for data protection before data centralisation.   
