An introduction to the Proposed Data Protection Act – Part II
By Samantha de Soysa
The nexus between an individual and data protection is evident. However, where does it begin and where does it end?
Jurisdictional barriers and the laws of other countries need to be analysed. Do they have confidence in our laws, and we in theirs? Entities overseas that engage in any activity in which personal data is collected by local bodies will feel more secure knowing there is appropriate legislation protecting that data.
As citizens of Sri Lanka, we will feel more secure knowing that our personal data is protected. Secure boundaries, pronounced as laws, are the best safeguards a government can bestow on a nation.
The ‘Personal Data Protection Act’ stands as a drafted bill today. The urgency of passing this bill cannot be overstated. It will be referred to as the ‘Act’, for ease of reference.
In the article below, I will give a more in-depth analysis of the ‘Act’, including its relevance and applicability. Who does it apply to? Any individual (“data subject”) who has given their personal data to an entity (“controller” or “processor”). All sections and definitions referred to in this article are from the ‘Act’.
‘Controllers’ and ‘processors’
‘Controllers’ and ‘processors’ are the two categories of entity that handle personal data under the ‘Act’. The ‘Act’ distinguishes between them, and it is important to be clear what the differences are and, moreover, to understand which definition one’s own entity falls under.
In a simplistic sense, an entity that is given data directly by a person is a controller. A processor, by contrast, is a secondary collector or recipient: one who is given personal data by a controller and not directly by an individual.
Two distinct characteristics define a processor. One, it processes personal data on behalf of the controller and two, it is a separate entity or person from the controller. Personal data is not given to a processor directly; it is very much the secondary entity that collects or receives the data.
Because the processor is a recipient of personal data, the ‘Act’ places obligations on both sides of the relationship. Firstly, a controller is obliged to use only processors that provide sufficient guarantees to implement appropriate technical and organisational measures which give effect to the ‘Act’ and ensure the protection of the rights of data subjects as guaranteed under the ‘Act’.
Secondly, a controller must ensure that a processor is bound by a contract or any written law which sets out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of the data subjects and the obligations and rights of the controller (section 20 (2) (a) and (b)).
It would be prudent to evaluate which category one’s entity falls under, in order to ensure compliance with the ‘Act’. Personal data is received by the controller, and the controller is therefore responsible for ensuring that any other party receiving the data protects it.
In turn, section 21 (1) outlines the six obligations of processors. They include ensuring that the personnel of the processor are bound by contractual obligations of confidentiality and secrecy, and ensuring that processing activities are carried out only on the written instructions of the controller, in compliance with the obligations of the controller.
Boundaries of the Act
When does the ‘Act’ become applicable? Section 3(1) states that if any personal data is processed wholly or partly within Sri Lanka, compliance is needed. Furthermore, the ‘Act’ applies to ‘controllers’ and ‘processors’ that fall into any of five categories:
- Entities domiciled or ordinarily resident in Sri Lanka.
- Entities incorporated or established under any written law of Sri Lanka.
- Entities subject to any written law of Sri Lanka.
- Entities that offer goods or services to data subjects in Sri Lanka.
- Entities that monitor the behaviour of data subjects in Sri Lanka, including profiling.
Section 3(2) states that if personal data is processed by an individual for purely personal, domestic or household purposes, then it does not fall within the purview of the ‘Act’. Secondly, if data has been anonymised, i.e., it can no longer be linked to the individual it concerns, the ‘Act’ does not need to be complied with.
In summary, if personal data is collected by an individual for “purely” personal, domestic or household purposes, or if the data is no longer linked to the individual concerned, the ‘Act’ does not become relevant. However, it is not difficult to envisage conflicting interpretations in certain instances. Consider, for example, a householder buying a commodity for the home: does the purchase fall under ‘purely household purposes’, or is the seller ‘offering goods or services to data subjects in Sri Lanka’?
Cross-border data flows
“Cross-border flows of personal data” is defined in the ‘Act’ as “movement of personal data out of the territory of Sri Lanka”. Section 25 of the Act deals with cross-border data flow. A distinction is made between public authorities and other entities.
Section 25 (1) stipulates that when a public authority acts as a ‘controller’, personal data shall be processed only in Sri Lanka. Only the Data Protection Authority has the power to allow such personal data to be processed at a location outside Sri Lanka. However, the relevant minister has the power to prescribe a third country, a territory, or one or more specific sectors within that third country, as exempt from the authorisation otherwise needed. This exemption does not extend to controllers that are public authorities.
The rules are different for entities that are not public bodies. Notwithstanding the two subsections above, section 25 (3) and (4) require ‘controllers’ to ensure that a high level of protection is given to data sent across borders.
Also, the controller in Sri Lanka must enter into a ‘legally binding and enforceable instrument’ with the overseas party, or a similar instrument determined by the Data Protection Authority.
For entities that are not public bodies, then, the authorisation of the Data Protection Authority is not compulsory. As long as a comprehensive binding contract is signed between the parties in the different jurisdictions, to the satisfaction of the Data Protection Authority, it should be sufficient. It would be advisable for the Authority to make a template of such a contract available once the ‘Act’ is passed.
Accurate knowledge of the ‘Act’ is needed for its effective application and for compliance with it. Initially, however, work needs to be done in setting up the ‘Data Protection Authority’ and training ‘Data Protection Officers’, who would, in effect, police the ‘Act’.
‘Data Protection Officers’ are personnel to be appointed by controllers in order to monitor the entity’s compliance with the ‘Act’. The ‘Data Protection Authority’ is the initial supervisory body that deals with breaches of the ‘Act’.
Going forward, as awareness, education and preparation take place, I urge all Sri Lankans to engage in enhancing their knowledge of data protection. After all, as individuals we are all ‘data subjects’ with rights to be exercised.
[The writer, LL.B (Hons.) (Warwick); LL.M (Lon.), is a Barrister (of Lincoln’s Inn); Attorney-at-Law. ‘Data is the New Oil’: An Introduction to the Proposed Data Protection Act – Part I was published on 6 December 2019. If you need any further information or advice, please contact the writer on email@example.com.]