Data protection legislation now ready

Monday, 7 October 2019 00:57

  • Key initiative by Ministry of Digital Infrastructure and Information Technology


Personal data protection legislation defining measures to protect personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities has now been finalised by the Ministry of Digital Infrastructure and Information Technology. 

The final draft of the Bill, prepared by the Legal Draftsman’s Department and the Data Protection Drafting Committee of the Ministry, will be released through the website by the Ministry of Digital Infrastructure and Information Technology this week.

The drafting of the legislation was initiated by Minister of Digital Infrastructure and Information Technology Ajith P. Perera on 5 February. The latest released version is based on modifications to the previously released Data Protection Framework, published by the Ministry on 12 June.

However, substantial modifications were made to the said framework based on consultations held with key stakeholders as well as feedback received from them.

The legislation will be implemented in stages. The entire Bill will come into operation within a period of three years from the date the Speaker certifies the Bill. This would provide sufficient time for the Government and the private sector to take adequate steps to implement this legislation. The Data Protection Authority is required to be established within 18 months.

Several obligations have been imposed by this legislation on those who collect and process personal data (‘controllers’ and ‘processors’) and a whole new set of rights have been given to citizens under this new Legislation, which are known as ‘Rights of Data Subjects’. 

For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purpose. However, processing data in the public interest, or for scientific or historical research, will not be considered incompatible. Personal data has to be processed in a manner that ensures appropriate security, including protection against accidental loss, destruction, or damage.

Data subjects (individuals) will have the right to withdraw consent given to controllers and will also have the right to have their data rectified without undue delay. Further, data subjects have been given the right to object to the processing of their data. These rights could be exercised by the individual directly with the controller, who is required to respond within a defined time period and is obliged to give reasons for refusing the request, or reasons why the controller would refrain from further processing the said data. The individual has a right of appeal to the Data Protection Authority against the decision of the controller.

Although the original framework had provisions for the mandatory registration of controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on controllers. The accountability obligations would require controllers to implement internal controls and procedures, known as a ‘Data Protection Management Program’, in order to demonstrate how they implement the data protection obligations imposed under the Act.

The legislation also prohibits controllers who process personal data from sending unsolicited messages, unless the individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf.

Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of the controllers. 

When formulating the draft legislation, the Drafting Committee also took into account international best practices, such as the OECD Privacy Guidelines, the APEC Privacy Framework, the Council of Europe Data Protection Convention and the EU General Data Protection Regulation, as well as laws enacted in other jurisdictions, such as the United Kingdom, Singapore, Australia, Mauritius and the State of California, and the Indian Bill.

The Ministry of Digital Infrastructure and Information Technology, in partnership with other entities, conducted two rounds of stakeholder discussions. In addition, targeted group discussions were held with other stakeholder communities, including bank chief information officers, the Ministry of Health’s Health Informatics Unit, and representatives of the Right to Information Commission. The proposed legal framework was also reviewed by an Independent Review Panel led by former Supreme Court Justice K. T. Chithrasiri and Prof. Savithri Goonesekera.

The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/Convenor), and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept.), Kanchana Ambahawita and Niluka Herath (Central Bank), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), and Trinesh Fernando and Shenuka Jayalath (Dialog PLC).