Tuesday Jun 03, 2025
Monday, 2 June 2025 03:04
Without a statutory requirement to publicly disclose information regarding data breaches, citizens would be totally oblivious to their digital privacy being compromised
On 1 April 2025, Twitter/X user Dinidu de Alwis posted a thread on what he labelled “Sri Lanka’s biggest cybersecurity incident”. Cargills Bank PLC had experienced a cybersecurity incident and hackers reportedly posted thousands of internal files held by the bank onto the internet. Among others, these include personal data of the bank’s customers, staff and board of directors, and information on its internal processes and human resource systems.
Although Cargills Bank had issued notice of an “unauthorised access to a peripheral system” via the Colombo Stock Exchange, no reported steps had been taken to inform the data subjects i.e. the persons whose personal data had been released online, of the breach of the bank’s system and the resulting breach of privacy of its clients.
The timing of this event is extraordinary, as on 27 March 2025, the Government issued a bill to amend the Personal Data Protection Act (PDPA). The Act, which was passed in 2022, is yet to fully come into force, as public and private institutions require time to expand their capacity and employ requisite expertise to fully comply with their obligations under the Act.
The UN Special Rapporteur on privacy, in a 2024 report stated: “Data subjects find themselves in a position of defencelessness owing to their limited knowledge of the use that third parties make of information concerning them, since in practice they are unable to follow up on or monitor this use. This has repercussions for their ability to control their data – the essence of the fundamental right to personal data protection.” To clarify, personal data is any identifying information of a person (a data subject). A data controller refers to an individual or entity that “determines the purposes for which and the means by which personal data is processed” – this can include both State and non-State entities, such as commercial corporations and non-governmental organisations.
The enactment of the statute in 2022 received little public attention (perhaps because citizens were facing unprecedented levels of inflation and food/fuel/medicine shortages). Apart from alarm bells being raised by certain organisations and media associations, there was limited resistance to the PDPA – the petition filed by the Young Journalists Association at the Supreme Court was dismissed because the timeframe for filing a petition had lapsed.
Primary concerns regarding the PDPA highlighted by these entities included the tension between the right to individual data privacy and the Constitutional right to information, and the impact on media reporting. Journalists demanded that a “journalistic exemption” be included in the Act so that processing of personal data by the media, and therefore the freedom to report on political figures and persons in power, is not restricted by the Act. Whether the Act sufficiently protects individual digital privacy, as it claims to, was not adequately scrutinised. Considering the former Government enacted the Online Safety Act, which undermines personal rights and autonomy, its claims of enacting the PDPA to protect individual rights to privacy should have been regarded with wide scepticism.
Problematic aspects related to DPA
A prima facie reading of the Act casts a spotlight on the problematic aspects related to the Data Protection Authority (DPA). The Act requires that the Board of Directors (the Board) responsible for the administration, management and control of the DPA comprise persons who have reached eminence in “engineering, medicine, banking and finance, telecommunications, law”. Despite the Government seeking to expand digital privacy rights via the Act (evinced by Namal Rajapaksa’s statement in 2022 that “we need to protect people’s personal data first”), no rights-based expertise within the Board is required.
Since the Act empowers the President to unilaterally appoint members to the Board, the DPA cannot be considered independent and free of political influence. The mandate of the DPA, as an entity subject to Government control, includes quasi-judicial functions such as imposing fines of up to Rs. 10 million, and investigating and adjudicating on actions of data controllers and processors, as well as entering and inspecting premises to seize records.
Readers will recall the original version of the Online Safety Bill, which contained a similar provision on the appointment of the Online Safety Commission; following the challenges to the Bill at the Supreme Court, the approval of the Constitutional Council on the appointment of members was included in the Act. The appointment of the DPA without this layer of protection allows the executive to appoint persons based on loyalty rather than qualification/merit. This concern was raised by members of the Opposition during the debate in Parliament, but the clause was passed without changes. Comparatively, the General Data Protection Regulation (GDPR), the European Union regulation on data protection and privacy, heavily emphasises the need for supervisory authorities appointed by Member States to be independent.
In light of the Cargills Bank security breach, it must be noted that Section 23 of the Act requires the data controller to notify the DPA of a breach, and the DPA will determine “the circumstances where the affected data subject shall be notified”. The GDPR on the other hand requires that data subjects be informed about the personal data breach without undue delay ‘when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons’.
The PDPA makes several references to the need for “appropriate safeguards for the rights and freedoms of data subjects”, but what constitutes appropriate safeguards is left open for determination by the DPA via regulations and guidelines that will subsequently be issued. Similarly, the Act mentions “risk of harm” to data subjects and the need to mitigate risks, without stipulating what constitutes harm. This is particularly concerning because members of the Board – which is responsible for making these determinations – can be appointed despite the existence of a conflict of interest, as long as they do not participate in decisions or deliberations pertaining to that interest.
One ‘safeguard’ included in the Act is the requirement for data controllers to carry out personal data protection impact assessments under Section 24, especially when conducting ‘a systematic and extensive evaluation of personal data or special categories of personal data including profiling’. A data protection impact assessment is an audit to identify potential risks when processing sensitive data and place mitigating measures in advance to minimise the risk. For instance, where an entity is storing information related to minors, it is crucial to identify how potential risks, such as a data breach that could result in the information being accessed by unauthorised persons, can be averted.
Under the PDPA, the data controller has to submit the impact assessment to the DPA only if the DPA requests it. The Act does not state how data controllers can be compelled to conduct impact assessments, as there is no enforcement mechanism to ensure this. Although data controllers can subsequently be sanctioned by the DPA for not conducting impact assessments, by then it would be too late, as a risk may have already materialised.
Special categories of personal data
For clarity, special categories of personal data include sensitive data relating to an individual’s personal life or characteristics, and require stringent protection due to the potential for discrimination, harm, or prejudice. This includes racial or ethnic data, political views, religious and philosophical ideas, sexual orientation and union membership. Thus, a company may store email addresses of their clients for marketing purposes – such data, while private, may not be sensitive as it does not necessarily reveal personal information/characteristics.
Comparatively, where an entity stores information on a person’s religious or political positions, international data protection standards require added safeguards to be implemented to prevent exploitation of persons through sensitive personal information and violations of fundamental rights. Data protection frameworks of the EU and the UK further classify special categories of data as those “that could create significant risks to the individual’s fundamental rights and freedoms” when processed.
The Act defines special categories as those: ‘revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, biometric data, data concerning health, a person’s sex life or sexual orientation, and data relating to offences, criminal proceedings and convictions’. Section 25 states that where the impact assessment reveals that processing is likely to result in a risk of harm, data controllers are required to “take measures to mitigate harm”. Despite the vast potential for harm in the case of a data breach where special categories are concerned, the Act neither stipulates what constitutes mitigating measures nor provides for oversight or reporting requirements to ensure they are put in place.
The Act allows exemptions, restrictions or derogations for data controllers from complying with the requirements in Section 40 for several reasons including ‘the protection of national security, defence, public safety, public health, economic and financial stability, independence of the judiciary, protection of the rights and fundamental freedoms of persons, particularly the freedom of expression and the right to information’, etc. While derogation for the protection of fundamental freedoms is crucial, it is concerning that an entity that is not independent, with no visible expertise in human rights, is responsible for determining whether a derogation falls within these categories.
The UN Special Rapporteur for privacy stated in 2017:
“The structure of accountability and transparency within governmental organisations carrying out surveillance needs to be clear. It also needs to be clear why a particular set of data is being collected, what purpose the analysis has and which purposes are not legal. Enforcement of those mechanisms needs to be embedded first and foremost within the authorities carrying out surveillance and it needs to be clear who is accountable for compliance after appropriate legal requirements have been defined. If internal mechanisms of accountability and transparency fail, there need to be other checks and balances in place.”
Public institutions enjoy a wide ambit under the PDPA to process personal data for the “benefit of the public”, but there are inadequate mechanisms to ensure that the right balance is being struck between public interests and individual privacy. Sri Lanka’s history illustrates limitless instances of successive Governments using the guise of ‘greater good’ [public protection, national security and public order] to impose draconian restrictions on individual liberties and freedoms. At present, public institutions can effectively operate without accountability as citizens are not aware of how their personal data is being used.
In fact, as demonstrated by the Cargills Bank saga, it would take a cybersecurity breach to bring to light how personal data is being processed by public institutions and the shortcomings of their protective infrastructure. And without a statutory requirement to publicly disclose information regarding data breaches, citizens would be totally oblivious to their digital privacy being compromised.
Privacy rights are readily compromised
Examples across the globe have demonstrated that privacy rights are readily compromised by State entities when personal data is processed for the purpose of surveillance and public security. This is especially perturbing in light of encroaching artificial intelligence systems, automated data processing and algorithm-based decision making, which diminish transparency and therefore State accountability.
A critical shortcoming of the PDPA therefore is the lack of clarity and resultant inaccessibility by the average citizen to fully comprehend the rights and remedies available under the Act. The power imbalance heavily favours data controllers and processors; citizens are largely unaware of how their data is being used, stored and processed, and many users may not be aware of what exactly they have consented to. Where informed consent has not been acquired by data controllers, data subjects cannot take remedial action, being unaware that their personal data is being stored and processed. Data protection legislation therefore requires robust enforcement mechanisms as well as extensive investment in raising awareness among citizens on their rights and remedies under the Act.
It is disappointing, therefore, that the proposed amendment to the Act barely scratches the surface in alleviating these concerns, particularly since members of the present Government voiced their concerns against the Act in 2022 when they were in the Opposition. As technology evolves faster and privacy rights become more precarious, the need of the hour is for the Government to ensure that protective and oversight mechanisms are able to keep up.
(The writer is a Researcher, law and human rights).