Data Protection Bill gets Cabinet approval

Wednesday, 17 November 2021 00:27

The proposed personal data protection legislation defining measures to protect personal data of individuals held by Government entities, banks, telecom operators, hospitals and other personal data aggregating and processing entities was given approval by the Cabinet of Ministers on Monday to proceed with next steps.

The approved legislation will now be gazetted as a Bill and thereafter presented in Parliament. 

The draft legislation was prepared by the Legal Draftsman and the Drafting Committee, chaired by ICTA’s General Counsel.

“This committee had considered international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as the United Kingdom, Singapore, Australia and Mauritius as well as laws enacted in the State of California and the Indian Draft bill, when formulating this legislation,” stated ICTA’s General Counsel Jayantha Fernando.

According to ICTA’s website, the legislation intends to balance the interests of enterprises that rely on personal data processing against the interests of individuals whose personal data is being processed, to ensure transparency and accountability in processing activities.

The legislation imposes several obligations on those who collect and process personal data (known as “controllers” and “processors”) and gives natural persons/individuals (known as “data subjects”) a whole new set of statutory rights, known as “rights of data subjects”.

Individuals can exercise these rights directly with the controller, who is required to respond within a defined time period and is obliged to give reasons for refusing to meet the data subject's request. The grounds of refusal are set out in the draft bill. The individual has a right of appeal against the controller's decision to the data protection authority. Any decision of the said authority is subject to judicial review by the Court of Appeal.

The legislation has devised its approach towards cross-border data transfers in line with regional and international procedures. For example, there is no data localisation requirement except for public authorities that process data in the capacity of a controller or processor.

Cross-border transfers by controllers or processors who are not public authorities are facilitated by adequacy decisions and other instruments to be prescribed by the Data Protection Authority. However, public authorities can also process or store certain data classified as permissible by the data protection authority and any other relevant supervisory body of that controller in a third country which has received the adequacy decision by the authority.

The proposed law also attempts to govern data breach incidents where the controllers are expected to notify data breaches to the authority and/or to the data subjects in such manner, form and within such time as may be determined by Rules made under this Act. The circumstances under which the data protection authority and/or data subjects must be notified are to be stipulated by way of Rules made by the authority in due course.  

Importantly, provisions have been introduced to enable the Data Protection Authority to issue directives to entities which do not adhere to the provisions of the proposed law, and administrative penalties are imposed only on those who do not comply with the said directives. The penalties are subject to a ceiling instead of being fines calculated on the global turnover of the controllers, as in some developed jurisdictions. The legislation prescribes personal liability in the event of a penalty.

Finally, in its effort to balance any competing interests, the legislation recognises that no restriction, exception or derogation can be placed against the provisions of this law unless it is prescribed by law, a proportionate and necessary measure in a democratic society for the protection of national security, public safety and public health, impartiality of Judiciary, investigation and prosecution of criminal offences, execution of criminal penalties or for the protection of the rights and fundamental freedoms of persons, particularly the freedom of expression and the right to information. 

Since the legislation was finalised in July, two key decisions were taken. Firstly, a committee has been appointed by the Technology Ministry, headed by the Monetary Board representative Sanjeeva Jayawardena PC, to come up with a framework to implement this legislation. This Implementation Committee includes the Security Exchanges Commission (SEC) Chairman, the Telecommunications Regulatory Commission of Sri Lanka (TRCSL) Director General, the ICTA Chairman and the Chief Legal Draftsman. The committee is supported by experts from the Drafting Committee. 

The Drafting Committee and ICTA Chairman had also conducted several discussions with key international and local stakeholders, where the Bill's benefits and impediments were further examined. Speaking on this, Fernando said: “We recognised areas of improvement which can be achieved through minor Amendments to the Bill, which can be introduced at the Committee stage in Parliament. These amendments are being formulated based on the feedback we received from the technology and business community and other stakeholders.”