Data protection law will not stifle innovation: ICTA

Tuesday, 8 October 2019 00:00 -     - {{hitsCtrl.values.hits}}

  • Proposed legislation will allow start-ups and other biz to use tech creatively 
  • Draft legislation to be made available on Digital Infrastructure and Information Technology Ministry website this week 
  • Provisions include controlling unsolicited messages and administrative penalties  


By Hiyal Biyagamage

The long overdue personal data protection legislation of Sri Lanka will not compromise the innovation and competitiveness of Sri Lanka’s business and start-up ecosystem, assured the Chair of the Data Protection Drafting Committee.


Information and Communication Technology Agency (ICTA) Legal Director Jayantha Fernando told Daily FT during the drafting process of the data protection framework that the committee has realised a majority of international privacy framework guidelines has an inadvertent push towards stifling innovations of a particular country’s business community as well as the start-up ecosystem. 

“Legislation like the data protection act needs to be looked at from a perspective of citizens’ rights. We are mindful of the fact that the business element of the country has to be proportionately looked after and balanced so that the economic aspect will be balanced with the citizens’ rights,” he said. 

ICTA followed international benchmarks including Organisation for Economic Co-Operation and Development (OECD) Guidelines, Asia-Pacific Economic Cooperation (APEC) Privacy Framework and Council of Europe Data Protection Convention. 

“What the committee realised during the process was that these guidelines create a certain trend where innovations within the business community and the start-up ecosystem get stifled.

“However, what is important to realise is that when you have clear-cut rules defining how information will be processed, how data will be collected and how it will be shared with others, there will be clarity in the ecosystem so that multiple spectrums of activities can be kick-started around that ecosystem; the rules and the parameters have been put down clearly and precisely. That is what our data protection law is going to do,” Fernando added.   

The Personal Data Protection legislation, defining measures to protect personal data of individuals held by banks, telecom operators, hospitals and other personal data aggregating and processing entities, was finalised by the Ministry of Digital Infrastructure and Information Technology last week. 

The final draft of the Bill, prepared by the Legal Draftsman Department and the Data Protection Drafting Committee of the Ministry, will be released through the website by the Ministry of Digital Infrastructure and Information Technology this week.

Fernando pointed out that there is no integral compatibility between innovation and privacy yet, the charge that privacy in s a threat to innovation often appears whenever new regulations are proposed. 

“The Sri Lankan data protection law is not a challenge to innovation and competitiveness. The law has not been designed from an anti-business stance, and I can emphasise that it will not affect the progress of Sri Lanka’s start-up ecosystem as well,” Fernando opined.    

Fernando also highlighted that the law is not going to be a cumbersome, regulatory and high penalty-based approach. 

“Several obligations have been imposed by this legislation on those who collect and process personal data (‘Controllers’ and ‘Processors’) and a whole new set of rights have been given to citizens under this new legislation, which is known as ‘Rights of data subjects’. The legislation prohibits controllers who process personal data from sending unsolicited messages unless the individuals have given express consent. 

“Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf. Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of the controllers,” Jayantha said.

The legislation will be implemented in stages. The entire Bill will come into operation within a period three years from the date the Speaker ratifies an Act. This would provide sufficient time for the Government and private sector to take adequate steps to implement this legislation. The Data Protection Authority is required to be established within 18 months.

The drafting of the legislation was initiated by Digital Infrastructure and Information Technology Minister Ajith P. Perera on 5 February. This latest version released is based on modifications done to the previously released Data Protection Framework, published by the Ministry on 12 June. However, substantial amendments were made to the said framework, based on consultations held with key stakeholders as well as feedback received from them.

Personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purposes. However, processing data in public interest, scientific or historical research will not be considered incompatible. Personal Data has to be processed in a manner to ensure appropriate security, including protection against accidental loss, destruction or damage. 

The data subject (individuals) will have the right to withdraw his or her consent given to Controllers and will also have the right to rectify the data without undue delay. Further, the Data Subjects have been given the right to object to the processing of their data. 

These rights of data subject can be exercised directly by the individuals with the Controller, who are required to respond within a defined time period and is obliged to give reasons for refusing to meet the request or reasons as to why the Controller would refrain from further processing the said data. The individual has a right of appeal against the decision of Controller to the Data Protection Authority.

Although the original framework had provisions for the mandatory registration of Controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on Controllers. 

The accountability obligations would require the Controllers to implement internal controls and procedures, known as a ‘Data Protection Management Program’, to demonstrate how it implements the data protection obligations imposed under the Act.

The Ministry of Digital Infrastructure and Information Technology, in partnership with other entities, conducted two rounds of stakeholder discussions. Also, targeted group discussions were held with other stakeholder communities, including Bank Chief Information Officers, Health Informatics Unit of the Ministry of Health and representatives of the Right to Information Commission. 

In addition, the proposed legal framework was reviewed by an Independent Review Panel led by former Supreme Court Justice K.T. Chithrasiri and Prof. Savithri Goonesekera.

The Data Protection Drafting Committee was led by Chair/Convenor Jayantha Fernando and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Department), Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), Trinesh Fernando and Shenuka Jayalath (Dialog PLC).