The Personal Data Protection Act of Sri Lanka: its origins and overview of critical information regarding the Act

The primary legislation in Sri Lanka pertaining to the protection of personal data is the Personal Data Protection Act (PDPA). The PDPA aims to secure individual rights and guarantee consumer confidence about information privacy in online transactions and information networks arising from the digital economy's expansion and innovation in Sri Lanka.

Establishment of the PDPA: A Timeline

  • September 24, 2019:

The draft PDPA bill was made public via the website of the Ministry of Digital Infrastructure and Information Technology (MDIIT), and the Attorney General (AG) examined it for constitutional conformity. Following repeated discussions between the Legal Drafting Department (LDD) and the Drafting Committee, the LDD produced an updated version incorporating the Drafting Committee's response to the AG's observations.

  • September 5, 2021:

The AG published its observations following a second examination of the amended version.

  • November 25, 2021:

Following approval from the Attorney General, the bill authorized by the Cabinet of Ministers was published in the Gazette Supplement.

  • March 9, 2022:

Parliament passed the draft law after making several changes.

  • March 19, 2022:

The Speaker of Parliament approved the draft law on March 19, 2022, and the PDPA went into effect that same day.

  • January 8, 2024:

The following commencement dates were appointed: 1 December 2023 as the date on which Parts VI, VIII, IX and X come into operation, and 18 March 2025 as the date on which Parts I, II, III and VII come into operation.

Entities involved in the preparation of PDPA

The government has prioritized PDPA legislation through the Ministry of Technology. The Telecommunications Regulatory Commission of Sri Lanka (TRCSL), the Securities and Exchange Commission (SEC) and the Central Bank of Sri Lanka assisted at the inception of the process, and the ICT Agency (ICTA), Sri Lanka CERT, the Ministry of Technology and trade chambers such as the Ceylon Chamber of Commerce worked together on the implementation aspects of the PDPA.

The PDPA draws on global best practices found in instruments such as the OECD Privacy Guidelines, the APEC Privacy Framework, the EU General Data Protection Regulation (GDPR) and the Council of Europe Data Protection Convention (Convention 108+), as well as on laws passed in jurisdictions such as the UK, Singapore, Australia, Mauritius and the State of California, and on the earlier data protection bill in India.

A collaborative public-private sector expert drafting team, led by the ICTA General Counsel and including the Legal Draftsman's Department, prepared the PDPA. The former Ministry of Digital Infrastructure began the project in February 2019. The Committee approved the framework for the proposed data protection legislation and first made it public on June 10, 2019. Seven rounds of public stakeholder consultations followed, starting with a discussion between public and business sector stakeholders on June 27, 2019, with support from the ITC and the European Union.

The drafting committee received over 30 written contributions from the Right to Information Commission as well as other domestic and foreign organizations, multinational enterprises and individual specialists. In response to this feedback, the Legal Draftsman's Department revised the bill in many respects between September and October 2019.

The Ceylon Chamber held engagement sessions with commerce and other stakeholders. In 2020, the Central Bank, the TRCSL and the Ministry of Justice all offered feedback on the draft bill, which led to further changes. Over 18 months, the Hon. Attorney General and his staff studied the draft bill and issued three sets of observations, and the bill underwent many revisions in 2020–21 as a result. An Independent Review Panel, co-chaired by former Supreme Court Justice K. T. Chitrasiri and former University of Colombo vice chancellor and law professor Prof. Savithri Goonesekera, examined the drafting committee's work.

Sri Lanka - The First South-Asian country to enact comprehensive Data Protection legislation

The Personal Data Protection Act, No. 9 of 2022 (PDPA), was passed by Sri Lanka on March 18, 2022, making it the first nation in South Asia to adopt comprehensive data privacy legislation. India's Personal Data Protection Bill had been under debate since 2019; revisions were proposed in 2022, and in 2023 India finally passed a comprehensive data protection law, the Digital Personal Data Protection Act, 2023. In Pakistan there was also considerable momentum in 2020 for a comprehensive privacy bill, but parliament has not yet approved it and the proposal, the Personal Data Protection Bill, 2023 (referred to as "the Bill"), remains at the draft stage. The data privacy movement in South Asia reflects the global trend of countries proposing comprehensive privacy regulations that draw heavily on the GDPR.

Personal Data Protection Act

Definition and Key Terms

The PDPA applies to controllers and processors in Sri Lanka that handle the personal data of citizens and non-citizens alike, for either commercial or non-commercial purposes. It is also intended to cover controllers and processors based outside Sri Lanka that deliberately target Sri Lankan data subjects by offering them products and services, profiling them, or monitoring their activity while it takes place in Sri Lanka.

  • Personal data is any information that can be used to directly or indirectly identify a data subject. A person's name does not have to be present for data to be considered personal data under the PDPA. Instead, any element that permits tracking down the individual—such as an identification number, financial information, location information, an online identifier, or factors specific to that person's physical, physiological, genetic, psychological, economic, cultural, or social identity—would qualify as personal data.

To safeguard particularly sensitive personal data that might potentially harm an individual if it is misused, the PDPA also designates a category of personal data as "special categories of personal data." Special categories of personal data are those that reveal information about an individual's race or ethnicity, political opinions, religious or philosophical beliefs, genetic information, biometric information, information about their health, sexual orientation, or relationship to another person, as well as information about offenses, criminal proceedings, convictions, or information about a child.

  • A data subject is a living or deceased natural person to whom personal data relates and who is, or can be, directly or indirectly identified by reference to any personal data. Information about businesses or other legal entities is therefore not covered by the definition of a data subject.
  • A controller is a person (natural or legal), which may be a public corporation, non-profit organization, government ministry, department or private company, that determines the purposes and means of processing personal data.
  • A processor is a person, natural or legal and from either the public or private sector, who processes personal data on the instructions of a controller. An employee of the controller is not a processor; the processor must be a third party with a contractual or other legal connection to the controller.
  • Processing covers any operation performed on personal data, including collecting, storing, protecting, modifying, retrieving, disclosing, transmitting, making available, erasing and destroying it, as well as consulting, aligning, combining and performing mathematical or logical calculations on it.
  • Consent is a freely given, specific, informed and unambiguous indication of agreement to processing, given either in writing or by an affirmative action of the data subject.

The responsible authority for the enforcement of the PDPA in Sri Lanka

The authority responsible for enforcing the PDPA is the Data Protection Authority of Sri Lanka. The PDPA provides that data subjects who are dissatisfied with a controller's decision may appeal to the Authority. The Authority may investigate complaints and, at its discretion, uphold or reject them. If an appeal is upheld, the controller concerned must notify the Authority and the data subject of the action taken to give effect to the Authority's decision.

Among its broad investigative powers, the Authority can summon a person to appear before it, examine a person under oath or affirmation, and require the provision of information about the processing activities of a controller or processor.

Committee stage revisions to the bill significantly changed the provisions on the Data Protection Authority in Part V. The statute sets out three tiers of qualifications for membership of the Board. The President appoints a minimum of five and a maximum of seven members to the Board from among persons of proven excellence in the following areas:

  • professional expertise in the fields of engineering, medicine, banking and finance, telecommunications, and law
  • experience in different sectors such as public utilities, business process outsourcing (BPO), logistics, insurance, banking, and financial sectors, of whom at least two members shall have prior experience in the public sector entities.
  • experience and knowledge in regulatory matters, privacy and data protection, information security, data science, data analytics, economics, finance, information technology, or related fields.

The Authority's director general and staff are to be recruited through a competitive process and given tenure in accordance with rules published in the Gazette.

Phases of the PDPA's implementation are planned, with Part V brought into effect on July 21, 2023, after a gazette announcement. This important step made it possible for the government to choose the Data Protection Authority Board of Directors, which consists of seven people with backgrounds in engineering, law, accounting/finance, and regulatory affairs.

The initial Board is chaired by Arjuna Herath, former consulting leader of Ernst & Young in Sri Lanka and the Maldives and a senior chartered accountant. Its other members include Sulakshana Jayawardana, Additional Secretary to the President; Bimsara Seneviratne, ISO Lead Auditor and Technology Management Specialist; Saumya Amarasekera, President's Counsel; Jayantha Fernando, Chair of the PDPA Drafting Committee; and Shehan Wijetilaka, Electronics Engineer and Digital Strategy Specialist.

Data Protection Officers

Under Section 20(1), a controller that is a government ministry, department or public corporation must appoint a data protection officer (DPO), unless the judiciary is acting in its official capacity or the controller's or processor's core processing activity comprises a prescribed activity.

The core activities referred to are: processing operations that result in a risk to the rights of data subjects protected by the PDPA; processing of special categories of personal data on a prescribed scale or magnitude; or processing that requires regular and systematic monitoring of data subjects on a prescribed scale or magnitude.

Principles of processing

The PDPA establishes principles for the collection and use of personal data that closely mirror those of the GDPR. Every controller must ensure that personal data is processed in accordance with the following principles:

  • Lawfulness (sec. 5)
  • Purpose specification (sec. 6)
  • Purpose limitation (sec. 7)
  • Accuracy (sec. 8)
  • Retention limits (sec. 9)
  • Integrity and confidentiality (sec. 10)
  • Transparency (sec. 11)
  • Accountability (sec. 12)

(Source: Sri Lankan Personal Data Protection Legislation – An Overview by Jayantha Fernando and Sanduni Wickramasinghe)

Rights of Data Subjects

Right to be informed: Section 11 of the PDPA requires controllers to provide, in writing or electronically, the information listed in Schedule V of the PDPA, as well as information about any decision made in response to a request under Part II of the PDPA, in a clear, concise, understandable and readily accessible manner.

Examples of such information: the identity and contact details of the controller and, where applicable, the controller's representative; the contact details of the DPO; the existence of the right to lodge a complaint with the Authority; and the process for exercising the data subject's rights under Part II of the PDPA.

Right of access: Under Section 13 of the PDPA, on written request to the controller, the data subject has the right to access their personal data, to obtain confirmation of whether or not such personal data is being processed, and to receive the information listed in Schedule V of the PDPA.

Under Section 17, a controller that receives such a written request must respond to the data subject in writing within 21 working days of the date of the request, stating whether the request has been granted or refused and, if refused, the reasons, unless disclosing those reasons is prohibited under any written law.

Right to rectification: Every data subject has the right, under Section 15 of the PDPA, to request that the controller update or correct any incomplete or incorrect personal data. The controller shall, without undue delay, correct or complete the data subject's personal information upon receiving a written request to do so.

Right to erasure:  According to Section 16 of the PDPA, each data subject is entitled to request in writing that their data be deleted under certain conditions and to get a response from the controller within 21 working days of the request date.

Right to object: Under Section 14, every data subject has the right to withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Automated individual decision making: Under the PDPA, Section 18, each and every data subject has the right to ask the controller to review decisions made exclusively on the basis of automated processing if such processing has resulted in, or is likely to result in, an irreversible and ongoing impact on the data subject's rights and freedoms as guaranteed by any written law.

Right to appeal to the Authority against certain decisions of the controller: According to Section 19 of the PDPA, a data subject may file an appeal with the Authority in accordance with the format, style, and time frame that may be defined, challenging certain decisions made by the controller listed in the PDPA.

What is ‘Personal Data Breach’ and its Notification?

The PDPA defines a "personal data breach" as "any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed." A controller is generally required under the PDPA to notify the Authority when a breach involving personal data occurs.

Rules made under the PDPA, which are expected to be published once the Authority is established, will specify the format, timing and mode of notification. Until then, the PDPA does not specify the threshold for a notifiable breach, the period within which notification must be made, or the circumstances in which the Authority and the data subjects must be notified.

Cross-border data transmission

Subject to the restrictions set out in the PDPA, cross-border transfer of personal data and processing in third countries outside Sri Lanka are permitted. A public body acting as a controller or processor may only transfer personal data to a third country covered by an adequacy decision. In making an adequacy decision, which may follow consultation with the Authority, the responsible Minister takes into account the applicable written laws and the enforcement procedures available in the third country.

A controller or processor that is not a public body may likewise process personal data in a third country covered by an adequacy decision. Where no adequacy decision has been made, personal data may be transferred to a third country only if the controller or processor responsible for the transfer ensures, by putting appropriate safeguards in place, that the obligations imposed under Parts I and II and Sections 20 to 25 of the PDPA are met. To ensure that the transferee complies with the PDPA's obligations, the transferor effecting such a transfer must adopt an instrument in a form that may be prescribed by the Authority.

Solicited Messages

The PDPA's guiding principles for data protection are applicable to any electronic marketing campaign that uses personal information.

Furthermore, prior to sending any direct marketing communications—which the law designates as "solicited messages"—the controller must have the approval of the data subject. This applies to communications delivered by electronic or other means.

Penalties Under the PDPA

Each time an organization is found to be in breach of a provision of the PDPA, it faces a fine of up to 10 million Sri Lankan rupees (LKR). For the second and each subsequent non-compliance, a repeat offender must pay an additional penalty equal to double the amount imposed as a penalty for the previous non-compliance, on top of the penalty for the current one. The Authority collects these fines and deposits them in the Consolidated Fund after any compensation due to the affected data subjects has been paid.

If an organization does not pay the fine within the period set by the Authority, the Authority may bring proceedings against it in the Colombo Magistrate's Court. As a further consequence, the offender's business operations in Sri Lanka may be suspended.

Furthermore, within twenty-one working days of receiving notice that an administrative penalty is being imposed under the PDPA, a controller or processor who feels wronged by the decision may file an appeal with the Court of Appeal.

The following are some of the criteria that the authority will take into account before issuing a penalty:

  • The nature, severity, and length of the violation
  • The controller's or processor's response to lessen the harm done to data subjects
  • The success of the controller's program for managing data protection
  • The controller's level of cooperation with the Authority in correcting the violation and lessening any negative consequences
  • The categories of personal data that are impacted by the violation
  • Whether the violation was reported to the Authority by the controller or processor
  • Prior violations committed by the controller or processor
  • The financial gains or losses as a result of the violation

PDPA and GDPR

The PDPA is based on a number of international instruments, including the GDPR, which sets the EU's rules for the protection of personal data.

The PDPA's rules on lawfulness, purpose specification, purpose limitation, data retention, accuracy, confidentiality and integrity are comparable to those of the GDPR.

Unlike the GDPR, the PDPA expressly treats accountability and transparency as distinct principles. Whereas the PDPA frames transparency as a principle that imposes duties on the controller, the GDPR frames it as an aspect of the rights of data subjects. Accountability, in turn, entails a comprehensive range of obligations covering compliance measures and data protection management processes.

The PDPA deliberately omits the right to data portability, on the reasoning that it is primarily a consumer right rather than a data protection right, and that Sri Lanka, as a developing country, cannot yet implement such technically demanding legal requirements. The PDPA otherwise reflects the data subject rights that the GDPR prioritizes, with the exception of data portability.

The PDPA requires public authorities to localize personal data unless certain categories of data are permitted to be processed outside Sri Lanka with the joint consent of the data protection authority and the supervisory entity of the public authority concerned; the GDPR, by contrast, contains no express data localization requirement. The adequacy decision-making process resembles the GDPR's, in that nations whose level of protection for personal data meets the PDPA's requirements can be recognized as adequate.

The importance of PDPA in Sri Lanka

The government's and the commercial sector's adoption of digital initiatives made personal data protection legislation imperative. The Act is critical because it will improve the management and regulation of personal data, particularly with regard to contact tracing solutions for health authorities to handle COVID-19 effectively and to advance Sri Lanka's digital identification strategy.

When the pandemic struck Sri Lanka in 2020, the availability of information online and the ability to access services through online portals became even more common, boosting government institutions' efficiency. For example, the Immigration and Emigration Department and the Department of Registration of Persons continue to utilize their e-systems after implementing them due to COVID-19 restrictions. They have even delegated data input labor to officials from other departments, digitizing processes.

There are other projects, such as the digitization program for Grama Niladhari Divisions under the e-Grama Niladhari (eGN) project. The public, however, expressed concerns on social media about the large amount of data they must provide to the Grama Niladhari for the eGN project, and questioned how a digitization effort could be trusted when the data was being gathered on printed forms. The Personal Data Protection Act addresses this by allowing people to hold the government accountable for its collection of personal data. The public's concerns, though legitimate, now have statutory backing in the event of a data breach, and complaints can be directed to the institution's appointed data protection officer.

At the same time, personal data protection legislation stimulates investment in the BPO/BPM and other data processing sectors. For this reason the government has prioritized the law through the Ministry of Technology so as to guarantee cross-governmental implementation, and the PDPA is regarded as a strength that would help attract foreign business contracts.

It has also been observed that innovation may flourish in a market that values data privacy, particularly when privacy-enhancing technology, privacy-by-default, and such design principles are used. Trust is a crucial component of the digital sphere, particularly for government and other private/public organizations undergoing digital changes, as the efficacy of these initiatives depends on the trust of the user (data subject). The PDPA's principles of accountability, data quality, openness, and proportionality can support and enhance the trust factor in any society, which can result in more people using digital services and perhaps promote greater innovation.

Why is PDPA awareness important in Sri Lanka?

According to projections by Statista Market Insights and the ITU (International Telecommunication Union), Sri Lanka will have 15.62 million internet users by 2024, and the number will continue to rise in the coming years. The need for data protection and privacy regulation grows with the ongoing spread of digitalization and internet use.

The internet and improvements in communication capabilities allow for the daily transmission, storing, and gathering of enormous amounts of data. The Fourth Industrial Revolution (4IR) has brought forth new challenges for data protection and privacy with the advent of Internet of Things (IoT) devices. 

Emerging trends in Sri Lanka, such as the use of data-gathering digital and cloud services for e-mail and calendar management, social media and cloud communication (for example Google Calendar, Microsoft Outlook/Teams, Zoom and Slack), are becoming increasingly popular. These systems serve as the main channels for communication, and the free applications that offer such services gather a great deal of data, which is subsequently used for targeted advertising.

Privacy concerns also arise from the use of virtual private networks (VPNs). Because all of a device's traffic passes through the VPN provider, the provider is positioned to capture any data the device transmits or receives, making the wholesale collection of personal information straightforward.

Furthermore, the launch of 5G service in 2020 has increased the demand for the PDPA. Software and associated information and communication technology (ICT) services have become one of Sri Lanka's top service exports. Some exporters may already have to comply with the General Data Protection Regulation (GDPR) and other international privacy laws, and the PDPA will further reduce risk and enhance security.

Importance of PDPA Awareness for Individuals:

Carelessness about data privacy carries risks, particularly for children who are deeply involved in technology and willing to divulge any information about themselves for the instant gratification of social media or online gaming. Another group that is adversely affected is the elderly, who are often less digitally savvy and hence vulnerable to readily giving out personal information. Educators, parents, guardians and policymakers have a responsibility to educate themselves and others about the potential consequences of internet privacy violations and about the laws and regulations on personal data protection. A crucial element is to demystify the broader topics of cyber-hygiene and cybersecurity and make them easy to understand for the majority.

Importance of PDPA Awareness for Businesses and Organizations:

For organizations, including government entities, that handle vast amounts of data and depend on it for their operations, PDPA knowledge is essential to their operations and survival, from the board level down to the operational level. A publicly visible privacy policy that complies with the PDPA is the bare minimum, following the GDPR example adopted by many European Union companies. Firms must demonstrate the competence and ability to act on these data privacy policies. Companies must safeguard client data if they want to retain the trust of their customers and avoid legal penalties. When customers raise cybersecurity issues or lodge formal complaints, businesses should handle them in an organized fashion and take the necessary steps to validate and resolve them.

Importance of PDPA Awareness for Educational Institutions:

Educational institutions, from early-stage K-12 through university level, accumulate a large volume of personal information in the form of student data over time. This includes student names, demographic details, addresses, health information, photos and more. A school database also frequently holds data on volunteers, staff, governors and job candidates. The risk to data security grows as the volume of data grows. The PDPA encourages educational institutions to reconsider how they collect and handle data, which should ultimately result in less data being retained. This matters for schools because student data must frequently be retained for years after students graduate, and because children's personal information requires stronger protection. Compliance with the PDPA not only gives data subjects more control over what happens to their information, but also increases the accountability of schools when processing personal data.

References

  1. Personal Data Protection Act, No. 9 of 2022 – The Parliament of Sri Lanka
  2. Sri Lankan Personal Data Protection Legislation – An Overview, by Jayantha Fernando and Sanduni Wickramasinghe
  3. Data Protection Law – DLA Piper
  4. Overview of Sri Lanka's Personal Data Protection Act
  5. Article on the Personal Data Protection Act – www.icta.lk
  6. WilmerHale Privacy and Cybersecurity Law
  7. Questions abound over data collection for the eGN project (interview with Mr. Asela Waidyalankara), by Sarah Hannan, The Morning
A Talos Consulting (PVT) LTD initiative
© 2023, Cybersafe. All Rights Reserved.