Local News from Sri Lanka: The Personal Data Protection Legislation, defining measures to protect personal data of individuals held by banks, telecom operators, hospitals and other personal data aggregating and processing entities, has now been finalized by the Ministry of Digital Infrastructure and Information Technology. The final draft of the Bill, prepared by the Legal Draftsman Department and the Data Protection Drafting Committee of the Ministry, will be released through the website by the Ministry of Digital Infrastructure and Information Technology this week.
The drafting of the Legislation was initiated by Hon. Ajith P. Perera, Minister of Digital Infrastructure and Information Technology, on 5th February 2019. This latest version is based on modifications made to the previously released Data Protection Framework, published by the Ministry on 12th June 2019. However, substantial modifications were made to the said Framework, based on consultations held with key stakeholders as well as feedback received from them.
The Legislation will be implemented in stages. The entire Bill will come into operation within a period of three (03) years from the date the Speaker certifies the Bill. This would provide sufficient time for the Government and private sector to take adequate steps to implement this legislation. The Data Protection Authority is required to be established within 18 months.
Although the original Framework had provisions for the mandatory registration of Controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on Controllers. The accountability obligations would require Controllers to implement internal controls and procedures, known as a “Data Protection Management Program”, in order to demonstrate how they implement the data protection obligations imposed under the Act.
The Legislation also prohibits Controllers who process personal data from sending unsolicited messages, unless the individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf.
Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of the controllers.
The Drafting Committee had also taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention and EU General Data Protection Regulation, and laws enacted in other jurisdictions such as the United Kingdom, Singapore, Australia and Mauritius, laws enacted in the State of California, as well as the Indian Bill, when formulating the said draft Legislation.
The Ministry of Digital Infrastructure and Information Technology, in partnership with other entities, conducted two rounds of stakeholder discussions. In addition, targeted group discussions were held with other stakeholder communities, including Bank Chief Information Officers, the Health Informatics Unit of the Ministry of Health and representatives of the Right to Information Commission. The proposed legal framework was also reviewed by an Independent Review Panel led by Hon. K. T. Chithrasiri, former Justice of the Supreme Court of Sri Lanka and Prof. Savithri Goonesekera.
The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/Convenor), and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept), Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), Trinesh Fernando and Shenuka Jayalath (Dialog PLC).