The Sri Lankan Ministry of Digital Infrastructure and Information Technology (MDIIT) introduced the final draft of Personal Data Protection Bill on September 24. According to the official press release, the previously released Data Protection Framework (published on June 12), has been modified after consultations with stakeholders. The Bill will come into operation within 3 years from the date of certification of the Bill by the speaker. The Bill, when ratified into Act, will be implemented in stages so that the Government and private sector have enough time to implement it efficiently. Here are the key changes: Objectives specified The objectives of the proposed legislation have been defined in a more specific manner, such that it aims to: Provide for the regulation of the processing of personal data; Identify and strengthen the rights of data subjects; Provide for the designation of the Data Protection Authority; Regulate the dissemination of unsolicited messages using personal data; and Provide legislation for matters incidental to the processing of personal data. What is ‘Personal Data’? Personal Data is “any information that can identify a data subject directly or indirectly, by reference to- an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual or natural person." In the previous draft, there was no additional reference to an identifier or specific factors. Data Protection Authority Part V of the proposed Act provides for…
