The Sri Lankan Ministry of Digital Infrastructure and Information Technology (MDIIT) introduced the final draft of the Personal Data Protection Bill on September 24. According to the official press release, the previously released Data Protection Framework (published on June 12) has been modified after consultations with stakeholders.

The Bill will come into operation within 3 years from the date of certification of the Bill by the Speaker. The Bill, when ratified into an Act, will be implemented in stages so that the Government and private sector have enough time to implement it efficiently.

Here are the key changes:

Objectives specified

The objectives of the proposed legislation have been defined in a more specific manner, such that it aims to:

  • Provide for the regulation of the processing of personal data;
  • Identify and strengthen the rights of data subjects;
  • Provide for the designation of the Data Protection Authority;
  • Regulate the dissemination of unsolicited messages using personal data; and
  • Provide legislation for matters incidental to the processing of personal data.

What is ‘Personal Data’?

Personal Data is “any information that can identify a data subject directly or indirectly, by reference to-

  1. an identifier such as a name, an identification number, location data or an online identifier, or
  2. one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual or natural person.”

In the previous draft, there was no additional reference to an identifier or specific factors.

Data Protection Authority

Part V of the proposed Act provides for the designation “of Public Corporation, Statutory Body or any other institution controlled by the government or established by or under any written law, as the ‘Data Protection Authority’ (“the Authority”) of Sri Lanka”.

In the previous draft, it was provided that the Authority will be the apex body for all matters related to data protection and for implementation of the proposed Act. It will be responsible for maintaining the Register of controllers, and giving directions, issuing guidelines and undertaking training for controllers. In the final draft, the DPA does not need to maintain the Register of Controllers.

Data Protection Officer

The final draft says that every controller, unless exempted from this Act or any written law, has to appoint a ‘Data Protection Officer’ (‘DPO’) to ensure compliance. A DPO will be a senior staff member of the controller with relevant academic or professional qualifications in matters relating to data protection. In the previous draft, there was no such specific criterion that the DPO should be a ‘senior staff member’.

Data Protection Management Programme

The previous draft included provisions for the mandatory registration of Controllers. However, this has been removed in the final draft. Instead, the accountability obligations require Controllers to implement internal controls and procedures, known as a ‘Data Protection Management Programme’.

Rights of data subjects

  • As per the final draft, the data subject shall be entitled to request in writing the rectification or completion of any inaccurate or incomplete personal data, the erasure/deletion of the personal data, or the withdrawal of its consent for the processing of its personal data that has been processed, and the controller has to rectify it without delay. The previous draft didn’t specify the mode of request.
  • The data subject shall have a right to request a controller to review a decision of the controller which is based solely on automated processing and affects the rights and freedoms of the data subject as guaranteed under any written law. The previous draft included broader principles, such as ‘legitimate interests’, ‘rights’ and ‘freedoms’, which have now been removed.
  • The final draft enables data subjects to claim their aforementioned rights by directly approaching the controller of the personal data. The controller now has to inform the data subject about their right of appeal in cases where the controller refuses or restricts the mentioned rights of data subjects. This obligation was not specified in the previous draft.

Data Protection Impact Assessments (‘impact assessment’)

In cases where the processing of personal data is “likely to result in a high risk to the rights and freedoms of data subjects”, a controller has to carry out a privacy impact assessment prior to such processing.

In addition to the three cases specified in the previous draft, this impact assessment is mandatory when there is any other processing activity as may be prescribed taking into consideration the scope and associated risks of that processing.

Provisions related to use of personal data to disseminate unsolicited messages

The final draft of the legislation provides that, subject to certain exceptions as provided in the Act, “no controller shall disseminate unsolicited messages to an identified or identifiable data subject” as used for direct marketing. The final draft, unlike the previous one, defines ‘solicited messages’: the messages to which the data subject has given his/her consent. The controller will be obligated to inform the data subject how to opt out of such messages.

Imposition of Penalties

The previous draft imposed a penalty that would not exceed 2% of a company’s total worldwide turnover, or rupees 25 million, whichever is higher. In the final draft, this has been changed so that the penalty shall not exceed a sum of rupees ten million in any case, and shall be imposed “taking into consideration the nature and extent of relevant non-compliance, its impact on data subjects”.

Further, as a change to the previous Framework, the final draft of the proposed legislation provides the list of matters to consider when imposing the penalty, such that due regard shall be given to the following, inter alia:

  • “the nature, gravity, and duration of the contravention”;
  • any action that was “taken by the controller or processor to mitigate the damage suffered by data subjects”;
  • “the degree of responsibility of the controller or processor”;
  • “the effectiveness of the data protection management programme” as implemented by the controller;
  • “previous contraventions of the provisions of this Act”; and
  • “the categories of personal data affected by any contravention”.