Monday, March 29, 2021

A Study On The Implementation Of Data Protection Laws In Sri Lanka

By Aneeraz Samahon and Vihangi Liyanagamage


According to International Bank for Reconstruction and Development (World Bank) statistics, 34.113% of the Sri Lankan population used the internet in 2019,[1] and only 328.441 per one million have access to a secure internet server in Sri Lanka.[2] In the European Union, by contrast, 83.932% of the population are internet users, while a staggering 50292.421 per one million have access to secure internet servers, as per the 2019 World Bank statistics. This shows the comparative advancement of the EU over Sri Lanka in internet users and the availability of secure internet servers. Sri Lanka also falls into the 21% of countries that do not have a properly implemented data protection law, out of the 107 countries recognised by the United Nations Conference on Trade and Development (UNCTAD) as of 2019.[3]

This research focuses on the implementation of personal data protection laws in Sri Lanka and on what can be drawn from the General Data Protection Regulation (GDPR). The GDPR is referred to throughout the article, as it is evident that the European Union’s (EU) GDPR has had a remarkable impact within the Union. This further emphasizes the importance of the right to privacy and the protection of personal data, and the correlation between them.

Data Protection and Personal Data

According to the GDPR, ‘personal data’ means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[4]

Big data is a term used to describe the large volumes of structured and unstructured data that businesses gather continuously, and which they also use as an analytical tool to carry out their business better.[5]

The requirement for data protection arises from the existence of Personal Data and Big Data.[6] The protection of personal data is derived from the Fundamental Rights[7] of the Right to Privacy[8] and the right of individuals to protect their personal data.[9]

Why do we need data protection laws?

As society becomes continuously more open and technology driven, the need to protect the sensitive data that we provide to different individuals, businesses and government entities is becoming increasingly valuable and important. From the name and phone number we give to a business app to the photos we share with our friends on social media, they are all data that should be protected according to their owner.

However, the data being provided is mostly unprotected by the law, despite the sensitivity and value it carries. This data is seemingly stripped away from the owner and transferred to businesses according to company policies.

As we live in a society that is continuously identifying its rights and fighting for them, it is important to recognise the right to privacy, which is crucial in such a social media driven world, and the existence of a solid law to maintain it is vital.

Existing laws related to data protection

Although the constitution of Sri Lanka has a provision for access to information by the general public, it does not explicitly mention the importance of privacy or the right to privacy.

Nevertheless, there are existing pieces of legislation in Sri Lanka that govern their respective areas regarding privacy and data protection, such as the Intellectual Property Act No. 36 of 2003, Right to Information Act No. 12 of 2016, Computer Crime Act No. 24 of 2007, Banking Act No. 30 of 1988, Telecommunications Act No. 25 of 1991 and Electronic Transactions Act No. 19 of 2006.

It must be said that none of the above-mentioned pieces of legislation has properly defined or addressed the term “data”, which further emphasizes the need for a law on data protection to secure individuals’ privacy. It also goes without saying that Sri Lankan law currently does not have a properly implemented branch regarding the protection of the data of individuals. For a country with a continuously increasing number of internet users, the absence of a separate personal data protection Act has left a huge gap in the law, especially considering the 21st century.

The right to privacy is currently undermined in Sri Lanka, where it is treated as a mere delict, while it is given much more importance in the European Union countries as a fundamental right. In the case of Nadarajah v Obeysekera,[10] the invasion of privacy and the individual’s right to personal space were recognised, respectively, as something to be respected and to be secured.[11]

Since the arenas of exposure for individuals have now expanded to cyberspace, invasion of privacy, the right to personal space and other matters regarding the protection of personal data and privacy should now be included in Sri Lankan law and be addressed with a new interpretation, in line with the developments that have taken place over the past few years.

Findings

Throughout the research it was found that the government of Sri Lanka had taken a step forward on the protection of the data of individuals by bringing forth a Bill in 2019. Although the Bill was not added to the legal system in Sri Lanka, it should be mentioned that the provisions included in it were quite impressive, as the Bill itself had a core strength similar to that of the EU’s General Data Protection Regulation.

Sri Lanka has a portal where the general public can complain about the issues they face on cyber platforms, namely the Computer Emergency Readiness Team (CERT), which is the center for cyber security. The latest issued activity report mentions that the CERT team has just 17 members to deal with the matters reported to them in Sri Lanka, a country with a population of over 20 million, over 34% of which are internet users.

However, the CERT was established to take measures on matters related to threats occurring via the internet to the network systems of individuals and the government. There is no authority or body that individuals can trust to ensure that the data they have disclosed, and their privacy, are being protected. Therefore a need arises for an active, efficient and independent criminal investigation authority to investigate crimes related to the inappropriate and unauthorised use of personal data.

The current situation in the country is that, for an individual’s privacy to be protected in any way, the processor and the data controllers require the individual to pay a certain fee, which seems absurd considering the fact that privacy is recognised as a basic human right.[12]

As an example, VPN services are provided so that individuals can be protected when using a public network by being given a private network, yet the applications offer a free service only for a limited time period. They then ask for payment, restricting the most wanted features for the protection of data. A data processor is an organization or an individual that deals with the personal data provided and offers services and purpose-based data to the data controller by processing that data. The data controller, in turn, decides the purposes for which the data processing should be done. The questions of ‘why’ and ‘how’ are answered by the data controller.

Moving forward, it was identified that, as per the GDPR, the following Personal Data Protection Principles[13] make the processing of data lawful and transparent,
