SLASSCOM, Sri Lanka’s national chamber for the IT-BPM industry, FITIS, Federation of Information Technology Industry Sri Lanka and CSSL, the Computer Society of Sri Lanka has congratulated the Government’s decision to pass the new Personal Data Protection bill, as part of the country’s efforts to move towards a modern digital state and economy, and appreciated the role played by the Ministry of Technology and ICTA.
The new Bill defines measures to protect the personal data of individuals held by government entities, banks, telecom operators, hospitals and other public and private personal data aggregating and processing entities. The Bill mandates controllers to process data lawfully, to a specified, explicit and legitimate purpose, and to ensure accurate, adequate and relevant processing that is backed by confidentiality and integrity of the personal data, limit retention of the data until the purpose is fulfilled and comply with the detailed transparency and accountability obligations, according to a report by Daily FT.
Further, “data subjects” are guaranteed a host of rights by this bill as a means of harmonising the interests of data subjects against the interests of the controllers.
These rights can be exercised directly by the individuals with the controller and includes the individual right of appeal against the decision of the controller to the data protection authority.
This legislation became one of the first such laws in South Asia. The timely bill has been a long time in the making and underwent seven rounds of stakeholder consultations and had over thirty written submissions. In drafting this Bill, the drafting committee had considered international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as United Kingdom, Singapore, Australia and Mauritius, the State of California as well as the Indian data protection bill and other international best practices.
Collaboration with other countries
The report further added that Sri Lanka has also signed the joint declaration on privacy and data protection, along with the EU, Australia, Comoros, India, Japan, Mauritius, New Zealand, South Korea and Singapore in Paris this year at the Ministerial Forum for Cooperation in the Indo-Pacific. The event brought together ministers from 27 EU countries and 30 from the Indo-Pacific region.
This aligns with SLASSCOM’s vision of achieving the goal of $ 5 billion in annual revenue, employing over 200,000 highly skilled professionals, and launching over 1,000 start-ups by 2025 as the Bill showcases Sri Lanka’s commitment to fostering the free flow of data with trust, while ensuring the right to privacy and protection of personal data.
This move also aligns with one of the FITIS mandates which is to lead and drive digital transformation in Sri Lanka moving towards a digital economy and encouraging private sector, public sector, and citizens towards digitisation with the aim of helping Sri Lanka achieve 18 per cent of its GDP through the Digital Economy by 2025, from the current level of 4.37 per cent of its GDP.
“In a world where digitalisation is growing rapidly, and countless people increasingly using online facilities every day, it is becoming more arduous to navigate and interact with the online world, from the collection and dissemination of individual’s personal data to the increasing lack of privacy. As such, this Bill aims to safeguard the rights of individuals and ensure consumer trust in information privacy in online transactions and information networks resulting from growth and innovation in the digital economy. This also stems from the fact that Sri Lanka treats the data generated by its citizens as a national asset,” said Sandra de Zoysa, SLASSCOM Chairperson.
She further added that with data being borderless and accessible, a country often faces the challenge of governing and regulating data and hence, a balanced and internationally aligned regulation is crucial and inevitable. Digital sovereignty is the right of any country to govern its network to serve its national interests, the most important of which are security, privacy, and commerce. Such regulation becomes important to ensure an orderly digital ecosystem which shall lead to a win-win situation for citizens, nations, and multinational corporations. Good data protection legislation, therefore, makes good economic sense.
“FITIS believes that the Personal Data Protection Bill is a positive step and serves as a catalyst to attract investment in BPO and other data processing industries. FITIS would like to request all stakeholders, ICTA and Ministry of Technology to work together to ensure proper implementation of this new legislation in collaboration with industry and professional bodies. For this bill to be fully operational, the Data Protection Authority should be established as soon as possible and professionals who have reached eminence in the fields, as prescribed in the law should be appointed to the Board,” said Prasad Samarasinghe, FITIS Chairman.
He further explained that strategic capacity building initiatives are required to be launched with support from the private sector and there is a need to establish certification programs for privacy professionals. FITIS would join hands with other industry bodies to support these endeavours. FITIS is also confident that this bill would be continuously reviewed, and regular public feedback will also be sought to further refine it.
“To stimulate the digital economy, timely policy initiatives backed by necessary legislation are critical. It is vital for progressive nations to identify necessary policy interventions in advance to reap the benefits of technological advancement as well as to be ahead in this fiercely competitive business environment,” said Damith Hettihewa, CSSL President.
He further added that policy making and legal enactments take time and CSSL, as the apex ICT professional body which facilitated ICTA’s public consultations on Data Protection Act way back in 2019, welcomes the passing of the Personal Data Protection Bill in March 2022. CSSL will fully support its implementation in a speedy manner to reap the benefits of this important piece of legislation for the country.
