Blog Post

Sri Lanka Enacts Its Data Protection Regime

by Ashit Srivastava & Siddarth Chaturvedi

Siddarth Chaturvedi is a student at Dharmashastra National Law University, Jabalpur. Ashit Kumar Srivastava is an Assistant Professor of Law, Dharmashastra National Law University, Jabalpur.

On 10th March 2022, Sri Lanka’s Parliament passed the Personal Data Protection Act. With this, Sri Lanka also became the first country in the South Asian Region which enacted the Data Protection Act. At the same time, the Minister for Technology and Communication has already said that the Data Protection Act is just one of the legislations for promoting digital governance. However , in this piece, the authors restrict themselves to the Personal Data Protection Act.

If one goes through the preamble of the Act, it becomes clear that the main aim of Personal Data Protection is to promote the digital economy of the country through an enabling mechanism. Contrast this with EU GDPR, which is considered to be the template in Data Protection, and uses the words such as fundamental rights, protection of natural rights, principle of proportionality more frequently. The central thrust of EU GDPR, after going through the preamble, appears to be  to protect the fundamental right of privacy of the citizens of the country.

Advantages offered by the Act

 Section 26(2) (a) of the Act provides for the Adequacy Decision in order to transfer the personal data of the citizens of the country to third countries keeping in mind “the application of the provisions of Part I, Part II and sections 20, 21, 22, 23, 24 and 25 of Part III of this Act.” The Act has followed a standard procedure for transfer of personal data across-border, similar to the model of GDPR. However, it is an undeniable fact that the Adequacy mechanism as provided under the European GDPR is a strict mechanism with extensive guidelines for transfer of cross-border data.

Further, another take away from the law is that it provides for a specific provision on the use of personal data on direct marketing which is not present in countries such as India and Pakistan. The act also rightly recognises the right to appoint an heir to exercise a deceased subject’s right within a period of ten years from the date of demise of such subject. By specifying the time limit of appointing legal heir, the act removes vagueness which is present in contrast to  India’s  proposed Joint Parliamentary Committee Report on Personal Data Protection Bill which does not specify the time limit within which legal heir to a deceased data subject’s rights.

Disadvantages offered by the Act

In comparison to EU GDPR and India’s PDP bill, which stipulate time for notifying  personal data breach within 72 hours , Sri Lanka’s PDP Act does not stipulate time for notifying personal data breach. A lot of concerns have also been raised in regard to no exception being provided to journalists for processing of data which has been provided by other jurisdictions such as EU GDPR, India and Pakistan.

Lessons for India’s Data Protection Law

Whereas, the Indian data protection regime has not taken off yet, interestingly, it was in 2018 when the endeavour for a data protection regime had started off in India, under which the first committee under the leadership of Shri B.N. Srikrishna committee had submitted the first draft of the Indian Personal Data Protection Bill, 2018. It was regarded as a landmark step in the privacy jurisprudence of India and seemed like that it will fill the gap between the market needs and individual privacy, however, there were subsequent changes suggested in the Indian PDP bill, most of the controversy revolved around few sections: such as the exemption clause under section 35, which allowed the Government to exempt any agency from the provision of the bill, however, unlike the old bill of 2018, the new bill of 2019 provided for a softer form of data localization and bifurcated data into diverse forms and categorized data which can be transferred cross-border and which cannot.

Interestingly, even this bill has not been able to see the light of the day and was followed by a Joint Parliamentary Committee report, which has suggested some incremental changes within the bill, at the prime objective, the Committee has suggested to change the name of the Personal Data Protection Bill, 2019 to Data Protection Act. As the scope of the bill has been increased to include not only personal data but also non-personal data, capable of being used as a meta-data for profiling of an individual. Further, the report has increased the role of Central Government in the Bill, additionally, keeping data-localization as a part of the ecosystem.

However, all said and done, there are news doing circle that possibly the whole of the Personal Data Protection bill may be scrapped, such news are detrimental to the ambiance of data protection regime, thus, in all expectation it was expected that India would be the first country in South-Asia to come up with its data protection regime, though it is not the first yet the possibility of turning out to be the jurisprudential leader in data protection is still there for India. There is a dire need for a data protection regulation under Indian scenario and it is about time that this void is filled up.

Conclusion

The passage of Sri Lanka’s Data Protection has given a clear leverage to Sri Lankan’s Government to further bring the changes after seeing its implementation on ground. However, the Indian lawmakers have been extremely slow in enacting Data Protection Act which has led to unreasonable delays. It is hoped that with the enactment of law by Sri Lanka, Indian Lawmakers will get an impetus to enact India’s own Data Protection Act.

Siddarth Chaturvedi is a student at Dharmashastra National Law University, Jabalpur. Ashit Kumar Srivastava is an Assistant Professor of Law, Dharmashastra National Law University, Jabalpur.