Data privacy
Presently, Sri Lanka does not have any consolidated and/or specific laws on data protection. There are several data protection-enabled legislation that are industry-specific. Such legislation does not however provide a definition for the term ‚data‘ nor specific provisions for implementation.
Notably, the Ministry of Digital Infrastructure and Information Technology (‚MDIIT‘) and the Legal Draftsman’s Department (‚LDD‘) launched, in 2019, a draft for an Act to Provide for the Regulation of Processing Personal Data (2019), which provides fundamental principles of privacy and data protection and is modelled after data protection legislation in place by similar countries.
In March 2021, the LDD released a revised draft version of an Act to Provide for the Regulation of Processing of Personal Data (2021) (‚the Draft Bill‘). This was subject to further review and a final draft of the Act to Provide for the Regulation of Processing of Personal Data (July 2021) (‚the Draft Bill‘) was released on 5 September 2021 and is currently awaiting final approval and thereafter will be submitted to Cabinet of Ministers (‚the Cabinet‘) and published as an official Bill.
The Draft Bill provides measures to protect the personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities. The LDD considered international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, EU General Data Protection Regulation (Regulation (EU) 2016/679) (‚GDPR‘), and laws enacted in other jurisdictions.
In the context of contact tracing solutions for effective management of COVID-19 by health authorities and the planned digital identity initiative, the Draft Bill is of paramount importance and strengthens the governance and administration of personal data.
This Note provides a brief overview of the Draft Bill as is currently drafted.