A comprehensive data protection regime with a robust institutional framework is not only imperative for protection of fundamental rights but also gives the necessary stimulus to the digital economy. In our second blog we had highlighted the significant provisions of the proposed data protection and cyber security laws in Sri Lanka, Bangladesh, and Nepal. In this blog (the last of the three-part series) we examine the impact of the proposed legislations in greater detail, and probe if ‘regional interoperability’ may be explored as a way forward to address some of the emerging concerns.
I. SRI LANKA
A. Sri Lanka Personal Data Protection Bill
The Sri Lanka Personal Data Protection Bill, 2019[1] (“Sri Lanka PDP Bill”) covers controllers and processors outside the territory of Sri Lanka, as it extends to the processing of personal data by controllers and processors “who are subject to Sri Lankan law”[2]. This means that a processor which is outside Sri Lanka may have multiple (and may be inconsistent) standards applicable to it: one under the Sri Lanka PDP Bill and one under the jurisdiction where it is resident.
Further, the Sri Lanka PDP Bill allows any government department, provincial council or any other regulatory body to prescribe conditions for processing personal data in accordance with their own legal frameworks[3]. This will lead to multiplicity of laws, differing standards on data protection, and contradictory enforcement mechanisms.
Another area of concern is that the Sri Lanka PDP Bill allows for processing of personal data if it is necessary for the “legitimate interests” pursued by controllers or third parties[4]. It is not clear as to what is meant by legitimate interest, and is a potential landmine in terms of conflicting interpretations and enforcement. A more definitive yardstick such as ‘legitimate business purposes’ of data processors and controllers should be evaluated.
Controllers and processors are permitted to process data outside Sri Lanka if they: (i) provide appropriate safeguards; and (ii) ensure that enforceable data subject rights, and effective legal remedies are made available[5]. However, once again what constitutes an effective legal remedy may be subject to several inconsistent interpretations.
Every controller is under an obligation to notify the authority about every data breach[6]. In fact, a controller is required to carry out a personal data protection impact assessment where processing is likely to result in a high risk to the rights and freedoms of data, prior to such processing. This places huge amounts of power in the hands of the controller. Only those data breaches where a material risk or harm is present or imminent should be within the scope of this provision, which will protect against the issuance of immaterial notices of data breaches. Further, clear parameters of what will be considered as a controller becoming aware of a breach” should be provided. For more information on the business and compliance impact of the Sri Lanka PDP Bill, you can check out our blog highlighting its key differences against the European Union’s General Data Protection Regulation (“GDPR”).
B. Cyber Security Act, 2019
The Cyber Security Act, 2019 (“Sri Lanka CS Bill”) creates and designates a number of authorities to identify potential cyber security incidents, monitor the designated critical information infrastructure (“CII”), gather cyber threat intelligence information, and provide cyber threat intelligence information to law enforcement authorities.
The focus is to protect CII which are necessary for the continuous delivery of essential services in Sri Lanka[7]. Once a computer/computer system is designated as CII, the head of the organization is deemed to be the owner of the CII[8]. The owner is responsible for protecting the CII, implementing the protection plan, conducting risk assessments, audits, furnishing necessary information to government agencies, and reporting cyber security incidents to designated authorities[9]. Importantly, failure to fulfil these obligations is punishable with imprisonment and/or fine.
This effectively means that any computer system which is not even located entirely in Sri Lanka can be designated as a CII, making the head of the organisation liable. Therefore, if the CII is constituted by multiple organization or multiple sectors, all the heads of such organizations or sectors shall become jointly and severally responsible for protection of the CII irrespective of whether they may be resident of Sri Lanka or not.
II. BANGLADESH
A. Bangladesh’s Digital Security Act, 2018
The Digital Security Act, 2018 (“Bangladesh DS Act”) has extra territorial application- individuals can be punished for crimes committed outside Bangladesh[10]. Extra territoriality is very onerous as it will subject a person to multiple and inconsistent standards which creates regulatory uncertainty.
The Bangladesh DS Act empowers[11] the director of the Digital Security Agency- Bangladesh’s online cyber-security and intelligence agency- to remove, or request the blocking of any information that threatens digital security, national solidarity, financial activities, security, defence, religious values, public discipline, or causes racism or hatred within Bangladesh. This may adversely affect a number of data intensive business. Remedies against such blocking orders along with interim measures should be clarified in the Bangladesh DS Act to provide relief to affected parties.
The Bangladesh DS Act protects service providers from liability if they successfully prove that they had no relation to the committed or offence, or tried their best to prevent it[12]. This means that a service provider will need to keep a vigilant and proactive diligence of all the content and information that is posted on their website, which seems to be a bit onerous and cumbersome.
The Bangladesh DS Act also empowers any police offer to conduct warrant-less searches and seizures (seize any computer, computer system, computer network, data/information, among other things; physically search any person present, and even take suspects into custody)[13]. It seems that any police officer irrespective of rank, knowledge or appropriate training can exercise the power, which is a cause for concern. Finally, the Bangladesh DS Act has an overriding effect, meaning that any protection or relief available under any other law will not apply if there is a conflict with the Bangladesh DS Act[14].
III. NEPAL
The Technology Bill, 2075 (2018) (“Nepal IT Bill”) in Nepal covers issues of both data protection and cyber security under one umbrella legislation. It also provides for the legal recognition of electronic records, digital signatures, delivery of government services (through electronic means) and the establishment of an information technology court.
At the outset, data protection- inherently is a complex area- should be ideally covered as a separate legislation. This is compounded by the general lack of clarity on the implementation mechanisms for data protection under the Nepal IT Bill.
Under the Nepal IT Bill, personal information can only be collected in accordance with law. Individuals should also be compulsorily informed the purpose of necessity while collecting personal confidential information[15]. Unlike standard global practice, the Nepal IT Bill does not make a distinction between data controllers and processors. For instance, it requires that information in electronic form should not be damaged or obstructed[16] and that there should be no breach of privacy[17]: the same standards cannot be uniformly be applied to data processors, who generally act on the instructions of controllers and have little visibility on the nature of processing. At the same time, it is interesting to note that the government agencies are required to follow security standards prescribed by the Ministry of Information and Communications (“MIC”)[18]. This suggests that there are different obligation standards for the private sector, and for the government agencies.
It is also not clear as to why an information technology (“IT”) business operating in Nepal need to be separately registered[19]. Additionally, a data center operator or cloud service provider cannot operate without license, which shall be issued if entities meet the prescribed standards. The designated authority also has the right to examine the data center at least twice a year [20]. The license must be procured within a year of the Nepal IT Bill coming into force, along with annual renewal. This form of over regulation will prove detrimental to the digital economy and business climate in Nepal.
A pre-approval from the MIC is required before using any software, electronic system or electronic devices designed to protect any electronic system or if it can be used for offensive acts[21]. The scope of this provision is very ambiguous and onerous. This should be restricted to a very limited set of circumstances where prior approval is needed.
Another area of concern under the Nepal IT Bill is intermediary liability. Foremost, an intermediary is defined to only those persons “exchange third party information”[22]. This is a very narrow and limited definition, and as is the general global standard, the scope of intermediaries should include a person who provides any services with respect to third party information. Further, the Nepal IT Bill exempts intermediaries from criminal liability[23]. The scope of ‘safe harbour protection’ is narrow, especially when most global regimes recognise that intermediaries have no actual knowledge or control of information.
Interestingly, the Nepal IT Bill also seeks to regulate social networks, while leaving the term “social network” undefined. It seems that any person wanting to run the social network in Nepal needs to register with the government[24]. However, by its very nature of operations, a social network may originate anywhere in the world, but may be used or accessed in Nepal – does that mean that all such networks and their organisations would be regulated under this regime? Further, the Nepal IT Bill is not clear on the scope of regulation of the social network in relation to: (i) personal information and privacy of individuals; and (ii) illegal and unacceptable content and activity. Most laws around the world look at regulation of the impact of social networks in a separate and distinct legislations. Even if the principles are provided under the Nepal IT Bill, it would be prudent to flesh out the details under a more comprehensive and detailed set of rules – for example, the UK is looking at setting up a specific authority to oversee regulation of social networks[25].
One of the main objectives of the Nepal IT Bill is to “ … provide public welfare by controlling the cybercrime through proper management of cyber security …”[26]. In contrast to the cyber security laws of Sri Lanka and Bangladesh, the Nepal IT Bill does not speak to this issue in sufficient detail[27]. Designation of critical infrastructure, examination of issues related to online harm and cyber security should be provided in greater detail. For instance, the government can declare certain ‘Information and Communication Infrastructure’ as ‘Critical Infrastructure’. However, there is no clarity on what constitutes an ‘Information and Communication Infrastructure’. Also, there is little clarity on the liability of the entity responsible for protecting such infrastructure.
IV. REGIONAL INTEROPERABILITY – MISSING PART OF THE PUZZLE?
Organisations based in multiple jurisdictions get caught in the cross fire of the disparate data protection and cyber security legal regimes. As multinational companies strengthen their presence in South Asia, it is increasingly important that they be aware of new privacy requirements in these countries. The problems become even more complex when countries such as the European Union only allow cross-border transfers of personal data where the destination country has “adequate” data protection laws in place. What does this really mean for an organisation based in Sri Lanka, Nepal and Bangladesh, dealing with data transfers from the European Union? There is no clarity on how this adequacy will be gauged.
The prospect of achieving a global data protection standard any time soon seems low[28]. A practical and more achievable goal in the short term therefore may be to look at “regional interoperability’. The fundamental premise of regional interoperability is that different data protection legal regimes are “…made to work cohesively and together through negotiated code of conduct…”[29]. Based on the common elements from each legal regime, a regional interoperability framework envisages ‘regional blocks’ that would also accommodate industry specific requirements.
The APEC Cross-Border Privacy Rules (CBPRs) are a more recent example of a regional interoperability scheme[30]. Its efficacy is being tested with members such as United States and Mexico becoming members. While still at its early implementation stage, the idea of regional interoperability is gaining momentum.
Provisions of joint certification, cross border data transfers, co-regulatory oversight and a coordinated enforcement mechanism within a regional interoperability framework can address the concerns of multiplicity of laws, differing standards on data protection and contradictory enforcement mechanisms. Regional interoperability should be explored as an effective mechanism to reduce the gap between the world of quickly changing technology and business practices, and evolving legal standards.
This post is authored by Nimisha Dutta, Consultant at Ikigai Law.
For more on the topic, please feel free to reach out to us at contact@ikigailaw.com
[1] For a comparison of the Sri Lankan PDP Bill and the EU’s GDPR from a business and compliance point of view, see: Comparing the Sri Lankan Personal Data Protection Bill, 2019 and the GDPR, available at https://www.ikigailaw.com/comparing-the-srilankan-personal-data-protection-bill-2019-and-the-gdpr/.
[2] Section 1(b)(iii), Sri Lanka PDP Bill.
[3] Section 1(4), Sri Lanka PDP Bill.
[4] Clause f, Schedule 1, Sri Lanka PDP Bill.
[5] Section 31, Sri Lanka PDP Bill.
[6] Section 22, Sri Lanka PDP Bill.
[7] This includes all computers or computer systems located wholly or partly Sri Lanka, necessary for the continuous delivery of essential services for the public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace necessary for the continuous delivery of essential services in Sri Lanka. It also includes the computer system of which the disruption or destruction would have a serious impact on the functioning of the government
[8] Section 18(6), Sri Lanka CS Bill.
[9] Section 19, Sri Lanka CS Bill
[10] Section 3(1), Bangladesh DS Act.
[11] Section 7, Bangladesh DS Act.
[12] Section 38, Bangladesh DS Act.
[13] Section 44, Bangladesh DS Act.
[14] Section 3, Bangladesh DS Act.
[15] Section 67, Nepal IT Bill.
[16] Section 75, Nepal IT Bill.
[17] Section 76, Nepal IT Bill.
[18] Section 69, Nepal IT Bill.
[19] Section 63, Nepal IT Bill.
[20] Section 73, Nepal IT Bill.
[21] Section 81, Nepal IT Bill.
[22] Section 2(ff), Nepal IT Bill.
[23] Section 89, Nepal IT Bill.
[24] Section 91, Nepal IT Bill.
[25]ComputerWeekly, House of Lords committee calls for creation of a digital authority to oversee regulation, available at: https://www.computerweekly.com/news/252459123/Lords-call-for-new-Digital-Authority-to-oversee-regulation-of-online-services.
[26] Preamble, Nepal IT Bill.
[27] Only Section 79-88 of the Nepal IT Bill are dedicated to cybersecurity.
[28]Markus Heyder, IAPP, Getting Practical and Thinking Ahead: “Interoperability” Is Gaining Momentum, available at: https://iapp.org/news/a/getting-practical-and-thinking-ahead-interoperability-is-gaining-momentum/.
[29] Markus Heyder, IAPP, Getting Practical and Thinking Ahead: “Interoperability” Is Gaining Momentum, available at: https://iapp.org/news/a/getting-practical-and-thinking-ahead-interoperability-is-gaining-momentum/.
[30] APEC, What is the cross-border privacy rules system?, available at: https://www.apec.org/About-Us/About-APEC/Fact-Sheets/What-is-the-Cross-Border-Privacy-Rules-System.
