There seems to be an explosion of new data protection regulations across the South Asia region in recent years. Although these proposed laws[1] codify a common set of guiding principles, each law is in fact unique. Each of the regions in which these laws are proposed to be enacted has its own social dynamic, geo-political context, and level of economic development. This blog (second in a three-part series[2]) attempts to highlight certain critical aspects of proposed legislations[3] governing issues related to data protection as well as cyber security in Sri Lanka, Bangladesh, and Nepal at a macro level.
I. Sri Lanka
Sri Lanka has two independent legislations governing issues related to data protection on one hand, and cyber security on the other.
A. Data protection
The Sri Lanka Personal Data Protection Bill, 2019 (“Sri Lanka PDP Bill”)[4] in its preamble outlines the need for introducing a data protection legislation to[5]: (a) safeguard the rights of individuals and to ensure consumer trust in information privacy in relation to online transactions and information networks; (b) improve interoperability among personal data protection frameworks; and (c) strengthen cross-border co-operation among personal data protection enforcement authorities.
Authority
The main regulating authority created under the Sri Lanka DP Bill is the Data Protection Authority.[6] The authority has contractual, investigative, prosecutorial and advisory powers in relation to the Sri Lanka PDP Bill.[7]
The Authority has the power to investigate into a complaint received by it and for the following purposes[8]: (a) requiring any person to appear before it; (b) examining such person under oath and requiring such person where necessary to produce any information related to processing; and (c) inspecting any information strictly related to the processing in question by an officer authorised on behalf of the Authority.
Controller and processor
The Sri Lanka PDP Bill is applicable to the processing of personal data when the processing takes place wholly or partly within Sri Lanka, or by a controller or processor, as they are defined under the bill[9] where such controller or processor is[10]:
- domiciled or ordinarily resident in Sri Lanka;
- incorporated or established under the laws of Sri Lanka;
- subject to Sri Lankan law;
- specifically or systematically offers goods or services to data subjects in Sri Lanka or
- monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behaviour takes place in Sri Lanka.
Every controller must process personal data in compliance with the conditions set out in schedules 1-4 of the Sri Lanka PDP Bill as applicable.[11] Further, a controller (or a third party) can only process the data if the purpose is for specified, explicit and legitimate purposes.[12]
Types of personal data
The Sri Lanka PDP Bill differentiates between processing of personal data and processing of special categories of personal data.[13]
Rights of data subjects:
Under the Sri Lanka DP Bill, a data subject has the right to:
- Withdraw consent and object to processing;[14]
- Access personal data;[15]
- Secure confirmation as to whether or not personal data concerning him is being processed by that controller or any processor of that controller;[16]
- Rectify inaccurate or incomplete personal data;[17] and
- Get personal data erased[18].
Subject to the exceptions provided such as consent of the data subject, or applicable law, a data subject has the right to seek a review of the decision of a controller based solely on automated processing.[19]
Processing of data outside Sri Lanka
Controllers and processors are permitted to process data outside Sri Lanka if they: (i) provide appropriate safeguards; and (ii) ensure that enforceable data subject rights, and effective legal remedies are made available[20].
Obligations of controllers
Every controller is under an obligation to notify the authority about every data breach.[21] Further, where processing is likely to result in a high risk to the rights and freedoms of data, a controller is required to carry out a personal data protection impact assessment prior to such processing.[22] Controllers are also under an obligation to implement appropriate technical measures such as encryption, pseudonymization, anonymization and privacy-by-design techniques among others to ensure compliance.[23]
Multiple regulations
The Sri Lanka DP Bill gives the power to any local authority, government department or other regulatory body to prescribe conditions for processing personal data in accordance with their own legal framework, so long as these additional conditions do not contravene the rights, principles and safeguards stipulated under the said Bill.[24]
B. Cyber security
Sri Lanka introduced a Cyber Security Act, 2019[25] (“Sri Lanka CS Bill”) on 22 May 2019. Under the Sri Lanka CS Bill, the term ‘cyber security’ has been defined to mean a set of activities intended to make cyber space safe and secure.[26]
Agencies
The Sri Lanka CS Bill establishes a cyber-security agency (“CSA”) which is entrusted with the function to[27]:
- implement the national cyber security strategy;
- develop cyber security policies and standards for the government of Sri Lanka;
- identify and designate critical information infrastructure (“CII”) (both for government and other sectors in consultation with stakeholders);
- develop strategies and plans for the protection of CII in consultation with the owners of CII;
- act as the central point of contact for cyber security in Sri Lanka; and
- act as the interface for the multi-directional and cross-sector sharing of information related to cyber threat indicators, defensive measures, cyber security risks etc.
The Sri Lanka CS Bill also requires the CSA to appoint (in consultation with head of a government institution or concerned department) of an ‘Information Security Officer’ (“ISO”) for each public institution or department. ISOs are required to ensure the compliance of these institutions and departments with the prescribed standards[28].
There are two other agencies under the Sri Lanka CS Bill: (i) the Sri Lanka Computer Emergency Readiness Team (“CERT”), which is to act as the national point of contact for cyber security incidents in Sri Lanka[29]; and (b) the National Cyber Security Operations Centre (“NCSOC”) which must identify potential cyber security incidents, monitor the designated CIIs, gather cyber threat intelligence information, and provide cyber threat intelligence information to law enforcement authorities, CSA and CERT[30].
Critical information infrastructure
The CSA has the power to identify and recommend to the Minister of Digital Infrastructure and Information Technology the designation of a computer or computer system as CII[31]. It is important to note that any computer or computer system located wholly or partly in Sri Lanka, and which is necessary for the continuous delivery of essential services for the public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace or for any other criteria as may be prescribed can be designated as a CII.[32]
Once a computer/computer system is designated as CII, the head of the organization is deemed to be the owner of the CII[33] and shall be responsible for[34]:
- protecting the CII;
- implementing protection plan,
- conducting security risk assessments, audits and vulnerability assessments of the CII,
- furnishing necessary information of the agency; and
- reporting any cyber security incident (in relation to the CII) to the CSA and the CERT.
Any person who is an owner of a CII and fails to fulfil the obligations provided under the Sri Lanka CS Act or report cyber security incidents to the CSA and CERT will commit an offence punishable with imprisonment, fine and/or both[35].
The CSA has the power to[36]: (a) enter, inspect and search premises of the designated CIIs; (b) examine and take copies of any document, record or part thereof pertaining to such CIIs; and (c) examine any person whom he has reasonable cause to believe that such person is an owner or employee of such CII.
II. Bangladesh:
Bangladesh is proposing to enact the Digital Security Act, 2018 (“Bangladesh DS Act”),[37]. the focus of which is more on cyber security, data protection is dealt with in a very limited manner.
A. Digital security
The Bangladesh DS Act aims to ensure that there is national digital security in Bangladesh. The term ‘digital security’[38] has been defined under the Bangladesh DS Act to mean security of any digital device[39] or digital system.
Agencies
The Bangladesh DS Act, establishes the following two agencies to fulfill its objectives:
- the Digital Security Agency (“DSA”), which has the power to: (i) remove or block (itself or through the Bangladesh Telecommunication Regulatory Commission) any data-information that threatens digital security, national solidarity, financial activities, security, defence, religious values, public discipline, or causes racism or hatred within Bangladesh;[40] (ii) create an emergency response team;[41] and (iii) create a digital forensic lab[42]; and
- the National Digital Security Council (“NDC”), which is entrusted with the function of implementing the law, providing directives and advising the DSA.[43] The NDC is also required to advise the agency on how to improve the digital security infrastructure, and develop inter-institutional policies with the aim of ensuring digital security.[44]
Critical information infrastructure
The government under the Bangladesh DS Act also has the power to declare any physical or virtual information infrastructure (i.e. systems that are capable of controlling, processing, circulating or preserving any information, electronic information), as critical information infrastructure (“CII”) when such infrastructure is damaged and/or compromised, and may affect public health, safety, financial or national security, national integrity or sovereignty.[45]
The Director General of the DSC is also empowered to take action, or order an investigation against any person whose actions, the Director General has logical reason to believe, may threaten critical information infrastructure[46].The action of any person who (intentionally or knowingly) enters a CII or causes any harm or destroys the CII or renders it ineffective then it will be a crime under the Bangladesh DS Act punishable with imprisonment or fine and/or both[47].
Applicability to companies
In case of companies, the Bangladesh DS Act provides an overarching provision that states that the owner, chief executive, director, manager, secretary, shareholder or any other officer or employee or representative of the company having direct connection with the offence will be considered as an offender unless the said person can prove that the offence took place without his knowledge or he took all possible steps to stop the commission of the offence.[48]
Service provider
A service provider will not be liable for providing access to data-information if they successfully prove that they are not related to the offence being committed, or that they took all possible steps to stop the commission of the offence[49]. However, a service provider is under an obligation to provide information or assistance in an investigation if requested by the investigation officer[50].
A service provider has been defined to mean: (i) any person who through computer or digital process enables any user to communicate, or (ii) any such person, entity or institution who or which preserves or processes data in favour of the service user.[51]
Extra-territoriality
It is also important to note that like many other laws on data security in other jurisdictions, Bangladesh has also adopted an extra-territorial application of the Bangladesh DS Act: therefore the offences committed under the Bangladesh DS Act outside Bangladesh will be punishable as if they were committed in Bangladesh in violation of the Bangladesh DS Act.[52]
Search and seizure
The Bangladesh DS Act has overarching and stringent search and seizure provisions. For instance:
- a judge may issue a search warrant to enable any police officer to seize any traffic data from any service provider, or to restrict any communication or information flow[53].
- any police may conduct warrant-less searches and seizures, and submit a report to the tribunal[54]
- police may seize computer, computer system, computer network or any digital device, any data-information saved in any computer; or take necessary initiative to collect data-information from traffic-data from any person or organization.[55]
Overriding effect
The Bangladesh DS Act has an overriding provision which states that in the event there is any conflict between this legislation and provision of any other legislation, then the provisions of the Bangladesh DS Act have an overriding effect and are applicable to the extent there is any inconsistency[56].
B. Data protection
The issue of data protection has been dealt with in a very limited manner under the Bangladesh DS Act. It provides that if any person[57]:
- collects any data or data storage;
- intentionally inserts or tries to insert any virus or malware;
- hinders authorized persons from gaining access to computers;
- intentionally creates or tries to create spam or undesired emails without the permission of the sender or receiver, for any product or service marketing; or
- interferes unjustly in any computer, system or network or deliberate and falsely enjoys the service of an individual or transfers the charge or tries to transfer of such service into the account of another
then the said person person’s activity will be a punishable offense under the Bangladesh DS Act.
III. Nepal
Nepal aims to govern issues of data protection and cyber security under its proposed Information Technology Bill, 2075 (2018)[58] (“Nepal IT Bill”). This is an umbrella legislation, which provides a comprehensive framework for information technology, cyber security, data protection, and intermediary liability. It will replace Nepal’s existing Electronic Transactions Act, 2063 (2008).
A. Data protection
Personal information
The Nepal IT Bill prohibits the collection of personal information of individuals, unless it is otherwise permitted by law.[59] It categorically states that no personal information can be collected without specifically notifying the concerned person (data subject) of the purpose of collection[60]. It also requires that personal information collected must only be used for the purpose for which it is collected.[61]
A data processor, data warehouse operator or service provider is under a legal obligation to maintain the privacy and integrity of the digital information form during the exchange, processing and storage of personal information[62]. Further, the Bill also requires that government, public, financial and health institutions should secure information by inscription, and the said entities while processing, transferring or storing the information should ensure that the said information is not sent outside Nepal.[63].
In addition to the Nepal IT Bill, numerous safeguards for protection of personal data have been provided under the Nepal IT Bill.[64] For instance, the Bill provides that each person has a right to keep: (i) information related to his property[65]; (ii) his personal documents (such as citizen certificate, educational degree papers, bank accounts, documents related to medical history) related to him[66]; and (iii) his correspondence (including emails)[67] confidential. This includes any information that is kept in electronic formats.[68]
Data centers
The Nepal IT Bill provides that person is not permitted to operate a data center or cloud service without obtaining a license from the Department of Information and Technology (“Department”). [69]
Service providers and social networks
A service provider under the Nepal IT Bill has been defined to mean an any neutral person who performs the act of exchanging third party information[70]. A service provider is under an obligation to preserve the data for specific time and form as prescribed[71].
The Nepal IT Bill provides that a service provider will not be liable for any criminal liability that arises from any fact or particulars only because they provided access to such information or data or link if they:[72]
- are limited to only providing access to information, statistics/data or link;
- have not transmitted the information or played any role in selecting the information or the customer receiving it;
- are complying with an order of a public authority for removal of illegal content; and
- are following relevant directions of regulatory offices.
However, a service provider will not be exempted in the event that it: (i) it aware the information, data or the link that infringes the provision of existing law; or (ii) acts as an abettor of a crime and assists in the commission of such crime.[73]
In addition, to the classification of service providers, the Nepal IT Bill also separately defines social networks. The term ‘social network’ is defined to means an IT system that allows an individual or an institution to have interactive communication and to transmit the contents developed by the originator.[74] The Bill provides that any person desirous to run social networks has to register with the Department[75]. The Department has the power to direct any social network provider to remove the contents immediately when it believes that such content could be declared offensive pursuant to the Bill[76].
It is specifically provided that no content that may incite racial discrimination, untouchability, criminal activities, performing any act that is realized as curse or is disrespectful as per the applicable law with the intention of defaming someone, communicating any message with the intention of teasing, misleading, insulting, discouraging, threatening, creating hatred and enmity, or confusing the receiver shall be published on a social network.[77]
Agencies
The Nepal IT Bill establishes a number of agencies including:
- Information Technology Emergency Response Team (ITERT) to assist in the cyber incidents[78].
- Information Technology Tribunal, as a court of first instance.[79]
- National Information and Technology Center to operate the government data center, government network, government email system and electronic payment system[80].
Search and seizure
Under the Nepal IT Bill an investigating officer[81] has the power, subject to authorization from the court, to search and seize electronic equipment, which may be used as an evidence for proving an offence.[82] Further, a police inspector and higher ranked officers may access traffic data of specific media if it may be necessary for saving the life of a victim.[83]
The court may also grant authority to a service provider[84] or an investigating officer[85] to intercept and record specific specified data based on its satisfaction that the data is reasonably required for a criminal investigation.
B. Cyber security
Issues of Cyber security is dealt with in a limited manner under the Nepal IT Bill. The term is defined as the practice of making any system, network and program based on any information technology secure[86]. Further the Bill prohibits any activity which amount to cyber-bullying[87], cyber-attack[88], sexual misconduct[89], transmission of obscene content[90] or any form of discrimination[91] through electronic means.
The Bill also requires that a prior approval is procured from the government before usage of any:[92] (i) software, electronic system or electronic devices designed to protect the electronic system or can be used for offensive acts; or (ii) kind of passwords, or access codes or data that enable partial or full access upon the electronic system or data.
As seen in legislations of other jurisdiction, the government of Nepal also has the power to declare certain information and communication infrastructure as critical information infrastructure (“CIC”) which serious impact upon the national security, national economy, essential service, emergency service, health and public security.[93]
The Bill provides that an Information Technology Emergency Response Team (“ITERT”) shall be formed to assist in the Cyber incidents[94]. The ITERT shall[95]:
- assist government or public agency, related to national security, national economy, essential service, emergency service, health and public security, to resume the operation of their information technology system when it is obstructed/damaged due to the human or act of god;
- issue pre-information on the possible damage or attack of any computer or computer system within the territory of Nepal;
- perform as focal agency for similar other national or international institutions; and
- carry out any other function as may be required by government of Nepal.
Further, a cyber-forensic entity is also established to regulate investigations and collection of evidence in any offensive activity[96].
IV. Conclusion
The data protection and cyber security legislations proposed by Bangladesh, Nepal and Sri Lanka will have a significant impact on the future of privacy and cross-border data flows in the South Asia region, which in turn will shape the way forward for the region’s digital economy, and effect the ease of doing business in these markets. Therefore, these laws must be critically examined to determine their effects on individual rights and data-based businesses practices. The next blogpost in this series will focus on these issues.
This post is authored by Nimisha S. Dutta, Counsel at Ikigai Law, and Tuhina Joshi, Associate at Ikigai Law with inputs from Rishwin Chandra Jethi, Associate at Ikigai Law
References
[1]All of the laws covered under this blog post laws have yet not been notified, with the exception of the (Bangladesh) Digital Security Act, 2018
[2] A blog post introducing the respective data security bills in Bangladesh, Nepal and Sri Lanka was published on our website on 9 August, 2019.
[3] The final version of the Personal Data Protection Act, 2019 of Sri Lanka was recently released by the Ministry of Digital Infrastructure and Information Technology. The Personal Data Protection Act, 2019 (“Sri Lanka PDP Act”) (available here);
[4] As per the information available (updated as on 24th September 2019) on the official website of Ministry of Digital Infrastructure and Information Technology (http://www.mdiit.gov.lk/index.php/en/mtdi-news/item/68-data-protection-legislation), the draft of the said bill has been finalized post the stakeholder consultation. Important to note that the entire Bill will come into operation within a period three (3) years from the date the Speaker certifies the Bill. This would provide sufficient time for Government and private sector to take adequate steps to implement this legislation.
[5] Preamble of the Sri Lanka PDP Bill.
[6] Section 28 of the Sri Lanka PDP Bill
[7] Section 27 of the Sri Lanka PDP Bill
[8] Section 37 of the Sri Lanka PDP Bill
[9] Section 1 of the Sri Lanka DP Bill. Section 53 of the Sri Lanka PDP Bill defines: (a) ‘controller’ to mean any natural or legal person, public authority or other body which, alone or jointly with others, engages in processing and determines the purposes and means of processing; and (b) a processor to mean a natural or legal person, public authority or other body which processes personal data on behalf of the controller; for the avoidance of doubt, a processor shall be a separate entity/person from the controller and not a person subject to any hierarchical control of the Controller and excludes processing that is done internally such as one department processing for another, or an employee processing data on behalf of their manager.
[10] Id
[11] Section 2(2) of the Sri Lanka PDP Bill.
[12] Section 2(2) read with Clause (f) of Schedule 1 of the Sri Lanka PDP Bill.
[13] Section 53, Sri Lanka DP Bill. The term “personal data” has been defined as ‘personal data’ means any information whether true or not, relating to a data subject and the term ‘special categories of data” has been defined to mean personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, financial data, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, personal data relating to offences, criminal proceedings and convictions, personal data relating to a child
[14] Section 13 of the Sri Lanka PDP Bill
[15] Section 14 of the Sri Lanka PDP Bill
[16] Section 10(1)(a) of the Sri Lanka PDP Bill
[17] Section 15 of the Sri Lanka PDP Bill
[18] Section 16 of the Sri Lanka PDP Bill
[19] Section 19 of the Sri Lanka PDP Bill
[20] Section 31 of the Sri Lanka PDP Bill.
[21] Section 22 of the Sri Lanka PDP Bill
[22] Section 23(1) of the Sri Lanka PDP Bill
[23] Section 23 of the Sri Lanka PDP Bill
[24] Section 1(4) of the Sri Lanka PDP Bill
[25] The Cyber Security Act, 2019 (available here)
[26] Section 33, Sri Lanka CS Bill
[27] Section 4 read with the Statement of Objects & Reasons, Sri Lanka CS Bill
[28] Section 4(3) of the Sri Lanka CS Bill
[29] Section 3(2) read with Section 15 (1) of the Sri Lanka CS Bill
[30]Section 16 of the Sri Lanka CS Bill
[31] Section 18(1) of the Sri Lanka CS Bill
[32] Section 18(1) of the Sri Lanka CS Bill
[33] Section 18(6) of the Sri Lanka CS Bill. It should be noted that if the CII spreads across multiple organizations or multiple sectors, all the heads of such organizations or sectors shall become jointly and severally responsible for protection of the CII.
[34] Section 19 of the Sri Lanka CS Bill
[35] Section 21(1) of the Sri Lanka CS Bill
[36] Section 24 of the Sri Lanka CS Bill
[37]The Bangladesh DS Act has been approved by the Parliament and has received the assent of the President The Digital Security Act, 2018 (available here)
[38] Section 2(1)(k) of the Bangladesh DS Act
[39] The term “digital device” has been defined under Section 2(1)(j) of the Bangladesh DS Act as “ Digital Device” means any electronic, digital, magnetic, optical or information processing device or system which by using electronic, digital, magnetic, optical or information processing device or system, will perform logical, mathematical and memory programming, and any digital or computer device system or computer network connected with it or all kinds of input, output, processing, accumulating digital software device or communication facilities will be included”
[40] Section 7 read with Section 8 of the Bangladesh DS Act
[41] Section 9 of the Bangladesh DS Act
[42] Section 10 of the Bangladesh DS Act
[43] Section 12 read with Section 13 of the Bangladesh DS Act
[44] Section 13(2) of the Bangladesh DS Act
[45] Section 15 of the Bangladesh DS Act
[46] Section 16(2) of the Bangladesh DS Act
[47] Section 17 of the Bangladesh DS Act
[48] Section 36 of the Bangladesh DS Act
[49] Section 38 of the Bangladesh DS Act
[50] Section 46 of the Bangladesh DS Act
[51] Section 2(1)(u) of the Bangladesh DS Act
[52] Section 4 of the Bangladesh DS Act
[53] Section 43, Bangladesh DS Act
[54] Section 2(1)(h) of the Bangladesh DS Act specifies that ‘tribunal’ means the Cyber tribunal created under Section 68 of, information and communication technology Act, 2006 (Act No. 39 of year 2006)
[55] Section 41 of the Bangladesh DS Act
[56] Section 3 of the Bangladesh DS Act
[57] Section 18, Bangladesh DS Act
[58] Act related to Information and Technology, 2019 (translated version as available with Ikigai Law)
[59] Section 67(1) of the Nepal IT Bill
[60] Section 67 (2) of the Nepal IT Bill
[61] Section 67 (3) of the Nepal IT Bill
[62] Section 68 (1) of the Nepal IT Bill
[63] Section 68 (3) of the Nepal IT Bill
[64] Individual Privacy Act, 2075 (2018) (available here)
[65] Section 10 of the Nepal Privacy Act
[66] Section 11 of the Nepal Privacy Act
[67] Section 13 of the Nepal Privacy Act
[68] Section 19 of the Nepal Privacy Act
[69] Section 71 read with section 73 of the Nepal IT Bill. Department means the Department of Information and Technology.
[70] Section 2(lll) of the Nepal IT Bill
[71] Section 90 of the Nepal IT Bill
[72] Section 89 of the Nepal IT Bill
[73] Proviso to Section 89 of the Nepal IT Bill
[74] Section 2(fff) of the Nepal IT Bill
[75] Section 91 of the Nepal IT Bill
[76] Section 92 of the Nepal IT Bill
[77] Section 94 of the Nepal IT Bill
[78] Section 80 of the Nepal IT Bill
[79] Section 115 of the Nepal IT Bill
[80] Section 120 of the Nepal IT Bill
[81] As per Section 105 of the Nepal IT Bill, an investigating officer is a police inspector having the knowledge on information Technology
[82] Section 107 of the Nepal IT Bill
[83] Section 111(2) of the Nepal IT Bill
[84] Section 113(1) of the Nepal IT Bill
[85] Section 113(2) of the Nepal IT Bill
[86] Section 2(y) of the Nepal IT Bill
[87] Section 83 of the Nepal IT Bill. The Nepal IT Bill provides that nnobody shall continuously harass, tease, derogate, discourage, defame or scold anybody using electronic system
[88] Section 84 of the Nepal IT Bill. It has been provided that nobody shall, using information system, undermine the national security, sovereignty, territorial integrity, nationality or national unity, independence, dignity, provincial relationship or obstruct or cause adverse effect to the security of the nation or data system.
[89] Section 85 of the Nepal IT Bill
[90] Section 86 of the Nepal IT Bill
[91] Section 88 of the Nepal IT Bill
[92] Section 81 of the Nepal IT Bill
[93] Section 79 of the Nepal IT Bill
[94] Section 80 (1) of the Nepal IT Bill
[95] Section 80 (2) of the Nepal IT Bill
[96] Section 82 of the Nepal IT Bill
