Comparing the Sri Lankan Personal Data Protection Bill, 2019 and the GDPR

    By Ikigai Law | Data Governance, Other Jurisdictions | 11 June, 2020

    The Sri Lankan Ministry of Digital Infrastructure and Information Technology (“MDIIT”) released the latest draft of the Personal Data Protection Act (“PDP Bill”) on September 24, 2019. Substantial modifications were made to the previous draft based on consultations with key stakeholders[1]. In drafting the PDP Bill, the Drafting Committee looked at international best practices and existing frameworks, such as the EU’s General Data Protection Regulation (“GDPR”), as well as laws and frameworks enacted or under discussion in other jurisdictions, including the Indian Personal Data Protection Bill.[2]

    In this post, we briefly compare the Sri Lankan PDP Bill and the GDPR under a few key data protection ‘themes’. While the underlying principles and structure of the PDP Bill are similar to those of the GDPR, some critical differences emerge. These differences may matter when developing a compliance and business strategy for businesses operating in Sri Lanka.

    Extra-territorial scope

    The PDP Bill and the GDPR both have extra-territorial scope: each applies to entities established in the jurisdiction, to entities offering goods or services to data subjects in the jurisdiction, and to entities monitoring or profiling such data subjects. The scope of the PDP Bill appears to have expanded from the previous draft. It now applies to any entity that offers goods or services to data subjects in Sri Lanka, whereas the earlier draft covered only entities that ‘specifically or systematically’ offered goods or services to them[3]. This could include any service accessed through an online platform by a data subject in Sri Lanka, even if that service is not intended specifically for data subjects in Sri Lanka. This is broader than the GDPR’s territorial scope: under the GDPR, the offering of goods or services must be apparent from the controller’s or processor’s conduct, and mere accessibility of a website from the EU is not, by itself, enough (Recital 23).

    Data classification

    The PDP Bill and the GDPR classify data into the same two categories: personal data and ‘special categories of personal data’ (“sensitive personal data”). Both instruments define personal data broadly, by reference to identifiability. However, the definition of sensitive personal data under the PDP Bill is broader, as it includes data relating to criminal proceedings and convictions as well as children’s data[4]. Also, unlike the GDPR, ‘biometric data’ under the PDP Bill expressly includes ‘facial images’[5]. Treating facial images and children’s data as sensitive personal data will subject controllers and processors that use such information to the strict conditions for processing prescribed under the PDP Bill. Such requirements could impede the development of technologies and innovation related to facial recognition and children’s data.

    Further, unlike the GDPR, the PDP Bill does not explain what data would qualify as data revealing racial or ethnic origin or religious or political beliefs. This may result in situations where processing ostensibly non-sensitive personal data still attracts heightened obligations. For instance, a surname may reveal a person’s ethnic origin, requiring it to be treated as sensitive personal data.

    Grounds of processing

    While the lawful grounds for processing personal data are largely similar in both instruments, the GDPR offers businesses greater flexibility in processing sensitive personal data. For instance, unlike the PDP Bill, the GDPR permits processing of sensitive personal data in the course of the legitimate activities of certain not-for-profit bodies, subject to specific conditions, and processing necessary for reasons of public interest in the area of public health[6]. However, the Sri Lankan Government, in consultation with the Data Protection Authority (“DPA”), may notify any other lawful grounds for processing[7].

    Obligations of controllers

    The previous draft of the PDP Bill required mandatory registration of controllers (and processors). This has now been replaced by an accountability framework termed the ‘Data Protection Management Programme’[8]. Similar to the obligations under the GDPR, this requires the controller to maintain records of its processing activities, conduct data protection impact assessments (“DPIAs”), facilitate the exercise of data subject rights and operate a grievance redressal mechanism, among other things[9].

    Of particular concern is the requirement that controllers conduct DPIAs when the processing is likely to result in high risk to the ‘rights and freedoms of a data subject under any written law’[10]. DPIAs must also be conducted if the processing is for the purpose of profiling, large-scale processing of sensitive personal data, monitoring of telecommunication networks or public spaces, or any other purpose that may be notified[11]. This requirement is particularly broad: the risks to a data subject under any written law are hard to bound, so a controller may have to conduct a DPIA in a very wide range of situations. Also, unlike the GDPR, under which the supervisory authority is consulted only where a DPIA indicates that the processing would still result in a high risk (Article 36), the PDP Bill requires every DPIA to be submitted to the DPA[12], which may stop the processing activity if it deems the processing ‘high risk’ after mandatory consultation[13]. Rather than advancing an accountability-based approach, this has the potential to turn DPIAs into a tool of precautionary regulation that can delay the delivery of innovative products and services.

    Obligations of processors

    The single biggest difference between the two instruments is that the PDP Bill appears to impose obligations on processors that are on par with those of controllers[14]. As a result, processors will have to comply with the conditions of processing set out in four of the five schedules to the PDP Bill. Under the GDPR, such obligations are reserved for controllers, not processors. Further, failure to comply with the obligations imposed by the PDP Bill would expose data processors to penalties of up to 10 million Sri Lankan rupees[15]. Data processors under the GDPR are not subject to penalties for failing to comply with these controller-type obligations (they remain liable for breaches of the processor-specific obligations imposed on them, for example under Articles 28 to 32). These requirements, which are not in line with international standards, can increase processors’ regulatory burden and have an adverse impact on investment in Sri Lanka’s data processing and outsourcing industry.

    Cross-border data flows

    Unlike the GDPR, the PDP Bill requires that personal data processed by a ‘public authority’ acting as a controller be processed only in Sri Lanka, unless the DPA specifies categories of personal data that may be processed outside Sri Lanka[16]. This may require data processors serving government entities to localise data in Sri Lanka, increasing the cost of such services.

    As under the GDPR, the Sri Lankan government can prescribe a third country, a territory, or specified sectors within a third country as providing an adequate level of protection, to which data may be transferred subject to compliance with the other provisions of the PDP Bill[17]. However, to demonstrate compliance with the provisions of the Bill, the controller or processor must enter into a legally binding and enforceable instrument with the recipient located outside Sri Lanka[18], or adopt or enter into such other instrument as the DPA may determine[19]. The PDP Bill contains no provision for transfers made with the consent of the data subject, unlike the GDPR, which provides a derogation where the data subject has explicitly consented to the proposed transfer after being informed of the possible risks (Article 49(1)(a)).

    Constitution of the DPA

    The Sri Lankan government is empowered to set up or designate any body, statutory or otherwise, as the DPA[20]. While the PDP Bill does not preclude the government from setting up an ‘independent’ DPA, this power in itself strongly suggests that the Government will have significant control over the DPA, and dilutes its legitimacy as an independent expert body. Further, the Sri Lankan government can issue directions to the DPA regarding the discharge of its functions, underlining the apparent lack of independence of the DPA[21]. This is in contrast to the GDPR, which requires each supervisory authority established by a member state to act with complete independence (Article 52).

    What lies ahead for the PDP Bill?

    In November 2019, Sri Lanka elected Gotabaya Rajapaksa as its new President, who appointed his brother, Mahinda Rajapaksa, as the new Prime Minister.[22] He also appointed a new interim Cabinet and dissolved Parliament. The parliamentary elections, which were to take place in April 2020, have been postponed due to COVID-19[23]. While President Rajapaksa promised in his election manifesto to introduce “new legislation” to ensure data protection[24], it remains to be seen whether the change in political leadership and a new government will affect the form and substance of the PDP Bill. Given the unpredictable political climate in Sri Lanka, it is hard to predict the timeline for introducing the PDP Bill in Parliament, or whether it will be introduced at all in its current form.

    This post is authored by Vijayant Singh, Associate, and Saumya Jaju, Associate with inputs from Nimisha Dutta, Consultant, at Ikigai Law.

    For more on the topic, please feel free to reach out to us at contact@ikigailaw.com.

    [1] MDIIT Press Release, 24 September 2019, available at http://www.mdiit.gov.lk/index.php/en/digital-news/item/73-data-protection-legislation

    [2] Id.

    [3] Section 3(i)(iv), PDP Bill.

    [4] Section 46, PDP Bill.

    [5] Section 46, PDP Bill.

    [6] Article 9, GDPR.

    [7] Section 43, PDP Bill.

    [8] Section 13, PDP Bill.

    [9] Section 13, PDP Bill.

    [10] Section 23, PDP Bill.

    [11] Section 23(3), PDP Bill.

    [12] Section 23(5), PDP Bill.

    [13] Section 24, PDP Bill.

    [14] Section 21, PDP Bill.

    [15] Section 32, PDP Bill.

    [16] Section 25(1), PDP Bill.

    [17] Section 25(2), PDP Bill.

    [18] Section 25(3), PDP Bill.

    [19] Section 25(4), PDP Bill.

    [20] Section 27(1), PDP Bill.

    [21] Section 41, PDP Bill.

    [22] ‘Newly elected Sri Lankan President Gotabaya Rajapaksa picks brother as prime minister’, Straits Times, November 21, 2019, available at https://www.straitstimes.com/asia/south-asia/rajapaksa-picks-brother-as-prime-minister

    [23] ‘Elections needed for a stable Government’, Daily News, May 04, 2020, available at http://www.dailynews.lk/2020/05/04/political/217822/elections-needed-stable-government

    [24] Page 51, Gotabaya Rajapaksha, Election Manifesto, 2019, available at https://gota.lk/sri-lanka-podujana-peramuna-manifesto-english.pdf.
