The average Sri Lankan is bombarded with over a dozen SMS messages, emails, and automated and non-automated calls from various businesses daily, ranging from promotions and deals to updates on bank card transactions.
However, in most cases, the consumer has not given permission for these companies to communicate with them in such a manner, raising eyebrows on the Sri Lankan citizen’s right or the lack of right to privacy, and the massive loopholes in the country’s legislation in the current digital age.
Without going into a discourse into renaissance and enlightenment era philosophy and the social contract which form the fundamentals of modern democracy, a simple explanation of the social contract is that humans concede a part of their rights to be a part of a well-governed, civilized and logical society. While governments today oft quote the supremacy of the sovereignty of a state—which technically is the collective sovereignty of the citizens of a state—as supreme in face of foreign intervention, the social contract stipulates that except for the rights surrendered to the government through laws, the individual sovereignty of a citizen is supreme, giving humans their liberty and freedom. This is why good governments are always playing catch up on creating laws to curb liberties that harm the society.
The supremacy of a citizen’s sovereignty is expressed through natural inalienable fundamental rights, and legal rights. Whether a citizen is actually able to exercise their rights or whether rights are an illusion created by governments to keep citizens in check is up for debate.
The Sri Lankan constitution, like many other constitutions list the natural, inalienable rights of its citizens, such as the freedom to choose a religion or belief, and the freedom of speech and expression. However, Sri Lankans are not offered a constitutional right to privacy, and the Penal Code only seeks to protect the physical privacy of a citizen up to a certain degree, with laws completely ignoring emotional and mental privacy.
Arguments in political science are split in such situations, where some argue that the constitutional rights are the only inalienable rights a country’s citizens are entitled to—in favour of limiting liberty and freedom—while others argue that unless suppressed legally, citizens have universal freedom to choose and stand up to their rights.
However, the right to privacy for Sri Lankans is even more complex than this, because as a member of the United Nations (UN), Sri Lanka is also expected to follow the UN International Bill of Human Rights, where the Universal Declaration of Human Rights declare the right to privacy as an inalienable right. Some would argue that sovereign states are not bound to follow international law if they so wish despite the lack of such manoeuvring space in a globalized world. Even during the xenophobic regime of Rajapaksa when the United Nations and Western society was scorned, when pressured on lesbian, gay, bisexual and transgender (LGBT) rights—listed as criminal under the Penal Code of Sri Lanka—that are protected under the International Bill of Human Rights, the government scrambled to issue a statement stipulating that LGBT rights are protected constitutionally, despite the contrary.
Sri Lanka probably would have had to acquiesce to the demands of the United Nations Human Rights Council with regards to allegations on war crimes even if the regime had not changed, since there would have been trade embargos and diplomatic penalties far worse than just removing preferential access to European Union markets, which in itself had contributed with nearly US$ 2 billion in direct customs costs, without considering the loss of market share due to declined competitiveness.
Right to privacy in the digital age
Considering these reasons, Sri Lankans should have a reasonable expectation of privacy, though they had not fought for a constitutional right to privacy despite decades of oppression, possibly due to the lack of independence in the judicial system, which dragged out cases for years on end, and the country’s war footing. Even in the US, where privacy is ensured with hundreds of laws in each state, the US Patriot Act brought in after 9/11 had cut across these laws and infringed its citizen’s privacy as revealed by Edward Snowden.
While Sri Lankans had put up with any overt or covert violations of their privacy during the age of traditional business, the digital age has brought on a whole new dimension of privacy violations, which many are now complaining about. Giving the phone number to a pizza delivery service expecting the call when the pizza is delivered instead results in daily SMS messages about various deals, while one of the country’s largest electronic retail platforms sends e-mails and SMS messages daily as well, despite customers not checking the box that allows the company to contact a customer.
An explanation sought from the CEO of the retail platform had resulted in the reply “We have the highest respect for the privacy of our customers”. The retail platform’s parent, a telecommunications giant, launched a joint venture electronic healthcare services platform recently. Customers of the telecommunications company had received multiple messages and automated calls enticing them to use the healthcare service.
Sri Lankan companies are exchanging or selling consumer information to each other in an attempt to push their products to potential customers. Even in the US with its strict privacy laws, companies such as Facebook and Google are accused of selling private consumer data, but the large companies settle these suits out of courts and find even more devious ways of trading information until the next lawsuit arrives.
The lack of privacy laws, coupled with the weakness in the Computer Crimes Act where only information not obtained legally being traded being found as an offense, and the Electronic Transactions Act where transmission of electronic data is covered without consideration as to where the data was initially taken from, has resulted in a prime environment for Sri Lankan companies to trade consumer information freely, as they had obtained the information legally from the consumer, without assuring the consumer as to what purposes the information will be used.
Even the government is exploiting the lack of laws, with Presidential SMS messages during certain cultural and religious festivals and the New Year becoming the norm.
Sri Lanka’s Information Communication Technology Agency (ICTA) is seeking to reach the legal standards of the EU with regard to digital matters. Legislation in the EU that was enacted in 1995 is currently being phased out seeks its member countries to regulate a wide variety of data privacy violations. Under this the UK had implemented regulations where the first offense of sending automated messages to a recipient without consent would result in a notice, the breach of which is considered a criminal offense with fines up to £500,000. Under the law, the Brexit Campaign had been fined £50,000 for sending e-mails
However, the EU earlier this year passed the General Data Protection Regulation which would have a uniform effect across its member states, and is set to come into full effect in May 2018 after a transitional period. Under the new regulations, first and non-intentional breaches would result in a warning, and repeated breaches would subject parties to regular data protection audits and fines up to 10 million euros or 2 percent of their annual worldwide turnover in the preceding year, whichever is higher, while intentional breaches could result in fines up to 20 million euros and 4 percent of the total worldwide annual turnover.
Most countries in the world have now enacted laws which stipulate that a consumer must opt in favour of each method a company will use his or her personal information, in addition to the core business of the company for which the data is needed. This is usually represented with check boxes in a sales agreement, which a customer can use to indicate the preference for their data to be used in various ways.
The opt in theory won a small victory recently when a top commercial bank CEO in the country agreed with Mirror Business that it is the right of the consumers to choose whether a business they are customers of could contact them.
While tactfully refusing to comment on behalf of the country’s entire private sector, he said that the banking sector has realized that some customers do not wish to be disturbed, and that such customers could contact the bank asking to be left out of the messaging system. However, this still raises concerns as to why the banks started unauthorized communication in
the first place.
Dangers of going digital
This CEO said that he would like to see more people using credit/debit cards and online transactions because that would benefit the banks and retailers in marketing products to the consumer, while the consumer would benefit from companies tailor making marketing efforts so that the consumer will be informed of the products best
suited for them.
Arguing to limit personal liberty and freedom, he argued that cash transactions make citizens anonymous, and create space for corruption and tax evasion, but what if there are citizens that are not corrupt, pay their taxes, but still want to remain anonymous? Perhaps those in positions of power should entertain the possibility that the problem lies with corrupt officials and inefficient tax collection mechanisms.
The Central Bank too is pushing for more cashless transactions for these reasons, while the government is also aiming to introduce an electronic identity card, seeking to become omniscient about its citizens, which may convert to using information gained from such instruments for sinister purposes unless regulations are brought in to limit the government’s reach into a person’s privacy, since the government is only barred from sharing private information with other citizens in the Sri Lankan Constitution.
However, even rights provided in the Sri Lankan Constitution are being repealed with recent laws under the guise of strengthening them, as seen when the right to information in the Constitution was “expanded” in the Right to Information Bill passed this year, but instead further restricted a citizen’s right to demand access to information related to the
country’s economy. At a time when the country’s parliament is hammering out a new constitution, the new government, which is starting to face opposition from its citizens due to unfulfilled promises of prosperity, could perhaps increase the confidence among the people by including the right to privacy in the new constitution and bringing in new laws to protect consumer data during the digital age.
Data Privacy Act: Better late than never!
The ICT implementation arm of the government, the Information Communication Technology Agency (ICTA) has nearly completed a Data Privacy Act which could serve to reign in businesses which have so far infringed on the citizen’s right to privacy with impunity.
“A Data Privacy Act will be brought in. That is crucial and has to happen. We have worked with the Justice Ministry, the Telecommunications Ministry and our legal team,” ICTA Managing Director Muhunthan Canagey said.
He said that Sri Lankan digital laws need to be in line with the European counterparts. This is because the European Union’s policy that it will not have substantial digital interaction with a country that has lesser digital laws than its own.
Canagey agreed that consumers should have the right to choose when they should be contacted with opt in regulations, as well as the privacy they deserve with restrictions to how other parties sell or trade customer information.
He also noted with interest the right to forget that Europeans have started enjoying recently.
However, he noted that many websites and mobile apps have lengthy user agreements which if the customer clicks as ‘Agree’, will forfeit many rights. “We usually don’t read these agreements. When you click a button, you have agreed to let contact you,” Canagey said.
Despite the danger that Sri Lankan consumers are in, Canagey was not willing to give a timeline as to when the act would be presented in parliament. “We will send it to the cabinet soon. Then it will go to the legal draftsman and back to the cabinet, and then it will go to parliament. I don’t want to give a timeline and get people’s hopes up, because it’s a democratic process, and there may be delays,” he said.
When inquired if the act would cover all forms of data privacy violations observed in the world today, and if the private sector has started lobbying it, Canagey said that ICTA is focused on getting the first act—which may be simple—in.
“Let’s get the first one in. All these (other regulations) have to happen and we have to push it and others have to review. We want the act to be continuously gazetted and improved and for people to say ‘this is not acceptable’,” Canagey said. He added that along with the new act, ICTA will also increase education among the populace on the dangers of violations of data privacy.