- To strengthen our international trade and commerce, we have to have a data protection law. A data protection policy is not sufficient; we need a law that complies with the GDPR
- With the COVID-19 pandemic, contact tracing has become vital to control the pandemic. However, it is understandable that people have privacy concerns. Without any legislation in place, how is the government or authorities accountable for the storage and usage of data?
- Sri Lanka became a state party to the Budapest Convention (The Cyber Crimes Convention). This is historical because Sri Lanka was the first South Asian country to accede to this convention
- Recently the media reported that drones were flying close to windows of the houses. This is not right. Drones were used to track external movements. When such an incident occurs, it leads to people wondering about their privacy
Contact tracing due to the COVID-19 pandemic has led to privacy concerns. While this has become a global concern, unlike other countries, Sri Lanka has no law in place to protect privacy. The Data Protection Bill was presented to the parliament in September 2019 but no move has been made to pass the bill yet. Speaking to Daily Mirror, Co-Chair of Communications, Technology and Data Protection Subcommittee of the Law Association for Asia and the Pacific (LAWASIA), Sunil Abeyaratne, shared his views.
Q Why do we need a law regarding data protection?
In an international context, Sri Lanka has business ties with the European Union (EU) and many of our shipping lines are from London to Colombo. The countries that follow the EU’s General Data Protection Regulation (GDPR) have strict laws about sending their data to a country with no data protection laws. Countries that they send their personal data to, must have laws that cover the seven principles of the GDPR.
The seven principles of the GDPR are:
- Lawful, fair and transparent processing of data.
- Purpose limitation: where the data is collected only for the specific purpose and cannot be used for any other purpose.
- Data minimization: collect only the relevant data needed.
- Accurate and up-to-date data processing.
- Storage limitation: storage of data in a manner that it cannot be identified.
- Confidentiality and security: ensure the security of the data.
- Accountability and liability: the assurance that the data will not be shared with a third party and no data will be kept beyond the specified period.
The Data Protection Bill does cover these aspects; however, it hasn’t come into effect yet. Currently, we have no law that covers these principles. If Sri Lanka does require data from an EU member country or even the UK (since the GDPR came into effect before Brexit was finalized), then we must prepare a contract that would assure them that we would comply with these principles. However, it is up to the countries to accept the contract or not.
Therefore, I believe that to strengthen our international trade and commerce, we have to have a data protection law. A data protection policy is not sufficient; we need a law that complies with the GDPR.
Q The Data Protection Bill was presented to the parliament in September 2019, but since then no action has been taken yet. Why has there been a delay in implementing the Data Protection Bill?
I am not sure of the exact reason; however, in my view, there is a drafting problem in the Bill. While the Bill has followed the principles of the GDPR, the drafting is not satisfactory. This might lead to confusion during implementation. Hence, I request that the lawmakers rearrange the Bill in a way that does not cause confusion during implementation. It would be better if assistance is sought from the Attorney General’s department, unofficial bar (practising lawyers), jurists, law researchers from universities and other institutions and also assistance from all sectors. This would ensure that there won’t be practical problems when implementing this bill and that the bill covers all sectors.
There are also certain aspects that are not covered in the Data Protection Bill, especially the technical aspects to mitigate the risks. According to the Computer Crimes Act, hacking done with a criminal intention is considered as a crime. Officials can hack through digital contact tracing applications. They could claim that they hacked due to some legitimate purpose and will not be charged. If a Sri Lankan goes abroad, and if officials in Sri Lanka are still collecting that person’s data (outside Sri Lankan borders), it could be a crime according to that country’s laws. We have no provision for this purpose. Lawmakers should consider these aspects, rearrange the bill and pass it.
Q Without data protection laws, Sri Lanka already has a contact tracing app. People have privacy concerns regarding the storage and usage of data even though authorities have assured that data will be stored for a limited time period and will only be used for this purpose. What are your views on this?
With the COVID-19 pandemic, contact tracing has become vital to control the pandemic. However, it is understandable that people have privacy concerns. Without any legislation in place, how is the government or authorities accountable for the storage and usage of data? Other than just believing what the authorities say, what assurance do the people have regarding the protection of data? Who will be held accountable if there is a data breach? These are the questions that have to be asked. This is why people are hesitant to give out their personal data. This has led to intelligence officers being deployed to conduct contact tracing. To avoid this, lawmakers should come up with a data protection law soon and add in the modifications that cover contact tracing. This would lead to the public being confident to reveal their data as their data is protected by law.
The GDPR has been virtually modified due to the COVID-19 pandemic. Guideline 4/2020 on the use of location data and contact tracing tools in the context of COVID-19 outbreak was created to protect people’s data during the pandemic. Sri Lankan lawmakers can go through it and modify the Data Protection Bill accordingly.
Q Can all the GDPR regulations be applied in Sri Lanka? Are there certain areas which might not apply to
In Article 4 of the GDPR, it allows public authorities to process personal data as long as it is in accordance with the government’s legal framework. Concerns were raised in India regarding this. Their concern was that the ruling party could misuse their power and use public authorities to collect personal data of people involved in the opposition. This political culture is not present in the EU but is present in Asian countries. Therefore, when preparing our data protection laws, certain modifications have to be done in accordance with the socio-economic, political and cultural context of Sri Lanka. The modifications have to give more rights to the data subjects and still comply with the GDPR principles.
Q Other than developing international trade and commerce, what other benefits does Sri Lanka gain from implementing a data protection law? And how does Sri Lanka have an international obligation to implement such a law?
In September 2015, Sri Lanka became a state party to the Budapest Convention (The Cyber Crimes Convention). This is historical because Sri Lanka was the first South Asian country to accede to this convention. A part of that convention is data protection, so Sri Lanka does have an international obligation to implement a data protection law. And currently, with the pandemic, it has become the need of the hour to implement such a law, so that the spread can be controlled with people’s willingness to give out their personal data.
Gaining access to personal data can help better international trade and commerce. The importers would gain insight as to how to better the products and supply according to the demand. Access to data can be very crucial for academic research purposes. It can also be helpful in litigation matters. For example, if there was a divorce case and one person lives in the EU, there might be a need for some personal data of the person. Having a data protection law complying with the GDPR principles would lead to EU authorities giving us access to that data. Access to data is also very crucial in investigation matters, especially if the person who committed the crime or is a suspect is living abroad. In such an instance, we’d need international cooperation in getting the person’s data. Countries wouldn’t give out such data unless they have the assurance we will only be using that data for investigation purpose and nothing else. For trans-border data exchange, we need proper legislation for data protection.
Without going into the further debate, I believe we need to implement the data protection law very soon especially considering the current situation in the country. Technology-wise, the implementation of the drone regiment to track movements in the isolated area is an excellent decision. However, there are other aspects we need to think about. Recently the media reported that drones were flying close to windows of the houses. This is not right. Drones were used to track external movements. When such an incident occurs, it leads to people wondering about their privacy. We aren’t in North Korea. We live in the Democratic Socialist Republic of Sri Lanka. Where is the democracy if people cannot be assured of their privacy and protection of their personal data?