Can Sri Lanka uphold the requirements to successfully implement the Personal Data Privacy Act?

Panel discussion on 'Impact of Data Protection Act in Digital Services' at Internet Day 2022

By Aarthi Aryasinha

Will Sri Lanka be able to keep up with the Personal Data Privacy Act (PDPA) requirements in order to sustain foreign direct investment? Data protection laws are a key source of attraction for large global companies, as they are pivotal for the success of any digital economy. The further Sri Lanka regulates its data protection, the more likely it is that inward investment will flow into the economy.

The Federation of Information Technology Industry Sri Lanka (FITIS) hosted a discussion between three panellists to assess the impacts and difficulties that surround implementing the PDPA and to explore how data privacy has been implemented in other countries. Several aspects of the general rollout of this act to the domestic population were addressed. Concerns about the lack of knowledge of basic data privacy issues, from both a general and a cultural point of view, were a key element of the discussion.

Potential challenges to be faced by SMEs

For global firms, cyber security, especially data privacy, is a key component of trust between the client and the business. If a business chooses to invest in a new country, it will need to be certain that its data, including that of global customers, is protected. Investments will only take place if businesses are convinced that the risk-to-reward ratio is on the favourable side. In order for the PDPA to be effective, there are a variety of hurdles domestic businesses will have to clear. In Sri Lanka, local businesses, especially small and medium enterprises (SMEs), will be faced with the challenge of scaling up their digital capacity. Dr Jayantha Fernando, General Counsel of ICTA/Director Sri Lanka CERT, said they must be educated so as to ensure the ability to “housekeep,” and provide a form of management regarding data issues. This will range from reporting data problems to actually addressing or telling consumers about potential breaches that may occur. The main theme around what needs to be done in order for the act to be effective is to build trust in how technology is being used, and to build awareness amongst the public of what aspects of data protection they need to adhere to. If this is done accordingly, companies from abroad will be more incentivised and feel secure to invest in the country. In order for Sri Lanka to use this act as a stepping stone to a digitally fluent economy, both foreign and domestic companies must adhere to a minimum standard. Jayantha Fernando says the law is not only applicable to Sri Lankan domestic businesses. “It would apply to even a foreign entity where our Sri Lankans or data subjects have registered, giving the country a wider range of protection from foreign threats as well.”

He says personal data, such as mobile numbers, addresses, even details given to school admissions, will be regulated through a layered process. “The law was drafted by a community of people from the public and private sectors, including the Computer Society of Sri Lanka, FITIS, the Ceylon Chamber of Commerce, and SMEs. Sri Lanka has gone a step further by introducing something called a Public Consultation Process to be carried out before the rules are finally adopted and gazetted. In addition to that, 32 written submissions were filed during the drafting process and a lot of them were global tech companies who wanted clarifications from us because they were going to be regulated under this law.”

This shows the potential global interest in the Sri Lankan digital economy, and that properly managed data protection legislation carries heavy weight and could have a make-or-break impact on the economy.

What the government can do to help Sri Lanka go up in the World Bank Government Maturity Index

Dr. Jasmin Begum, Director of Legal, Corporate & Government Affairs, SEA & New Markets, Microsoft, says grants and subsidies are neither a feasible nor a realistic option for Sri Lanka right now. Instead, governments can aid MSEs (medium-sized enterprises) with the digitization of their businesses through educating the population and taking the opportunity to transform people's mindsets and the way they work. “It is clear that the only way to properly utilise the benefits of the PDPA is to create a cultural shift to data privacy in the country. In accordance with the World Bank Government Maturity Index, Sri Lanka is seen to be under group B which holds ‘High Significant focus on GovTech,’ which focuses on ‘Citizen-centric public services that are universally accessible’ and a ‘whole government approach to digital transformation.’ This recognition demonstrates the importance of developing the data protection law, as it gives Sri Lanka global recognition, and will further entice foreign direct investment.”

She adds that without an updated method of data protection, Sri Lanka's ability to actually acquire data outside its borders will be limited, as the law clearly states, “the regime of the receiving country has to be at the same level or better.” However, she says it is encouraging to see Sri Lanka amongst the countries listed in the index as moving from analog to e-gov to digital gov.

What businesses will have to do to adjust

For the Act to create a significant impact on the digital economy of Sri Lanka, businesses will need to be more focused on what data is critical for their operations. This may mean forgoing the collection of unnecessary data that they use. As Sujit Christy, President, (ISC)² Colombo Chapter, says, it is a matter of ‘productizing as a market of products,’ i.e. taking a skill or service that has been used internally and developing it into a fully-tested, packaged, and marketed product. He added that businesses needed to be aware of, and responsible for, the personally identifiable information they acquire about their clients/customers, and to focus on looking after individual rights. He identified a method by which businesses could process certain data: ascertaining whether the consumer could be identified, located, or communicated with, and dividing the respective data into ‘3 buckets’ in order to minimise the threat of breaches. Breaches of privacy must be considered an urgent and serious issue.

There are instances in other countries where such breaches have occurred. As Jayantha Fernando points out, “In Finland, one of the clinics dealing with medical health records faced a situation where their patient records were breached, and in an Australian case, a private insurance company went through a similar case,” emphasising the importance of good housekeeping, and the vital role a regulator has to play.

The progress being made regarding the Personal Data Privacy Act 

Sri Lanka’s data protection act, which was passed as law in March 2022, is not wholly enacted as a regulator is yet to be appointed. Jayantha Fernando says they have an 18 - 36 months window for operationalising the law from the date it was passed, and expectations have to be managed until the government appoints a new regulator. Since the appointed regulator will be entirely new, Fernando says a soft law approach using some administrative law tools will be taken to enable the regulator to gradually implement it through sectoral guidelines. Further, the sectoral guidelines and grooves will not be drafted in isolation but via advisory committees that will be appointed by the regulator. “The need to adhere to minimum standards is going to be one of the biggest challenges for the regulator. We have gone one step further beyond any other regimes, by introducing something called a Public Consultation Process to be carried out before the rules are finally adopted and gazetted.”

Cross-border data flow is inevitable in a digital economy and therefore governments are building a lot of personal data protection laws to attract the right kind of investments. These laws may come in different permutations depending on which country they originate from, i.e. Malaysia, Singapore, Thailand, Indonesia or other. But data protection is the gold standard to operate in a digital world and Sri Lanka needs to seize the opportunity in appointing the right regulatory body to make our laws wholly operational.

Moderator: Shamindra Kulamannage (Echelon Media)

Panellists: Dr. Jayantha Fernando (General Counsel of ICTA/Director Sri Lanka CERT), Mr. Sujit Christy (President (ISC)² Colombo Chapter), Dr. Jasmin Begum (Director of Legal, Corporate & Government Affairs, SEA & New Markets, Microsoft)

(The writer is a student of Media Communications and is exploring the new world of social media communication against traditional media.)