Sri Lanka: Data is new Oil

Is data the new oil? You and I stand as judge and jury. However, considering the large penalties that have been imposed for data protection violations, we might already have a verdict.

by Samantha de Zoysa

Data protection is not a concept we, in Sri Lanka, are familiar with. Globally, the laws surrounding data protection have been around for about 20 years. And we are only just about getting started. The proposed ‘Data Protection Act’ (hereinafter referred to as the ‘Act’ for ease of reference), was drawn in 2019 and is expected to be passed in Parliament. My exposition below of the ‘Act’ is without knowledge of the regulations and directives that should follow. All sections and definitions referred to in this article are from the ‘Act’.



What is data protection? As the word itself denotes, it is the right of a person (i.e., data subject), to ensure that their personal data is not used, exchanged or even maintained without their knowledge. What sort of data would this cover? Any data, by which an individual is identifiable. The definition in the ‘Act’ includes name, an identification number, location data and also factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of an individual.

In the past, it was the authorities that maintained privacy. However, in recent times, the responsibility of data protection seems to be on the individual. If you and I need to ensure that our data is not being misused, we need to know our rights under the ‘Act’ in order to recognise and address an offence. Who does it apply to? Any individual (‘data subject’) that has given their personal data to an entity (‘controller’ or ‘processor’). Data subjects have rights and the controllers and processors have obligations.

The rights of a ‘data subject’ and obligations of a ‘controller’

What is this ‘Act’ really trying to achieve? It is ensuring that personal data given to entities is protected, so that individuals’ privacy is not compromised. Alternatively, it is giving data subjects rights regarding their data. An entity could either be a ‘controller’ or ‘processor’.

The concept of data processing is given the definition of ‘any operation performed on personal data including but not limited to collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination, or the carrying out of logical or arithmetical operations on personal data’.

In short, anything that is done or not done with personal data that has been collected by an entity. A ‘data subject’ is defined as an identifiable natural person, alive or deceased, to whom the personal data relates. Basically, any person who is or has been alive.

What are the rights under the ‘Act’? What level of responsibility can we expect from entities (public, private and others) that take our data? The protection of personal data has to be done to the satisfaction of the data subject, though in subjection to the ‘Act’.

The rights of data subjects are identified as follows:

(1) Section 13 – Right of withdrawal of consent and right to object processing
(2) Section 14 – Right of access to personal data
(3) Section 15 – Right to rectification or completion
(4) Section 16 – Right to erasure

If these rights of an individual are denied by an entity, an offence has arisen. As much as one can give access to one’s data, at any time after, one has the freedom to deny access, to rectify, to erase and even to withdraw consent.

The rights of a data subject should be understood in parallel with the obligations of a controller. A ‘controller’ is defined as ‘any natural or legal person, public authority, non-governmental organisation, agency or any other body or entity which alone or jointly with others determines the purposes and means of the processing of personal data’.

In Part II of the ‘Act’, the obligations of a controller can be outlined as follows:

(1) Section 5 – Obligation to process personal data in a lawful manner
(2) Section 6 – Obligation to define a purpose for processing
(3) Section 7 – Obligation to confine processing to the defined purpose
(4) Section 8 – Obligation to ensure accuracy
(5) Section 9 – Obligation to limit the period of retention
(6) Section 10 – Obligation to maintain integrity and confidentiality
(7) Section 11 – Obligation to process personal data in a transparent manner
(8) Section 12 – Accountability in the processing of personal data

Processing data in a lawful manner is paramount to abiding by the ‘Act’. Section 5 is important as a controller needs to understand how to process personal data. Section 5 (2) (a), (b) and (d) will not be explored in this article. However, section 5 (2) (c) states that all the conditions in Schedule III need to be present. They are as below:

A data subject has to give their consent for the processing of their personal data (Schedule I (a) and Schedule II (a)).

The data subject has to be informed that consent can be withdrawn anytime and also consent has to be given in a very clear manner. A written declaration is highly advisable. The less ambiguity there is as to whether consent has been given, the better it is for all parties concerned.

When consent is freely given, utmost account shall be taken whether, inter alia, the performance of a contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract. In other words, a ‘data subject’ should be aware that consent has been given to the processing of their data in order for a contract to be fulfilled, even though, strictly speaking that data was not needed.

Processing data should be for a specific purpose and the processing should be confined to that purpose (section 6). The purpose should be specific, explicit and legitimate. Every controller must also ensure that processing of personal data is adequate, relevant, proportionate and not excessive (section 7). The other obligations listed above are self-explanatory.

Section 12 explains what is expected of controllers having accountability in the processing of personal data. Section 12 (2) states that it is the duty of every controller to implement internal controls and procedures (‘data protection management programme’). There are eight provisions including, establishing and maintaining duly catalogued records to demonstrate the manner in which the implementation of the data protection obligations are carried out by the controller and having a mechanism to receive complaints, conduct of inquiries and to identify personal data breaches.

Penalties

Part VI outlines the penalties under the ‘Act’. Any controller or processor who has not complied with the ‘Act’ will be charged a penalty by the Data Protection Authority (‘Authority’) which is yet to be appointed.

Initially, a warning in writing is given by the Authority. A specified period of time is given to conform to such requirements or show cause as to why such requirements are not fulfilled.

The Authority also can charge a penalty, taking into consideration the nature and extent of relevant non-compliance and its impact on data subjects. However, the penalty shall not exceed Rs. 10 million. If an entity was charged a penalty, and it was not complied with, the Authority can charge an additional penalty, up to double the amount of the initial penalty and for each non-compliance. Section 33 outlines factors to be taken into consideration when imposing a penalty. A person who is aggrieved by an administrative penalty can appeal to the Court of Appeal.

Conclusion

A question that arises is how did we manage all this time without such laws in Sri Lanka? Do we need to further complicate corporate administration? The short answer to that question is yes, compliance to such laws are necessary and will only benefit an organisation. After all, we do not operate in isolation and as we increase our global presence, adequate protection of personal data is going to be paramount.

Laws such as the GDPR in Europe are very detailed and seem borderless. They extend to any entity, irrespective of their jurisdiction, as long as they take data from Europe. Is this fair? Is this practical? I don’t know. But the law still stands.

A corporate culture embracing strict privacy and data protection principles will win the confidence of their customers and partners locally and overseas. This can only be positive.

As we await the bill to be passed, I urge all entities that collect data to start getting ready to be in compliance with the ‘Act’.

Is data the new oil? You and I stand as judge and jury. However, considering the large penalties that have been imposed for data protection violations, we might already have a verdict.

This article has only touched the bare minimum on the proposed Act. In my next article, I will be writing on the boundaries of the law, the differences between a ‘controller’ and ‘processor’ and also cross border data flow.

(The writer holds an LL.B (Hons.) (Warwick); LL.M (Lon.); Barrister (of Lincoln’s Inn); Attorney-at-Law and could be reached via email at samanthadesoysa@yahoo.co.uk.)