Transparency International Sri Lanka (TISL) calls on Members of Parliament to not rush through enacting the law until concerns are addressed.
On the 9th of March 2022, the Personal Data Protection Bill is scheduled for the second reading in Parliament. This Bill aims to regulate the processing of personal data by identifying and strengthening the rights of data subjects – persons whose data is held by a processor or controller.
However, Transparency International Sri Lanka (TISL) is deeply concerned about three key areas in this Bill including the impact on certain rights and freedoms, if enacted in its current form.
The creation of a legal framework on personal data protection can be viewed as an important step in safeguarding human rights, especially at a time when information has become both a tool to be used by the people and against them.
However, TISL’s three key concerns on this Bill are as follows.:
- Severe impact on journalism – The Bill does not recognize ‘Journalistic Purpose’ or data processing in the exercise of freedom of the press or freedom of expression as a condition for processing data. This means that media, including broadcast media, will be restricted from using personal data when reporting, as they become data controllers and processors in the use of personal information of others for journalistic activities. TISL recommends that ‘journalistic purpose’ should be identified as a legitimate condition to process data, in order to ensure that access and publication of information for journalistic purposes is not unduly restricted.
- Data Protection Authority has wide powers, and is not independent – The Bill designates a ‘government controlled’ body as the Data Protection Authority. The Authority does not have sufficient safeguards against political interference or attempts at diluting its powers and functions. Further, the Data Protection Authority, being a non-judicial and non-independent body, is given the power to investigate into sources of obtaining data and to impose penalties of up to Rs. 10 million per non-compliance on data controllers and data processors who fail to comply with the directives of the Authority. This has implications on the rights of persons in general and could also lead to the Authority seeking information regarding sources from journalists and media. TISL recommends that an independent Data Protection Authority is set up for the purposes of the Act.
- Impact on the Right to Information – In its current form, the provisions of the Bill prevail over the provisions of any other written law, including the Right to Information Act, in case of any inconsistency. This can lead to derogation from the fundamental right to information, especially in practice. Therefore, TISL recommends including a specific exception to ensure that the Right to Information Act is not overridden in case of inconsistency.
Earlier in 2022 and in 2021, TISL officially raised these concerns with the Ministerial Consultative Committee on Technology and with all 225 Members of Parliament.
The draft framework on personal data protection which was produced in 2019 has two crucial points that could improve the current bill. The preamble of the 2019 framework specifically refers to Sri Lanka’s constitutional Right to Information as a crucial right, recognizing the need for the public interest to be balanced with the protection of personal data. The 2019 draft also called for the appointment of three members to the Government Controlled authority enforcing the bill, through a public application process. This step could be crucial to ensure that the authority remains independent.
Since it is critically important that there is a harmonious formulation of the Personal Data Protection law with other existing rights and protections in the best public interest, TISL calls on all Members of Parliament and the Ministerial Consultative Committee on Technology to not rush through the process of enacting this important law, without ensuring that these concerns are addressed.
TISL Executive Director Nadishani Perera commenting on the matter noted that “If enacted in its current form, the Data Protection Bill could become a well-meaning law which could yet be abused. The Bill could be used to create a chilling effect in the media and among whistleblowers which would be a blow to Sri Lanka’s democracy.”