On March 18, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (PDPA) and became the first South Asian Country to enact comprehensive data protection legislation. The PDPA is modeled after the EU’s General Data Protection Regulation (GDPR), establishes a new Data Protection Authority (DPA) in Sri Lanka, and requires covered entities to create a Data Protection Officer (DPO) role.
The bill was passed without a vote, after multiple amendments were made to the original text. In a statement made prior to PDPA’s enactment, Justice Minister Ali Sabry stated “[t]here is nothing called perfect legislation. Today’s perfect legislation may not be perfect for tomorrow. Therefore, we can’t sit and wait for tomorrow to do the legislation[.]” Read more for a guide to PDPA’s provisions and what it means for your organization:
The PDPA is designed to safeguard the privacy rights of data subjects whose personal data is processed wholly or partly in Sri Lanka, or by a controller or processor (“covered entity”) that:
- Is domiciled or ordinarily resides in Sri Lanka;
- Is incorporated or established under the laws of Sri Lanka;
- Provides goods or services to, or specifically targets, Sri Lankan data subjects; or
- Monitors Sri Lankan data subjects for their benefit, including profiling the subject with the intention of using their personal data and decision-making processes to their benefit.
Notably, the PDPA does not apply to personal data that is “processed purely for personal, domestic or household purposes by an individual,” or to data which is not deemed “personal.”
Processing of Personal Data
Covered data processors and controllers must comply with the following principles before and during data processing:
- Personal data must be processed only for a specific, explicit, and legitimate business purpose;
- Personal data must be “adequate, relevant, and proportionate” and only to the extent necessary for a legitimate business purpose;
- Processors must ensure that data being processed is “accurate and kept up to date,” by taking all available and reasonable steps to erase or correct inaccurate or outdated data;
- Controllers must ensure that personal data is kept only as long as necessary or required for the processing purpose;
- Controllers must take “appropriate technical and organizational measures” to ensure that the personal data is processed in a manner that ensures its integrity and confidentiality, and prevents the unauthorized or unlawful processing, loss, destruction, or damage of personal data;
- Controllers must provide data subjects with information about their personal data in a “concise, transparent, intelligible and easily accessible form”; and
- Controllers must implement a data protection management program that outlines internal controls and procedures for maintaining adequate data processing records, and demonstrates appropriate internal oversight of processing activities.
Rights of Data Subjects
Data subjects have the right to submit written requests to obtain information about their data and how it has been processed. Covered entities must act within 21 business days after receiving such a request, and provide data subjects with:
- Access to their personal data and information about how it has been processed;
- The option to withdraw previously-given consent for processing;
- The ability to correct or rectify inaccurate information collected or processed by a covered entity; and
- The option to have their personal information erased upon the withdrawal of consent, or if data controllers have exceeded the scope of previously-granted permissions, including if the controller has retained data longer than permitted.
Additional Obligations for Covered Entities
- Each covered entity shall designate or appoint a Data Protection Officer to ensure compliance with the provisions of the PDPA;
- Covered entities may only send messages promoting goods or services if the data subject has given consent to receive such messages; and
- In the event of a personal data breach, the controller must notify the DPA.
The DPA will assess penalties for non-compliance with or violations of the PDPA of up to ten million rupees—the equivalent of $130,000—for each violation. If the covered entity fails to pay this penalty, it may be liable for twice the initial amount.
Additionally, when a penalty is imposed under the PDPA, every director or officer responsible for “management and control” of the entity can be held liable for payment of the penalty, unless they can prove that they had no knowledge of the violation, and that they “exercised all due care and diligence to ensure the compliance.”
Impact of the Law
According to this report, Transparency International Sri Lanka (TISL) and seven media groups under Sri Lanka Press Institute have raised “serious concerns” over the implications and potential infringement upon professional journalists and media professionals.
According to the TISL, the PDPA’s broad definitions of “data controller” and “personal data” implicate those engaged in journalism, and the failure to carve out exceptions for the use of personal data by journalists results in a lack of recognition for “Journalistic Purpose.”
In response, Sabry made clear that the Act is intended to prevent any infringement on an individual’s privacy rights, and journalists will not be granted any “special rights beyond freedom of expression.” According to Sabry, “[t]here is nothing called journalist rights. In the country, journalist rights and people’s right—freedom of expressions—are one and the same[.]”
Covered entities under the PDPA should coordinate with their board to review current personal data governance policies and procedures, and to amend their policies or adopt new policies that will reflect the requirements of the Act, including instituting a sufficient data privacy compliance program, updating internal controls and processes, and training employees of the organization to comply with these changes.
Considering the substantial penalties that can be assessed upon detection of a violation, these reviews and policy changes should be a top priority for covered organizations.