The Sri Lankan Ministry of Digital Infrastructure and Information Technology (“MDIIT”) released the latest version of Personal Data Protection Act (“PDP Bill”) on September 24, 2019. Substantial modifications were made to the previous draft of the Bill based on consultations with key stakeholders[1]. To draft the PDP Bill, the Drafting Committee looked at international best practices and existing frameworks, such as the EU’s General Data Protection Regulation (“GDPR”), as well as other laws and frameworks enacted or being discussed in other jurisdictions, including the Indian Personal Data Protection Bill.[2]
In this post, we shall briefly compare the key differences under important data protection ‘themes’ of Sri Lanka’s PDP Bill and the GDPR. While the underlying principles and structure of the PDP Bill may be similar to the GDPR, some critical differences emerge between both. These differences may be important in developing a compliance and business strategy for businesses operating in Sri Lanka.
Extra territorial scope
The PDP Bill and GDPR both have extra-territorial scope, in relation to business taking place in either jurisdiction, or offering of goods and services, or monitoring and profiling of data subjects. The scope of the PDP Bill appears to have expanded from the previous draft. The PDP Bill now applies to such entities who offer goods or services to data subjects in Sri Lanka as against others who ‘specifically or systematically’ offered goods or services under the earlier framework[3]. This could include any service that is accessed through an online platform by a data subject in Sri Lanka even though such service may not necessarily be intended specifically for data subjects in Sri Lanka. This is broader than the GDPR’s territorial scope.
Data classification
The PDP Bill and the GDPR classify data into two identical categories of data: personal data and ‘special categories of personal data’ (“sensitive personal data”). Both legal instruments are wide-ranging as they define personal data in the context of identifiability. However, the definition of sensitive personal data under the PDP Bill is broader as it includes data of criminal proceedings and convictions and children’s data[4]. Also, unlike the GDPR, ‘biometric data’ includes ‘facial images’ under the PDP Bill[5]. Treating facial images and children’s data as a sensitive personal data will subject controllers and processors using such information to the strict onerous conditions for processing prescribed under the PDP Bill. Such requirements could impede development of technologies and innovation related to facial recognition and children’s data.
Further, unlike the GDPR, the PDP Bill does not explain what data would qualify as data revealing racial or ethnic origin and religious or political beliefs. This may result in situations where processing non-sensitive personal data may still result in heightened obligations. For instance, surnames may reveal a person’s ethnic origin, requiring them to be treated as sensitive personal data.
Grounds of processing
While the lawful ground for processing personal data are largely similar in both instruments, the GDPR offers greater processing flexibility to businesses in terms of processing sensitive personal data. For instance, unlike the PDP Bill, the GDPR enables processing of sensitive personal data for legitimate activities under specific conditions, along with processing necessary for effecting public health responses[6]. However, the Sri Lankan Government, in consultation with the Data Protection Authority (DPA), may notify any other lawful grounds for processing[7].
Obligations of controllers
The previous draft of the PDP Bill required mandatory registration of controllers (and processors). This has now been replaced by an accountability framework termed as the ‘Data Protection Management Programme’[8]. Similar to obligations under the GDPR, this entails that the controller maintain records of its data processing activities, conducts data protection impact assessments (DPIAs), facilitates exercise of user rights and has a grievance redressal mechanism, among others[9].
Of particular concern is the requirement that controllers conduct DPIAs when the processing is likely to result in high risk to to the ‘rights and freedoms of a data subject under any written law’[10]. DPIAs must also be conducted if the processing is for the purpose of profiling, large scale processing of sensitive personal data, monitoring of telecom networks or public spaces and/or and any other purposes that may be notified[11]. This requirement is particularly broad, as the potential of risks to a data subject under any law is hard to limit- meaning that a controller may be asked to conduct a DPIA under countless situations. Also, unlike the GDPR, the DPIA must be submitted to the DPA[12], who may stop the processing activity if it deems it to be ‘high risk’ after mandatory consultation[13]. Rather than advance the aim of an accountability-based approach, this has the potential to turn DPIAs into a tool of precautionary regulation which can delay the delivery of innovative products and services.
Obligations of processors
The single biggest difference between both instruments is that the PDP Bill appears to impose obligations on processors that are on par with those of controllers[14]. As such, processors will have to comply with the conditions of processing set out in four of the five schedules to the PDP Bill. Under the GDPR such obligations are only are reserved for controllers, and not processors. Further, failure to comply with the obligations imposed by PDP Bill would result in data processors being penalized, with a maximum penalty of 10 million Sri Lankan rupees[15]. Data processors under the GDPR are not subject to penalties for failure to comply with such obligations. These requirements, which are not in line with international standards, can increase processors’ regulatory burden and have an adverse impact on investments in data processing and outsourcing industry in Sri Lanka.
Cross-border data flows
Unlike the GDPR, personal data processed by a ‘public authority’ as a data controller is to be processed only in Sri Lanka, unless the DPA classifies such categories of personal data that are permitted to be processed outside Sri Lanka[16]. This may require data processors providing services to government entities to localize data in Sri Lanka- resulting in increased costs of such services.
Similar to the GDPR, the Sri Lankan government can prescribe a third country/territory/specified sectors in a third country with an adequate level of protection, where data can be processed subject to compliance with the other provisions of the PDP Bill[17]. However, to demonstrate compliance with the provisions of the Bill, the controller or processor has to enter into a legally binding and enforceable instrument with the recipient located outside Sri Lanka[18], or it has to adopt or enter into such other instrument that may be determined by the DPA[19]. However, there is no provision under the PDP Bill for conducting transfers with the consent of users- unlike the GDPR which provides derogations in cases where data subjects provide explicit consent.
Constitution of the DPA
The Sri Lankan government is empowered to set up or designate anybody- statutory or otherwise- as the DPA.[20] While the PDP Bill does not preclude the government from setting up an ‘independent’ DPA, this power in itself strongly suggests that the Government will have significant control over the DPA, and dilutes its legitimacy as an independent expert body. Further, the Sri Lankan government can issue directions to the DPA regarding the discharge of its functions, underlining the apparent lack of independence of the DPA[21]. This is in contrast to the GDPR, which mandates that the supervisory authority set up by a member-state must be an independent public body.
What lies ahead for the PDP Bill?
In November 2019, Sri Lanka elected Gotabaya Rajapaksa as its new President, who appointed Mahinda Rajapaksa, his brother, as the new Prime Minister.[22] He also appointed a new interim-Cabinet and dissolved the Parliament. The parliamentary elections, which were to take place in April 2020, have been postponed due to COVID-19[23]. While President Rajapaksa promised to introduce “new legislation” to ensure data protection in his election manifesto[24], it remains to be seen if the change in political leadership and a new government will affect the form and substance of the PDP Bill. Due to the unpredictable political climate in Sri Lanka, it is hard to predict the timelines for the introduction of the PDP Bill to Parliament, or if it is introduced at all in its current form.
This post is authored by Vijayant Singh, Associate, and Saumya Jaju, Associate with inputs from Nimisha Dutta, Consultant, at Ikigai Law.
For more on the topic, please feel free to reach out to us at contact@ikigailaw.com.
[1]MDIIT Press Release, dated 24th September, 2019 http://www.mdiit.gov.lk/index.php/en/digital-news/item/73-data-protection-legislation
[2] Id.
[3] Section 3(i)(iv), PDP Bill.
[4] Section 46, PDP Bill.
[5] Section 46, PDP Bill
[6] Article 9, GDPR.
[7] Section 43, PDP Bill.
[8] Section 13, PDP Bill.
[9] Section 13, PDP Bill.
[10] Section 23, PDP Bill.
[11] Section 23(3), PDP Bill.
[12] Section 23(5), PDP Bill.
[13] Section 24, PDP Bill.
[14] Section 21, PDP Bill.
[15] Section 32, PDP Bill.
[16] Section 25(1), PDP Bill.
[17] Section 25(2), PDP Bill.
[18] Section 25(3), PDP Bill.
[19] Section 25(4), PDP Bill.
[20] Section 27(1), PDP Bill.
[21] Section 41, PDP Bill.
[22] ‘Newly elected Sri Lankan President Gotabaya Rajapaksa picks brother as prime minister’, Straits Times, November 21, 2019, available at https://www.straitstimes.com/asia/south-asia/rajapaksa-picks-brother-as-prime-minister
[23] ‘Elections needed for a stable Government’, Daily News, May 04, 2020, available at http://www.dailynews.lk/2020/05/04/political/217822/elections-needed-stable-government
[24] Page 51, Gotabaya Rajapaksha, Election Manifesto, 2019, available at https://gota.lk/sri-lanka-podujana-peramuna-manifesto-english.pdf.