Background

Sri Lanka until recently did not have legislation pertaining to protection of data and privacy, although different sector specific laws such as the Computer Crimes Act No. 24 of 2007, the Banking Act No. 30 of 1988, the Electronic Transactions Act No. 19 of 2006, the Right to Information Act No. 12 of 2016 and the Telecommunications Act No. 25 of 1991 recognize the need for privacy and confidentiality. Identifying this lacuna, the Personal Data Protection Bill was first published as a draft bill in 2019. It was subject to several rounds of revisions, and subsequently was passed by the Parliament of Sri Lanka on 19 March, 2022 as the Personal Data Act No. 9 of 2022 (“PDPA”).

Although certified by the Speaker of Parliament, except for Part V of the PDPA which deals with provisions relating to the regulator under the law, i.e. the Data Protection Authority, the PDPA is yet to become operative as it provides for different time periods within which certain parts of the law would come into force, allowing controllers and processors a much-needed grace period. The majority of the law will come into operation within 18 to 36 months from the 19 March, 2022, while the part governing the sending of marketing messages using personal data would become operative within 24 to 48 months from the 19 March, 2022. With regard to Part V, it should be noted that an order has been issued by the Minister of Technology which provides that the said Part V of the PDPA has been brought into operation on 17 July, 2023. Accordingly, the Data Protection Authority is now in the process of being established, upon the completion of which the other parts of the PDPA are expected to follow suit.

The PDPA is primarily inspired by the European Union's General Data Protection Regulation (“GDPR”) and, therefore, shares many similarities with the GDPR.

The PDPA applies both territorially to the processing of personal data where such processing takes place wholly or partly within Sri Lanka, or by a person or entity within Sri Lanka; and extraterritorially, in so far as a person or entity outside Sri Lanka provides goods or services to individuals within Sri Lanka or monitors the behaviour of individuals within Sri Lanka.

The PDPA requires controllers and processors which are not public authorities to appoint a Data Protection Officer (“DPO”) where their core activities consist of:

• processing operations that require regular and systematic monitoring of data subjects on a prescribed scale or magnitude;
• processing special categories of personal data on a prescribed scale or magnitude; or
• processing which results in a risk of harm to the rights of the data subjects protected under the PDPA.

The PDPA permits a group of entities to appoint a single DPO provided, however, such DPO is easily accessible by all of the group entities.

Such DPO is required to be a competent individual possessing academic and professional qualifications in matters relating to data protection.

The specific responsibilities of the DPO as per the PDPA includes:

• advising controllers or processers on data processing requirements;
• ensuring on behalf of the controller or processor that the requirements of the PDPA are met;
• enabling capacity building of staff engaging in data processing operations;
• advice on personal data protection impact assessments; and
• co-operation and compliance with all directives and instructions issued by the Authority.

Similar to the GDPR, the PDPA enshrines certain principles governing the collection and processing of personal data. Each controller must ensure that personal data is processed in compliance with such principles, which are as follows.

• process lawfully;
• process for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes;
• process personal data which is adequate, relevant and limited to the purpose;
• ensure that personal data is accurate and where necessary kept up to date;
• keep personal data in a form which permits identification of data subjects for no longer than is necessary, for the purpose(s) for which the data are processed;
• process in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures;
• process in a transparent manner, providing information on such processing to data subjects; and
• ensure accountability in processing by the implementation of internal controls and procedures that are able to demonstrate compliance with the PDPA, identified as the “Data Protection Management Programme”.

In order to ensure that processing is ‘lawful’ whenever personal data is processed, such processing should be based on the most appropriate legal basis out of the following grounds provided under the PDPA:

• consent of the data subject (consent should be freely given, specific, informed and unambiguous indication in writing or by affirmative action and capable of being withdrawn at any time);
• necessary for the performance of a contract with the data subject in order to take steps at the request of a data subject to enter into a contract with such data subject;
• necessary for compliance with a legal obligation to which the controller / processor is subject to under Sri Lanka law;
• necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person;
• necessary for the performance of a task carried out in the public interest or in the exercise of powers, functions or duties imposed under Sri Lanka law; or
• necessary for the purposes of legitimate interests of the controller or a third party (subject to an assessment where the interests of the controller should be balanced against the rights of the data subjects and accordingly, must not override the interests of the data subject, especially when the data subject is a child).

In addition to the aforesaid lawful grounds, if processing special categories of personal data, a controller is required to satisfy one of the following additional conditions, on the objective basis of being most appropriate:

• consent of the data subject, which in the case of a child will mean the consent of the parent or legal guardian;
• processing is necessary for the purposes of carrying out the obligations of the controller and exercising of the rights of the data subject, in the field of employment, social security including pension and for public health purposes in so far as it is provided for in Sri Lanka Law, providing for appropriate safeguards for rights of the data subject;
• processing is necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person who is incapable of giving consent;
• relates to personal data which is manifestly made public by the data subject;
• processing is necessary for the establishment, exercise or defence of legal claims;
• processing is necessary for any purpose as provided for under any written law in Sri Lanka or public interest;
• processing is necessary for medical purposes and where such data is processed by a health professional licensed under or authorized by any written law in Sri Lanka; or
• processing is necessary for archiving purposes in the public interest, scientific, historical research or statistical purposes in accordance with law.

In addition to the aforesaid lawful grounds, if processing special categories of personal data, a controller is required to satisfy one of the following additional conditions, on the objective basis of being most appropriate:

Transparency is an important principle enshrined in the PDPA and, as stated above, it aims to ensure that data subjects are aware of how their personal data is processed and understand their rights pertaining to such data.

Accordingly, the PDPA requires controllers to provide detailed information to data subjects in a concise, transparent, intelligible and easily accessible form. Therefore, providing the following information to data subjects at the point of collection of their personal data is imperative, which can be fulfilled by the provision of a privacy notice:

• identity and contact details of the controller;
• contact details of the data protection officer (where there is a DPO);
• intended purpose for collecting personal data and the legal basis for the processing;
• legitimate interest pursued by the controller (where applicable);
• categories of personal data collected;
• right of data subjects to withdraw consent for processing and method of withdrawing such consent (if processing is based on consent);
• recipients and third parties with whom personal data will be shared;
• details of cross border data transfer;
• period of data retention;
• rights of data subjects with regard to their personal data and how such rights may be exercised;
• right to file a complaint with the Data Protection Authority (“Authority”);
• whether the provision of personal data is a statutory or contractual requirement and the consequences of failing to provide such personal data;
• the existence of automated individual decision-making including profiling and the consequences for the data subject.

In addition, when a controller intends to process personal data for a new purpose, a data subject must be informed of such further processing, providing them with the information set out above.

If in any event personal data is collected via means other than direct collection from the data subject, the above information should be provided to the data subject within one month or at the time of the first communication to that data subject or when the personal data is first disclosed to another recipient, whichever event occurs first.

The PDPA provides a series of rights for data subjects, largely similar to that of the GDPR. A controller must respond to any written request made by a data subject pertaining to his rights within 21 working days of receiving the request.

Right to access personal data: data subjects have the right to access their personal data, be provided with confirmation as to whether such personal data has been processed and be provided a copy of such personal data by submitting a written request.

Right to withdraw consent: if processing is based on consent, the data subject has the right to withdraw such consent at any time and the right to request a controller to refrain from further processing of the data subject’s personal data, provided the processing was based on the data subject’s consent.

Right to object to processing: data subjects have the right to object to further processing beyond the original purpose for which it was collected where such processing is based on the grounds of legitimate interests or public interest.

Right to rectification or completion: data subjects have the right to request a controller to rectify or complete any personal data that is inaccurate or incomplete.

Right to request a review of automated decisions: a data subject has the right to request for a review of a decision made by a controller based solely on automated processing which is likely to create “an irreversible and continuous impact on the rights and freedoms of the data subject” under Sri Lankan law, unless such automated processing is:

• authorized by Sri Lanka law;
• authorized in a manner determined by the Authority;
• based on the data subject’s consent; or
• necessary for entering into a performance of a contract between the data subject and the controller.

A controller is permitted to refuse to a request of a data subject based on the above rights only in limited instances, having regard to the following:

• national security;
• public order;
• any inquiry, investigation or procedure carried out under Sri Lanka law;
• the prevention, investigation and prosecution of criminal offences;
• the execution of criminal penalties;
• the protection of the rights and fundamental freedoms of persons under Sri Lanka law;
• where the controller is unable to establish the identity of a data subject;
• the requirement to process personal data under any other law in Sri Lanka

he PDPA allows for cross-border data flow and the processing of data in a third country outside Sri Lanka, subject to the parameters set out in the PDPA.

In case of a public authority acting as a controller or a processor, such transfer should only be made to a third country prescribed pursuant to an adequacy decision. The Minister in charge of the subject matter has the power to make an adequacy decision in consultation with the Authority, and factors such as the relevant written laws and the enforcement mechanisms available in such third country will be considered in making such an adequacy decision.

A controller or processer that is not a public authority may also process personal data in a third country subject to an adequacy decision. If no adequacy decision has been made, personal data may be transferred to such third country only where the controller or processor effecting such transfer is able to ensure compliance with the obligations imposed under Part I, II and sections 20 to 25 of the PDPA by the imposition of appropriate safeguards. The transferor effecting such transfer is required to adopt an instrument that may be specified by the Authority in order to ensure compliance with the provisions of the PDPA by the transferee.

It is noteworthy that no such adequacy decisions have been made yet, considering the fact that the majority of the law is yet to become operative.

In the absence of an adequacy decision or appropriate safeguards, the PDPA provides the following limited instances where personal data could still be transferred to a third country (provided that the transferor in such instance is not a public authority):

• the data subject has explicitly consented, upon having been informed of the risks of such processing;
• the transfer is necessary for the performance of a contract between the data subject and the controller, or the implementation of any pre-contractual measures taken by the controller at the request of the data subject;
• the transfer is necessary for the establishment, exercise or defence of legal claims relating to the data subject;
• the transfer is necessary for reasons of public interest;
• the transfer is necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another person and where the data subject is incapable of giving consent; or
• any other condition that may be prescribed under the PDPA in the future.