DLA Piper Intelligence
Data Protection Laws of the World

Law

Sri Lanka

At present, Sri Lanka does not have legislation in place that exclusively addresses data protection. However, there is existing legislation, such as the Banking Act No. 30 of 1988 (as amended), which provides for the protection of data on a sector-specific basis.

Sri Lanka is, however, currently in the process of enacting legislation for the purpose of protecting personal data. The Ministry of Digital Infrastructure and Information Technology of Sri Lanka introduced the first draft of the Personal Data Protection Bill (hereinafter referred to as the “bill”) in 2019.

On the 15th of November 2021, the bill was approved by the Cabinet of Ministers of Sri Lanka and subsequently published in the Government Gazette on the 19th of November 2021. 

It is currently awaiting approval by the Parliament of Sri Lanka. No exact time frame has been announced as to when this will take place. 

The bill is concerned with regulating the processing of personal data, with processing being given a wide definition to include “any operation performed on personal data” which includes but is not limited to the “collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination or the carrying out of logical or arithmetical operations on personal data”.   

The types of processing that fall under the ambit of the bill are:

  • the processing of personal data which takes place wholly or partly within Sri Lanka; or
  • the processing of personal data which is carried out by a controller or processor who:
    • is domiciled or ordinarily resident in Sri Lanka
    • is incorporated or established under any written laws of Sri Lanka
    • is subject to any written law of Sri Lanka
    • offers goods or services to data subjects in Sri Lanka, including the specific targeting of data subjects in Sri Lanka with such offers
    • specifically monitors the behaviour of data subjects in Sri Lanka, including profiling with the intention of making decisions in relation to the behaviour of such data subjects insofar as such behaviour takes place in Sri Lanka. 

The provisions of the bill will not extend to data which falls outside the confines of personal data, or to personal data which is processed purely for private, domestic or household purposes by an individual.

Last modified 21 Dec 2021

Definitions

Definition of Personal Data

Personal data is defined to mean “any information that can identify a data subject directly or indirectly, by reference to either an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that individual or natural person”. 

A ‘data subject’ is defined as “an identified or identifiable natural person, alive or deceased, to whom the personal data relates” and an ‘identifiable natural person’ is further qualified to be “a natural person who can be identified, directly or indirectly, by reference to any personal data”.

Definition of Sensitive Personal Data

Sensitive personal data, referred to as ‘special categories of personal data’ in the bill, involves personal data which reveals: 

  • racial or ethnic origin, which is defined as any personal data including photographs that may indicate or be related to the race or ethnicity of a natural person
  • political opinions
  • religious or philosophical beliefs
  • financial data, which is defined to mean an alpha-numeric identifier or other personal data which can identify an account opened by a data subject, or card or payment instrument issued by a financial institution to a data subject or any personal data regarding the relationship between a financial institution and a data subject, financial status and credit history relating to such data subjects, including data relating to remuneration
  • processing of genetic data, which is defined to mean personal data relating to the genetic characteristics of a natural person which gives unique information about the physiology or the health of that natural person which results from an analysis of a biological sample or bodily fluid of that natural person 
  • biometric data for the purpose of uniquely identifying a natural person. Biometric data is defined to mean personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, including facial images, dactyloscopy data or iris related data
  • data concerning health, which is defined as personal data related to the physical or psychological health of a natural person, which includes any information that indicates his health situation or status
  • data concerning a natural person’s sex life or sexual orientation
  • personal data relating to offences, criminal proceedings and convictions
  • personal data relating to a child, defined as a natural person who is below the age of 18 years.

Authority

A Data Protection Authority is yet to be established in Sri Lanka as the bill has not yet been enacted by the Parliament.

However, as per the provisions of the bill, the Minister who will be assigned the subject of data protection has the prerogative to designate a public corporation, statutory body or any other institution established and controlled by the government to be the Data Protection Authority in Sri Lanka (hereinafter referred to as the “Authority”). 

The objectives of the Authority upon its establishment shall be: 

  • regulating the processing of personal data.
  • safeguarding the privacy of the individuals from whom data will be collected from any adverse impacts of “digitalization of procedures and services”, both in the public and private sector.
  • providing mechanisms to guarantee the protection of personal data of individuals engaged in digital transactions and communications.
  • ensuring compliance with the provisions of the legislation. 

The bill also contains powers that will be vested with the Authority, duties and functions of the Authority and directives to be issued by the Authority in the event a controller or processor acts in contravention of the legislation.

Registration

The bill does not currently include the need for registration.

Data Protection Officers

Under the bill, each controller and processor is required to appoint a Data Protection Officer in the following circumstances:   

  • When personal data processing is done by a ministry, government department or public corporation, with the exception of the judiciary acting in its judicial capacity.
  • Where the core activities carried out by the controller or the processor involve:
    • operations which, due to their nature, scope or purpose, require systematic monitoring of the data subjects on a scale and magnitude as may be prescribed;
    • processing of special categories of personal data (i.e. sensitive personal data) on a scale and magnitude as may be prescribed; or
    • processing which results in a risk of harm, affecting the rights of the data subjects protected under the bill, based on the nature of processing and its impact on data subjects. 

The controller or processor has the responsibility to publish the contact details of the Data Protection Officer and communicate the details to the Authority. 

In the event the controller is a group of entities, the controller has the option to appoint a single Data Protection Officer, provided that the Officer is easily accessible to each entity. If the controller or processor is a public authority, a single Data Protection Officer can be designated for several such public authorities, after taking into consideration their organizational structure. 

As per the provisions of the bill the Data Protection Officer is required to possess the requisite academic and professional qualifications including “academic background, knowledge and technical skills in matters relating to data protection’’ and the ability to “implement strategies and mechanisms to respond to inquiries and incidents related to processing of personal data”. 

The responsibilities of the Data Protection Officer as stipulated in the bill will be as follows:

  • advising the controller or processor and their employees on the data protection requirements laid down by the proposed legislation or any other relevant law.
  • ensuring the controller or processor complies with the legislation.
  • facilitating capacity building of staff involved in processing of data.
  • providing advice on personal data protection impact assessments.
  • co-operating and complying with all instructions and directives issued by the Authority which relate to data protection.

Collection & Processing

Every controller must ensure that personal data is being processed for a “specific, explicit and legitimate purpose”, and that the personal data collected is not further processed in a manner which is incompatible with that purpose. 

The controller must confine processing to the defined purpose, by ensuring that personal data processed is “adequate, relevant and proportionate” to the extent necessary to achieve the purpose for which the data was collected or processed. 

The following information must be provided at the time the data is being collected from the data subject: 

  • identity and contact details of the controller
  • contact details of the data protection officer
  • the purpose for which the data will be processed and the legal basis for processing
  • the legitimate interest pursued by the controller or the third party
  • the categories of personal data being collected
  • recipients or third parties with whom their data will be shared
  • information on cross-border transfers
  • the time period for retention of the data
  • the rights of data subjects, such as the right to withdraw consent and the procedure to enforce these rights
  • the ability to file a complaint with the Authority
  • whether the provision of personal data is a statutory or contractual obligation or requirement and the consequences of failing to provide such data
  • the existence of automated individual decision-making, including profiling, information about the logic involved and potential consequences of processing for the data subject. 

When a controller intends to further process personal data for a purpose other than for which it was originally collected, the controller must provide the data subject with detailed information on the further processing and the purpose for it. 

When personal data has been obtained through means other than through a direct interaction with the data subject, the controller must provide the data subject with the source from which the personal data originates, and whether or not it came from a publicly accessible source where applicable, in addition to the information that would be required to be provided to a data subject had there been a direct interaction. 

The controller must provide the requisite information to the data subject:

  • within a reasonable period of time after obtaining the personal data, but at least within one month, having regard to the specific circumstances in which the personal data is processed;
  • if the personal data is to be used for communication with the data subject, at least at the time of the first communication with the data subject; or
  • if a disclosure to another recipient is envisaged, at least when the personal data is first disclosed.

Personal data may be lawfully processed under any one of the following grounds:

  • with the consent of the data subject to process his personal data
  • where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into a contract
  • where the processing of personal data is necessary to comply with a legal obligation to which the controller or the processor is subject
  • where processing of personal data is necessary to respond to an emergency that threatens the life, health or safety of the data subject or another natural person
  • where processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of authority conferred on the controller or processor
  • where processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where this interest is overridden by the interests of the data subject (in particular when the data subject is a child). To this end, a “legitimate interest” would include:
    • where the data subject is a client or in the service of the controller
    • where a data subject reasonably expects at the time, given the context of the collection of the personal data, that processing for that purpose may take place
    • where processing of personal data is strictly necessary for the purpose of preventing fraud
    • processing of personal data to the extent strictly necessary and proportionate for the purpose of ensuring network and information security. 

Special categories of personal data

Special categories of personal data may be lawfully processed under any one of the following grounds: 

  • The data subject has given consent to the processing of special categories of personal data, unless processing of such personal data is prohibited by another written law, in which case, the data subject’s consent is not a consideration. If the data subject is a child, consent must be obtained from the parent or legal guardian of the child.
  • Processing is necessary for the purpose of carrying out the obligations of the controller and exercising of the rights of the data subject, in the field of employment, social security and for public health purposes (including ensuring public safety, preventing and controlling communicable diseases and other serious threats to public health).
  • Processing is necessary to respond to an emergency that threatens the life, health and safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent.
  • Processing relates to personal data which is manifestly made public by the data subject.
  • Processing is required for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • Processing is necessary for a purpose mandated by written law, which should be “necessary and proportionate” to the aim pursued, while providing suitable and specific measures to safeguard the rights and freedoms of the data subject.
  • Where necessary for preventative or occupational medicine, medical diagnosis, the provision of care or treatment and the management of health care services. In this instance the data should be processed by a health professional licensed under and authorised by Sri Lankan law.
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the law, provided suitable and specific measures are taken to safeguard the rights and freedoms of the data subjects.

A controller has the following obligations: 

  • Ensuring that personal data that is processed is accurate and kept up to date, with every reasonable step being taken to erase or rectify any inaccurate or outdated personal data without undue delay.
  • Ensuring that personal data is kept in a form which permits identification of data subjects only for such period which is necessary or required to achieve the purpose for which the data was processed. A controller may store personal data for longer periods if the personal data is being processed further for archiving purposes in the public interest, scientific research, historical research or statistical purposes.
  • Ensuring integrity and confidentiality by using measures such as encryption, pseudonymisation, anonymisation or access controls in order to prevent the unauthorised or unlawful processing of personal data or loss, destruction or damage of personal data.
  • Processing personal data in a transparent manner, by providing data subjects with information relating to the collection of data and information regarding any decisions made in relation to requests made by data subjects, in writing or by electronic means and “in a concise, transparent, intelligible and easily accessible form”.
  • Ensuring that the processor (who is carrying out processing on behalf of the controller) is bound by a contract setting out the parameters of such processing, and is using appropriate technical and organizational measures to protect the rights of the data subjects. 

Two or more controllers may jointly determine the purposes and means of processing. Such controllers will be referred to as “joint controllers” who will be jointly responsible to honour these obligations. 

Rights of Data Subjects 

The proposed legislation has highlighted the rights of data subjects to a significant extent. A controller must respond to any written request made by a data subject, pertaining to his rights, within twenty-one working days of receiving the request.   

The right to access personal data

Every data subject has the right to access their personal data and to be provided with confirmation as to whether such personal data has been processed, by submitting a written request.

Right to withdraw consent and object to processing

Every data subject has the right to withdraw consent at any time and the right to request a controller to refrain from further processing of the data subject’s personal data, provided the processing was based on the data subject’s consent. 

Right to rectification or completion

Every data subject has the right to request a controller to rectify or complete any personal data that is inaccurate or incomplete. 

Right to erasure

The data subject may, under a limited set of circumstances, request the controller to erase his personal data. This includes when a controller is in contravention of his obligations and when the erasure is mandated by a written law or order of a competent court. 

The right to appeal

A data subject has the right to appeal to the Data Protection Authority when a controller: 

  • fails to refrain from further processing of the data subject’s personal data
  • refuses to rectify or complete personal data
  • refuses to erase personal data
  • refuses a data subject’s request based on reasons such as national security interests or public order
  • refuses the request to review a decision made by the controller which is based solely on automated processing. 

Automated individual decision making

Every data subject has the right to request a controller to review a decision made by the controller which is based solely on automated processing, which has or has the potential to create an “irreversible and continuous impact on the rights and freedoms of the data subjects under any written law”. 

However, this is not an absolute right and will not be enforceable if the controller’s decision, based on automated processing, is: 

  • authorized by a written law
  • authorised in a manner determined by the Authority
  • based on the consent of the data subject
  • necessary for entering into or the performance of a contract between the data subject and the controller (this will not apply to special categories of personal data). 

Processing of personal information for criminal investigations 

Processing of personal data relating to lawful investigations of offences or related to security measures is lawful, contingent on being in line with applicable written laws and providing appropriate safeguards for the rights and freedoms of data subjects.

Transfer

When a public authority processes personal data as a controller or processor, personal data may only be processed in Sri Lanka, and shall not be processed in a third country unless the Authority in consultation with the controller or processor and the relevant regulatory or statutory body, classifies the categories of personal data which may be permitted to be processed in a third country, prescribed by the Minister pursuant to an adequacy decision.

In making an “adequacy decision” the relevant written law and enforcement mechanisms in the specific country relating to the protection of personal data is taken into consideration, along with the processing criteria in that country and such other prescribed criteria relating to the processing of personal data in a third country. 

Any such “adequacy decision” made by the Minister will be subject to periodic monitoring of any developments in the third country that may affect the decision, and the decision may be reviewed by the Minister at least every two years. Such adequacy decision will remain in force until amended or revoked by the Minister in consultation with the Authority.

A controller or processor, who is not a public authority, may process personal data: 

  • in a third country pursuant to an adequacy decision; or
  • in a country, which is not a “third country prescribed pursuant to an adequacy decision”, only when the controller or processor can ensure compliance with the obligations imposed under the bill. 

In doing so, in order to ensure compliance, a controller or processor must adopt an instrument, which may be specified by the Authority, to ensure binding and enforceable commitments of the recipient in the third country to ensure the rights of the data subjects are protected and the remedies offered by the legislation are followed.

Security

The bill has put in place procedures and measures to ensure the protection of personal data. 

Every controller must ensure integrity and confidentiality of the personal data that is being processed by using appropriate technical and organisational measures including encryption, pseudonymisation, anonymisation or access controls or such other measures as may be prescribed so as to prevent unauthorised or unlawful processing of personal data or loss, destruction or damage of personal data.

In addition, every controller has a duty to implement internal controls and procedures by way of a “Data Protection Management Programme” that: 

  • establishes and maintains duly catalogued records to demonstrate the manner in which the implementation of the data protection obligations stipulated in the bill are being carried out by the controller
  • is designed on the basis of structure, scale, volume and sensitivity of the processing activities of the controller
  • provides for appropriate safeguards based on data protection impact assessments (elaborated on hereinbelow)
  • is integrated into the governance structure of the controller. 

A “personal data protection impact assessment” will have to be carried out by a controller where processing involves: 

  • systematic and extensive evaluation of personal data or special categories of data, including profiling
  • systematic monitoring of publicly accessible areas or telecommunication networks
  • a processing activity, taking into consideration the scope and risks associated with the processing.

A fresh personal data protection impact assessment must be conducted by the controller whenever there is any change in the methodology, technology or process adopted in processing the personal data. 

Where a personal data protection impact assessment indicates that the processing of certain personal data could result in a risk of harm to the rights of the data subjects, the controller must take the necessary measures to mitigate the risk prior to the processing of the personal data. If, after taking measures to mitigate the risk, the controller is still unable to do so, a consultation with the Authority will be required prior to the processing of such data.

Breach Notification

In the event of a data breach, a controller must notify the Authority of the breach, within a time limit that will be determined by rules made under the bill, upon its enactment.

A personal data breach per the bill is defined to include any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. 

After the bill comes into force, the Authority will stipulate by way of rules, the circumstances when the Authority must be notified of any data breaches, when an affected data subject should be notified of a breach, the form the notification of the breach should take and the information that should be provided in the notification.

Enforcement

The Authority may conduct an inquiry on receipt of a complaint or where the Authority has reason to believe that a controller or processor has acted in contravention of the legislation or has failed to comply with the provisions of the bill.

Upon conducting an inquiry, the Authority may issue a directive requiring the controller or processor either to rectify the situation or to cease and refrain from the conduct in question.

A controller or processor who fails to comply with the directive may be subject to a penalty, which may not exceed rupees ten million (Rs. 10,000,000) for each non-compliance. 

In addition, if, after being subject to a penalty on a previous occasion, a controller or processor fails to conform to a directive, an additional penalty may be levied.

A controller or processor may appeal to the Court of Appeal within twenty-one working days, from the date of notification of the penalty, where the burden of proof will be with the controller or processor, to prove compliance with the legislation. 

When imposing a penalty, the Authority would have to take the following into consideration: 

  • the nature, gravity, and the duration of the contravention and the nature, scope and purpose of the processing in question, along with the number of data subjects affected and the level of damage suffered by them
  • any action taken by the controller or processor to mitigate the damage suffered by the data subjects
  • the effectiveness of the controller’s “data protection management programme”
  • the degree of cooperation with the Authority, in order to remedy the contravention and mitigate the adverse effects caused by the contravention
  • the categories of personal data affected by the contravention
  • the manner by which the Authority came to know of the contravention, in particular if the controller or processor notified the Authority of the contravention
  • any previous non-compliance by the controller or processor
  • any other aggravating or mitigating factors including any financial benefits gained or losses avoided as a result, either directly or indirectly, of the contravention.

Electronic Marketing

A controller may use electronic means for the purpose of disseminating marketing messages only if the data subject has consented to receiving such messages (referred to as “solicited messages”). 

A data subject has the ability to opt-out of receiving solicited messages free of charge. A controller must provide information to the data subject on how to opt-out of the solicited messages, both at the time of collecting contact information and each time a message is sent to the data subject. 

Online Privacy

Whilst the bill safeguards online privacy, special provisions are not set out for online cookies etc.

Location data falls within the definition of personal data, as such all rights of a data subject in relation to personal data will extend to location data.

Contacts

Shanaka Gunasekara
Partner
T +94773741097