PERSONAL DATA PROTECTION ACT IN SRI LANKA

In March 2022, Sri Lanka welcomed the Personal Data Protection Act No. 09 of 2022 (the "Act"), which provides mechanisms for protecting personal data while also facilitating growth and innovation in Sri Lanka's digital economy, with due protection for those identified as data subjects. The Act also aims to improve cross-border cooperation by ensuring interoperability among personal data protection frameworks. The law is modeled on the EU's General Data Protection Regulation (GDPR) and places significant responsibilities on controllers. The Act establishes safeguards for individuals' personal data held by government entities, telecom operators, hospitals, banks, and other public and private entities that aggregate and process personal data.

Importance of Personal Data Protection Act in Sri Lanka

A personal data protection law became necessary in light of the government's and private sector's digital strategies. The Act aims to strike a balance between the interests of businesses and organizations and the rights of individuals. It also seeks to ensure transparency and accountability in data processing operations.

Application

The Act applies to any processing of personal data that occurs in Sri Lanka. It also applies to controllers or processors who are based in Sri Lanka, are incorporated there, or provide goods or services to Sri Lankans. Notably, the Act only applies to businesses and excludes personal data processed "solely for personal, domestic, or household purposes" by an individual. The PDPA, like the GDPR, applies to all businesses, large and small. Smaller businesses that are subject to the law should carefully consider the compliance costs, which can be significant and potentially onerous.

To whom does this Act apply?

The Act is intended to apply to entities both within and outside of Sri Lanka, including those that provide goods or services to Sri Lankans, and it specifically targets data subjects in Sri Lanka. This could include digital platforms that provide services to Sri Lankans living outside of the country. The Act now, among other things, provides a legal framework for mechanisms to protect Data Subjects' personal data (as defined in the Act under Section 56). The Act requires Controllers to process data lawfully and in accordance with the processing obligations outlined in Part I of the Act (see Sections 5 to 12). Controllers who implement "a data protection management program" in accordance with Section 12 would be in compliance with Sections 5, 6, 7, 8, 9, 10, and 11. The Act also grants Data Subjects a variety of rights, referred to as "data subject rights" in Part II. Data Subjects are guaranteed the right to withdraw consent where data processing is based on consent, the right to object to data processing, the right of access and rectification, the right to erasure, and the right to request review of automated decision-making under certain conditions. However, it should be noted that Controllers have the authority to grant or deny such requests based on the criteria outlined in the Act.

Penalties

If, upon receipt of a complaint or otherwise, the Authority has reason to believe that any controller is engaged or about to engage in any processing activity in violation of the PDPA, or has contravened or failed to comply with the provisions of the PDPA or any rule, guideline, regulation, or order made under the PDPA or any other written law, the Authority may, after giving the controller or processor an opportunity to be heard and after such inquiry, issue a directive (Section 35 of the Act). A directive may direct that such entity:

  • stop and refrain from engaging in any processing-related act, course of conduct or omission;
  • perform such acts as the Authority deems necessary to remedy the situation; and
  • pay a sum of money as compensation to an aggrieved person who has suffered harm, damage or loss as a result of any contravention by a controller or processor, as determined by the Authority.

The penalties for non-compliance are as follows:

  • Under Section 38, the PDPA imposes a penalty of up to LKR 10 million for failing to comply with a directive issued under Section 35, taking into account the nature and extent of the non-compliance as well as its impact on data subjects.
  • If a controller or processor that has previously been penalised fails to comply with a directive on a subsequent occasion, it will be subject to an additional penalty of twice the amount imposed as a penalty on the second and subsequent non-compliance, in addition to the penalty imposed on the first and subsequent non-compliance.

Conclusion

The passage of Sri Lanka's Data Protection Act gives the Sri Lankan government clear leverage to bring about further changes once it has seen how the Act is implemented on the ground. It is hoped that the passage of the Sri Lankan Data Protection Act will also provide impetus for Indian legislators to pass their own Data Protection Act.
