SLASSCOM, Sri Lanka’s national chamber for the IT-BPM industry, FITIS, Federation of Information Technology Industry Sri Lanka, and CSSL, the Computer Society of Sri Lanka, congratulated the Government’s recent move to pass the new Personal Data Protection bill, as part of the country’s efforts to move towards a modern digital state and economy, and was appreciative of the role played by the Ministry of Technology and ICTA. The Bill is the first of its kind to be passed in the South Asian region.

The new Bill defines measures to protect the personal data of individuals held by government entities, banks, telecom operators, hospitals and other public and private personal data aggregating and processing entities. The Bill mandates controllers to process data lawfully, to a specified, explicit, and legitimate purpose, and to ensure accurate, adequate and relevant processing that is backed by confidentiality and integrity of the personal data, limit retention of the data until the purpose is fulfilled and comply with the detailed transparency and accountability obligations.

Additionally, “data subjects” are guaranteed a host of rights by this bill as a means of harmonizing the interests of data subjects against the interests of the controllers. These rights can be exercised directly by the individuals with the controller and includes individuals right of appeal against the decision of controller to the data protection authority.

This legislation becomes one of the first such laws in South Asia. In drafting this Bill, the drafting committee had considered international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as United Kingdom, Singapore, Australia and Mauritius, the State of California as well as the Indian data protection bill and other international best practices.

Sri Lanka also recently signed the joint declaration on privacy and data protection, along with the EU, Australia, Comoros, India, Japan, Mauritius, New Zealand, South Korea and Singapore in Paris this year at the Ministerial Forum for Cooperation in the Indo-Pacific. The event brought together ministers from 27 EU countries and 30 from the Indo-Pacific region.

This aligns with SLASSCOM’s vision of achieving the goal of USD 5 billion in annual revenue, employing over 200,000 highly skilled professionals, and launching over 1,000 startups by 2025 as the Bill showcases Sri Lanka’s strong commitment to fostering the free flow of data with trust, while ensuring the right to privacy and protection of personal data.

This move also aligns with one of the FITIS mandates which is to lead and drive digital transformation in Sri Lanka moving towards a digital economy and encouraging private sector, public sector, and citizens towards digitization with the aim of helping Sri Lanka achieve 18% of its GDP through the Digital Economy by 2025, from the current level of 4.37% of its GDP.

SLASSCOM Chairperson Sandra de Zoysa, speaking on the pertinence of the Bill stated: “In a world where digitalization is growing rapidly, and countless people increasingly using online facilities every day, it is becoming more arduous to navigate and interact with the online world, from the collection and dissemination of individual’s personal data to the increasing lack of privacy. As such, this Bill aims to safeguard the rights of individuals and ensure consumer trust in information privacy in online transactions and information networks resulting from growth and innovation in the digital economy. This also stems from the fact that Sri Lanka treats the data generated by its citizens as a national asset.”

She also added: “With data being borderless and accessible, a country often faces the challenge of governing and regulating data and hence, a balanced and internationally aligned regulation is crucial and inevitable. Such regulation becomes important to ensure an orderly digital ecosystem which shall lead to a win-win situation for citizens, nations, and multinational corporations. Good data protection legislation, therefore, makes good economic sense.”

FITIS Chairman Prasad Samarasinghe stated “FITIS believes that the Personal Data Protection Bill is a positive step and serves as a catalyst to attract investment in BPO and other data processing industries.

FITIS would like to request all stakeholders, ICTA and Ministry of Technology to work together to ensure proper implementation of this new Legislation in collaboration with industry and professional bodies. For this bill to be fully operational, the Data Protection Authority should be established as soon as possible and professionals who have reached eminence in the fields, as prescribed in the law should be appointed to the Board. Strategic capacity building initiatives are required to be launched with support from private sector and there is a need to establish certification programs for privacy professionals. FITIS would join hands with other industry bodies to support these endeavors. FITIS is also confident that this bill would be continuously reviewed, and regular public feedback will also be sought to further refine it.”

CSSL President Damith Hettihewa commenting said “to stimulate the digital economy, timely policy initiatives backed by necessary legislation are critical. It is vital for progressive nations to identify necessary policy interventions in advance to reap the benefits of technological advancement as well as to be ahead in this fiercely competitive business environment. CSSL, welcomes the passing of the Personal Data Protection Bill and will fully support its implementation in a speedy manner to reap the benefits of this important piece of legislation for the country”.

Photo Caption - Left to right - SLASSCOM Chairperson Sandra de Zoysa, FITIS Chairman Prasad Samarasinghe, and CSSL President Damith Hettihewa