S-E Asia gearing up for Data Protection: Sri Lankan Framework on Data Protection Legislation

The Sri Lankan Ministry of Digital Infrastructure and Information Technology introduced the framework for the proposed Personal Data Protection Bill on June 12, 2019. ‘Data Protection Legislation’ is an important public policy consideration for the Sri Lankan government in the context of “digital transformation taking place in Sri Lanka with government agencies, Banks, Telco’s, ISPs and private sector collecting personal data via the Internet,” according to the official press release. It is also important as “the Right to Information Act (2016) is currently being implemented in Sri Lanka, pursuant to Article 14A of the Constitution, where the right to privacy is an exception”.

To draft the legislation, the Drafting Committee looked at international best practices, such as the EU General Data Protection Regulation as well as the laws enacted in other jurisdictions, “such as Australia, Singapore and the Indian Draft Legislation”.

The Framework has been introduced for stakeholder comments and will now be reviewed by an Independent Review Committee.

The objective of the Framework

As per the Preamble, the Framework aims to:

  1. Protect personal information while ensuring the rights of natural persons with regard to the processing of such information
  2. Improve consumer confidence and ensure the growth of digital democracy and innovation and promote both the protection of personal data and its use in Sri Lanka while respecting domestic laws and regulations and international standards
  3. Enable the Government to regulate the processing of personal data and to ensure confidence in the privacy and security of online transactions and information networks and actively participate in an information-driven global economy
  4. Improve interoperability among privacy frameworks as well as strengthen cross-border co-operation among enforcement authorities and provide clear guidance and direction to entities located or operational in Sri Lanka on generic data protection issues and their impact.

What is ‘Personal Data’?

‘Personal Data’ means any information, whether true or not, relating to an identified or identifiable natural person, that is, a data subject.

‘Personal Data Breach’ means any act or omission that consequently results in accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data of the data subject.

What are ‘Special Categories of Data’?

Special categories of data are any personal data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, financial data, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning natural person’s sex life or sexual orientation, personal data relating to offence, criminal proceedings and convictions, personal data relating to a child” and any other personal data that the Minister may determine upon the recommendation of the Data Protection Authority (DPA) as established from time to time by Regulation in accordance with the proposed Framework.

What is the ‘Data Protection Authority’ (DPA)?

Part VII of the Framework provides for the establishment of the Data Protection Authority (the “Authority”) of Sri Lanka. It will be the apex body for all matters related to data protection and for implementation of the proposed Act. It will be responsible for maintaining the Register of controllers, and giving directions, issuing guidelines and undertaking training for controllers.

The following are among the significant powers vested in the Authority:

  1. To enforce its orders or determinations made under this Act against a controller or processor through prosecution;
  2. The Data Protection Authority has the power and the duty to prosecute offences under this Act;
  3. The Authority may carry out periodic audits in relation to any processing activity carried out by a controller or processor to ensure compliance with this Act.

“For the purpose of investigating into a complaint received by the Authority, holding an inquiry in relation to an appeal or making an order under section 38:

  1. require any person to appear before it;

  2. examine such person under oath or affirmation and require such person where necessary to produce any information related to processing

  3. to inspect any information strictly related to the processing in question that is held or controlled by a controller or processor by an officer authorized on that behalf by the Authority. In any event, such officer shall be a senior staff member of the Authority having relevant expertise to conduct such inspection.

  4. make a determination in accordance with the provisions of this act with due consideration of the information available to it.”

Application of the proposed legislation

Part I says that the proposed legislation applies to the processing of data that will take place:

  1. wholly or partly within Sri Lanka; or
  2. by a controller or processor which is resident, incorporated or subjected under Sri Lankan law, or a controller or processor which is offering “goods/services to data subjects in Sri Lanka”, or “who monitors the behaviour of data subjects in Sri Lanka including profiling in so far as such behaviour takes place in Sri Lanka”.

However, the provisions will not apply to the processing of data that is for “purely personal or household purposes” or when the data is anonymised. Also, it will not apply to the processing of data which is done by any government department, provincial council or any other regulatory body for lawful purposes.

Data Protection Principles

Part II of the proposed legislation provides that processing and controlling of data will be lawful only when it is done in accordance with the following principles:

  1. Personal data shall be processed lawfully, fairly and in a transparent manner;
  2. Personal data shall be collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with the said purposes;
  3. Processing shall be adequate, relevant, necessary, proportionate to the purposes for which the personal data is processed;
  4. The controller shall ensure that personal data that is processed is accurate and, where necessary, kept up to date with every reasonable step being taken to ensure that any inaccurate personal data are rectified or erased without delay;
  5. Personal data may be kept in a form which permits the identification of data subjects for such period as may be necessary for the purposes for which the personal data is processed; and
  6. Personal data shall be processed in a manner that ensures appropriate security of personal data using appropriate technical or organisational measures.

Rights of Data Subjects

Part III lays out the following rights of the Data Subject, inter alia:

  1. The Data Subject shall have the right to withdraw consent for the processing of their personal data. The Data Subject can request the withdrawal of consent from the controller in writing.
  2. The Framework entitles Data Subjects to obtain access to their personal data and information at any time they request. Data Subjects shall also have the right to request rectification of any inaccurate personal data that has been processed.
  3. The Data Subject can also request that the controller erase/delete personal data which has been unlawfully processed, or processed pursuant to a legal obligation, or processed when such processing is no longer necessary or processed when such processing is no longer legitimate.
  4. The Framework enables Data Subjects to claim the aforementioned rights by directly approaching the controller of the personal data and, in cases in which the controller restricts the Data Subject’s request, through an appeal to the Authority.

Scope of Controllers and Processors of the Data

Registration requirements

Part IV of the Framework obligates controllers and processors to register with the Authority. They have to apply for registration, within the prescribed time period, in the prescribed form, which will require complete details of the processing of personal data and the safeguards they have adopted to protect it. The Authority shall keep and maintain a Register of the registered controllers in such form and manner as may be prescribed.

The Framework also requires the controller and processor to designate a Data Protection Officer. A holding company may appoint a single data protection officer for all its subsidiaries. The Officer will advise on applicable data processing requirements and data protection impact assessment, ensure compliance with the applicable law, and cooperate with the Authority for controllers and processors.

Duties and obligations

The Framework imposes certain duties and obligations on the controller, inter alia:

  1. The controller shall implement appropriate technical and organisational measures such as encryption, pseudonymisation, anonymisation, data minimisation techniques, privacy-by-design techniques, adopt privacy enhancing technologies as applicable, to ensure and to be able to demonstrate that processing is done in accordance with the provisions of this Act;
  2. Conduct privacy impact assessments when required by this Act and in accordance with the provisions of this Act;
  3. Implement internal oversight mechanisms and integrate such mechanisms into its governance structure.

“Where processing is to be carried out by a processor on behalf of a controller:

  1. the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Act and ensure the protection of the rights of the data subject as guaranteed by this Act;
  2. Any processing by a processor on behalf of the controller shall be governed by a contract or any other written law that is binding on the processor that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”

The Framework further sets out the duties and obligations of the processor, which can only process personal data in accordance with the documented instructions from the controller.

The Framework obligates the processor, inter alia, to:

  1. ensure that its personnel are bound by contractual obligations on confidentiality and secrecy (personnel means any employee, consultant, agent, affiliate or any person who is contracted by the processor to process personal data);
  2. assist the controller by appropriate technical and organisational measures for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in this Act;
  3. assist the controller in ensuring compliance with the obligations under this Act;
  4. allow for and contribute to audits, including inspections upon the controller’s request.

The processor shall remain liable to the controller for performance at all times, even when the processor appoints a ‘sub-processor’.

Data breach notifications

On becoming aware of a personal data breach, the controller shall inform the Authority without undue delay and, in any event, within the prescribed time and in such manner and form as prescribed by the Authority.

Data protection impact assessments

The Framework makes it mandatory for the controller to carry out a privacy impact assessment whenever a type of processing is likely to result in a high risk to the rights of the Data Subject. The controller shall seek the advice of the data protection officer, where designated, when carrying out a data protection impact assessment. Such an impact assessment is mandatory in cases where there is:

  1. a systematic and extensive evaluation of personal data such as profiling;
  2. processing on a large scale of special categories of data;
  3. monitoring of publicly accessible areas or telecommunication networks or any other processing activity as prescribed under the proposed Act.

The Authority will issue guidelines through the official gazette on the form and manner in which privacy impact assessments are to be carried out by the controller.

Certain exceptions

Part V provides certain exceptions to the protection of personal data as provided by law for “the protection of national security, defence, public safety, economic and financial wellbeing [sic] of Sri Lanka, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest”, and for the protection of “rights and fundamental freedom” of Data Subject and others, “notably freedom of expression and right to information”.

Cross-border flow of personal data

Part VI lays out the rules for the cross-border flow of personal data:

  1. A controller and processor can only process data at a location outside Sri Lanka if the location has been prescribed by the Minister as a place which ensures an adequate level of protection for personal data in accordance with the provisions of this proposed Act.
  2. Otherwise, the controller and processor have to provide safeguards and ensure effective remedies for Data Subjects in order to process the data at a location outside Sri Lanka.
  3. The DPA will prescribe by rules the conditions under which a controller or processor has to obtain the prior authorization of the Authority in order to process data outside Sri Lanka.

Use of personal data for direct marketing

Part VIII defines how personal data may be used for direct marketing.

‘Direct marketing communications’ means any form of advertising, directly or indirectly, whether written or oral, sent to one or more identified or identifiable end-users via electronic or digital communication or telecommunication services or any other means including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.

Any natural or legal person who wants to use electronic or digital communication and any other services to send direct marketing communications to end-users of such services has to obtain the “unambiguous consent” of such end-users. However, with each such direct communication, the end-user will be provided with the right to object. If an end-user exercises the right to object, the natural or legal person has to comply with the request.

Imposition of penalty

In Part IX, the Framework prescribes the penalty that will be imposed upon a person who fails to comply with the proposed Act, taking into account the nature and gravity of the relevant non-compliance.

The penalty will not exceed 2% of the person’s total worldwide turnover or rupees 25 million, whichever is higher. If a person doesn’t conform to the provisions of the proposed Act even after being penalized once, then he/she will “be liable to the payment of an additional penalty in a sum consisting of double the amount imposed as a penalty on the first occasion”.

Such imposition of penalty will not preclude a supervisory authority from taking any regulatory or disciplinary measures (cancellation of license, suspension, etc.) against such a controller or processor.

“Cyber Security Bill” of Sri Lanka: S-E Asia moving for enhanced Cyber-Security Framework

The Sri Lankan government has drafted a new ‘Cyber Security Bill’ to protect vital information and essential services from cyber attacks.

The Cyber Security Bill vests in the Government the powers to establish a ‘Cyber Security Agency’ and to empower the Sri Lanka Computer Emergency Readiness Team and the National Cyber Security Operations Centre, which aim to protect “Critical Information Infrastructure”, which is necessary for the continuous delivery of essential services of the country.

The draft bill awaits cabinet approval and will be presented thereafter to Parliament, according to the non-cabinet minister of Digital Infrastructure and Information Technology, Ajith P. Perera. The minister said that public opinion will be sought on the proposed Bill in a public consultation forum to be held on June 6. He also said that the draft of the comprehensive Data Protection legislation has also been completed, would be presented to the cabinet and will be legislated in three months.

Understanding Sri Lanka’s new “Cyber Security Bill”

The objective of the “Cyber Security Bill”

The Bill has been proposed with the objective to provide an essential component that will (i) ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka; (ii) prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently; (iii) establish the Cyber Security Agency to strengthen the institutional framework for cyber security and (iv) protect the Critical Information Infrastructure.

In November 2018, the Government of Sri Lanka introduced Sri Lanka’s first Information and Cyber Security Strategy, to be implemented over a period of five years from 2019 to 2023. It is an institutional framework which aims to create a trusted and resilient cyber security ecosystem, enabling Sri Lankan citizens to have safe access to digital benefits and facilitating a better future.

What is ‘Critical Information Infrastructure’?

“Critical Information Infrastructure” (CII) includes all computers or computer systems located wholly or partly in Sri Lanka that are necessary for the continuous delivery of essential services for public health, public safety, privacy, economic stability, national security, international stability and for the sustainability and restoration of critical cyberspace. It also includes any computer system whose disruption or destruction would have a serious impact on the functioning of the government.

Cyber Security Agency of Sri Lanka

  1. Establishing a new Cyber Security Agency

The Bill proposes to establish an agency which will be the “Apex and Executive body” for all matters relating to cyber security policy in Sri Lanka. It will be responsible for the implementation of the National Cyber Security Strategy “including preparation and execution of operational strategies, policies, action plans, programs and projects”.

  2. The Management and Administration of the Agency

The management and administration of the affairs of the Agency shall vest in a Board of Directors consisting of the Secretary to the Ministry of Defence, the Secretary to the Ministry of Public Administration, a member nominated by the Board of the Sri Lanka Computer Emergency Readiness Team (SL-CERT), the Secretary to the Ministry which is responsible for implementation of the proposed Act, and three expert members appointed by the responsible Minister.

  3. Powers and Functions of the Agency

One of its main functions is to identify a computer or computer system and recommend that the responsible Minister designate it as CII, and further to develop strategies and plans for the protection of the CII.

It will act as the central point of contact for all government institutions and other relevant sectors of the country in respect of cyber security measures.

The Agency will ensure effective compliance by requesting the submission of compliance reports from designated CIIs and other government institutions, which will include a cyber security assessment and information relating to the steps taken to protect the CIIs.

The Agency or any other officer authorized by the Agency has, on reasonable grounds, the power to enter, inspect and search the premises of designated CIIs. It can examine any documents, records and persons pertaining to such CIIs.

  4. Information Security Officer (“ISO”)

The Bill provides for the appointment of an “Information Security Officer” to each public institution or department. Every ISO will ensure the compliance of such institution or department with the prescribed standards relating to cyber security.

The institutional framework to assist the agency

The new Bill also proposes to empower the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and the National Cyber Security Operations Centre (NCSOC) for the proper implementation of the National Cyber Security Strategy of Sri Lanka.

It provides that SL-CERT will be “the national point of contact for handling cyber security incidents in Sri Lanka” and will assist the Agency. It will do so by providing national-level cyber threat intelligence information and conducting reactive cyber security services to prevent and mitigate the damage caused by cyber security incidents.

Further, the responsible Minister, with the concurrence of the Agency, will designate the CERT or any institution as the new NCSOC. The NCSOC will monitor the designated CIIs, identify potential cyber security incidents, gather cyber threat intelligence information and provide such information to law enforcement authorities, the CERT and the Agency. It will assist the Agency in facilitating a coordinated response to prevent, detect, and investigate cyber security incidents.

The owner of CII

The designated CII may be public institutions (as owned or operated by the government) or other institutions. The head of the organization responsible for the CII will be deemed the “owner” of the CII. It is the responsibility of the owner of the CII to take all necessary steps to protect the CII as prescribed in the Bill. This includes conducting security assessments, implementing the protection plan and notifying the Agency and CERT of the occurrence of any cyber security incident with respect to the CII. If the CII is constituted by multiple organizations or multiple sectors, all the heads of such organizations or sectors shall become jointly and severally responsible for protection of the CII.

Offences and Penalties

Every CII owner who, without any reasonable cause, fails to fulfil obligations as prescribed under the proposed Act and fails to report cyber security incidents to the Agency and CERT will commit an offence and shall on conviction be liable to pay a fine not exceeding Rs 200,000 or to imprisonment for a term not exceeding two years or to both such fine and imprisonment.

An ISO can be held guilty of an offence if it fails to perform its duties and responsibilities relating to cyber security incidents under the proposed Act. Further, the Bill also provides that every person who, being the head of an institution, fails to facilitate the ISO shall commit an offence. However, such ISO or person will not be guilty of the offence if it was committed without his knowledge or if he exercised all due diligence to prevent the commission of such offence.

Prosecution under the proposed Act can only be instituted by the Agency or an officer authorized by the Agency.

Other powers of the Minister

“Minister”, as referred to in the proposed Act, means “the Minister assigned the subjects and functions relating to cyber security”. The Minister has the power to give general or special directions to the Agency, from time to time, to ensure effective compliance with Government policy. He has the power to make regulations, with the concurrence of the Agency, in respect of the matters prescribed in the Act.