LMDtv 4
Sri Lanka took a pioneering step by becoming the first country in South Asia to enact digital privacy legislation to protect its citizens. That said, comprehensive enforcement of the Personal Data Protection Act has yet to take place.
According to Shanaka Gunasekara, who is a Partner at FJ&G de Saram, Sri Lanka has a reference to data privacy under the right to information clause in the constitution. But that’s different to having a direct fundamental right to privacy provision as in other geographies such as Europe, which have it enshrined in the fundamental rights charter itself.
He noted during a recent airing of LMD’s fortnightly digital TV programme that “Sri Lanka took a good step forward when we introduced the Personal Data Protection Act in 2022; the enactment was to be brought into operation in phases, one of which was the establishment of the Data Protection Authority (DPA).”
Gunasekara continued: “However, although this institution was established, it needs qualified personnel, the appropriate institutional framework and the financial resources to run it. So there are many challenges that the DPA needs to overcome.”
There is a dire need for qualified talent to expedite the enactment of the act. He explained this with an example: “For instance, if I lodge a complaint tomorrow, it needs to be inquired into by a qualified inquiring officer with knowledge of data protection legislation.”
“This is one of the challenges that the members of the Data Protection Authority need to overcome. That’s why they need time to bring the enactment into operation,” he added.
And there’s work to be done by the rest of the stakeholders as they gear up for implementation of the law. Gunasekara acknowledged that “it’s not going to be an easy task because it requires financial and human resources, and stakeholder buy-ins as well.”
He noted: “When the enactment is operationalised, companies need to be ready to provide all the rights to the data subjects and process personal information in a totally compliant environment.”
“They should have the appropriate organisational and security measures, data management programmes etc. in place,” Gunasekara stressed, adding: “Migrating to that particular position is the challenge that organisations are facing.”
These issues are more pronounced for SMEs, he conceded: “Data security measures require a certain amount of capital infusion, and SMEs don’t have that much to invest for the protection of data.”
Another significant challenge that organisations face is talent. He elaborated: “Data privacy is a completely new subject and from what we have seen so far, there is a clear lack of knowledge across the board from SMEs to blue chip companies.”
Gunasekara said: “Organisations will have to train people and even provide them with overseas training if needed. There’s a learning process, which ideally should begin right now; because when the law is implemented, people will immediately start exercising their rights, and qualified people need to be in place to provide advice on relevant aspects.”
Other challenges, including the need for infrastructure, also prevail. Nevertheless, there is hope that the government will move forward with implementation.
“The government has set up the necessary units and also unveiled the National Cyber Security Operations Centre. It has undertaken steps to conduct security audits at state institutions too. These measures will help those institutions reach the required compliance levels,” he asserted.
Since Sri Lanka’s public sector is large, Gunasekara noted: “Lots of government institutions process personal data and all of them need to migrate to a compliant environment.” However, this might take time given that Sri Lanka is still fresh out of bankruptcy.
“It’s a challenge for Sri Lanka to enact digital privacy legislation – and even though the right initiatives have been taken, the time for implementation is unknown,” he pointed out.



