The Growing Need for Privacy and Data Protection in Sri Lanka

Every day, a vast amount of information is transmitted, stored, and collected across the globe, enabled by the rise of computing and communication power. Technology and innovation have increased the need for privacy regulation, requiring existing privacy regulations to adapt to these new advancements. The emergence of cloud computing, the internet of things (IoT), 5G networks, and big data analytics in the Fourth Industrial Revolution (4IR) present new challenges to the field of data protection and privacy – for individuals whose data is stored and collected, governments, legislators, and businesses.


Thus, data protection is a priority in political agendas globally. It is now included in many trade agreements including the Trans Pacific Partnership (TPP). Data protection is also a key concern in several high-profile court cases in relation to national surveillance issues. One notable case is that of Cambridge Analytica, where allegedly, a large amount of data was harvested without the consent of the subjects, to be used illegally for profiling and campaign targeting purposes.


Why Data Protection is Necessary for Sri Lanka


Data protection is increasingly becoming relevant to Sri Lanka, with the rapid rise in digitalisation and digital connectivity. By early 2017, Sri Lanka had more active mobile phone subscriptions than people, with 124 subscriptions per 100 persons. As of 2017, over 75% of the 6.2 million internet users in Sri Lanka were estimated to access the internet through smartphones. This continued rise in digitalisation generates more and more data and heightens the need for data protection and privacy laws.


Within Sri Lanka, there is also an increasing reliance on digital and cloud services, which collect data. For example, transportation applications such as Uber and PickMe both collect data for offline analysis. Also, there is increased usage of social media platforms and cloud communication platforms for email and calendar management (e.g. Google mail and calendar). These systems, being the primary means of communication, collect large amounts of data daily and then target advertisements based on these collected data.


Furthermore, the use of Virtual Private Networks (VPN) also brings in privacy concerns. In certain cases, applications providing this service for free, sell consumer internet activity data to advertisement targeting agencies. Given the fact that VPNs can capture all data that are being transmitted or received by a device, the information captured can be very detailed (e.g. unencrypted messaging services, location, contact information, app usage) and can easily be personally identifiable.


As Sri Lanka is set to enable 5G transmission in 2020, the need for comprehensive privacy legislation is heightened. A large amount of data sent over current mobile networks is not encrypted or if it is, leverages outdated and easily by-passable encryption methods and are therefore susceptible to interception.


The need for cybersecurity and data protection becomes more urgent with the onset of e-government services in Sri Lanka. The risk of fraud and identity theft increases, along with the risk of cyberattacks.


Meanwhile, Sri Lanka’s e-commerce industry is projected to reach USD 400 million by 2020. As businesses venture on to digital platforms, it is vital for sufficient privacy laws to be in force to secure data as well as to improve business and consumer confidence.


Also, information and communication technology (ICT) related services, including software, have become one of the key service sector exports of Sri Lanka. These service exports include automated application testing, infrastructure outsourcing, high-end research and development (R&D), enterprise resource planning (ERP), cloud technology and mobile applications. While some of the exports will be subject to compliance with foreign privacy legislation such as the General Data Protection Regulation (GDPR), national data protection will further reduce the threat of loss of IP.


Current Data Privacy Legislation in Sri Lanka


Although there is legislation around electronic transactions, consumer protection, and cybercrimes, no specific laws are currently in place for privacy and data protection in Sri Lanka. According to the mapping of data protection and privacy conducted by the United Nations Conference on Trade and Development (UNCTAD) in 2019, out of 107 countries mapped, 21% have no legislation around privacy and data protection, including Sri Lanka.


That said, a Data Protection Bill for Sri Lanka was recently launched with an expert committee set in place by the Ministry of Digital Infrastructure and Information Technology. The legislation is to be implemented in three stages with the entire bill coming into operation within a period of 3 years. This bill has been drafted with the aim of covering the fundamental principles of privacy and data protection modelled after legislation in place by similar countries.


The amendment to the Electronic Transaction Act in 2017 harmonises Sri Lanka’s electronic transaction legislation with the UN Electronic Communications Convention (ECC), the international standard for e-commerce legislation. Although the existing Electronic Transaction Act and the Computer Crimes Act facilitate e-commerce, they do not provide for sufficient privacy and data protection.


Potential Concerns


One key concern is that privacy regulation may unduly restrict business activities by increasing the administrative burden on businesses to comply with multiple stringent data regulation policies. This is a concern especially to small and medium enterprise (SME) businesses, and may even act as a barrier to trade and restrict innovation.


The lack of international compatibility in privacy regulation creates many problems and restricts international trade and investments. Highly-fragmented, diverging global, regional, and national regulatory approaches make adoption cumbersome to most parties and places a high-cost burden. Data protection laws could act as a barrier for developing countries to trade internationally.


The World Trade Organisation’s (WTO) General Agreement on Trade and Services (GATS) permits cross border restrictions that enable “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and protection of confidentiality of individual records and accounts”. However, the mandate specifies that “such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services”.


Another issue is the balance between surveillance for national security purposes and privacy. The rise of mass surveillance also poses significant threats to data privacy. Currently, many governments collect communication and internet data for analysis, to identify threats to national security. Although these programmes balance privacy needs against security concerns, reservations on these arise from the large amount of personally identifiable data that is collected (often most internet data within a nation). Although this data is generally scanned in aggregate and in an algorithmic manner, there are concerns about data leakage from such screening programmes.


Way Forward


At present, there is no consensus for a single model for data protection laws. However, compatibility is the stated objective of many global and regional data protection initiatives. Sri Lanka’s data protection laws need to be drafted to be internationally accepted, to facilitate the smooth cross border transfer of data. For countries without relevant laws in place, the UNCTAD recommends that governments should aim for greater coverage in data protection, where, gaps in coverage need to addressed while striking a balance between surveillance and privacy.


Data protection laws need to keep up with new advancements in technologies to be effective. Gaps in coverage need to be addressed, while striking a balance between surveillance and privacy. Moreover, while there are lost business opportunities due to the lack of domestic legal protection, overly restrictive protection could act as a barrier to trade. Businesses compliance burden should be managed with assistance provided for businesses to overcome barriers to adoption.