Data protection is considered an esoteric subject, but affects the entirety of the modern economy, ranging from a home-based cake supplier who maintains a list of customers, their preferences and contacts, to a multinational insurance company. Sri Lanka being the first South Asian country to enact data protection legislation and the pervasive effects of data protection, the bill deserved more discussion. It is unfortunate that the scrutiny it received was limited, for the most part, to its co-existence with the Right to Information Act, No. 12 of 2016, another broad-impact law that applies to all State institutions and to those doing business with the State.
The best law is not one that is optimal in a technical sense, but one which is most appropriate for the local conditions. Even with the commendable amendments, this law does not meet that test.
Data protection laws seek to minimise misuse of data stored in computer databases. There has been a worldwide surge in interest in data protection since the General Data Protection Regulation (GDPR) came into effect in May 2018. Those wanting business process outsourcing (BPO) work from Europe successfully lobbied for GDPR like legislation to improve their business prospects by having the country satisfy the EU’s adequacy criteria. Though the drafters have laboured mightily to satisfy multiple, contradictory demands and to avoid harms, the result remains an overly complicated piece of legislation that may still have negative effects on the economy.
Drafting commenced in January 2019, with multiple rounds of consultations. Significant improvements have been made in response to criticism, most recently in the form of significant floor amendments.
Co-existence with RTI
Laws creating rights to access government information originated in Europe. The first such law is said to have been enacted in Sweden in 1766. The first data protection legislation was enacted in the German state of Hesse in 1970, followed by various national laws and then by the GDPR that applies across Europe. Therefore, there is considerable experience in managing their co-existence, especially in Europe.
It is incorrect to have one information law with broad applicability trump the other in all circumstances.
Section 35 of the Bill (likely to be renumbered after the floor amendments have been inserted) is the instrument designed to manage the interactions. An excerpt is given below:
Exemptions, restrictions or derogations to the provisions of this Act shall not be allowed except where:
such an exemption, restriction or derogation is prescribed by regulations and respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for–
. . . . . . . . .
(e) the protection of the rights and fundamental freedoms of persons, particularly the freedom of expression and the right to information.
Section 5 of the RTI Act, which goes on for pages, is also relevant. Again, an excerpt:
(1) Subject to the provisions of subsection (2) a request under this Act for access to information shall be refused, where–
(a) the information relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the larger public interest justifies the disclosure of such information, or the person concerned has consented in writing to such disclosure;
As can be seen, the RTI Act recognised the need to balance openness and privacy. One will have to see how this will play out in decisions by the respective authorities in the context of actual conflicts that arise. But this is the only solution. It is incorrect to have one information law with broad applicability trump the other in all circumstances.
The Minister of Justice has indicated openness to further amendment to appease the journalistic concerns. Before that, it may be advisable to study prior experience.
Scope, principles, and outcomes
Section 2(3) of the bill excludes “personal data processed purely for personal, domestic or household purposes by an individual.” Therefore, the contact list stored in one’s telephone is outside the scope if it is used “purely for person, domestic or household purposes.” However, it may be argued that the use of such a list by a journalist is for business purposes and thus falls within the scope. All journalists would have to fulfil the responsibilities imposed on data controllers (those who determine the purposes and means of the processing of personal data). This obviously unrealistic example is illustrative of how broad ranging the GDPR approach is. In practice, only enterprises above a certain size are likely to be treated as data controllers and processers.
The law impacts citizens in their roles as data subjects. For example, an individual may suffer serious repercussions because of a data breach, wherein sensitive personal data such as bank or credit card information and passwords stored in a government or company database are taken unlawfully by a third party and sold on the dark web or used for extortion. Breaches may also occur accidentally.
Because of damage to reputation or the desire to avoid paying damages, companies may not disclose breaches in a timely manner, causing further harm. Section 23 sets out an obligation to report breaches but leaves the details to rules that are to be formulated under the Act.
Individuals have for long been compelled to give personal data to government and companies to obtain services. Increasingly, data are collected as by-products of transactions. For example, data on one’s locations and movement are recorded as a by-product of providing mobile communication services and billing for them.
The principles of informed consent and purpose specification that are built into our law have been central to data protection regimes since the OECD Guidelines were adopted in 1980. There is a lively academic debate on the continued relevance of these principles in the qualitatively different circumstances of today.
Consent is especially problematic when applied to jointly produced transaction-generated data. Most people do not read the information provided when asking for consent, because doing so would leave them little time for anything else. Broadly worded consent language inserted into customer agreements may satisfy the legal requirements, though there is no substance to the consent so given.
Machine and deep learning, colloquially described as artificial intelligence, are increasingly transforming business processes and offer exciting opportunities for entrepreneurs in countries like ours. In the old days, one had to develop complex models with multiple variables for tasks such as churn analysis or diagnostics. In machine learning, software is trained using massive amounts of data. The exact method by which the results are obtained cannot be reduced to a set of rules. But the catch is that large amounts of data are required, sometimes in real time. The old insistence on the purpose being specified at the moment of data collection is likely to be a barrier to innovation in artificial intelligence.
Costs of compliance
Laws modelled on the GDPR impose considerable costs on controllers, such as ensuring that informed consent is obtained; that purpose is specified; that data subjects are informed about their personal data held by controllers; that data are rectified or completed upon request; that data subjects are permitted to withdraw consent resulting in the erasure of their data; and so on. They are also mandated to appoint data protection officers with academic and professional qualifications to be specified by rules.
Compliance costs are onerous for small businesses and organisations which are engaged in the processing of personal data. It is totally unrealistic to expect a micro entrepreneur delivering gas cylinders who maintains a database of customers to appoint a suitably qualified data protection officer. The likely result is selective disregard of the law, condoned by the Authority.
Jurisdictions that follow the European model of data protection require all entities large and small who fall within the scope of the legislation to register and renew their registrations periodically. This allows the data protection regulator to have a record of all entities subject to its jurisdiction and to allow it to conduct inspections, to serve papers, etc.
Usually, the registration must be accompanied by a fee. In many countries these fees are a source of revenue for the regulator. The scope of those who are required to register is so vast and the transactions costs are so high that many small businesses and organisations do not register. Even in wealthy European countries, data protection authorities do not have the resources to compel registration and compliance.
Commendably, the registration requirement has been excised by the Sri Lankan drafters. Non-registration is not an offense. No registration fees are charged. The data protection authority will be funded (inadequately) by Treasury.
However, organisations large and small who fall within the scope of the law are required to conduct their data processing and related activities as specified in the law. The regulator may experience difficulties in serving papers on small controllers and therefore in regulating them. But locating large controllers in the private and public sectors is unlikely to pose difficulties.
Reducing costs of compliance for the many thousands of micro, small, and medium enterprises is well worth the rare difficulty of locating an entity against which a complaint has been made. Indeed, if the forms used for lodging complaints require the inclusion of location and contact details of the offending controller, most difficulties can be avoided.
Can small countries do what big ones do?
Had the registration requirement been retained, it is doubtful whether a global Internet service company such as Meta could have been compelled to register, let alone establish a physical presence in Sri Lanka. India may succeed. Nepal tried, and was ignored. The elimination of the registration requirement is a creative solution to that problem.
The Act imposes duties and obligations on global entities without a presence in Sri Lanka; it creates rights against such entities that the regulator is bound to safeguard through laid down procedures when citizens seek redressal. Practicalities of enforcement are left for the future.
Section 26 of the Bill restricts the processing of data outside Sri Lankan territory. Sri Lankan controllers who are public authorities will be limited to the cloud services with storage in the few inefficient Tier 3 Data Centres located in Sri Lanka, where the price-quality packages are inferior to those offered by global providers. Public authorities are now defined as ministries, departments, provincial and local government bodies, and corporations, and no longer include companies in which the state holds shares.
Absent competition from the big cloud services, the local data centres will have less incentive to lower prices or enhance quality. Protectionist justifications about creating opportunities for local data centres partially underlie these provisions, even if their supra-normal profits will be repatriated by their foreign owners (e.g., over 40% in the case of SLT).
Restrictions that applied to private entities that are not public authorities have been considerably relaxed by the floor amendments. Appreciating the difficulties of making adequacy a condition for use of cloud services and data centres located outside Sri Lanka, the newly introduced language provides a series of exceptions, including consent to processing abroad and performance of a contract. This will, for example, make it possible for SriLankan Airlines to continue to participate in the One World frequent flyer program, where it is inconceivable that the data processing could be done within Sri Lanka. The drafting team’s receptiveness to input provided on early drafts is praiseworthy.
Capacity of the Authority
The Act focuses on the overall architecture of the regulatory scheme and leaves the details for rules to be made in the future. Commendably, the Government has responded to criticism by inserting provisions for relative autonomy for the Data Protection Authority through the floor amendment. The 20th Amendment to the Constitution concentrates the power to make appointments to “independent” Commissions in the office of the President. This applies to the Data Protection Authority as well, justifying the quotation marks around the word “independent.”
Even in Europe, the heartland of data protection, data protection authorities are under resourced, do not have enough staff with the necessary technical skills, and take inordinately long to respond to complaints. It was reported by the New York Times last year that all but three (Germany, Italy, and the UK) had annual budgets of less than 25 million Euros. The California Privacy Protection Agency that is being set up, an entity with a narrower remit than the GDPR, will have an annual budget of $ 10 million (9 million Euros) in its first year.
The above benchmarks may be interpreted to mean that a sum in the range of $ 10 million a year is required to run an efficient data protection authority. That is approximately 2.5 billion Sri Lanka rupees in operational funds. The likelihood of the Sri Lankan data protection authority being given even a fraction of that by Treasury is small. So, what can be expected is the typical underfunded Government agency with a large remit.
Well-crafted laws that are not implemented satisfactorily may be worse than bad laws. If the regulator is under-resourced, little more will be possible than ticking the boxes so that Sri Lanka will pass the EU’s adequacy test, and even that is uncertain. The best law is not one that is optimal in a technical sense, but one which is most appropriate for the local conditions. Even with the commendable amendments, this law does not meet that test.
( This article was first published in the Daily FT on 22 March 2022)