- 9th March 2022 – second reading of the Bill on Personal Data Protection
- Three key concerns about the Bill in its current form
- Calls on Members of Parliament to not rush through enacting the law until concerns are addressed
On 9th of March 2022, the Personal Data Protection Bill is scheduled for the second reading in Parliament. This Bill aims to regulate the processing of personal data by identifying and strengthening the rights of data subjects – persons whose data is held by a processor or controller. However, Transparency International Sri Lanka (TISL) remains deeply concerned about three key areas in this Bill including the impact on certain rights and freedoms, if enacted in its current form.
“If enacted in its current form, the Data Protection Bill could become a well-meaning law which could yet be abused. The Bill could be used to create a chilling effect in the media and among whistleblowers which would be a blow to Sri Lanka’s democracy.”
The creation of a legal framework on personal data protection can be viewed as an important step in safeguarding human rights, especially at a time when information has become both a tool to be used by the people and against them.
However, TISL’s three key concerns on this Bill are as follows.:
- Severe impact on journalism – The Bill does not recognize ‘Journalistic Purpose’ or data processing in the exercise of freedom of the press or freedom of expression as a condition for processing data. This means that media, including broadcast media, will be restricted from using personal data when reporting, as they become data controllers and processors in the use of personal information of others for journalistic activities. TISL recommends that ‘journalistic purpose’ should be identified as a legitimate condition to process data, in order to ensure that access and publication of information for journalistic purposes is not unduly restricted.
- Data Protection Authority has wide powers, and is not independent – The Bill designates a ‘government controlled’ body as the Data Protection Authority. The Authority does not have sufficient safeguards against political interference or attempts at diluting its powers and functions. Further, the Data Protection Authority, being a non-judicial and non-independent body, is given the power to investigate into sources of obtaining data and to impose penalties of up to Rs. 10 million per non-compliance on data controllers and data processors who fail to comply with the directives of the Authority. This has implications on the rights of persons in general and could also lead to the Authority seeking information regarding sources from journalists and media. TISL recommends that an independent Data Protection Authority is set up for the purposes of the Act.
- Impact on the Right to Information – In its current form, the provisions of the Bill prevail over the provisions of any other written law, including the Right to Information Act, in case of any inconsistency. This can lead to derogation from the fundamental right to information, especially in practice. Therefore, TISL recommends including a specific exception to ensure that the Right to Information Act is not overridden in case of inconsistency.
Earlier in 2022 and in 2021, TISL officially raised these concerns with the Ministerial Consultative Committee on Technology and with all 225 Members of Parliament.
The draft framework on personal data protection which was produced in 2019 has two crucial points that could improve the current bill. The preamble of the 2019 framework specifically refers to Sri Lanka’s constitutional Right to Information as a crucial right, recognizing the need for the public interest to be balanced with the protection of personal data. The 2019 draft also called for the appointment of three members to the Government Controlled authority enforcing the bill, through a public application process. This step could be crucial to ensure that the authority remains independent.
Since it is critically important that there is a harmonious formulation of the Personal Data Protection law with other existing rights and protections in the best public interest, TISL calls on all Members of Parliament and the Ministerial Consultative Committee on Technology to not rush through the process of enacting this important law, without ensuring that these concerns are addressed.
TISL Executive Director Nadishani Perera commenting on the matter noted that “If enacted in its current form, the Data Protection Bill could become a well-meaning law which could yet be abused. The Bill could be used to create a chilling effect in the media and among whistleblowers which would be a blow to Sri Lanka’s democracy.”
The Sri Lanka Press Institute (SLPI), its constituents and affiliated organizations raise concerns over the Personal Data Protection Bill that was tabled in the Parliament on the 20th of January 2022.
A joint letter raising 7key concerns was signed by the Newspaper Society of Sri Lanka (NSSL), Free Media Movement (FMM), Sri Lanka Working Journalists Association (SLWJA), Tamil Media Alliance (TMA), Sri Lanka Muslim Media Forum (SLMMF), Federation of Media Employees’ Trade Unions (FMETU), South Asia Free Media Association (SAFMA) and the SLPI, handed over to the Minister of Mass Media, Minister of Justice and the Secretary of the Ministry of Information Technology.
While the proposed Personal Data Protection Act is being recognized as an important one in the current context, especially in the digital era, serious thoughts should be given to the implication and infringement to the rights of professional journalism and media freedom.
The terms of definition regarding personal data and special categories of personal data remain arbitrary given that special categories also include data related to offenses, criminal proceedings and convictions which do not recognize the journalistic right to exercise free speech in delivering such information. Therefore, it is imperative that the journalists’ rights prevail and provisions are made to ensure that journalists are able to continue their work in the interest of the public and uphold freedom of expression.
The proposed Act with the powers and stipulated clauses would prevail over every other law in any inconsistency, including the Right to Information (RTI) Law. The organizations feel this could also compromise the access to information that the public and journalists have via the prevailing RTI law.
Given that the Editors’ Guild of Sri Lanka (TEGOSL) has provided a detailed report of the concerns on the proposed Personal Data Protection Act, the SLPI and its collective body of media organizations also jointly acknowledge and endorse the concerns raised, and proposed amendments by TEGOSL in regard to this bill to be considered.