The draft Bill is a revised version of the initial Data Protection Bill draft which was made available to the public for viewing last year.
The necessary revisions have been made to the initial draft following a meeting between the members of the CCC and the Drafting Committee that took place during the Covid-19 lock down period, official sources said.
After receiving approval from the Cabinet of Ministers, the Bill would be presented in Parliament. Considering its importance by the present Government sources said.
The initial final draft of the Data Protection Bill that was released in September 2018 provides a new set of rights to citizens under the title “Rights of Data Subjects” while imposing obligations on those who collect personal data.
The Bill allows personal data to be collected only for specified purposes. However, a media release issued by the Ministry highlighted that processing of data in public interest and scientific or historical research would be allowed.
Under the Bill, individuals would have the right to withdraw his or her consent given to controllers and the right to rectify the data without undue delay. In addition to this, the “Data Subjects”, as the people are referred to, have been given the right to object to the processing of their data.
These rights of Data Subjects can be exercised directly by the individuals with the controllers, who are required to respond within a defined time period and are obliged to give reasons for refusing to meet the request or reasons as to why the controllers would refrain from further processing said data.
The individual has a right to appeal against the decision of the controllers to the Data Protection Authority.
The drafting of the legislation was initiated by then Minister of Digital Infrastructure and Information Technology Ajith P. Perera on 5 February 2019. In June last year, the Ministry put out the framework of the Bill for stakeholder comments and following that, substantial modifications were made to the said framework, based on consultations held with key stakeholders.
Sri Lanka is in dire need of data protection and information security laws as they are crucial in attracting foreign direct investment (FDI). Economists have noted that stakeholders complain that foreign investors are deterred by the lack of such a legal setup in Sri Lanka.
The first steps towards a Data Protection Act were made following a request made by the Central Bank of Sri Lanka (CBSL) in 2018 as well as Sri Lanka’s drive towards becoming a digital economy, resulting in an increase in personal data collection by the private sector. The Ministry took steps to formulate data protection legislation during a stakeholder meeting held at the CBSL in September 2018.