Editors Guild expresses grave concerns over Personal Data Protection Bill

While acknowledging the need for a clearly defined and narrowly applicable law concerning the protection of personal data in Sri Lanka, The Editors Guild of Sri Lanka (TEGOSL) has drawn the attention of the Government to grave concerns regarding the over-breadth and over-reach of the Personal Data Protection Bill presented by Prime Minister Mahinda Rajapaksa to Parliament on 20 January.

Comparing the 2019 Draft Framework on Personal Data Protection which had referenced Sri Lanka’s Constitutionally protected Right to Information in Article 14A as part of a balancing exercise between the right to information and expression and data protection, TEGOSL has questioned as to why the Bill, in its current form, does not reflect that balance.

It has emphasised that if the Bill is passed without amendment, it may potentially cripple the efficient functioning of Sri Lanka’s praised Right to Information (RTI) Act and regime as the Bill has been drafted with the specific intent of overriding the RTI Act where the release of personal data is concerned.

It has also pointed to the fact that a proposed Data Protection Authority had earlier, together with six ex-officio members, included three appointed members ‘to be selected through an public application process, from amongst persons who have experience and have demonstrated professional excellence in the fields of Public or Private sector Management, Law, Finance, Science and Technology and Data Sciences, and who have applied personally or through an industry body or a recognised institution…’.

However, the Bill before Parliament has worryingly expressly stipulated that the proposed Authority be a body that is ‘controlled by the Government’ which contravenes well established international principles of data protection.

Moreover, a dire warning has been made that the Bill when implemented as an Act, will have enormous impact on editorial newsrooms. Journalists will be seriously hampered in their day-to-day operations which concerns the routine gathering of data in a context where the ‘processing of data’ has been extended by the Bill to cover all aspects of reportage, including the mere reporting of a ‘name’.

Observing that international and comparative standards have recognised the exemption of ‘journalistic purpose’ to the data processing process, even in neighbouring countries, TEGOSL has questioned as to why the Sri Lankan Bill is significantly absent such a safeguard. It has been recommended that this exemption be reflected in the Bill at all stages, from the first step of processing a complaint on an alleged breach of data protection to the appeal stage before a proposed Data Protection Authority.

This has particular relevance in a context where the Bill expands ‘special categories or personal data’ to include ‘personal data relating to offences, criminal proceedings and convictions’. This, in the opinion of TEGOSL, would have a direct negative impact on the reporting of corruption and/or the release of such information through the RTI process. 

It is noted that all this has particular adverse consequences when the proposed Authority is given powers to fine up to 10 million for alleged ‘non-compliances’.

TEGOSL has called for the Bill to be amended so that the Constitutional right to information and ‘journalistic purpose’ are recognised as specific exemptions to be considered by controllers when processing a data request and has stressed that public information should not be included as ‘personal data’ in the Bill.

It has also stressed the importance of the proposed Authority being independently constituted, pointing out that otherwise, its power to fine 10 million for each alleged ‘non-compliance’ with the new data protection regime may have a “chilling impact” on the Constitutional right to expression and information won through historic struggles in Sri Lanka.