Experts share key insights at inaugural National Data Protection Law Symposium

Panel Discussion 1 ​

Panel Discussion 2 

Concluding Panel Discussion

The Inaugural National Data Protection Law Symposium of the Bar Association of Sri Lanka (BASL) was successfully concluded recently. 

The welcome address of the Inaugural National Data Protection Symposium was delivered by BASL Secretary Rajeev Amarasuriya where he spoke on the importance of this new piece of legislation as well as the infinite opportunities available to the legal profession when the Data Protection Act comes into being. He went on to state that it was particularly timely to have this discourse on an area which will eventually have impact and ramifications across Sri Lanka’s economy. 

BASL President Saliya Pieris, PC thereafter addressed the gathering and emphasised how the Data Protection Law would impact on privacy and in turn the strengthening of rights. Peiris further stressed that Data Protection and Privacy are integral to the Rule of Law and that the BASL will continue to do its best to uphold and strengthen the Rule of Law as it ultimately relates to every aspect of people, including the economy, health and the lives of people. 

Thereafter, the Message of the President Gotabaya Rajapaksa was read out by BASL Assistant Secretary Pasindu Silva. President Rajapaksa in his message highlighted that the Government through action, had demonstrated a steadfast commitment to accelerate the requisite digital transformation in the country. He went on to state that to reap efficient and effective benefits of a digitalised country with a digital economy and a digitalised system of governance, Sri Lanka needs to ensure that the right policies, laws and the regulatory framework are in place to protect the security of data and rights of all, whilst maintaining a fine balance between national security and the right to information which is now a Constitutionally enshrined right in our country. 

The President further noted that the inaugural National Data Protection Law Symposium organised by the Bar Association of Sri Lanka was taking place at a highly pertinent time. 

Keynote Address on “the compelling need to create a futuristic Data Protection Regime in the Digital Economy”

 The Keynote Address was delivered by the Chief Guest, Supreme Court Judge Justice Arjuna Obeyesekere on the topic of “the compelling need to create a futuristic Data Protection Regime in the Digital Economy”. In the Keynote Address, Justice Obeyesekere emphasised on the need for the new data protection regime to be futuristic in form and outlook; the data protection regime not to be too static or prescriptive in form; the need to focus on facilitating true control; the avoidance of ambiguity in the interpretation of the law; the important role played by the Data Protection Authority; investing in improving the overall knowledge and capacity of stakeholders and the currency and relevance of the law in its proposed form. 

Presentation of an overview of the Data Protection Bill, including key features, enforcement, and penalties 

 The first presentation was conducted by ICTA General Counsel/Data Protection Drafting Committee Chair Attorney-at-Law Jayantha Fernando, who provided an overview of the personal data protection bill, including key features, enforcement, and penalties. The presentation included, Data Protection International Standards such as OECD Guidelines, European Data Protection Regulations, Council of Europe Data Protection Convention and their respective impact. The presentation also included the impact of the personal data protection bill. 

In respect of the background and process of the proposed personal data protection bill, Fernando pointed out that there had been seven (07) stakeholder consultations and sectoral reviews including stakeholders, such as FITIS, SLASSCOM, the Ceylon Chamber of Commerce and the Right to Information Commission, before the draft bill was finalised and that four (04) rounds of review had been conducted by the Attorney General’s Department. 

As pointed out by Fernando, the objectives of the proposed personal data protection bill are the regulation of processing of personal data; to identify and strengthen the rights of data subjects in relation to the protection of personal data; to provide for the designation of the data protection authority; to facilitate the growth and innovation in the digital economy in Sri Lanka whilst protecting the personal data rights of the data subjects; to improve interoperability among personal data protection frameworks; to strengthen cross-border cooperation among personal data protection enforcement authorities and the government of Sri Lanka to provide for a legal framework to provide for mechanisms for the protection of personal data of data subjects ensuring consumer trust and safeguarding privacy whilst respecting domestic written laws and applicable international legal instruments. 

Under the salient features, Fernando drew attention to the interpretations provided in the proposed personal data protection bill, its application (section 2), principles of data processing (part 1), rights of data subjects (part 2), obligations of controllers and processors (part 3), direct marketing (part 4of the bill), the data protection authority (part 4) and the penalties and exemptions (part 6). 

Finally, with regards to the implementation strategy, Fernando pointed out the importance of raising stakeholder awareness and capacity building, the phased-out implementation and identifying suitable organisation structure for the Data Protection Authority (DPA). He further stressed that it is pivotal to establish an independent data protection authority to ensure financial and administrative independence within the limits of Sri Lankan legal framework and to ensure coordination between DPA and other sectoral regulators to ensure smooth implementation of Personal Data Protection Act.  

Presentation on rights, obligations, cross border data processing 

 AAL Saduni Wickramasinghe, member of the data protection law drafting committee delivered a presentation on the rights, obligations and cross border data processing. She elaborated on the principles of processing data by emphasising lawfulness, purpose specification, purpose limitation, accuracy, storage limitation, confidentiality, transparency and accountability.  

Under the rights of data subjects, Wickramasinghe further explained the right of access, right of withdrawal of consent, right to object, rectification, erasure, automated individual decision making, including the enforcement procedure stipulated in the bill. 

Under the related obligations of controllers and processors, Wickramasinghe further drew attention to the section 20 of the proposed bill, wherein it is mandated to appoint a data protection officer (DPO) by a controller and processor who engage in prescribed activity under the bill. In respect of processor’s obligations, the appointment of a DPO when engaging in prescribed activity; compliance with written instructions of controller and the principles of processing; personnel to be bound by confidentiality and secrecy obligations; assist controller to meet the obligations under parts 1 and 2 of the bill; erase or return personal data once services are terminated were discussed. 

Wickramasinghe also pointed out the importance of carrying out data protection impact assessments and the mandatory grounds which requires a controller to do so under section 24 of the bill. 

The Intersect between Right to Information Act and the Private Data Protection Bill 

 The next presentation was conducted by AAL Rajeev Amarasuriya, on the intersect between the Right to Information Act (RTI Act) and the personal data protection bill. 

Amarasuriya drew attention to provisions in the Constitution, RTI Act and the personal data protection bill that could be relied upon for guidance. He explained that in Article 14A of the Constitution, it has been provided that every citizen shall have the right to access information as provided for by law, being information that is required for the exercise or protection of a citizen’s right held by persons such as the state, a ministry, or any other government department or statutory body or local authority. However, it was explained that restrictions on the exercise of this right will be placed including, inter alia; rights of others and privacy. Furthermore, he pointed out that Section 05 of the Right to Information Act provides measures to restrict the access to Private Information through Public Authorities. 

Amarasuriya further stated that the RTI and data protection regimes are in essence two sides of the same coin, and stated that with implementation and the differing considerations, there was likelihood for the right balance to be arrived at as they are implemented in full. He went on to state that both the Information Officers and the Data Protection Officers would have an important role to play in this respect. 

Panel discussion on ‘Challenges and Recommendations for an Effective Implementation and Enforcement of Personal Data Protection Law’

 The above sessions were followed up by a panel discussion on ‘Challenges and Recommendations for an Effective Implementation and Enforcement of Personal Data Protection Law’, with LankaClear CEO Channa De Silva, AAL Jayantha Fernando, AAL Rajeev Amarasuriya, AAL Sanduni Wickramasinghe and Dialog Axiata PLC Manager Regulatory AAL Shenuka Jayalath which was focused on Implementation and Business and this session was moderated by AAL Samantha De Soysa. 

Furthermore, the panel discussion included a presentation by Silva on “How digital signatures can be used to ensure security for data”. Silva explained the distinction between electronic signature and digital signatures. He then discussed the features of digital certificates. In respect to the obligation to maintain confidentiality and integrity, he pointed out that data encryption may be used to make data accessible only to the intended receiver and digital signatures provide an assurance to the sender and receiver of a message that the message was not altered during transmission. He further discussed encryption, hash function and non-repudiation of digital signatures, validating digital signatures and adoption of digital signatures. 

Answering a question posed by a participant, it was pointed out by the panel that the foreign embassies located within Sri Lanka may not come under the purview of the proposed data protection bill as such embassies have diplomatic immunity and those are governed by the international treaties. A member of the audience questioned if metadata falls within the scope of the bill and in response it was explained that in a context where metadata can indirectly identify a data subject, particularly when it can be combined with other data, then such metadata may fall within the definition of personal data. 

Virtual Presentation on ‘International Dimensions and Standards Governing Data Protection Law and Cross-Border Data Flows’ 

Thereafter, Queen Mary University of London Visiting Professor Prof. Ulrich Wuermeling connected virtually and delivered a presentation on ‘International dimensions and standards governing data protection law and cross-border data flows.’ 

Under the international framework, Prof. Ulrich drew attention to the Article 12 of the Universal Declaration of Human Rights, Personal Data Protections and Privacy Principles adopted the United Nations High-Level Committee on Management, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, the Convention for the Protection of Individuals with regard to processing of Personal Data, the EU Data Protection Derivative and APEC Privacy Framework. 

He further discussed the territorial scope of GDPR and Sri Lankan Bill; controller and processor; data transfer instruments on adequacy and contract; EU standard contractual clauses on purpose, decisions, content, advantages and new standard contractual clauses; EU-US Privacy Shield and transparency and data subjects' rights. 

Panel discussion conducted on ‘Data Protection by Design or by Regulation and the Future of Innovation, Trust and Competition’ 

Thereafter, an interesting panel discussion was conducted on ‘Data Protection by Design or by Regulation and the Future of Innovation, Trust and Competition’ (including impact on capital markets, block-chain, data analytics, AI and virtual currencies) which included Dialog Axiata General Counsel/VP – Group Legal and Regulatory AAL Trinesh Fernando, Cargills Ceylon DGM Yasith Fernando, CSE Head of Regulatory Policy and Compliance AAL Lankeesha Molligoda, MasterCard Country Manager for Sri Lanka and Maldives Sandun Hapugoda, which was moderated by AAL Sanduni Wickramasinghe. 

In the discussion the moderator explained the seven principles of privacy by design and Trinesh Fernando spoke about the positive sum approach in adopting privacy by design techniques in an organisation. Adding to the conversation, Yasith Fernando explained how privacy should not be viewed in isolation but how it must run parallel to an organisation’s operations. Molligoda illustrated her organisation’s GDPR compliance journey and the benefits it has accrued. Hapugoda opined on the importance of a comprehensive privacy team in an organisation and how laws of this nature must be capable of meeting technological dynamics in the future in open and virtual banking. 

Presentation on ‘Impact of Data Protection on Cyber Crime and Cyber Security’ 

 The Panel discussion was then followed by a presentation by AAL Dr. Sunil Abeyaratne. He spoke on the ‘Impact of data protection on cybercrime and cyber security’ emphasising the provisions of the Computer Crimes Act, Telecommunication Act. He further discussed the General Data Protection Regulations (GDPR) principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security) and Accountability. 

Panel Discussion on ‘International Investment, Digital Economy and Benefits to the Country at large’ 

 The concluding panel discussion was on ‘International investment, digital economy and benefits to the country at large’ with a panel comprising of ICTA General Counsel/Data Protection Drafting Committee Chair AAL Jayantha Fernando, Ceylon Chamber of Commerce former Chairman Rajendra Theagarajah, Lanka Bell Ltd., Managing Director and FITIS Chairman Dr. Prasad Samarasinghe, Cargills Bank Assistant General Manager – Card Services Mahesha Amarasuriya, ICTA Chief Digital Economy Officer Anura de Alwis, which was moderated by AAL Thishya Weragoda. 

Amarasuriya explained the relation between the Data Protection and Banking Sector and the Payment Card Industry and Theagarajah emphasised about the futuristic approach and the impact on digital economy by the Data Protection Bill, especially in relation to the Port City and Dr. Samarasinghe demonstrated that a law of this nature can play a vital role in attracting foreign investments in the digital personal data processing sector. 

The panel also emphasised that the effective enforcement of Data Protection Law would be able to position Sri Lanka in the international cross-border data processing space as a secure destination to process information of countries which have stringent data protection regimes. 

Furthermore, the importance of having a digital infrastructure throughout the country and impact on Small and Medium Enterprises (SMEs) by the said Private Data Protection Bill were also discussed in particular by Theagarajah and Amarasuriya. 

The concluding remarks of the Symposium was by BASL Assistant Secretary AAL Pasindu Silva. The official newspaper was Daily FT and the Electronic Media Partner was Newsfirst and the Principal Sponsor was Lanka Pay. 

Pix by Ruwan Walpola