On March 18, 2022, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (the “Act” or “PDPA”), thereby becoming the first South Asian country to enact comprehensive data protection legislation. The law is modeled after the General Data Protection Regulation (GDPR) in the EU and imposes considerable responsibilities on controllers. Below we describe selected highlights from the Act and considerations that companies should prepare for as the Act gradually comes into effect, beginning in 2023.
While Sri Lanka is the first South Asian country to enact comprehensive privacy legislation, it is unlikely to be the last. India has been debating its Personal Data Protection Bill since 2019 (and amendments were proposed earlier in 2022), and a comprehensive privacy bill gained some traction in Pakistan in 2020. This activity in South Asia is emblematic of a global trend, as more jurisdictions propose comprehensive privacy laws that borrow heavily from the GDPR. These new laws impose considerable obligations on businesses with international operations, particularly with respect to cross-border data transfers. Companies with ties to these regions should be aware of their obligations as these laws continue to be enacted.
The Act applies to any processing of personal information that takes place in Sri Lanka. It also applies to controllers or processors that are domiciled in, incorporated in, or offer goods or services to persons in Sri Lanka. Notably, the Act applies to businesses and does not apply to personal information processed by an individual “purely for personal, domestic or household purposes.” Like the GDPR, the PDPA applies to all businesses, large and small alike. Smaller companies subject to the law should carefully consider compliance costs, as those may be significant and potentially onerous.
PROCESSING OF DATA
The PDPA relies heavily on GDPR principles such as legitimate purpose, proportionality and transparency. Specifically, under the PDPA controllers must ensure that the processing of personal information follows these principles:
- Legitimacy: Processing of personal information must be for a “specified, explicit and legitimate” purpose;
- Proportionality: Processing of personal information must be “adequate, relevant and proportionate” to the extent necessary in relation to the purpose of processing;
- Accuracy: Personal information must be “accurate and kept up to date”;
- Limited retention: Personal information should be kept only to the extent and for as long as necessary for the purpose for which it was processed;
- Integrity: Controllers must ensure the integrity and confidentiality of the personal information they process by using appropriate technical and organizational measures, including encryption, pseudonymization, anonymization, access controls or other such measures;
- Transparency: Controllers must process personal information in a transparent manner that enables data subjects to receive the information they request regarding the processing of their information;
- Accountability: Controllers must implement internal controls and procedures (a “Data Protection Management Program”) to maintain adequate data processing records and ensure appropriate oversight.
RIGHTS AND CHOICES
Under the PDPA, data subjects covered by the Act have the following rights and choices:
- Right of access: Data subjects have the right to request access to their personal information;
- Right to withdraw consent: Data subjects have the right to withdraw consent and to object to the processing of their personal information;
- Right to rectification: Data subjects have the right to request that inaccurate personal information be corrected or rectified;
- Right to erasure: Data subjects may request that their personal information be erased.
Controllers have twenty-one (21) business days from receipt of a request to notify the data subject whether the request has been granted or denied. Companies subject to the Act should therefore consider the infrastructure and systems support needed to locate, export, correct and delete a data subject's records within this limited response window.
CROSS-BORDER DATA TRANSFERS
To determine whether a data transfer is compliant, the PDPA establishes an adequacy analysis that is subject to periodic monitoring by the Minister (the “Adequacy Analysis”). Under the Adequacy Analysis, the Minister, in consultation with the Authority, will consider the privacy laws of the third country, the enforcement of those laws with respect to the processing of personal information, and whether they are adequate. Controllers that are public authorities may process data outside Sri Lankan territory only where an Adequacy Analysis permits it. For private businesses, processing of data outside Sri Lanka is permitted if the destination passes the Adequacy Analysis or if the transfer falls under one of several exceptions, including the data subject's consent to processing abroad and the performance of a contract.
ADDITIONAL OBLIGATIONS FOR BUSINESSES
Additional obligations under the PDPA include:
- Data protection officer: Under certain conditions of processing, a controller or processor must appoint a data protection officer (DPO). The DPO advises the controller or processor on data processing requirements, ensures that the Act's processing provisions are followed, facilitates capacity building of staff involved in data processing operations, and provides advice on personal information protection impact assessments, among other things. Businesses, and especially start-ups, will need to prepare to appoint a suitably qualified DPO with the specified academic and professional qualifications if they become subject to this provision.
- Security breaches: In the event of a security breach, businesses must notify the newly established Data Protection Authority and affected data subjects in the manner set forth by the Data Protection Authority.
- Unsolicited messages: Controllers may send unsolicited messages or advertising to a data subject only with that data subject's consent.
PENALTIES
When considering penalties, the Authority will assess the impact on data subjects and the nature and extent of the relevant non-compliance. The Authority may impose a penalty of up to ten million rupees for each instance of non-compliance.
Given its heavy reliance on GDPR principles, its application to businesses of any size that process personal information, and the substantial penalties for non-compliance, businesses subject to the Act should begin preparing for compliance now, particularly as other South Asian countries (such as India and Pakistan) may follow suit.