Sri Lanka's Need For a Data Privacy Law

In the wake of the Cambridge Analytica scandal and other breaches of data privacy around the world, there has been a move toward stricter data privacy legislation everywhere. Such leakages of data, along with an absence of comprehensive data privacy laws, could make consumers skeptical of online transactions. This skepticism, coupled with a low rate of Internet penetration, can potentially hinder the development of the digital economy. Sri Lanka, a country where only 30 percent of the people have access to the Internet, needs to move towards establishing data privacy as a fundamental right of its people if it is to fully integrate with the global digital economy of today.

In Sri Lanka, the constitution guarantees the protection of the fundamental rights of people, but it does not explicitly mention the word privacy. That is not very problematic, because many countries that have comprehensive data privacy legislation do not explicitly include the right to data privacy in their constitutions. Data privacy laws are usually introduced through bills that define the right to data privacy as a fundamental right and then outline the steps to protect that right. What is problematic in the case of Sri Lanka is the absence of any such legislation. The Computer Crimes Act of 2007 deals broadly with all types of cybercrime but not specifically with a person’s right to data privacy. At a conference organized by the Institute of Policy Studies Sri Lanka in 2017, experts pointed out that the Consumer Affairs Authority Act of Sri Lanka is inadequate with respect to conflict resolution in the digital era. The participants further noted that there are gaps in the laws that regulate consumer rights and data protection on digital platforms. The Information and Communication Technology Agency Legal Advisor Jayantha Fernando pointed out gaps in Sri Lanka’s Electronic Transactions Act No. 19 of 2006, which fails to protect consumers in the digital age. There was a consensus among the attendees of the conference that there is a need to have a “comprehensive data protection regime with an institutional framework.”

Now, what could this regime look like? One way for Sri Lanka to implement data privacy measures that are in line with the rest of the world is to adopt the guidelines set out in the European Union’s General Data Protection Regulation (GDPR). The GDPR, adopted by the European Parliament in 2016, came into effect a few months ago. The regulation covers a broad spectrum of personal data, ranging from a person’s name to government ID numbers, location information, IP addresses, cookies and other information that helps companies track users when they are surfing the internet.

By adopting GDPR, or something very similar, Sri Lanka could solve the problem of having comprehensive data privacy legislation while not compromising economic efficiency. In its 2016 report on the New Regulatory Framework for The Digital Ecosystem, the GSM Association, a trade body that represents the interests of mobile network operators worldwide, concluded that industry-specific data privacy laws cause distortions. These distortions create barriers to entry and thus reduce economic efficiency. Therefore, a better data privacy legislative framework, like GDPR, is one that is not industry-specific. Such laws apply uniformly to all sectors, eliminating any confusion that customers might have regarding the applicability of different laws to different sectors.

If Sri Lanka does not enact a data privacy bill that covers the features covered in GDPR, all the Sri Lankan companies with European consumers will lose business because GDPR applies to all European citizens. Thus, an absence of data privacy law could act as a non-tariff barrier to trade. Consequently, Sri Lanka’s ability to gain much from its recently acquired EU GSP+ (Generalized Scheme of Preferences) status will be severely restricted. Such an unfavorable export climate might also affect foreign investment inflows negatively.

Therefore, it is imperative for Sri Lankan authorities to propose a thorough data privacy law that is in line with international standards, not just for the sake of protecting data privacy as a fundamental right but also to protect the country's economic interests.