Sri Lankan Ministry of Digital Infrastructure and Information Technology (SLMDIIT) has announced that it has finalized a framework for a Data Protection Bill defining measures to protect personal data of individuals held by Banks,Telecom Operators, Hospitals and other personal data aggregating and processing entities. The ministry has set a 3 year time frame for implementation of the law.
The framework has adopted the populist format of defining the “Data Subject” and “Data Subject’s Rights”, “Data Controller/Processor” and “Transparency and Accountability measures to be followed by the Data Controller/Data Processor”, “Use of Consent”, “Setting up of an appellate authority for Data Protection”. etc.
According to the statement of the ministry, the drafting Committee had also taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation and laws enacted in other jurisdictions such as United Kingdom, Singapore, Australia and Mauritius, Laws enacted in the State of California as well as the Indian Bill, when formulating the said draft Legislation.
We may note that the Bill is silent on “Right to Forget” which indicates that some original thinking has also gone into the drafting.
However, unfortunately the Sri Lankan drafting committee has failed to understand the key innovation which Justice Srikrishna introduced in the Indian law which many of the observers fail to notice.
World over data protection practitioners are aware that “Consent” is the only instrument that links the “Privacy Choice” of an individual to the way the personal data is processed. However, in the online world, there is no way by which a consent can be fully “Informed” and a legally valid consent can be obtained. Most of the time consent is one step towards availing an online service and the data subject is in a hurry to click “I Accept” without reading the Privacy Statement/Policy offered for his perusal. Most such consents contain excessive permissions and the data subject is not capable of understanding and responding with a calibrated permission.
In other words the system of “Consent as an instrument of expression of Privacy Choice” of an individual has failed. Putting complete faith on Consent is therefore a mistake that GDPR committed, Indian Bill avoided and Sri Lankan Bill failed to take note of.
The PDPB/A ( Draft Bill of -Personal Data Protection Act) presently in discussion in India and drafted by Justice Srikrishna has redefined the relationship between the Data Subject and the Data Controller as one of Data Principal and Data Fiduciary.
I am aware that many observers blinded by the GDPR glare have failed to notice the impact of this subtle change in the terminology which has been supplemented in the Bill elsewhere with the words “Any person processing personal data owes a Duty to the Data Principal to process such personal data in a fair and reasonable manner” and Naavi may at present be the only person in India highlighting this key provision of the Bill. However, we are sure that the import of this difference between PDPB/A and GDPR will be realized by the industry in due course and will be interpreted properly to incorporate the following three principles.
1. “that the Data Fiduciary and the Data Processor will have a responsibility beyond the consent to take such steps as are fair and reasonable to protect the privacy of the individual”
2.”that the Errors and Ommisions as well as the Misrepresentations and Wrong perceptions that can creep into the written consent are not the final binding contractual instructions of the Data subject to the Data Fiduciary”
3. ” that the Data Fiduciary/Processor is bound to exercise due diligence in the interest of the Data Principal to protect his Privacy beyond the apparent expression of desire of the data principal in the consent instrument”.
Sri Lanka had the advantage of adopting a similar posture in its draft bill which it has failed to do. This is a disappointment.
There is however one other element of the Sri Lankan media release which attracts attention and has relevance to India.
The media release states
“The accountability obligations would require the Controllers to implement internal controls and procedures, known as a “Data Protection management Program”, in order to demonstrate how it implements the data protections obligations imposed under the Act.”
I specially note the words “Data Management” used in this sentence either with purpose or otherwise instead of some thing similar to “Information Security Practice” or “Security Safeguards” etc.
In India, having spoken of the “Security Safeguards” under section 32, we are now separately discussing the “Data Governance Framework” for which another committee has been formed by the Government.
The Sri Lankan statement indicates that it has directly jumped from “Information Security Management” halfway to “Data Management” by recognizing the need for “Managerial Approach to Data Security” instead of the “Technical Approach”. I accept that what Sri Lanka means is nothing different from ISMS and not Data Governance.
But the use of the word “Management” draws attention to the need to look at Data Protection as part of an overall Data Governance System of which Data Security is one part. Security of Personal Data Protection is a sub part of Data Security itself which should apply to “All Data”.
“All Data” relates to Corporate Data, Anonymized Data, IoT generated data etc and without managing the Data in general an enterprise cannot get into securing the data.
Further, with more and more countries coming up with their own regulations, an enterprise is likely to be confronted with a need to be compliant with a boquet of data protection laws.
The PDPSI (Personal Data Protection Standard of India) has captured this requirement already by introducing a Data Classification system where the “Applicable Law” will be a parameter of the tag to be associated with a “Personal data set”.
The details of the data classification system recommended under PDPSI can be found here
Naavi has therefore suggested that in order to implement any Data Protection regulation, it is essential to first identify the applicable law and ensure that data is kept in appropriate silos where the relevant law can be applied. Mixing up the data would not be an efficient way of complying with the law.
Along with the Data Classification suggestion as above, PDPSI has also adopted several other measures of “Data Management” such as identifying “Internal Personal Data Gate Keepers and Controllers”, “Grievance Redressal mechanism” etc.
It is for this reason that PDPSI has already recognized the importance of “Data Governance” as the key requirement of Data Protection and is ready for the implementation of the Data Governance Framework.
Sri Lanka could have taken note of such developments and refined its regulation and made it even better than the Indian draft.
Hopefully with the further developments in India when the Bill gets passed into an Act, the Sri Lankan draft Bill will also undergo corresponding changes and be better than what it now is.