Data protection rules have become an increasingly important legal regime in the information age, where personal data has become a significant asset for many companies, especially those operating over the Internet. However, in a connected global economy, national data protection rules can be easily circumvented, leading to the loss of protection granted to data as it is transferred out of the jurisdiction. In an attempt to prevent such circumvention, the EU data protection regime contains provisions controlling the transfer of personal data to non-EU countries, such as Sri Lanka.

The Data Protection Legislation will be implemented in stages. The entire legislation will come into operation within a period of three (03) years from the date the Speaker certifies the Bill. This would provide sufficient time for the government and the private sector to take adequate steps to implement this legislation. The Data Protection Authority is required to be established within 18 months.

This legislation imposes several obligations on those who collect and process personal data (referred to as "Controllers" and "Processors"), and it grants a new set of rights to citizens under this new legislation, known as the "Rights of data subjects."

For instance, personal data could be collected only for a specified purpose and not for any other purpose that is incompatible with the said purposes. However, processing data in the public interest, scientific or historical research will not be considered incompatible. Personal data has to be processed in a manner that ensures appropriate security, including protection against accidental loss, destruction, or damage.

Data subjects (individuals) will have the right to withdraw their consent given to Controllers and will also have the right to rectify the data without undue delay. Further, the Data Subjects have been given the right to object to the processing of their data. These rights of data subjects can be exercised directly by individuals with the Controller, who are required to respond within a defined time period and are obliged to give reasons for refusing to meet the request or reasons why the Controller would refrain from further processing the said data. The individual has the right of appeal against the decision of the Controller to the Data Protection Authority.

Although the original Framework had provisions for the mandatory registration of Controllers, this requirement has been removed in the latest version. Instead, the Drafting Committee has deliberated and introduced specific and comprehensive transparency and accountability obligations on Controllers. The accountability obligations would require the Controllers to implement internal controls and procedures, known as a “Data Protection management Program,” in order to demonstrate how they implement the data protection obligations imposed under the Act.

The Legislation also prohibits Controllers who process personal data from sending unsolicited messages unless individuals have given express consent. Provisions have also been included to deal with relationships between controllers and third parties who process personal data on their behalf.

Importantly, administrative penalties have been introduced with a ceiling instead of fines calculated on the global turnover of the controllers.

The Drafting Committee had also taken into account international best practices, such as the OECD Privacy Guidelines, APEC Privacy Framework, Council of Europe Data Protection Convention, EU General Data Protection Regulation, and laws enacted in other jurisdictions such as the United Kingdom, Singapore, Australia, and Mauritius, as well as laws enacted in the State of California and the Indian Bill, when formulating the said draft Legislation.

The Information and Communication Technology Agency, in partnership with other entities, conducted two rounds of stakeholder discussions. In addition, targeted group discussions were held with other stakeholder communities, including Bank Chief Information Officers, the Health Informatics Unit of the Ministry of Health, and representatives of the Right To Information Commission. Additionally, the proposed legal framework was reviewed by an Independent Review Panel led by Hon. K. T. Chithrasiri, former Justice of the Supreme Court of Sri Lanka, and Prof. Savithri Goonesekera.

The Data Protection Drafting Committee was led by Jayantha Fernando (Chair/Convenor) and comprised Yamuna Ranawana and Thushari Vitharana (Legal Draftsman’s Dept), Kanchana Ambahawita and Niluka Herath (Central Bank of Sri Lanka), Sunali Jayasuriya (ICTA), Sanduni Wickramasinghe (Mobitel), Trinesh Fernando and Shenuka Jayalath (Dialog PLC).

Personal Data Protection Act No: 09 of 2022

English
Sinhala
Tamil


Simplified Note on the Data Protection Act
Versions of the Data Protection Bill

The most relevant legislation for the use of ICT in government and the establishment of e-government services is the Electronic Transactions Act No. 19 of 2006. The drafting of Electronic Transactions legislation was enabled through a joint Cabinet Memorandum of the Prime Minister, the Minister of Trade and Commerce, and the Minister of Science and Technology. Consequently, on 22 September 2004, the Cabinet of Ministers decided that legislation on Electronic Transactions should be prepared through the Legal Draftsman’s Department in conjunction with ICTA. The legislation was prepared by the Legal Draftsman with legal and policy inputs from ICTA and presented to Parliament on 7th March 2006. The Electronic Transactions Act was brought into operation with effect from 1st October 2007 (vide Gazette Extraordinary No. 1516/25 of 27th September 2007).

The Electronic Transactions Act No. 19 of 2006 is based on the standards established by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Commerce (1996) and Model Law on Electronic Signatures (2001).

The act was amended in 2017 to harmonize the Sri Lankan Electronic Transactions Legislation in line with the UN Electronic Communication Convention (UN ECC), the only international standard for e-commerce legislation. Sri Lanka became the first country in South Asia and the second country in Asia (after Singapore) to become a state party to the UN ECC. During the drafting of the UN ECC, Sri Lanka was represented by ICTA and the Legal Draftsman’s Dept.

The Amending Act No. 25 of 2017 will ensure greater legal certainty for e-commerce and e-business providers who wish to use Sri Lankan law as the applicable law and ensure international validity for electronic contracts. This will create greater trading opportunities for Sri Lankan SMEs with state parties to the UN ECC. In addition, it would also bring clarity and predictability to the legal value of the use of electronic communications in cross-border trade with other Contracting States.

It will also ensure legal validity for other international legal instruments as well as cross-border funds transfers, including the enforceability of Foreign Arbitration Awards, enhancing the ability of Sri Lanka to fast-track its move towards paperless trade facilitation through a single window platform. In the future Arbitration, awards can be enforced in paperless form with ratification of the UN ECC, creating an opportunity for Sri Lanka to be a hub for electronic commerce and business dispute resolutions and arbitrations. In addition, the new legislation will improve trust, confidence and legal certainty for all types of business transactions using electronic means, thus improving competitiveness and the ability to do business with greater efficiency.

Sri Lanka also has an advanced inter-bank payment and settlement system facilitating immediate bank-to-bank transfers carried out in a secure manner using electronic signatures. This is supplemented by two mobile payment licensed operators (Dialog’s “Ez-cash” and Mobitel’s M-cash), which facilitate mobile commerce and peer-to-peer payment options (persons-to-person transactions). Recently, the Central Bank of Sri Lanka formulated a mechanism for e-commerce payment providers to use multiple payment options for e-commerce/ Business transactions, within the current regulatory framework (e.g.:- recent approval for “Pay-Here”). These payment options can be used to enhance trade, commerce, and business using the new Electronic Transactions Amendment.

Based on the UN ECC, the Amendment Law defines the time and place of dispatch and receipt of electronic communications between contracting parties, tailoring traditional contract rules to transform into the digital era. The Amendment also allows for the enforceability of contracts entered into by automated message systems, formed without human intervention.

The amendment has also improved processes for the delivery of Services by Government entities and Courts. For instance, Section 8 of the Electronic Transaction Act has facilitated many Electronic Government Transactions and helped improve efficiency (e.g.: eVisa at the Department of Immigration and Emigration, e-Revenue Licenses at the Department of Motor Traffic, payment of rates and taxes online at Municipal Councils, etc.).

The new amendment will strengthen the existing provisions to move government transactions to the digital era, through the use of stronger and more secure electronic-based authentication methods for all categories of Government transactions, including electronic tax filings, e-procurement, and other revenue-based transactions. These transformations could be done by formulating Regulations under the Electronic Transactions Act, based on the cross-cutting provisions in the new Amendment.

The 2017 Amendment will also facilitate the use of biometrics-based authentication technologies to ensure the effectiveness of digital certificates and other forms of Digital IDs. The new definition of “Electronic Signatures” in the amending law is broad and futuristic enough to cover all new forms of authentication methods in the digital era. The Amendment also provides a liberalized regime for the use of Electronic Signatures and a governance framework to ensure interoperability between authentication technologies.

Another unique feature of the Amendment is that it facilitates the electronic filing of any application, petition, plaint, answer, written submission, or any other document in any Court. This would enhance the ability to adopt e-filing in original Courts, which are not governed by Supreme Court and Appellate Procedure Rules.

Based on this Act steps could now be taken by government organizations to provide services by electronic means as well as to retain data and information in electronic form.

The Convention aims to enhance legal certainty and commercial predictability where electronic communications are used in relation to international contracts. It addresses the determination of a party’s location in an electronic environment; the time and place of dispatch and receipt of electronic communications; the use of automated message systems for contract formation; and the criteria to be used for establishing functional equivalence between electronic communications and paper documents – including “original” paper documents – as well as between electronic authentication methods and hand-written signatures.

With the rapid adoption of Digital Commerce and the introduction of e-government in the country, it is expected that electronic transactions will grow substantially in the coming years. However, this also raises the probability of identity theft, financial fraud, and other security breaches resulting in the loss of trust and confidence in Digital Transactions.

To address aforesaid it is necessary to establish a national framework that defines legal, administrative, and technical regulations for granting, managing, and enforcing the use of digital certificates to establish the identities of those who originate e-services to minimize fraud. The Electronic Transactions Act No., 19 of 2006 gives provides legal recognition for Electronic Signatures – including Digital certificates.

The use of Electronic Signatures through technologies such as “Digital Certificates” enables users to achieve confidentiality and integrity using the public key cryptosystem and hash function. The issuing of digital certificates is done through duly recognized certificate service providers (or Certifications Service Providers – “CSP”s), as per the provisions of the Electronic Transactions Act No. 19 of 2006 (as Amended).

The National Certification Authority (NCA) is the overall governance as well as the standard-setting body functioning under the aforesaid Act, which is required for the smooth and effective functioning of Certification Service Providers (CSPs). Chapter IV of the Electronic Transactions Act No. 19 of 2006 provides for the establishment of a nationally recognized body to perform the function of the NCA.

By Order published in the Gazette on 24 September 2013 ICT Agency of Sri Lanka was designated as the NCA. ICTA is primarily responsible for the implementation of the Act and the Sri Lanka CERT (which functioned earlier as a subsidiary of ICTA) was authorized by ICTA to carry out the operational functions of NCA. Equipment and software for the establishment of NCA were purchased by ICTA under the “e-Sri Lanka Development Program”.

The NCA Task Force was established in 2011 jointly by ICTA and the Central Bank of Sri Lanka and was Co-chaired by the Director/ Legal Advisor of ICTA and an assistant governor Central Bank.

On 1st August 2018, Sri Lanka CERT was established as a separate Legal entity under the Ministry. Thereafter the operations NCA was transferred from ICTA to Sri Lanka CERT. Consequently, by Gazette Extraordinary, 2147/58, dated 30th October 2019, the Sri Lanka Computer Emergency Readiness Team (Sri Lanka CERT) has been designated as the Certification Authority under section 18 of the above Act to perform the functions of the NCA.

Under the Electronics Transactions (Amendment) Act, No. 25 of 2017 – the Task Force is required to established to manage and administer the National Certification Authority (NCA), having regard to the qualifications and experience as well as the need to represent relevant stakeholders, to ensure its proper administration. This Task Force is independent of the Operations of NCA.

To enhance the operations of NCA and make sure that certificates issued under NCA are recognized internationally, including with web browser vendors (Browser forum), NCA seeking to be WebTrust standard certified and the Root Certificate was launched on 14th February 2020.

Electronic Transaction Act
Electronic Transaction Act Regulations 1
Electronic Transaction Act Regulations 2
More details on National Certification Authority

The Computer Crimes Act No. 24 of 2007 provides for the identification of computer crimes and stipulates the procedure for the investigation and enforcement of such crimes. The Bill was presented in Parliament and debated on 23rd August 2005 and thereafter extensively revised by the Parliamentary Standing Committee “B”. It was enacted as legislation in May 2007 and certified by the Speaker of Parliament on 9th July 2007.

The basis of the Computer Crimes Act No. 24 of 2007 is to criminalize attempts at unauthorized access to a computer, computer programme, data or information. It also contains a provision to deal with unauthorized use of computers regardless of whether the offender had authority to access the computer.

The Act creates offenses for unauthorized modification, alteration or deletion of information and denial of access, which makes it an offense for any person to program the computer in such a manner so as to prevent authorized persons from obtaining access. Other offenses sought to be created under the proposed Act include causing damage or harm to the computer by the introduction of viruses and logic bombs etc, unauthorized copying of information, unauthorized use of computer service and interception of a computer programme, data or information while it is been transmitted from one computer to another.

The Act introduces a new regime for the investigation of offenses. Provisions have been made in the Act to designate a panel of ‘Experts’ to assist the Police in the investigation of computer crime offenses.

On September 1, 2015, the Council of Europe Convention on Cybercrime (ETS 185 of 2001), often referred to as the “Budapest Cybercrime Convention”, or “Cybercrime Convention” in short, entered into force in Sri Lanka. This is a historic achievement, because Sri Lanka becomes the first country in South Asia (and only the second Asian country, after Japan) to become a state party to this Convention. Philippines and Singapore are yet to complete the accession procedure, although they attend the Convention Committee as observer and ad-hoc observers, respectively.

Budapest Cybercrime Convention is the only International Treaty that facilitates international cooperation and gives countries the ability to obtain electronic evidence stored on computer systems and networks in another country. The Convention greatly enhances the gathering of electronic evidence, as well as the investigation of cyber laundering and other serious crimes. Accession to this Convention significantly enhances the ability of Sri Lanka to carry out successful investigations of cybercrime offences, by gathering electronic evidence from state parties to the Convention. It will also help in law enforcement and judicial cooperation at international level, while ensuring adherence to human rights safeguards in the investigation process, a hallmark of this convention, made applicable amongst all parties to this Treaty.

Sri Lanka’s accession to this Convention was the fastest in the Council of Europe. This was possible due to the provisions contained in the Computer Crimes Act No. 24 of 2007 and several policies adopted in recent times, aligned with the Convention. Prior to Sri Lanka’s accession, there was an assessment of our country’s cybercrime legislative framework. The assessments carried out by the Council of Europe focused on the manner in which Computer Crimes offenses were investigated (especially under the Computer Crimes Act and applicable procedural law). One key assessment was the adequacy of safeguards to match the Council of Europe standards. Sri Lanka was found to have safeguards consistent with the Convention standards and the “unanimous approval” of all state parties was obtained before Sri Lanka could be invited to Accede to the Convention.

Computer Crimes Act

The objectives of the proposed Cyber Security Act are to ensure the effective implementation of the National Cyber Security strategies and policies in Sri Lanka, prevent, mitigate, and respond to cyber security threats and incidents effectively and efficiently, to establish the Cyber Security Regulatory Authority of Sri Lanka and to empower the institutional framework to provide a safe and secure cyber security environment while protecting the Critical Information Infrastructure. The cyber security Bill will be submitted to the parliament in this year to establish the Act.

As regards the protection of intellectual property rights (IPR), the Intellectual Property Act no. 36 of 2003 replaced the Code of Intellectual Property Act no. 52 of 1979. The IP Act of 2003 contains several new features for the protection of software, trade secrets, and integrated circuits. (Refer to Sections 0204 and 0205 of this document for details)

Information and Communication Technology Act No.27 of 2003
Intellectual Property Act No. 36 of 2003 (Sections related to Copyright)
Electronic Transactions Act No. 19 of 2006
Computer Crimes Act No. 24 of 2007
Payment And Settlement Systems Act, No. 28 of 2005
Payment Devices Frauds Act No.30 of 2006
Mobile Payment Guidelines – 13_mobile_payment_2011_1e
Mobile Payment Guidelines – 14_mobile_payment_2011_2e
Electronic Payments to Government Institutions PF447E
Electronic Payments by Government Institutions 02_2013E
Use of Electronic Documents and Electronic Communication for Official Use -Circular
Use of E-Mail and ICT in general in Government Business