Photo courtesy of Gowling WLG
With the misuse of laws, such as the International Covenant on Civil and Political Rights (ICCPR), which aim to protect the rights of citizens but are in fact used to stifle them, the government is adding to the list by introducing a new law called Personal Data Protection Act.
The ICCPR was introduced to protect the rights of people all over the world, but in Sri Lanka it has been used to suppress anti-government sentiment and restrict freedom of expression. This is why, when a new law is passed, it has to be reviewed time and time again, no matter how well the government claims it protects public rights.
Selling or leaking citizens’ personal data for commercial and political purposes is a long-standing tradition. While it is necessary to protect the personal data of citizens, the arbitrary and ill-informed adoption of laws with the aim of allowing governments and government agencies to infringe on the rights of citizens makes it a double-edged sword.
Although the drafting of the Personal Data Protection Bill began years ago, the draft was only published last year. The bill was introduced in Parliament by Prime Minister Mahinda Rajapaksa on January 20. However, although the draft was published in the Official Gazette at that time, it was not published on the website until January 25. The project is a technically complex document that is difficult for people to understand. Many civil society organizations remained silent, thinking it was a tool to protect citizens’ rights. Although some organizations wanted to challenge the bill, only two days were given to file challenges. The Young Journalists Association of Sri Lanka filed an online petition with the Supreme Court on the evening of January 27, but it was dismissed without a technical hearing.
Those who drafted this bill from the comfort of their air-conditioned offices and those who have reviewed it and found no flaws in the bill that has been introduced have missed three main areas of concern. The first is the creation of a non-independent data protection authority. If the bill had been introduced with good intentions, at least the provisions to make the Data Protection Authority an independent institution could have been included. Failure to do so raises serious doubts about the goodwill claimed here.
According to the current bill, the minister in charge of the subject has the power to appoint any existing government institution as a data security authority, which means that a new authority will not be established and an existing institution will be transformed into a data protection authority. In this case, it will not be an independent institution. According to the law, the Data Protection Authority will have the power to receive complaints, conduct investigations and impose fines of up to 10 million rupees per charge.
If there are two offences, the agency has the power to impose a fine of up to 20 million rupees. If the same offense is committed twice, the fine may be doubled. And if there were five offenses at first instance, a maximum fine of Rs 50 million could be imposed.
Another serious problem with the law is that if an appeal is made to the Court of Appeal against a fine imposed by the authority, an amount equal to the fine previously imposed must be deposited in cash with the Registrar of the Court of Appeal. ‘call. The Data Protection Authority Bill did not have this condition when it was first introduced last year, but it was in the version that was presented to Parliament. One must ask whether the new additions to the bill in the version presented to Parliament show that the law is presented in good faith.
The next problem with the bill is that some of its provisions undermine the provisions of the Right to Information Act (RTI). In the event of a discrepancy with another law, the prevailing Data Protection Authority law will significantly affect the effectiveness of the RTI law.
The third problem is that this bill seriously hinders the activities of journalists. In other countries, the provisions of data protection laws exempt its use when related to the right to freedom of expression and the work of journalists, but there is no such provision in the law. from Sri Lanka. Although there is a somewhat relevant provision, it obliges the Data Protection Authority to determine its applicability.
If the bill goes into effect without any amendments, it will go beyond ICCRP by allowing government agencies to violate civil rights.