Photo courtesy of Gowling WLG
With the misuse of laws, such as the International Covenant on Civil and Political Rights (ICCPR), which are aimed at protecting the rights of citizens but are actually used to stifle them, the government is adding to the list by bringing in a new law called the Personal Data Protection Act.
The ICCPR was brought in to protect the rights of the people all over the world but in Sri Lanka it has been used to suppress anti-government sentiment and curtail freedom of speech. That is why when a new law is passed, it should be looked at numerous times no matter how much the government claims that it protects public rights.
It has been a long standing tradition to sell or leak citizens’ personal data for commercial and political purposes. While there is a need to protect personal data of citizens, the arbitrary and ill-informed passing of laws with the intention of enabling governments and government agencies to infringe upon citizens’ rights makes this a double edged sword.
Although the drafting of the Personal Data Protection Bill began years ago, the draft was released only last year. The bill was introduced to Parliament by Prime Minister Mahinda Rajapaksa on January 20. However, although the draft was gazetted then, it was published on the website only on January 25. The draft is a technically complex document that is difficult for people to understand. Many civil society organizations remained silent, thinking that this was a tool to protect the rights of citizens. Although some organizations wanted to challenge the bill, only two days were allowed for challenges to be filed. The Sri Lanka Young Journalists’ Association filed an online petition in the Supreme Court on the evening of January 27 but it was dismissed without any hearing on a technicality.
Those who drafted this bill in the comfort of their air conditioned offices and those who examined it and found no fault in the bill that was presented have missed three primary areas of concern. The first is the establishment of a non-independent data protection authority. If the bill had been brought in with good intentions, at least the provisions for bringing in the Data Protection Authority as an independent institution could have been included. The failure to do so raises serious doubts about the goodwill claimed to be here.
According to the current bill, the Minister in charge of the subject has the power to name any existing government institution as the Data Security Authority, meaning that a new authority will not be established and an existing institution will be transformed into a data protection authority. In that case, it will not be an independent institution. According to the Act, the Data Protection Authority will have the power to receive complaints, conduct investigations and have the power to impose fines of up to Rs.10 million per charge.
If there are two offenses, the agency has the power to impose a fine of up to Rs.20 million. If the same offense is committed twice, the fine can be doubled. And if there were five offenses in the first instance, a maximum fine of Rs.50 million could be imposed.
Another serious problem with the act is that if an appeal is made to the Court of Appeal against a fine imposed by the authority, a sum equal to the fine previously imposed must be deposited in cash with the Registrar of the Court of Appeal. The Data Protection Authority Bill did not have this condition when it was first introduced last year yet it appeared in the version that was presented to Parliament. Questions need to be raised whether the new additions to the bill in the version presented to Parliament show the act as something presented in good faith.
The next issue in the bill is that some of its provisions undermine the provisions of the Right to Information (RTI) Act. In the event of a discrepancy with another act, the Data Protection Authority Act having precedence will to a large degree affect the effectiveness of the RTI act.
The third problem is that this bill severely hinders the activities of journalists. In other countries, provisions of the Data Protection Acts exempt its use when related to the right to freedom of expression and the work of journalists but there is no such provision in Sri Lanka’s act. Although there is a somewhat relevant provision, it requires the Data Protection Authority to determine its applicability.
If the bill goes into effect without any amendments, it will go beyond the ICCRP act in allowing government agencies to violate civil rights.