Photo courtesy of Economic Times
Sri Lanka has been forefront in the South Asian region in the battle of technology and innovation. While protecting the privacy and data flow across online, it passed the Personal Data Protection Act No. 9 of 2022 (PDPA) in parliament, which was certified by the speaker on March 19, 2022.
The Act should ensure the trust, reliability and authenticity of the information flow across the digital spaces and influence the growth of electronic commerce and multinational cross border investments by strengthening the sphere.
This article will unpack the issues surrounding digital sovereignty in the application of the PDPA and focus on its practical application, examining how the concept will be contested among the government and private platforms and how this will affect the users who are the data subjects.
Sri Lanka has always been scrupulous in its lawmaking standards. Several laws such as the ICCPR Act, the Computer Crimes Act and the Prevention of Terrorism Act demonstrate this commitment. Although these regulatory frameworks were crafted with genuine objectives, prior consultations and rational inputs, there have been significant issues with the application of these laws. The implementation processes have often been absurd, indefinite and contrary to the rule of law, resulting in the weaponization of the public.
Data is the backbone of the individual. Extensive misuse or abuse of data could lead to severe impacts on human rights, democracy, good governance and the individual’s mental and psychological wellbeing.
The concept of data sovereignty itself is a complex one; sovereignty means the supreme power or authority to control. Digital sovereignty is the application of traditional sovereignty to the digital realm broadly covering areas such as data flow, filtering technologies and online censorship measures. Digital sovereignty involves regulations that extend beyond a country’s citizens to include multiple or foreign jurisdictions and actors, including private platforms, which makes it more complex and challenging to exercise sovereignty online. Data sovereignty is one concept under this broader umbrella. However, digital and data sovereignty are closely connected and influence each other.
China protects digital sovereignty, battling against and boycotting major US based private platforms, by establishing the Great Firewall of China, which blocks access to certain content for users in China. The Chinese approach has been criticized for invading fundamental norms, internet freedom and individual rights, which some argue is contrary to the concept of sovereignty. Digital sovereignty provides China with significant strength in data protection within its sphere.
From a global governance perspective, the concept of sovereignty is crucial in the digital era. Scholars point out that the internet has challenged traditional notions of sovereignty as platforms and internet services operate cross border and function globally. Anupam Chander and Haochen Sun argue that major tech giants like Google, Meta, and X wield enormous power over individuals, surpassing even that of the state. Consequently, state sovereignty is often rendered powerless as it is invaded or sometimes completely overridden without the authority to regulate or control these internet giants.
Ethnic conflict in Sri Lanka arose in the Ampara District on February 26, 2018 and spread to the Kandy District lasting until March 10, 2018. These riots were characterized by violence targeting the minority community throughout the country, exacerbated through the content shared in the social media platforms across the country. Similarly, on April 21, 2019, a series of coordinated bombings on Easter Sunday targeted Roman Catholic churches and luxury hotels, resulting in over 200 deaths and hundreds more injuries. Much of the content disseminated on social media platforms such as Facebook, Twitter, and YouTube promoted violence, defamation, misinformation and extremist ideologies.
A 2018 probe report commissioned by Facebook (Meta) indicated and apologized that a video spreading misinformation may have contributed to the unrest and to physical harm during the ethnic tensions.
During these periods of unrest, the government attempted to exercise its sovereignty by implementing social media shutdowns for users within the country. Unfortunately, this approach primarily targeted users rather than addressing the platforms themselves. This strategy was more of a defensive measure rather than an effective exercise of sovereignty as it failed to address the root causes of the issue and was easily circumvented through Virtual Private Networks (VPNs). These experiences highlight Sri Lanka’s challenges in enforcing digital sovereignty as a developing country and an emerging market. Such measures have faced significant criticism for posing serious threats to human rights, as exemplified by the recent case of Anuradha Bhasin v. Union of India, which underscored the implications of digital restrictions on fundamental rights.
Sri Lanka appears to be strengthening its regulatory framework for digital governance through measures such as the Online Safety Act (OSA) and the PDPA. The new PDPA encompasses a range of provisions aimed at protecting data subjects and the rights of the country’s citizens. Nevertheless, it is crucial that these provisions are implemented with its original intentions, ensuring sovereignty over personal data without using them as a tool for suppressing platforms or data processors from an authoritarian perspective, as seen in India’s approach against X (formerly Twitter) in 2021. While major platforms act as data controllers and processors, regulatory measures should not be weaponized to silence these platforms under the guise of data sovereignty.
The measures aimed at asserting sovereignty in the digital sphere have a dual impact, both protecting and affecting internet users from the perspectives of user experience and rights. While the operations of major platforms have often exceeded the sovereign boundaries of states or governments, there has been a lack of adequate regulations addressing core values. Therefore, if governments are to regulate the digital ecosystem, it must be done with proper checks and balances. Without such oversight, regulatory measures could either safeguard or repress online users. In some cases, this could lead to government interference with internet services, disrupting the free flow of information – an essential component of a democratic society.
One of the examples, countries, particularly from the Global South, often resort to internet shutdowns when platforms do not comply with legal standards, viewing this as a means to extend their sovereignty over the internet space. However, this approach can also serve as a mechanism for censoring information and news disseminated on these platforms. For example, the Russian government banned Facebook and promoted VKontakte as the preferred social platform within its jurisdiction. That is why the US believes that deregulation will effectively facilitate the free flow of information and data across the world.
In advocating for data sovereignty, Western countries and major powers such as China and Russia are increasingly adopting data localization policies, which mandate that data be stored and processed within the borders of the country where it was collected. Data localization reduces complexities related to data sovereignty by eliminating the need for cross border litigation and applications, as data remains within the local jurisdiction. This concept is attracting interest from many developing countries as well. For instance, South Africa introduced its “National Data and Cloud Policy” in 2021, which mandates data localization, announcing, “.. data generated in South Africa shall be the property of South Africa, regardless of where the Technology company is domiciled….”
For Sri Lanka, as a developing market, achieving a similar level of data governance will likely take years.
Sri Lanka has marked a significant milestone with the introduction of the PDPA. However, it is important to remember the country’s historical approach to human rights, both online and offline, often characterized by heavy handed measures, as seen with the PTA and the provisions of the OSA. Given these historical precedents, the application of the PDPA should be carefully managed to ensure that it upholds data protection mechanisms while genuinely supporting data sovereignty.
There should be a robust and comprehensive mechanism to address the extraordinary power wielded by internet platforms, which often operate with minimal oversight. For a country with a small user base, limited revenue generation and less market influence, especially from the Global South, this is crucial. The PDPA has established a strong foundation in this regard. While trade policies and agreements may impact the application of the PDPA to the corporations (platforms), it is essential to ensure that the framework upholds the principles of an open internet without overstepping its bounds. The effectiveness of the PDPA will largely depend on the role of the Data Protection Authority, as it will be pivotal in navigating the balance between safeguarding data and maintaining internet freedoms.