Untitled-12Answering to a question from Daily FT about the progress of the Data Protection Act, ICTA’s Legal Adviser Jayantha Fernando said
that the implementation of the much-talked act looks very positive with the enactment of the Right to Information Act in the Parliament.

“The discussion has been going on for many years. It also weighs on the discussion associated with the Right to Information. In many countries, we have seen data privacy legislation had to be accompanied with the other side of the coin, mainly the right to information as a principal framework. Having said that, bigger issue to be dealt from a policy perspective which is beyond any of us is the need to have an administrative framework to regulate and monitor data protection norms that are followed in government and private sector,” said Fernando.

He said that Sri Lanka didn’t rush to implement the act in the first place because they were progressively examining how other countries made strides to implement it.

“Over the years, traditionally we have seen the lack of resources being a constraint in setting up infrastructure to implement data protection in many countries across the globe. We were behind and in a way it was good for us because it gave us an opportunity to learn lessons of other judicial boards and recently we saw that the entire EU data protection regime was modified and a new set of regulations were adopted in May 2016. If we had rushed several years ago, we would have been changing a set of statutory models now for data protection.”

In 2014, Fernando admitted that the Data Protection Actwas the only stake that had a gap in implementing.

“In the legal gamut of things, data protection is the only pillar we have a gap. At the moment, there is no specific law for data protection but there is protection for information in networks that is specifically addressed under the Computer Crimes Act. Very often, people out there who manage networks and collect information from customers are not aware of the fact that putting information into databases and sharing that information while breaching an internal company policy are constituted to offense under the Computer Crimes Act. Having said that; still there is a gap in the data protection and privacy area which is being addressed right now,” said Fernando at that time.

However, the Right to Information Act has opened the platform again for the Data Protection Act and Fernando believes the right time has come for the implementation.

“I am happy that we waited for a while but now it is the time for us to open the subject again and it is even more relevant because on 5 August, the Right to Information Act (Act No. 12 of 2016) was certified and signed by the speaker. Even that the Right to information Act statute enacted by the Parliament; it also establishes an Information Commissioner’s Office so that there is an opportunity now for us to enter the data protection debate and see what norms and practices in terms of law we should adopt and the institutional frameworks we should bring in. We need to also look whether we could make use of Information Commissioner’s Office to take additional requirements to monitor and implement the act soon,” he said to Daily FT.