Can we afford European privacy standards?

The EU’s new data protection law comes into force in May 2018. It will impact everyone. Are we ready?

On 25 May 2018, a new law will come into effect to strengthen and unify data protection for all residents within the 28 countries of the European Union (EU). It will also affect those outside the EU if they offer goods and services to, or monitor the behaviour of, EU residents. Some Lankan information technology (IT) companies, and those that accept online tourist bookings, will be covered by this scope.

Until now, each EU member country has been enforcing its own data privacy laws under the guidance of the 1995 EU Data Protection Directive. The new law, known as the General Data Protection Regulation (GDPR) 2016/679, supersedes all these. It not only harmonizes laws within the EU, but also broadens their jurisdictional reach worldwide.

The GDPR, approved by the EU Parliament on 14 April 2016, imposes strict new rules on controlling and processing what is known as personally identifiable information (PII). PII is any information related to someone that can be used to directly or indirectly identify the person (name, photo, email address, bank details, posts on social networking websites, medical information or computer IP address).

The GDPR applies to all organisations holding and processing EU residents’ personal data, regardless of these entities’ geographic location. In this sense, all foreign companies doing business with any single, several or all countries of that region come within the purview of this law.

The new law was adopted in response to the need for better privacy and data protection in the digital age. The European Commission says the GDPR is a key enabler of the Digital Single Market and the EU Agenda on Security.

“The reform will allow people to regain control of their personal data. Two-thirds of Europeans, according to a recent Eurobarometer survey, stated that they are concerned about not having complete control over the information they reveal online. Seven Europeans out of ten worry about the potential use that companies may make of the information disclosed. The data protection reform will strengthen the right to data protection, which is a fundamental right in the EU, and allow them to have trust when they give out their personal data,” says a press release issued by the EC.

Sri Lanka needs to address privacy and data protection for the sake of its own citizens, and not simply to remain eligible for trading with EU states. The GDPR adds a new sense of urgency to this gap in our rights

IMPLICATIONS BEYOND THE EU
The new rules give individuals more control over their personal data. They will have more information on how their data is processed, and this information should be available in a clear and understandable way. It will be easier to transfer personal data between service providers. Companies and organisations will be required to inform the national supervisory authority of serious data breaches as soon as possible so users can take precautions.

The GDPR’s harmonization of data protection regulations would make it easier for non-European companies to comply with these regulations (instead of having to deal with a patchwork of national laws). “However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of [a company’s] worldwide turnover,” says one of the many guides to the new law available online.

Writing on the GDPR, The Economist noted in early April 2018: “At nearly 100 articles long, it is too complex and tries to achieve too many things. The compliance costs for smaller firms, in particular, look burdensome. In addition, parts of the GDPR are out of step with America’s constitutional guarantee of free speech: a ‘right to be forgotten’ of the kind that the new law enshrines will not fly.”

Nevertheless, the law has already been adopted by the most powerful trading bloc in the world, with a GDP nearly as large as that of the United States. Companies have no choice but to comply. Although the enforcement date is imminent, many companies outside the EU are still not sufficiently aware how the GDPR applies to them.

That includes Sri Lanka’s outsourced data processing industry. Jayantha Fernando, a specialist in cyber laws and legal advisor to the ICT Agency of Sri Lanka (ICTA), has been highlighting this for some time. He says: “The GDPR is relevant to Sri Lanka from an outsourcing perspective – we will need to ensure the same level of protection for personal data and information as required by the EU. A lack of (domestic) legislation could become a non-tariff barrier for future outsourcing (to Sri Lanka).”

I T-BPM SECTOR
Information technology and business process management (IT-BPM) has emerged as a significant economic sector during the past decade. According to the Export Development Board (EDB), Sri Lanka’s ICT export revenue grew from $166 million in 2006 to $900 million in 2016 – making it the fourth-largest export earner. In the same year, the ICT-BPM industries provided employment for a skilled workforce of over 85,000.

Of course, not all IT-BPM companies handle outsourced data processing contracts from EU countries involving personal data. But some do, and they will need to comply with the GDPR from May 2018.And the EU’s new regulations can influence similar levels of data protection in other developed countries to which Lankan companies provide data processing services.

Samantha de Soysa, a lawyer who works as a legal consultant in foreign direct investment (FDI), banking and finance and ICT laws, wrote in an article in March 2017: “Companies that have no physical presence in the EU will also need to comply with the GDPR if they offer goods and services in the EU or monitor a data subject’s behaviour taking place in the EU.”

She added: “Also, the GDPR does not require all personal data to be kept within the EU. However, if the personal data travels outside the EU, the controller should ensure a level of protection similar to that in the EU for the data.”

In the context of the GDPR, a ‘data controller’ is the entity that determines the purposes, conditions and means of processing personal data, while the ‘data processor’ is an entity that processes personal data on behalf of the controller.

The new law requires all organisations that engage in large scale processing of sensitive personal data of EU residents to appoint a Data Protection Officer (DPO), says the official EU web portal providing public information and clarifications on this transition. It is located at https://www.eugdpr.org/.

The new law was adopted in response to the need for better privacy and data protection in the digital age. The European Commission says the GDPR is a key enabler of the Digital Single Market and the EU Agenda on Security

LANKAN RESPONSE?
How will the GDPR affect our IT-BPM industry? This is the question that needs urgent attention by both industry leaders and policymakers. ICTA’s Jayantha Fernando points out that the GDPR will usher in the ‘long arm enforcement’ – in this case, the EU region’s laws extending globally. While this may be inevitable in this era of globalization, the question arises: who is going to enforce it, and how? There are longstanding rules and norms of international jurisdiction that need to be satisfied before regulatory agencies and courts can exercise jurisdiction beyond their own territories.

Sri Lanka needs to address privacy and data protection for the sake of its own citizens, and not simply to remain eligible for trading with EU states. The GDPR adds a new sense of urgency to this gap in our rights.

The right to privacy is not specifically protected under our Constitution. We also do not have privacy laws (although under Roman Dutch law, the right to privacy is protected in a few specific instances).

Can the new Constitution include the right to privacy in its enhanced framework of fundamental rights?

Fernando recalls how the right to information (RTI) was first added to the Constitution (via the 19th Amendment, April 2015) before a dedicated new law was passed (RTI Act, June 2016). Can a similar approach work for privacy protection?

Another key decision to make: Which state entity should be tasked with implementing privacy protection laws and regulations, and under what terms?

“There is an ongoing discussion on this, but an issue we need to address (upfront) is who should be the ‘owner’ of data protection and privacy legislation in Sri Lanka? Is it the Justice Ministry, Media Ministry or Digital Ministry – or a combination of all three?” asks Fernando.

Finally, he wonders whether Sri Lanka should consider joining the only binding international treaty in this field – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as Convention 108? Initially developed by the Council of Europe in the early 1980s, it came into force in 1985 and has been signed by 50 states.