Thanuki Goonesinghe, Technology Lawyer and Founder of the Tech Circle, intrinsically believes Sri Lanka needs more public dialogue on the intersection of law and technology. We sat down with her at a critical juncture in which Sri Lanka is undergoing the gradual implementation of the Personal Data Protection Act (PDPA) of 2022 – the first of its kind in South Asia – and the less revered, nebulous legislation that was passed this year: the Online Safety Act (OSA). The latter was passed despite official warnings against its implementation, made by internet search providers and advertizing services such as Google, Meta, X and eBay over its “unworkable” nature and potential to “undermine” the growth and foreign direct investment coming into Sri Lanka’s digital economy.
A survey conducted in November 2023 found that over 70% of Sri Lankans were unaware of the Online Safety Act, at the stage that it was a bill. At this critical juncture, Sri Lankans must gauge the growing importance of legislation concerning technology use and the potentially wide-ranging effects they may have on their day-to-day lives, in the age in which digital sits front and centre.
In this sit-down, we attempt to dissect the positives of the incoming Personal Data Protection Act, its counterparts in other countries and its odds of existence against the nebulously vague, Online Safety Act.
The Personal Data Protection Act (PDPA) of 2022
The implementation of this Act, which is notably the first of its kind in South Asia, sets a precedent for data protection regulations in the region. Drawing inspiration from the European Union’s General Data Protection Regulation (GDPR), Sri Lanka’s Act underwent extensive public consultations, involving stakeholders from various sectors. Unlike the Online Safety Act, which lacked such inclusivity and consensus, this approach garnered recognition and showcased Sri Lanka’s commitment to establishing legal frameworks for digital innovation.
The Act’s implementation follows a phased approach similar to the GDPR, albeit with a broader scope. While the GDPR primarily focuses on rights-based principles of data protection, Sri Lanka’s Act emphasizes different objectives. The preamble of the Act underscores the country’s aspirations to facilitate growth and innovation in the digital economy while safeguarding personal data rights. This strategic approach aligns with Sri Lanka’s vision to attract investment, facilitate cross-border data flows, and enhance digital innovation.
Comparatively, the drafting process of Sri Lanka’s Act reflects a collaborative effort drawing from various international guidelines and legislation. Sri Lanka’s Act draws inspiration from OECD privacy guidelines, the Asia-Pacific Economic Cooperation Privacy Framework, and other global standards. This localization effort, spearheaded by individuals like Jayantha Fernando, aims to adapt global principles to the Sri Lankan context, fostering a privacy-conscious culture.
Distinct provisions in the Act, such as the mandate for a data protection management programme, set Sri Lanka’s legislation apart. This requirement, absent in the GDPR, demonstrates a proactive approach to data governance, crucial for businesses in a nascent tech market. Moreover, the Act’s consideration of mitigating factors and the resulting leniency in penalties acknowledges the need to balance privacy protections with the realities of the local business landscape.
Lessons in legislature
India’s recent Data Protection Act, introduced last year, stands out as a significant milestone in this regard. Singapore, in particular, has set a precedent with a landmark ruling under its Personal Data Protection Act (PDPA). In the case of Reed v Bellingham in 2022, the Court of Appeal’s guided individuals’ rights to pursue private action for breaches of PDPA obligations, and that emotional distress is adequate to establish the “loss or damage” necessary to initiate such a private action. This progressive stance recognizes anxiety about potential misuse of data, and the subjective nature of emotional harm, acknowledging its significant impact on individuals’ lives, particularly their mental health.
However, despite advancements in data protection laws in Sri Lanka, challenges persist, especially concerning overlaps between legislation such as the PDPA and the Online Safety Act (OSA). Sri Lanka, for instance, grapples with managing these concurrent laws, with the OSA often overshadowing the PDPA, posing potential conflicts in addressing privacy concerns effectively. The main concern lies in the potential coexistence of these two laws, given their stark contrast to each other, especially with the OSA lacking sufficient checks and balances.
On the other hand, the United States offers a unique approach to privacy legislation, with separate Acts addressing specific aspects of privacy, such as the Health Insurance Portability and Accountability Act (HIPAA) for health information protection and the California Consumer Privacy Act (CCPA) for consumer data rights. States like California, known for their tech-forward environments, often lead in developing progressive data protection legislation, influencing national discourse and shaping future federal initiatives.
Priorities for lawmakers, redressing pitfalls
First and foremost, transparency in the operations of internet search and advertisement providers must be mandated by law. This transparency should encompass explainability, ensuring that users understand the technology they interact with. Clear transparency requirements empower both users and companies, fostering accountability and combating misinformation.
Data privacy and protection must also be prioritized, as they form the cornerstone of modern legislation across various domains, including cybersecurity, blockchain, and AI. Content moderation rules are essential to address bias, discrimination, hate speech, disinformation, misinformation and explicit material, safeguarding vulnerable groups like women, children, and marginalized communities.
Moreover, lawmakers should consider providing toolkits and customizable filters to empower users and give them control over their online experiences. Reporting mechanisms, often lacking in Sri Lanka, should be legally mandated to address issues promptly. Education and awareness initiatives must be integrated into the legal framework to ensure continuous learning and understanding among users.
Redress mechanisms, including inquiry procedures and alternative dispute resolution options, need legal backing to provide effective remedies. Soft law measures, such as government directives, can offer guidance in the absence of formal legislation.
Maintaining focus on formulating laws and regulations
Transparency is paramount. The law should outline clear requirements for transparency and explainability, enabling users to understand the technology they interact with, thus empowering them and fostering accountability. This transparency also aids in combating disinformation and misinformation online.
Moreover, prioritizing data privacy and protection is imperative. Given the universal significance of privacy across various technological domains, it’s crucial to uphold these principles to safeguard users’ personal and digital safety. Additionally, rules on content moderation are vital, addressing issues such as bias, discrimination, hate speech, and explicit material. Such policies must extend protection to marginalized groups, including women, children, LGBTQIA+ individuals, and racial minorities.
To further empower users, the law should mandate the provision of toolkits offering information and controls for user experience management, including customizable filters and opt-out mechanisms. Robust reporting mechanisms, mandated by law or directives, are essential for users to report harmful content or activities effectively. Education and awareness initiatives should also be legally mandated, ensuring continuous education and training on online safety.
Furthermore, redress mechanisms, including inquiry procedures and avenues for seeking redress beyond the courts; and looking into alternative dispute resolution routes such as mediation, are crucial for addressing grievances effectively. However, Sri Lankan lawmakers and official bodies seem to lack direction and focus in formulating such laws due to several factors. Firstly, the focus is often diverted to political and economic challenges, relegating tech adoption to a lower priority. Resource constraints, including a lack of expertise and investment, further hinder progress in this area.
Additionally, averse attitudes towards change and a deep-seated comfort with the status quo impede technological advancements. The absence of consensus and collaboration between sectors exacerbates this issue, along with a lack of political will and adaptive governance. These factors contribute to a stagnant approach to policy formulation and hinder the country’s ability to adapt to technological advancements effectively.
To overcome these challenges, Sri Lanka needs to prioritize long-term planning, consensus-building, and collaboration across sectors. Establishing clear policies, investing in expertise and resources, and fostering an environment conducive to innovation are crucial steps towards harnessing the potential of technology for societal advancement.