The Hon. Amila Prasad

¶ 01 Hon. Deputy Speaker, this is an important Bill for Sri Lanka’s future. Our people’s personal information—from fingerprints and blood group to health records—has already been shared widely. This Bill must ensure how such data may be used, prevent misuse, and provide remedies.

¶ 02 However, during digitalization your government has appointed heads to key information exchange institutions, raising concerns about independence. With passage of this Bill, the public must be clearly informed of legal actions available if their data is shared or misused beyond agreed purposes.

¶ 03 While we support a private sector–driven economy where data underpins markets, the State bears responsibility to ensure data collected by private entities is properly used and securely stored. There must be strong safeguards.

¶ 04 We have witnessed serious cyber incidents: breaches at the National Water Supply and Drainage Board, the Pensions Department, and a private bank. Even customers were not notified adequately. What actions has the government taken? Have victims been informed of potential harms and mitigations?

¶ 05 Technical readiness questions: - Does the PDPA Authority have adequate servers, data centres, encryption devices, and 24/7 power and environmental resilience? - Do we have high-grade VPN/MPLS capabilities for secure cross-border transfers? - Is the GovPay system functional? What about the RMV app previously announced? - Are police stations and courts equipped with readers for chips in NICs and driving licences? If not, data ends up being accessed via personal phones, risking leakage.

¶ 06 Human resources: - Do we have sufficient DPOs and cyber security experts? If skills are scarce and costly, will the government partner with the private sector?

¶ 07 On the Act itself: - Full implementation was slated for March 2025 but did not occur. What is the new timeline? - Financial and institutional independence of the Authority is crucial—what are the arrangements? - Public awareness is poor; these topics should be integrated into school curricula. - Health data leakage could cause grave harm; have amendments adequately addressed special safeguards? - Do data-holding institutions receive government-backed compliance assurance to build public confidence? What sanctions apply for non-compliance?

¶ 08 Legacy data: - Large holders (telecoms, utilities, hospitals) already hold substantial data. What timeframes will they have to become compliant?

¶ 09 Enforcement and appeals: - Significant penalties are proposed; what is the appeals process for penalized institutions? - How does this Bill interface with the RTI Act and the Computer Crimes Act—where are conflicts resolved?

¶ 10 Finally, on erasure: - Citizens should be able to delete data they no longer wish to retain, but public-interest or accountability-related records (e.g., public statements by political actors) should not be erasable to evade scrutiny. The framework should distinguish these appropriately and provide practical means for citizens to exercise erasure where legitimate.

¶ 11 Thank you.