The Hon. Chandana Thennakoon

¶ 01 Madam Deputy Chairperson, the Bill to amend the Personal Data Protection Act, No. 9 of 2022, is being debated at a time when information technology in our country is rapidly developing and, likewise, when both public and private spheres are swiftly digitizing. In this era where personal data are collected and used extensively, this Bill is presented.

¶ 02 Through private institutions, business entities, government institutions and social media platforms, data are rapidly collected. Those data are stored, processed, shared and communicated in multiple ways in today’s digital world. Very often we see data of a data subject being disseminated to third parties without proper consent, altered, repurposed, exposed to society, and used in ways that harm the data subject’s feelings and life. Therefore, laws on personal data protection have become necessary worldwide.

¶ 03 In our rural areas many think, “I have nothing to hide.” Consequently there is less public attention to such laws. But moving beyond that myth, over 80 countries have now adopted laws or regulations on personal data protection. Though we acted as the first in South Asia to pass this law, we have not been able to transform it into a robustly used law domestically so far.

¶ 04 This Act places obligations to protect highly sensitive personal information such as a person’s name, NIC number, address, phone number, email, financial and medical information. Hence this is a very important Act.

¶ 05 A key aspect covered by this law is safeguarding privacy. It enables us to prevent use of data without permission. It also creates awareness in data subjects about their rights and obligations: to know what data are held and for what purposes those data are used. Institutions, in turn, receive obligations to protect data. Many institutions are not sufficiently mindful of data subjects’ security. Upon enactment, all public and private institutions will be obligated to protect data, and to establish safeguards and security mechanisms. At the same time, by protecting foreign persons’ and foreign institutions’ data, we can build international trust.

¶ 06 Although the Personal Data Protection Act was passed in 2022, several barriers hindered implementation. First is low public awareness. Many people lack understanding and concern about their data rights and the value of their personal data, which obstructs enforcement.

¶ 07 Past governments squandered public funds while the country’s computer literacy remains below 40%. In rural areas children’s computer knowledge is low; out of five people, only about two have computer skills, and only two out of five households have a computer. Past governments failed to empower people in technology, communications and computer skills; as a result, and due to low awareness, implementing this Act faces major obstacles.

¶ 08 Madam Deputy Chairperson, within our economic system we have little experience implementing such laws. We have not fully organized the resources, trained personnel and technology required. These too hinder proper implementation. However, our National People’s Power government is extensively intervening to advance digitization, making great efforts. Through that, we can implement this law.

¶ 09 An Hon. Member from the Opposition spoke about our nation’s cyber security lapses. Indeed, past governments did not pay adequate attention. Outdated technology is used across government; necessary technology, equipment and tools have not been provided, creating serious threats of cyber-attacks. Past administrations failed to build skilled teams to manage cyber security in the public sector, leading to weaknesses. Our government has understood this and taken measures.

¶ 10 Very soon we will be able to build a strong, cyber-secure country. We believe this government will do it. Aligning with new digital economic policies, Sri Lanka CERT has drafted and finalized the second National Cyber Security Strategy and submitted it to Cabinet, which approved it. Foundations have been laid to build cyber security systems, draft cyber security legislation, and establish a cyber security authority. Through these, we can ensure our country’s cyber security. As an initial step, the call centre has been further activated. By calling “101”, people can report cyber security incidents. Institutions are to appoint Data Protection Officers, and numerous awareness programmes are being conducted. As we develop the digital economy, we must create a trusted digital space. This law is important and helpful for all that. I conclude my speech.

¶ 11 Thank you very much.