The Hon. Thanura Dissanayake

¶ 01 Madam Deputy Chairperson, from morning the Opposition has been spreading misinformation about data. I know there are Opposition Members with sound understanding of IT; it would have been better had others consulted them before debating. For example, the claim that 225 tea factories closed is false; that reflects events over two decades. Such things are misinformation.

¶ 02 We do not have a crisis regarding chairmen or mayors of local authorities. Do not put your problems on us. We do not do politics for posts; we give positions to the suitable.

¶ 03 Today we are debating amendments to the Personal Data Protection Act, No. 9 of 2022. Digitization is advancing rapidly globally; our legal framework must align, or else BPO/BPM companies handling third-party data will not come here, as they assess our data protection environment. Hence these amendments are necessary for our economy and relate to the Digital Economy Ministry. Investors will not wait until we build the background—they will go to jurisdictions with the requisite legal environment. Therefore, if we expect a share of the global IT value chain, these amendments are needed.

¶ 04 These amendments cannot be applied overnight to all public and private entities. The Act is about all data, not only digital, though the focus tends to be on digital data. Hence a phased approach is provided. Otherwise, institutions would have to change structures, hire new technical staff, build capacity and human resources, and sometimes source expertise domestically or internationally; they need time to adapt.

¶ 05 Cyber security was also discussed; it interlocks with this. We need regulations on cyber security too, but here we focus on data protection. We intend to accelerate implementation while considering impacts on startups and small businesses. Therefore, the Bill allows outsourcing necessary services—for example, allowing private entities to outsource the Data Protection Officer function rather than mandating an internal permanent post.

¶ 06 We must build feasibility—technical and infrastructure. The core mechanism is an institution: the Data Protection Authority. I believe it is being established and staffed. We know many sensitive data transactions occur—hospitals, banks, telecoms. We must have the legal framework to protect data and legal recourse for breaches; civil actions may allow compensation up to Rs. 10 million. More important than fines is building the foundational framework and ensuring data handlers meet their obligations.

¶ 07 We also need to guard against security breaches and cyber threats through stronger standards and phase-wise improvements. These amendments seek to remove practical obstacles in the 2022 Act and advance implementation.

¶ 08 Additionally, misinformation has become a serious problem alongside data. Inside and outside this House, data are distorted. As responsible persons, we must behave ethically. With rapid technology, information spreads fast; we must be ready for that journey so the world can transact with us. We were the first in South Asia to bring the law in early 2022; now India too has advanced with digital data protection. These amendments are needed to operationalize the authority, the regulator and subsequent measures.

¶ 09 Digital economy is one of three main thrusts of our government—alongside poverty alleviation and Clean Sri Lanka. This law is vital to move with the world; we must keep improving it. Thank you, Madam Deputy Chairperson, for the opportunity.