The Hon. Kabir Hashim
Hon. Kabir Hashim argued that the Personal Data Protection Act of 2022 has remained ineffective because the Data Protection Authority has not been established, and said the current Amendment Bill does not address key privacy and accountability gaps. Citing the 2025 Cargills Bank cyber breach and concerns raised by the UN Special Rapporteur and local commentators, he questioned whether data subjects are adequately informed, protected, and given remedies when their personal data is misused or exposed. He called for an independent Authority appointed through the Constitutional Council, inclusion of human rights and civil society expertise, limits on broad State exemptions including for national security, and stronger data-subject rights such as erasure, portability, algorithmic challenge, and an appeal mechanism.
Verbatim record (translated)
Machine-translated from Sinhala / Tamil / English
¶ 01 Hon. Deputy Chairperson of Committees, the Personal Data Protection (Amendment) Bill is of national importance. The Act passed in 2022 aimed to modernize privacy and data governance, aligning Sri Lanka with global best practices, especially the EU GDPR — a forward-looking step. But for three years it has remained dormant; crucially, the Data Protection Authority is yet to be established.
¶ 02 Personal data protection is vital for privacy, guarding against unauthorized access, misuse, and disclosure. The question is whether the current Act and this Amendment Bill address these issues and safeguard individual privacy.
¶ 03 The UN Special Rapporteur on Privacy, in a 2024 report, said: “Data subjects find themselves in a position of defencelessness owing to their limited knowledge of the use that third parties make of information concerning them… This has repercussions for their ability to control their data — the essence of the fundamental right to personal data protection.” The issue is whether your Amendment addresses this.
¶ 04 In April 2025, Sri Lanka suffered a cyber breach at Cargills Bank: hackers infiltrated the system and posted thousands of files — bank accounts, personal data of accountholders, directors, staff. In India, after similar incidents, courts intervened to ensure protection. Here, Cargills reportedly disclosed the unauthorized entry via the Colombo Stock Exchange since they are listed. But no action was taken to inform the data subjects — the customers whose data was exposed — of what happened, what security steps to take, and the potential losses. Does this Act address such breaches? This is key; it is our data.
¶ 05 In 2022, under the Gotabaya Rajapaksa Government, this statute got little attention amidst COVID-19, bankruptcy, inflation, and shortages. A petition by the Young Journalists’ Association was not pursued by the Supreme Court due to a technicality. The tension between the State’s right to information and individual data privacy must be handled with care to preserve civic rights; otherwise, a dictatorship could misuse data. We expected the NPP, as a people’s government, to be sensitive to this, but I do not see it in the Amendment.
¶ 06 A young researcher, Nida Admani, wrote in the DailyFT yesterday: “A critical shortcoming of the PDPA is the lack of clarity and resultant inaccessibility by the average citizen to fully comprehend the rights and remedies… The power imbalance heavily favours data controllers and processors; citizens are largely unaware of how their data is being used….” This leaves people vulnerable; misuse can affect ethnicity, religion, race, and fundamental rights. This Bill is nationally important, but there are glaring deficiencies, and the Government’s Amendment does not address them. The JVP, when in Opposition, condemned the original Bill and demanded amendments; you now have the chance, but have not incorporated them.
¶ 07 Regarding the Data Protection Authority: you would appoint technocrats, business leaders, and industry representatives — but what about a human rights lawyer, an independent person, and a civil society specialist? All appointments are political if left to the Executive. We demanded that the Authority be appointed through the Constitutional Council to ensure independence. Otherwise, where is the safeguard for citizens’ privacy?
¶ 08 Secondly, the Act grants broad exemptions to public entities in the name of national security, enabling collection and misuse without accountability. Even the Ministry of Defence should be subject to rules, including disclosure of breaches. The Act fails here. The Government should be held to the same or higher standards than the private sector.
¶ 09 Thirdly, the Act does not empower data subjects with rights like erasure, portability, or the right to challenge algorithmic decisions — critical in today’s AI-driven world.
¶ 10 Fourthly, there is no tribunal or civil appeal mechanism; citizens must rely solely on a non-independent Authority not appointed via the Constitutional Council. Governments change; an independent Authority protects regardless of who is in power. Principles should not change between Opposition and Government.
¶ 11 We therefore propose: Parliamentary oversight; amend exemptions to include judicial or Parliamentary oversight over government access; establish a Data Protection Tribunal for complaints and appeals; appoint the Authority through the Constitutional Council to ensure independence; and include legal and civil rights specialists in its composition.
Provenance
- Source: Hansard, Tuesday, 3 June 2025 · No. 1750149440002739 · English daily/uncorrected Hansard
- Page · column: not yet extracted; page/column anchors are not in the current dataset; the source PDF is the citable location.
- Permalink: /lk/speeches/10132
Cite as: The Hon. Kabir Hashim. 10th Parliament, Parliament of Sri Lanka. Hansard, 3 June 2025. No. 1750149440002739. Politick, https://staging.politick.io/lk/speeches/10132