
The Hon. Kathiravelu Shanmugam Kugathasan

Illankai Tamil Arasu Kadchi · Trincomalee · 21 October 2025 · Debate: Regulations under National Medicines Regulatory Authority Act No. 5 of 2015

Public Finance · Justice & Human Rights
AI summary generated by gpt-5.5

Hon. Kathiravelu Shanmugam Kugathasan discussed the Personal Data Protection (Amendment) Bill, outlining proposed changes to timelines for data subject requests, fees, Data Protection Officers, impact assessments, cross-border transfers, guidelines, and the definition of public authorities. He noted that the amendments aim to reduce administrative burdens, align with international practice, and provide clarity for investors, while raising concerns about extending response times and reducing some mandatory oversight requirements. He asked whether the Data Protection Authority has sufficient expertise, infrastructure and funding, how its independence, accountability and reporting to Parliament will be ensured, and whether cross-border transfers, national databases, digital identity systems, penalties, redress mechanisms and implementation timelines are adequately addressed.

Verbatim record (translated)

Machine-translated from Sinhala / Tamil / English

¶ 01 Hon. Presiding Member, during today’s debate I wish to present my views regarding the Personal Data Protection (Amendment) Bill to amend Act No. 9 of 2022.

¶ 02 Act No. 9 of 2022 on Personal Data Protection seeks to regulate and protect the processing of personal data in Sri Lanka, to recognize and strengthen the rights of data subjects, to establish a Data Protection Authority, and to provide for matters connected therewith. The law follows models such as the EU General Data Protection Regulation (GDPR) and Singapore’s Personal Data Protection Act, aiming to introduce a comprehensive data protection regime in Sri Lanka.

¶ 03 To reduce administrative burdens in implementation and to align with international practice, the Minister of Digital Economy proposed significant amendments on 8 May 2025. They include:

¶ 04 1. Timelines: Under section 17 of the 2022 Act, controllers/processors had to respond to data subject requests within 21 working days. This is amended to “within one month,” with a possible extension of a further two months for justified reasons, up to three months in total. Service should be more efficient; thus, time should be reduced, not extended.

¶ 05 2. Request fees: Originally section 17 allowed charging a fee “as prescribed.” This is amended so that requests must be provided free of charge, while the Data Protection Authority (DPA) may prescribe fees only in limited circumstances.

¶ 06 3. Data Protection Officer (DPO): Section 20 made DPO appointments mandatory for ministries, departments and state corporations. The amendment removes the requirement for state corporations and clarifies the DPO’s role as advisory to the controller.

¶ 07 4. Data Protection Impact Assessment (DPIA): Section 24(5) required controllers to mandatorily submit DPIAs to the DPA. Now, submission is required only if the DPA requests it in writing. Previously, where a DPIA indicated high risks to data subject rights, prior consultation with the DPA was mandatory. The amendment removes the need to obtain prior advice without DPA approval, and deletes subsections (2), (3), (4), (5) and (6) of section 25.

¶ 08 Cross-border data transfers: Section 26 previously allowed processing in a recommended third country based on adequacy decisions. The amendment instead allows a controller/processor other than a public authority to transfer data across borders without prior adequacy if they can ensure compliance with this Act in the destination, including through appropriate safeguards identified by the DPA, explicit consent, contract performance, legal claims, public interest, or emergencies.

¶ 09 Guidelines: A new section 51A empowers the DPA to issue guidelines from time to time, including on the data protection management program under section 12 of the 2022 Act.

¶ 10 Public authority definition: Earlier definitions included state corporations, boards and companies incorporated under the Companies Act. The amendment excludes state corporations and companies from “public authority,” but ministries, departments, provincial councils and local authorities remain included.

¶ 11 These amendments aim to ease administrative burdens on public authorities, streamline documentation, strengthen privacy and fundamental rights, restructure response mechanisms for data subject rights, align cross-border transfer rules with international norms, and provide clarity for domestic and foreign investors.

¶ 12 However, several concerns arise:
1. Does the DPA have adequate expertise, technical infrastructure and funding?
2. Will the DPA table its annual report directly in Parliament for transparency?
3. How will Parliament ensure the independence and accountability of the DPA?
4. Do cross-border rules adequately protect national security and citizen privacy?
5. How will sensitive data in national databases, digital identity and welfare systems be handled?
6. Are penalties and redress mechanisms fair, practical and accessible to ordinary citizens?
7. What is the timeline for full implementation of the amended law?
8. Will there be clear coordination among the DPA, ICTA, the Telecommunications Regulatory Commission and other regulators to avoid duplication?

¶ 13 The Minister should clarify these.

¶ 14 Different countries use different constructs for personal identifiers:
- Canada: Social Insurance Number (SIN) is used for tax, benefits and 12 categories of identification; law restricts private-sector use unless legally required.
- USA: Social Security Number (SSN) is a powerful single identifier used to access financial and personal records, tracking 11 categories such as earnings, taxes, adjusted income and some medical records.
- European Union: GDPR broadly defines personal data related to identified/identifiable living persons; extensive protections apply and it is used across about 12 identification categories.
- India: Aadhaar is a unique 12-digit number issued by UIDAI to residents, intended to reduce fraud in welfare delivery. It stores nine categories of identity data (name, DOB/age, gender, address, email, fingerprints, iris scans, facial image) and adopts a minimal disclosure and yes/no authentication principle. Centralized encrypted storage enables verification nationwide and reduces data leakage risks. Strict controls apply to the handling organization.

¶ 15 Bringing this Personal Data Protection (Amendment) Bill before Parliament is a significant step to build a safe, innovative digital ecosystem. The final law must balance citizen privacy with national interests and economic opportunity. Studying Canada, the USA, the EU and India, we should adopt best features to collect and safeguard personal data for the country’s advancement. I conclude with that request. Thank you.

Provenance

Source
Hansard, Tuesday, 21 October 2025 · No. 22635 · English daily/uncorrected Hansard
Page · column
not yet extracted — page/column anchors are not in the current dataset; the source PDF is the citable location.
Permalink
/lk/speeches/29614

Cite as: The Hon. Kathiravelu Shanmugam Kugathasan. 10th Parliament, Parliament of Sri Lanka. Hansard, 21 October 2025. No. 22635. Politick, https://staging.politick.io/lk/speeches/29614