Lessons India Can Draw From Sri Lanka’s Efforts With Data Protection Legislation

The best law is not one that is optimal in a technical sense, but one which is most appropriate for the local conditions.

Listen to this article:

Data protection is considered esoteric, but can powerfully impact the emerging digital economy. Depending on the success of digitalisation, every organisation may fall within the scope of data protection regulation. 

India is enacting a data protection legislation. There may be lessons to be drawn here from the Sri Lankan effort.   

The use of insights extracted from data predates computers. Now that computers are involved, a lot more can be done with data, and more easily. Organisations have long maintained records of those they serve. But there is a difference between records in paper files and those in databases: copies can be made and transferred easily; analyses may be conducted rapidly to identify patterns; and records can be combined with data from other sources to gain even deeper insights. This has enormous potential for transforming service delivery. But it also poses dangers of data being misused by unauthorised parties. 

Data protection laws seek to minimise the risks of the misuse of data stored in computer databases of various forms. There has been a worldwide surge in interest in data protection since the General Data Protection Regulation (GDPR), a European legal instrument with extra-territorial impact, came into effect in May 2018. Many in the private sector, especially those engaged in business process outsourcing (BPO), have lobbied for GDPR-like legislation to improve their business prospects by having the country meet the adequacy test that is part of the GDPR. 

Responding to the demands of vocal interests, the drafters have adapted the European model. But even Europeans find the GDPR model with standalone and procedure-focused data protection authorities difficult to implement. Will creative adaptation suffice?

Implications for individuals

Increasingly, individuals maintain databases in computerised form. A family’s invitee list for a wedding is an example. Section 2(3) of the bill excludes “personal data processed purely for private, domestic or household purposes by an individual”. If the list is maintained by an event organiser, it is subject to the provisions. Citizens need not concern themselves about the obligations imposed on data controllers by the proposed law. 

The law impacts them in their roles as data subjects. For example, an individual may suffer serious repercussions because of a data breach, wherein sensitive personal data such as credit card information and passwords stored in a government or company database are taken unlawfully by a third party and used for extortion. 

Because of damage to reputation or the desire to avoid paying damages, companies may not disclose breaches in a timely manner, causing further harm. Section 23 sets out an obligation to report breaches but leaves the details to rules that are to be formulated under the Act.

Also read: Who Are the Forces Shaping India’s Data Push in Healthcare?

Increasingly, data are collected as byproducts of transactions. For example, data on one’s locations and movement are recorded as a by-product of providing mobile communication services and billing for them. Academic debate continues about the relevance of consent in today’s qualitatively different circumstances. Consent is especially problematic re jointly produced transaction-generated data. Most people do not read the information provided when asking for consent, because doing so would leave them little time for anything else. 

Section 27 requires those sending out messages in bulk (spam), usually for marketing purposes, by electronic means or through the post, to have obtained the consent of the addressees and provide them with opt-out facilities. This will also apply to political messaging via bulk SMS and the postal service.

Implications for organisations

Laws modelled on the GDPR impose considerable burdens on controllers (those who determine the purposes and means of the processing of personal data), such as obtaining informed consent; that data subjects are informed about their data held by controllers; that data are rectified or completed upon request; that data subjects should be permitted to withdraw consent; and so on. They are mandated to appoint data protection officers with specified qualifications.

Compliance costs will be onerous for small organisations engaged in the processing of personal data. An example is a cake supplier who has the birthdays, addresses and preferences of regular customers in a spreadsheet and has to appoint a suitably qualified data protection officer to be compliant.

The European model of data protection requires all entities large and small who fall within its scope to register and renew registrations periodically. This allows the regulator to conduct inspections, to serve papers, etc. 

Usually, the registration must be accompanied by a fee. In many countries these fees are a source of revenue for the regulator. Those who are required to register are so many and the transactions costs are so high that many small organisations will not register. Data protection authorities rarely have the personnel to actively compel compliance. 

Under the Sri Lankan Bill, registration is not required. Non-registration is not an offence. No registration fees are charged, and the data protection authority will be reliant on budgetary allocations. 

However, organisations large and small who fall within the scope of the law are bound to conduct their data processing and related activities as specified. The regulator may, in some instances, experience difficulties in serving papers. But locating large controllers in the private and public sectors is unlikely to be difficult. 

The reduction of costs of compliance for the many thousands of micro, small and medium enterprises is well worth the costs of locating an entity against which a complaint has been made. Forms used for lodging complaints may mandate the provision of contact details of the alleged offender.   

Extra-territorial implications

By processing the travel patterns and speeds of millions of persons with map applications installed on their phones, the Google Maps app provides dynamic routing instructions and travel time estimates for travel by various modes. Arguably, these actions fall within the scope of section 2(1)(v): “specifically monitors the behaviour of data subjects in Sri Lanka including profiling with the intention of making decisions in relation to the behavior of such data subjects in so far as such behaviour takes place in Sri Lanka.” This would make Google, which engages in machine learning-based processing of the travel behaviours of millions of Sri Lankans, a controller subject to the law.

Also read: Examining India’s Quest to Regulate, Govern and Exploit Non-Personal Data

Had the registration requirement been retained, it is doubtful whether a global Internet service company could have been compelled to register, let alone establish a physical presence in a small country like Sri Lanka. Nepal tried, and was ignored. The elimination of the registration requirement is a creative solution to that problem. 

The law as drafted imposes duties and obligations on global entities without a presence in Sri Lanka; it creates rights against such entities that the regulator is bound to safeguard. How the law may be enforced against such entities is a problem left for the future.

Section 26 of the Bill restricts the processing of data outside Sri Lankan territory. In the case of public authorities (ministries, departments, corporations, including companies where the state holds more than 50% of shares), the processing cannot be done outside, other than for specific categories of data in countries classified as “adequate” by the minister. 

This means that public authorities cannot use cloud-based services such as those offered by AWS and Google. They will be limited to the cloud services offered by domestic entities whose price-quality packages are inferior to those offered by global providers. Without competition, the local data centres are unlikely to lower prices or enhance quality. The usual protectionist justifications about creating opportunities for local data centres are likely to be made, even if their supra-normal profits do not stay in the country.

Somewhat peculiarly, adequacy provisions have also been extended to private entities. Public authorities may process only specified subsets of data even in countries that pass the adequacy test, while the entirety of the data held by private entities may be so processed. 

The granting of adequacy status has been slow and apparently a political event in Europe. The specified procedures are so complicated that it would be fair to surmise either that no adequacy determinations are likely to be made, or that such decisions will be made for political reasons, bypassing the specified procedures. 

Implications for innovation

Machine learning, colloquially described as artificial intelligence, is one the most exciting innovations today. Instead of developing a complex model with multiple variables, machine learning allows software to be trained using large amounts of data. For example, it is possible to distinguish between cat and dog images if a software has been trained on a large enough set of labelled images. The method by which the results were obtained cannot be reduced to a set of rules. 

Hal Varian, chief economist at Google, questions the requirement of explainability, imported into Sri Lanka through Section 18 of the Bill. He questions the reasonableness of demanding more of a machine learning model than we ask of ourselves. Can an individual explain step-wise how she identifies an image of her spouse from among many photographs? Provisions such as Section 18 suggest inadequate weight has been given to innovation.  

Incorporation of purpose specification and informed consent as core principles is inimical to the development of AI and data analytics. Section 6(2) and the important schedules I and II make some exceptions for research and actions taken in the broader public interest, but the incorporation of the purpose specification principle reduces the scope of the exceptions: “Every controller shall ensure that personal data is processed for … (a) specified; (b) explicit; and (c) legitimate purposes and such personal data shall not be further processed in a manner which is incompatible with such purposes.”

Service providers may satisfy the legal requirements by inserting broadly worded statements on purposes such as improvement of services into the contracts they enter with all customers. Because it will be impossible to specify the kinds of novel research uses that are necessary for innovation, the result will be the shutting down of access to the large data streams essential for AI research. Big companies will be further strengthened because only those who directly work for them or are their contractors will have access to their massive data streams. 

It is no accident that most of the breakthroughs in AI are happening in China and North America. Europe is a laggard, despite having trained data scientists, because access to data is constrained. The drafters of the Sri Lankan law have, unfortunately, been overly responsive to the lobbying of firms wanting to get a piece of the low-tech and low-skill business process outsourcing business. The interests of the AI companies that have yet to come into being have been ignored.   

Capacity of the data protection authority

Even in Europe, the heartland of data protection, data protection authorities are under-resourced, do not have enough staff with the necessary technical skills, and take inordinately long to respond to complaints. It was reported by the New York Times last year that all but three (Germany, Italy, and the UK) had annual budgets below 25 million euros. 

It may be assumed that a minimum of 25 million euros a year is required to run an efficient data protection authority. That is over Rs 25 crore in operational funds. The likelihood of a data protection authority in India or Sri Lanka being given even one fifth of that is small. They will be bound by government-wide rules and may face difficulties in paying the right salaries. The commendable removal of the registration requirement may not be enough of an adaptation. 

Sri Lanka has well-crafted laws but rarely are they implemented satisfactorily. If the regulator is under-resourced, little more than ticking the boxes so that Sri Lanka will pass the EU’s adequacy test is likely to be achieved, and even that is uncertain. The best law is not one that is optimal in a technical sense, but one which is most appropriate for the local conditions.      

Rohan Samarajiva is founding Chair of LIRNEasia, an ICT policy and regulation think tank active across emerging Asia.