
EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Republic of Sri Lanka

Constitutional Privacy Framework

The 1978 Constitution[4845] of the Democratic Socialist Republic of Sri Lanka does not explicitly recognize the right to personal privacy as a basic fundamental right. In 1997 and 2000, the proposed versions of the draft Constitution considered the right to privacy and family life as a fundamental right. The proposed October 1997 Constitution's Article 14 (1) specifically stated, "Every person has the right to have his or her private and family life, home, correspondence and communications respected, and shall not be subjected to unlawful attacks on his or her honour and reputation."[4846] However, the latest August 2000 proposed Constitution has no reference to the right of privacy.[4847] The only close reference is incorporated in Article 14 (1)(e), which provides for “[t]he freedom, either by himself or in association with others, and either in public or in private, to manifest his religion or belief in worship, observance, practice or teaching.” Importantly, the Article covers only the private domain of life, mainly in religious matters, although it carries sufficient rationale for the Supreme Court judiciary to employ constitutional doctrinal canons to interpret and carve out the privacy right in other relevant circumstances, like telephone tapping and police surveillance.

In Sri Lanka there are two recent cases related to individual privacy, one related to the interception of communications (Hewamanna v Attorney General)[4848]; the other related to privacy and freedom of the press (Sunday Times defamation case in 2000). In both cases the Supreme Court of Sri Lanka highlighted the importance of the individual's right to privacy.

The common law in Sri Lanka does not recognize any right to the protection of personal information. It only permits "peripheral protection"[4849] or remedial action for invasions of privacy stemming from the inappropriate use of personal data.

Data Protection Framework

The government has not introduced any specific legislation that protects individual privacy or regulates the collection of personal information. The only legislation that refers to this area is the Telecommunication Act No. 27 of 1996,[4850] which regulates the interception of communications. According to Sections 53 and 54 (1) of this Act, the interception of telecommunication transmissions and the disclosure of their contents is an offense subject to penalties, including imprisonment.

The rapid developments in information and communications technologies in Sri Lanka have significantly affected the current legal system. Many privacy experts in Sri Lanka state that there is a need for new laws that adequately regulate new technologies. Recently, the Law Commission of Sri Lanka has identified “freedom of information and data protection” as one of the priority issues to be dealt with in their declared “program of work” for the year 2005-2006.[4851]

The absence of a data protection law and a data protection authority in Sri Lanka is a real threat to the recently introduced e-Sri Lanka program.[4852] The e-Sri Lanka program aims to computerize all government departments in the country and facilitate electronic documentary service, as opposed to the traditional government service that still processes everything manually.

The government is currently in the preliminary stages of introducing a new data protection law. Recently, the Sri Lankan government has launched a comprehensive “Re-engineering Government” project with an ambitious goal to “provide citizen services in the most efficient manner by improving the way government works, by re-engineering and technologically empowering government business processes” with targeted government sectors like “eMotoring, ePension, eCitizen ID, eForeign Employment, Ministry of Public Administration and Home Affairs.”[4853]

The Re-engineering project identifies the necessity of security programs “to ensure the privacy of individuals and information, and the confidentiality, availability and integrity of information and the integrity of transactions.”[4854] Two documents, Privacy Related Issues for Outside Entities and Privacy and Citizen Information Protection, outline the details of personal information protection. The first document, Privacy Related Issues for Outside Entities, recognizes that information is both a valuable asset and an organizational risk management issue. “It is necessary to ensure that government organization information, which is generally accessible (in hard or soft copy), is protected from inappropriate access, disclosure or modification,” according to the policy statement. Section of the Policy, “Privacy of Information,” requires that all employees with access to personal or confidential information respect the confidentiality and security of that information.[4855] The second document, Privacy and Citizen Information Protection, recognizes that government organizations must protect, safe-keep and use citizen information in a responsible way. The document declares that “This policy is intended to communicate the extent of the government organization’s commitment to Privacy and Citizens Information Protection.”[4856]

In its Proposed National Communications Policy of 2002, Sri Lanka’s Ministry of Mass Communication mandated the Communications Regulatory Commission (CRC) to take serious note of the issue of consumers’ privacy protection. The proposed policy provides that the CRC “shall establish formal complaint review procedures, and shall require all licensed and authorized telecommunications operators and service providers to establish their own procedures for responding to customer complaints concerning inappropriate behavior and violations of privacy.” It further stressed the responsibility of the CRC to “ensure that it takes all steps to prevent intrusion to individual privacy in communication...”[4857]

Despite the clear mandate enunciated in the National Communications Policy to ensure the protection of consumer privacy rights by telecommunication service providers, the Telecommunication Regulatory Commission of Sri Lanka (TRCSL) failed to mention privacy rights in their declared “consumer protection” rights; moreover, the declaration uses vague language and leaves consumers to determine what rights they have concerning telecommunications service providers.[4858]

In 2003, the Parliament passed the Information and Communication Technology Act No. 27[4859] to provide for the establishment of a national policy on information and communication technology and for the preparation of an action plan. Under this act, the Information and Communication Technology Agency (ICTA) is in charge of the implementation of the national policy in both the public and the private sectors. The agency functions as the single highest body involved in information and communications technology policy for the nation. It also assumes the role of implementing the e-Sri Lanka initiative.

In October 2004, pursuant to a decision of the Cabinet of Ministers, the ICTA was specifically mandated and authorized to implement the e-Sri Lanka Project and to recommend to the Cabinet the appropriate regulatory and policy framework required for the development of Information and Communication Technologies (ICTs) in Sri Lanka. The Cabinet's decision is consistent with the ICT Act of 2003, which requires the ICTA to provide consultation and formulate policies for ICTs before the government adopts them.[4860] In November 2004, the ICTA set up a working committee to write the first draft of the ICT policy for the government.[4861] The document was circulated amongst members of the ICTA working and focus groups, and to academic members, to obtain their views. ICTA has now made the document public and available for comments.[4862] The emphasis is now on adopting legislation to facilitate electronic transactions and to prepare a Code of Practice for Data Protection, in consultation with the private sector. A committee has been set up for this task with the association of the Ceylon Chamber of Commerce. Likewise, an e-Security Working Group has been established, with the participation of state agencies and other stakeholders, to review legal and technical aspects of e-commerce.[4863]

The Draft ICT Policy would require each government agency to appoint a Chief Innovation Officer (CIO). This CIO would be responsible for the promotion and development of ICTs within the agency, and would be the interface between a government agency and other organizations. The implementation of the ICT policy is likely to promote Sri Lanka's objective of being an information society for all. The policy will not be a static document, as the ICTA will frequently update it as required, taking into account changing trends in the environment, the technology and business processes.[4864]

The Draft Policy requires data protection issues to be addressed in accordance with the government's Information Security Policy. Citizens' e-mail addresses gathered from government web sites[4865] will not be divulged, made available or sold to third parties. Also, personally identifiable information obtained through government web sites shall not be kept for longer than is necessary and only for the purpose for which it was obtained.[4866]

The Telecommunication Regulatory Commission, part of the Ministry of Mass Communications, has set up basic guidelines that should be complied with by individuals who want to set up call centers in Sri Lanka.[4867] According to a recent workplace privacy survey, the majority of employees and executive managers are seriously worried about the privacy of their communications in the workplace.[4868]

The Prevention of Computer Crime Bill of 2003[4869] was approved by the Cabinet of Ministers and presented to the Sri Lanka Parliament, where it is still awaiting approval.[4870] This act aims at combating computer crime in Sri Lanka.[4871] This act shall apply where: (a) a person commits an offence under this act while being present in Sri Lanka; (b) the computer program, data or information affected or which was to be affected, by the act which constituted an offence under this act, was at the material time within Sri Lanka; (c) the facility or service, including any computer storage or processing or communication facility, used in the commission of an offence under this act was based in Sri Lanka; or (d) loss or damage is caused by the commission of an offence under this act in Sri Lanka to a person resident in Sri Lanka.[4872] The act also addresses computer misuse;[4873] unlawful obtention of data;[4874] child pornography;[4875] cyber-stalking;[4876] strict liability for offences against national security,[4877] national economy and public safety;[4878] and unauthorized disclosure of confidential information and illegal interception of data.[4879] Part 11 of the act creates a panel of experts from police departments and other persons who possess expertise in the field of information technology for the purposes of investigations under the act.

In March 2006, the Sri Lankan government enacted the Electronic Transactions Act No. 19 of 2006 (Act).[4880] The Act is described as an “important development in the legal jurisprudence in Sri Lanka” and it is in conformity with international standards and practices and the requirements of the IT industry. It also facilitates electronic filing of documents with the Government so as to promote efficient delivery of services. The Act provides for the legal recognition of electronic transactions and other transactions carried out by means of electronic communications, commonly referred to as "electronic commerce."[4881] The legislation promotes public confidence in the authenticity, integrity and reliability of electronic communications. The Act is based on the UNCITRAL Model Law on E-Commerce 1996[4882] and the 2001 UNCITRAL Model Law on Electronic Signatures.

As regards the protection of intellectual property rights, the Intellectual Property (IP) Act No. 36 of 2003 replaced the Code of Intellectual Property Act No. 52 of 1979. The new IP Act[4883] contains several new provisions that pertain to the protection of software, trade secrets and integrated circuits.

Open Government

A Freedom of Access to Official Information Bill 2003 is awaiting cabinet approval.[4884]

International Obligations

Sri Lanka became a member of the United Nations Organization on December 14, 1955,[4885] and ratified the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR) in 1980.[4886] Sri Lanka ratified the UN Convention on the Rights of the Child (1991), and the Parliament subsequently enacted the National Child Protection Act No. 50 of 1998.[4887] Sri Lanka also ratified the UN Convention on the Elimination of All Forms of Discrimination Against Women (1981).[4888] Sri Lanka became a member of the International Labour Organization (ILO) in 1948 and has since ratified 39 ILO Conventions.[4889]

[4845] <>; Available also at, lawnet <>.
[4846] Draft Bill (No. 372) to repeal and replace the Constitution of the Democratic Socialist Republic of Sri Lanka, available at < Bill/Index2000constitutionalBill.html>.
[4847] Available at <>.

[4848] 1999 ICHRL 31:8 March 1999.

[4849] This means that there is no direct common law protection and the law only covers the cases where there is a breach of confidential information or a liability for invasion of privacy. See P. Mahanamahewa, "Internet, e-Business and Privacy Concerns," July 20, 2003 <>.

[4850] Available at <>.

[4851] Available at, law Commission of Sri Lanka < RELEASED FROM 1995>.

[4852] Available at <>.

[4853] See, Information and Communication Technology Agency of Sri Lanka, available at <>.

[4854] ICT Security Policy for Government, ICTA, available at <>.
[4855] Id, available at
[4856] ICTA Security Policy, supra, available at

[4857] The Ministry of Mass Communication, Sri Lanka, Proposed National Communications Policy, available at

[4858] See Telecommunication Regulatory Commission of Sri Lanka, available at <>.

[4859] Available at <>.

[4860] Draft ICT Policy, available at <>.
[4861] Available at <>.
[4862] See Draft ICT Policy for the Government, supra.
[4863] Available at <>.

[4864] Id., at 12.

[4865] See e.g., Ministry of Public Administration and Home Affairs, available at <>, Department of Emigration and Immigration, available at <> and Board of Investment, available at <>.
[4866] See id, 12, Section 0104 and 010401.

[4867] Telecommunication Regulatory Commission, supra.
[4868] See P. Mahanamahewa, "Guidelines for Establishing an E-mail and Internet Monitoring Policy in the Workplace," <>.

[4869] Available at <>.
[4870] Id, See Report for the Period January 2005 to September 2005.
[4871] Its most important features are: Section 13, which makes the illegal interception of data an offence; Section 15, which makes the unauthorized disclosure of information enabling access to a service an offence; and Section 23, which provides for the appointment of a panel of experts in the field of information technology for investigation purposes.
[4872] The Prevention of Computer Crime Bill of 2003, Section 2(1), available at
[4873] Id. at Section 7.
[4874] Id. at Section 11.
[4875] Id. at Section 12.
[4876] Id. at Section 14.
[4877] Id. at Section 8(a).
[4878] Id. at Section 8(b), (c).
[4879] Id. at Section 13.

[4880] Available at <>.
[4881] See S. Marsoof, Legislation for Commerce and Data Protection in Sri Lanka, Information Technology Conference, Bar Association, Colombo, Sri Lanka (2004).
[4882] Available at <>.

[4883] Available at <>.

[4884] Available at <>.

[4885] Available at <>.
[4886] Available at <>.
[4887] Available at <>. Under this Act, the National Child Protection Authority (NCPA) has been established to protect and promote children's rights. The National Child Protection Authority is the Central Agency for coordinating and monitoring action on the protection of children. The NCPA can take appropriate steps where necessary for securing the safety and privacy protection of children involved in criminal investigation and criminal proceedings. On September 8, 2000 Sri Lanka signed and ratified the Optional Protocol to the Convention on the Rights of the Child on the Involvement of Children in Armed Conflicts (<>), and on May 8, 2002 the government of Sri Lanka signed the Optional Protocol to the Convention on the Rights of the Child on the Sale of Children, Child Prostitution and Child Pornography <>. The NCPA recently established the "Cyber Watch" Unit, which monitors websites patronized by paedophiles. Its goals are to prevent the use of Sri Lankan children for the purposes of child pornography and other forms of commercial sexual exploitation, available at NCPA, website.
[4888] Available at <>.
[4889] Available at <>.
