Case study: Sri Lanka adopts comprehensive data protection legislation
The ‘four Cs’ – COVID, climate, conflict and cost-of-living – greatly tested small businesses around the world and set back the Sustainable Development Goals. This case study, from the ITC Annual Report 2022, highlights how the International Trade Centre helped entrepreneurs find new ways to prosperity through trade.
The challenge
The increased participation of MSMEs in online trade of goods and services is a key driver of job creation and sustainable development. However, striking the right policy balance for an enabling regulatory framework for MSMEs remains one of the most challenging tasks as it must foster a conducive environment for e-commerce, customized to each country’s specific needs.
As part of an enabling regulatory framework, having robust data protection and privacy policies in place is foundational to safeguarding the rights of individuals and ensuring consumer trust in online transactions in developing countries. It helps support growth and innovation in the digital economy.
This is particularly relevant in Sri Lanka, which has seen a significant increase in e-commerce. The digital economy accounted for nearly 5% of gross domestic product in 2022. The country needs a supportive regulatory framework to further leverage opportunities for MSMEs, while at the same time protecting consumers.
The solution
For more than five years, ITC has supported several countries to create and foster a more conducive policy and regulatory environment for MSMEs with respect to e-commerce and digital trade. One of the key beneficiaries has been Sri Lanka.
As part of a trade-related assistance project in Sri Lanka, ITC has conducted numerous trainings, undertaken public–private dialogues and offered advisory services on domestic regulatory reforms and bilateral and multilateral negotiations. A key component of the support involved providing advice and guidance to the Ministry of Digital Infrastructure and Information Technology on the country’s proposed data protection legislation.
The results
ITC provided guidance on how to align the proposed legislation with international best practices, while at the same time customizing it to the specificities of the local context. As part of this work, ITC carried out a regulatory analysis of the future legislation that was shared with the ministry.
Furthermore, ITC supported the ministry to hold a public–private dialogue to receive feedback on the proposed data protection framework. Nearly 100 people attended this meeting, representing 22 government policy institutions, 19 private enterprises and 11 other institutions. ITC also supported the Data Protection Law Drafting Committee to participate in the IAPP Asia Privacy Forum to increase their understanding of regional best practices.
The draft legislation then passed through the legislative processes, which eventually led to the enactment, in March 2022, by the Sri Lankan Parliament of the Personal Data Protection Act, No. 9 of 2022 – the most extensive and up-to-date piece of data protection legislation in South Asia. Among other things, the act contains provisions on the processing of data, data rights, cross-border data transfers, obligations for business and penalties. As such, businesses in Sri Lanka will need to prepare for compliance with the Personal Data Protection Act.
Jayantha Fernando, Chairman of the Data Protection Law Drafting Committee, commended ITC for the technical assistance it had provided:
The future
ITC is ready to support Sri Lanka in the next stage, which is the operationalization of the law and the training of officials when the data protection authority of Sri Lanka is established. ITC will also continue to provide similar assistance to other countries that are enacting or updating e-commerce policies, through increasing technical capacities and supporting legislative revisions.