Towards a Regime of Responsibility

Towards a Regime of Responsibility

Impact of the Data Protection Bill of Sri Lanka

Data is at the center of everything in the modern day. In a digitalized world though data is available in abundance, its value grows in leaps and bounds. Processed data is increasingly used for commercial purposes, including for personalized marketing. Personal data obtained through various platforms has become inextricable today for gathering leads, improving the customer experience and a variety of other marketing activities. Processing personal data may have implications on people’s right to privacy. Therefore, it is necessary to regulate data processing to balance the interests of individuals, with commercial interests.

Why Data Protection in Sri Lanka?

With the enactment of the General Data Protection Regulation in the EU, the transfer of personal data to non-EU countries that do not meet the European “adequacy” standard for data protection is prohibited. This has caused serious implications on several countries whose gross domestic income largely depends on Western markets. For instance, 18.07% of Sri Lanka’s top export market consists of EU countries. Therefore, the inability to transmit personal data may cause a significant impact on Sri Lankan businesses catering to the needs of consumers in EU countries. Accordingly, the country is placed at a huge disadvantage in attracting business opportunities and investors. Hence, to address the need of the hour, the Sri Lankan Government is in the final stages of adopting data protection legislation.


What does the Data Protection Bill1 say and how does it affect digital marketers?

  • Collecting personal data

The Personal Data Protection Bill of Sri Lanka applies to:

  1. the processing of personal data entirely or partially in Sri Lanka; or  
  2. if the processing of data is carried out by a controller or processor who is a resident of Sri Lanka, incorporated under the laws of Sri Lanka, is a subject to any written law in Sri Lanka, offers goods or services to subjects in Sri Lanka, or monitors such subject behavior to make decisions accordingly.

The draft bill defines ‘personal data’ as any information that can identify a ‘data subject2’ directly or indirectly, by reference either to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that individual.

Data collection is a core marketing activity and without such personal data you can hardly do anything in modern advertising. While the enactment of this bill would not prevent marketers from collecting data, it would instead place certain restrictions on the manner data is processed. In other words, although you were able to use any data in any manner you preferred in the past, you would no longer be allowed to freely collect and analyze data upon your preference after the bill becomes a law. 

  • Controllers and processors

The bill provides conditions for controllers and processors to ensure the lawfulness of the processing of personal data by them. It is important to understand that a ‘controller’ means “any natural or legal person, public authority, non-governmental organization, agency or any other body or entity which alone or jointly with others determines the purposes and means of the processing of personal data”. In contrast, a ‘processor’ is “a natural or legal person, public authority or other entity established by or under written law, which processes personal data on behalf of the controller.” The processor should be a separate entity or person from the controller and not a person subject to any hierarchical control of the controller.

Both controllers and processors are involved in digital marketing. This could be explained by the following example:

Company A is a supermarket that collects and stores data including the basic personal information and purchase records of their customers. Company A needs to develop a personalized digital marketing strategy targeting its customer base. Company A employs Company B to analyze the data possessed by them. Company A has to decide which data to provide Company B for processing. 

Here, Company A would be the ‘controller’, whereas Company B would be the ‘processor’, because analyzing the customers’ data would be a function that falls under the definition of ‘processing’ in the bill; “… the carrying out of logical or arithmetical operations on personal data”.

  • Lawful process of data

According to the bill, it is lawful to process personal data if the data subject has given consent to the processing of his personal data. ‘Consent’ is defined in the bill as “freely given, specific, informed and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject’s agreement to the processing of his personal data”. Further, it is lawful to process personal data under the bill if it is necessary for the performance of a contract with the data subject, to comply with any legal obligation, in the interest of the data subject, public interest, or in the legitimate interest of the data controller. According to the bill, the legitimate interest of a controller would include situations where the data subject is a client or in the service of the controller.  A data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place, where it is strictly necessary for the purposes of preventing fraud or for the purposes of ensuring network and information security.

Consent is one cornerstone of marketing. The ultimate goal of using data is commercial gain. Therefore, such use of data is sometimes seen as an invasion of the right to privacy. To that end, it is important to obtain consent for all data that is collected. Using data for which consent has not been obtained is unlawful under the bill. Among all instances of lawful process of data provided in the bill, “in the legitimate interest of the controller” is one important provision. It provides the window for data to be gathered and processed for a variety of purposes including marketing.

  • Compliance

The bill also provides for the designation of an institution under the control of the Government to discharge a range of duties. One such duty is to ensure effective implementation of the data protection law. This authority can hold inquiries regarding the violation of the law and issue directives to suspend such course of conduct, rectify the situations and impose penalties where necessary. 

Therefore, non-compliance with the law may incur consequences that would be detrimental to the entire marketing operation.


The biggest takeaway here for digital marketers is to be prepared for the upcoming data protection regime and to follow best practices that would ensure transparency in data processing. Marketing cannot be done to people who are unaware or haven’t consented to such marketing. The owners of personal data should know what they consent to. Although not as strict as the regime created by the GDPR, once enacted, the Sri Lankan law would provide for regulating the use of data. Hence, it is worth preparing for a regime of responsible processing of personal data. 


1  A “bill” is a draft legislation that has not been enacted yet. Once it receives the endorsement of the Speaker after being passed by the Parliament, it becomes an “Act”.

 2 A ‘data subject’ is an owner of the data



Written by: Sanishya Ratnayake, Junior Lead – Account Management, Enfection