On May 23rd 2019, the Government of Sri Lanka posted the Draft Cyber Security Bill on the SL CERT website and invited public comments/input. LIRNEasia submitted comments in response to the SL CERT’s request. Our written comments submitted on 5th June 2019 are available through the link below Comments on the Cyber Security Bill – Sri Lanka 2019 Subsequently in August 2023, the Government of Sri Lanka posted an updated version of the Cyber Security Bill and invited public comments. LIRNEasia once again submitted written comments on 18th August 2023, which can be accessed here. Comments on the Cyber Security Bill – Sri Lanka 2023 The report below analyses the extent to which the input submitted by LIRNEasia in 2019 has been taken into account in the updated (August 2023) version of the proposed Bill
In his publication ‘International in scope and interdisciplinary in approach’, LIRNEasia’s chair Rohan Samarajiva addresses new media’s impact on societies bound by it and the policy implications that emerge as a product of the same within the three spheres of data protection, data localization and cybersecurity. He highlights the continuous need for interdisciplinary research and reflection on social implications of new media. The open access journal article can be accessed here
This report is to evaluate the impact of interventions (written comments on the draft bill during the stakeholder consultation) by LIRNEasia on the Personal Data Protection Act, No. 9 of 2022, which was passed by the Parliament of Sri Lanka on 9th of March 2022. The report also provides details of media coverage of LIRNEasia interventions on the Act.
Can nation states, especially those in the Global South effectively regulate Global Tech Companies? Should they try? Why is it important to separate the data localization issue from data protection? GDPR is not fully enforceable even in Europe; should it be the model for countries in the Global South?
LIRNEasia's Ramathi Bandaranayake conducted the research for Sri Lanka as part of the Global Data Barometer Survey, the results of which are now public.
Data protection is considered an esoteric subject, but affects the entirety of the modern economy, ranging from a home-based cake supplier who maintains a list of customers, their preferences and contacts, to a multinational insurance company.
"Data protection is considered an esoteric subject, but it can have powerful effects in the emerging digital economy. Depending on the success of digitalisation efforts, pretty much every organization may fall within the scope of data protection regulation. Few developing countries have enacted data protection legislation. There may be lessons to be drawn from the Sri Lankan effort."
“Sri Lanka has wellcrafted laws but rarely are they implemented satisfactorily. If the regulator is underresourced, little more than ticking the boxes so that Sri Lanka will pass the EU’s adequacy test is likely to be achieved, and even that is uncertain. The best law is not one that is optimal in a technical sense, but one which is most appropriate for the local conditions”
An Expert Round Table discussion on “Data Protection in an Interconnected World” was held on the 28th of June 2021, as the first of a series of discussions under the theme of “Frontiers of Digital Economy”
I have been teaching regulation since the 1980s, using all kinds of text books and articles. Since around 2000, I was deeply engaged in training regulators all over the world. It was thus not a big deal to respond to a request to write an overview or pull together a bibliography. But what I found most useful was a question from a colleague about the one article/book I would say was central to understanding regulation. Not ten, not five, but one.
This document is intended to understand the extant policy context in relation to healthcare data protection, providing international comparisons, and raise important questions for Sri Lanka to consider in relation to data protection, albeit within a narrow sector specific scope.
I was recently listening to some Microsoft officials asserting that they would be fully compliant with the new European General Data Protection Regulation, implying that it could be applied here too. There is no doubt that countries that seek to do business with Europe will have to pay special attention to GDPR. But that does not mean that we should simply do a cut and paste. The GDPR bears the marks of its birth. It may be appropriate for Europe (this article suggests, that too will be a problem).
The second panel was on digital rights and multistakeholderism. I did not think there can be much debate about a Rorschach inkblot so I devoted only one slide to it and made some passing comments, which still managed to elicit some response from the people who live under the protection of the concept. Digital rights was where the robust exchange occurred. Not because of the relatively uncontroversial issue of governments being prevented from arbitrarily shutting down the Internet and the underlying telecom networks that I proposed. But it was because one of the panelists proposed the wholesale importation of the European data protection regime and rights such as the “right to be forgotten.
Europe has been the fount of data protection absolutism. Not a problem for anyone else but countries such as Thailand and Indonesia are well on the way to model their legislation on the European model. But Chancellor Merkel has seen that the absolutist approach poses dangers to European consumers and businesses as well. Europeans are famous for banning things, Merkel said. These bans are put in place for good reason, she said, but can be damaging if taken to excess.