Is the Proposed Data Protection legislation a cause for concern for journalistic expression?


Ashwini Natesan

(The writer is a lecturer, legal researcher and consultant specialising in Technology, Media and Communications Law.)

At the outset it should be said that there is no question as to the need or importance of a data protection legislation. Sri Lanka has long needed a comprehensive legislation to protect individuals’ personal data from breach and unauthorised use. However, a reading of the Personal Data Protection 2021, draft in its present form, (Draft 7 published in February 2021 in ICTA’s official website, hereinafter ‘Proposed Data Protection’) raises certain potential concerns that require attention.

Use of personal data for ‘journalistic purposes’ or for reporting of news by media organisations

In general, ‘personal data’ is understood to include anything from a person’s name, address, picture, direct identifiers to indirect identifiers like physical, economic characteristics.

The definition of ‘personal data’ under the Proposed Data Protection law is wide including all forms of direct or indirect identifiers. Any person or entity that determines the processing (use, disclosure, storage, preservation, etc.) of personal data is the ‘Controller’ in terms of the Proposed Data Protection. Thereby, an entity including a news organisation would, per se, come within the scope of the definition.

As we all know, news organisations use personal data of individuals for reporting on a daily basis. If the law in its present form is passed – with no exemptions for the media – it may mean that media organisations would need to obtain consent from concerned data subjects (person whose personal data is being shared) prior to publication. Importantly, wide rights are granted to the data subject in terms of access, deletion and rectification of their personal data. Would this mean that any person on whom news has been reported can claim for deletion/rectification of their personal data? Are all news organisations required to obtain consent prior to publication of any individual’s personal data? How is it feasible to not reveal any direct or indirect personal data when news is reported?

But these are not issues unheard of; to ensure freedom of expression and the fourth pillar of democracy are not stifled, exemptions from certain applicable provisions of the data protection law are routinely enshrined for ‘journalistic purposes’.

The Proposed Data Protection law in Sri Lanka follows the European Union’s General Data Protection Regulation (GDPR) model. Article 85 GDPR, requires EU Member States to reconcile the right to protection of personal data with inter alia the right to freedom of expression and information, including processing for ‘journalistic purposes’. This is similarly reflected in the legal regimes of Singapore, Malaysia, India (proposed data protection Bill) and China (proposed personal information protection law draft). However, there is no mention of use of personal data for journalistic purposes and the applicable exemption thereof in Sri Lanka’s Proposed Data Protection law.

While it is necessary to ensure that personal data is held responsibly by news agencies including when they are used for ‘journalistic purposes’ it is also important to ensure that some exemptions are carved out to ensure that they are not unduly restricted.

The Proposed Data Protection law includes general exemptions such as ‘public interest’ and ‘legitimate interests’. It can certainly be argued that journalistic purposes would be covered within the scope of these provisions. However, this would leave room for much ambiguity and confusion, particularly since ‘public interest’ and ‘legitimate interests’ are not defined. It is to be noted that even in the examples of what includes ‘public interest’ or ‘legitimate interests,’ there is no mention of ‘journalistic purposes’.

Right to Information (RTI) and the Proposed Data Protection law

The right to information is constitutionally guaranteed under Art 14A of the Constitution of Sri Lanka and statutorily guaranteed through the Right to Information Act No. 12 of 2016 (hereinafter RTI Act). Under Section 5 (1) (a) of the RTI Act, ‘personal information…. that would cause unwarranted invasion of privacy’ is a valid justification for refusing to disclose information if the public interest override in Section 5 (4) does not apply. Since privacy is not defined and due to the difficulty in precisely defining it, the same is decided on a case-by-case basis.

As explained above, the Proposed Data Protection law protects ‘personal data’. On a plain reading of the provisions, it would seem that the RTI Act and the Proposed Data Protection law do not overlap in any way but merely supplement each other. Perhaps this would have been the case had an exclusion/exemption for the RTI Act been mentioned clearly and unambiguously in the Proposed Data Protection law. But that is not the case. Clause 35 (e) refers to ‘the protection of the data subject of the rights and fundamental freedoms of others, particularly the freedom of expression and the right to information’.

The exemption clause has been linked with the rights of the data subject. Would this then mean that the right to information will be considered in light of individual data protection principles for the exemption to apply? Or would this mean that rights of the data subject and fundamental freedoms of others would be balanced on the basis of the law?

The primary principle should be securing the right to information of every citizen with protection of the data subject of an individual, as a limitation to that right. This is reflected in privacy being a narrowly defined limitation under the RTI Act, subject to release of information in the public interest. But the overriding nature of the Proposed Data Protection law, under Clause 3 would mean that such conflicts would be determined with primacy given to data protection. While protection of personal data is not negotiable, it ought not to be used as a tool to refuse disclosure under the RTI.

As it stands, several appeals made to the RTI Commission by citizens stem from refusals by public authorities to divulge information under Section 5 (1) (a) of the RTI Act. This has been particularly so regarding employment/recruitment/promotion schemes of state officials (i.e. criteria for appointments, salaries, etc. which have been released on Order of the RTI Commission when public authorities refuse to do so, citing privacy concerns, (see for example, ‘Airline Pilots Guild of Sri Lanka v. Sri Lankan Airlines Ltd.’, RTIC Appeal Order, 12 June, 2018). This is in line with the thinking of the global RTI regime. Could this trend of information release be negatively impacted using the protection of personal data as an excuse and if so, who would decide the conflict, the RTI Commission or Data Protection Authority, that is required to be Government controlled?

In fact, the Information Officer under the RTI Act and the Data Protection Officer required to be appointed under the Proposed Data Protection law would be required to make crucial decisions necessarily overlapping with each other. The RTI has been at the forefront in bringing to light several important information impacting on the transparency and accountability of public sector officials in Sri Lanka, could those disclosures be caught up in this quagmire? The object of the two enactments is disparate but the absence of explicit and clear exemptions in the proposed law may lead to stunting progress achieved through the RTI process.

These concerns are more relevant in light of Clause 3 of the Proposed Data Protection law, that has an overriding effect over other written laws, where, in the event of inconsistency, the data protection law would be given supremacy over other laws. It is recommended that due consideration be given to these aspects so that a balance is struck between protecting personal data and freedoms of expression and information in line with the Constitution and enacted law, including most importantly, Sri Lanka’s globally ranked RTI Act.

Courtesy;Daily FT