Privacy Law


PRIVACY LAW IN USA CASE LAW

Electronic surveillance is addressed in the Fourth Amendment to the
Constitution of the United States of America, which guarantees the right of the
people to be secure against unreasonable searches and seizures. The U.S. Supreme
Court initially ruled in Olmstead v. U.S. (1928) that electronic
eavesdropping is not a search or seizure, since the government
intercepted conversations without entering the defendant's home and
conversations are not tangible things that can be seized. However,
the Court later overruled Olmstead in Katz v. U.S. (1967) and held
that the Fourth Amendment protects any place where an individual
maintains a reasonable expectation of privacy. Both cases
involved wiretapping or bugging.

In Kyllo v. U.S. (2001), the Court addressed the constitutionality of
using technology to surveil the inside of a defendant's home without
actually entering the home. Here, the Court held that a physical
invasion was not required to constitute a Fourth Amendment search if
the surveillance reaped information that would not have been
attainable without entering the home.

Privacy Laws in SL

On March 18th, 2022, Sri Lanka enacted the Personal Data Protection
Act, No. 9 of 2022 (the “Act” or “PDPA”), thereby becoming the first
South Asian country to enact comprehensive data protection
legislation. The law is modeled after the General Data Protection
Regulation (GDPR) in the EU and imposes considerable
responsibilities on controllers. Below we describe selected highlights
from the Act and considerations that companies should prepare for as
the Act gradually comes into effect, beginning in 2023.

While Sri Lanka is the first South Asian country to enact
comprehensive privacy legislation, it is unlikely to be the last. India
has been debating its Personal Data Protection Bill since 2019 (and
amendments were proposed earlier in 2022). There was also some
traction for a comprehensive privacy bill in Pakistan in 2020. This
activity in South Asia on data privacy is emblematic of the rest of the
world, as more countries are proposing comprehensive privacy laws that
borrow heavily from the GDPR. These new laws will impose
considerable obligations on businesses with international operations,
particularly as they pertain to cross-border data transfers. Companies
with ties to these regions should be aware of their relevant obligations
as these new laws continue to pop up.

APPLICATION
The Act applies to any processing of personal information that takes
place in Sri Lanka. It also applies to controllers or processors that are
domiciled in, incorporated in, or offer goods or services to persons in
Sri Lanka. Notably, the Act applies to businesses and does not
apply to personal information processed “purely for personal,
domestic or household purposes” by an individual. Like the
GDPR, the PDPA applies to all businesses, small and large alike. Smaller
companies subject to the law should carefully consider compliance
costs, as those may be significant and potentially onerous.

PROCESSING OF DATA
The PDPA relies heavily on the GDPR principles of legitimate purpose,
proportionality and transparency, among others. Specifically, under
the PDPA, controllers must ensure that processing of personal information
follows the principles below:

1. Legitimacy: Processing of personal information must be for a
“specified, explicit and legitimate” purpose.

2. Proportionality: Processing of personal information must be
“adequate, relevant and proportionate” to the extent necessary in
relation to the purpose of processing;

3. Accuracy: Personal information processed must be
“accurate and kept up to date”;

4. Limited Retention: Personal information should be kept only as
far and as long as necessary for the purpose for which it was
processed;

5. Integrity: Controllers must ensure the integrity and confidentiality
of personal information processed by using appropriate
technical and organizational measures, including encryption,
pseudonymization, anonymization, access controls or other such
measures;

6. Transparency: Controllers have an obligation to process in a
transparent manner, enabling data subjects to receive information
they request regarding the processing of their information;

7. Accountability: Controllers must implement internal controls
and procedures, a “Data Protection Management Program”, to
maintain adequate data processing records and ensure
appropriate oversight.

RIGHTS AND CHOICES
Under the PDPA, data subjects covered by the Act have the following
rights and choices:

1. Right of access: Data subjects have the right to request access
to their personal information;

2. Right to withdraw consent: Data subjects have the right to
withdraw consent and to object to the processing of their
personal information;

3. Right to rectification: Data subjects have the right to request
that their personal information be corrected or rectified when
inaccurate;

4. Right to erasure: Data subjects may request to have their
personal information erased.

Controllers shall have twenty-one (21) business days from the request
to notify data subjects whether their requests have been granted or
denied. Thus, companies subject to the Act should consider the
necessary infrastructure and systems support needed in order to
comply with this limited response window.
