Sri Lanka- Privacy breached

Mar 3, 2020 | News

B. Mohan

Privacy in Sri Lanka has seen a serious breach, especially after the Ranjan Ramanayake and Swiss Embassy incidents.

In a day and age where privacy cannot be viewed as a singular issue in isolation, but rather as one encompassing almost all aspects of life, primarily due to continuous advancements in technology – the extent of which some of us may even be unable to fathom – we in Sri Lanka are unfortunately still in the nascent stages of this battle – that is, those who understand there is a battle to be fought in the first place.

Some of us may be letting issues slip through the cracks, while some of us may be completely oblivious to the goings on and their overall implications, perhaps due in part because we don’t feel any direct impact.

Recent events in the current landscape of Sri Lanka – the leaked Ranjan Ramanayake telephone calls (#RanjanGate) and the Swiss Embassy issue, both involving the revelation of telephone records – have, at the very least, promoted the need for this very pertinent question: Is our privacy protected?

There is widespread consensus that privacy is a fundamental right that needs to be safeguarded, with many agreeing that it needs to be included in the Sri Lankan Constitution as such. Some also claim that merely having constitutional recognition of the right would not suffice.

Meanwhile, the state is of the view that the right to privacy, as things currently stand, is a moral issue and as such should be evaluated from a moral standpoint – which this gives rise to obvious concerns.

But what is more troubling is that it believes that it does not have the right to roll out regulations or laws governing privacy in order to stop privacy violations, when it itself, and all connected units of the state, here and around the world, are engaged in such activities.

Abandoning a fundamental right

Currently, the Sri Lankan Constitution does not include privacy as a fundamental right. However, there have been efforts in the past to include it, although now halted.

The Colombo Gazette spoke to political scientist and constitutional expert Prof. Jayadeva Uyangoda to get his views on the matter.

“No, it’s not yet included. One of the previous constitutional drafts contained a proposal to include it, but there was no consensus amongst political parties, so it was abandoned.

“But my personal view is that it should be included in the Constitution as a fundamental right. It should be a part of right to life and the right to privacy.”

Verité Research (Pvt.) Ltd. Research Director and Attorney-at-Law Gehan Gunatilleke, who specializes in international human rights and public law, confirmed that the process to include privacy in the Sri Lankan Constitution was abandoned along with the constitutional reform process itself.

“The Subcommittee on Fundamental Rights (which was part of the Parliamentary Steering Committee of the Constitutional Assembly) recommended that the right to privacy be explicitly included in the Constitution.

“This proposal included the right to privacy in terms of a person’s ‘correspondence and communications’. Unfortunately, the constitutional reform process has been abandoned.”
Speaking to the Colombo Gazette, the Centre for Policy Alternatives (CPA), a local institution that identifies and develops advocated policy alternatives, also believes that privacy is a fundamental right and should be seen as such.

“However, merely having a constitutional recognition of the right isn’t sufficient. The right to privacy is an extremely complicated right, especially considering modern technological advances,” said CPA Senior Researcher Bhavani Fonseka.

Current legislation in place

This, no doubt, brings to mind the recent events I mentioned above. As such, I thought it pertinent to seek clarification on what actions are allowed, what aren’t, and whether any of this is governed by current regulations or laws, specifically in the case of recording telephone conversations, by both telecommunication companies and on an individual basis.

On the former, Fonseka of the CPA said: “It is an offense for a telecommunication(s) officer or any person having official duties in connection with a telecommunication(s) system to intentionally intercept a message sent by means of that system or its usage information (Section 54 Sri Lanka Telecommunication Act No. 25 of 1991).

She continued: “This will not be an offence only if the Minister in charge of the TRC (Telecommunications Regulation Commission) gives a direction to such an officer to intercept such information.

“As of now, this provision cannot be used as the TRC comes under the Ministry of Defence and there is no minister gazetted. So any officer of a private or state-owned telecommunications provider who provides such information is committing an offence and could be prosecuted.

“However, when there is a minister appointed and if the minister gives a direction, there is absolutely no oversight about the process. There is also no judicial supervision. This is an extremely troubling situation and the Minister can use the power to get information on his political opponents or people who he/she has a personal grudge against.”

This raises serious concerns on the extent of the state’s access to sensitive personal information for use in achieving its own objectives.

On the latter, i.e. on an individual basis, Gunatilleke said: “I think the relevant statutory provisions that apply are Section 10 of the Computer Crimes Act (prohibits disclosure of information in breach of contract) and Section 52 of the TRC (Telecommunications) Act of 1991 (prohibits intrusion into any electronic message with the intention of learning its content).”

Irrespective of these legal provisions, we are all well aware that any information that is required by the state can be requested or even demanded, citing national security concerns, and sometimes even not.

State terms it a “moral issue”

Upon speaking to Chaminda Gamage – the Media Secretary of Speaker of Parliament Karu Jayasuriya – about this, I learned that he was of the opinion that these issues need to be looked at from a moral standpoint.

He said: “With regards to the legality of it in Sri Lanka, we know that it is at the moment a moral issue. These days, even the Speaker (of Parliament) has made inquiries into what the limits are to this sort of conduct.”

Upon querying him on the need to introduce a regulation solely covering the protection of individuals’ right to privacy on all fronts, he said: “From what we know at the moment, doing something of this nature is not possible.”

When questioned as to why, he responded: “The government can’t afford to stop people from doing it because not only the government, but also all connected units of the government, even all over the world, does it. Especially due to modern-day technology as well, people hack and record conversations.”

Based on this logic, one could pose the question of whether Sri Lankans should give up their fight for privacy just because these practices are commonplace the world over.

However, should that be the case, progress on any fight for rights would not see the light of day.

Deeper implications

But he was right on one count – everyone does it.

The world over, individuals’ privacy is being breached in more than one way and to satisfy more than one end; ranging from advertising and promotions to law enforcement and much else, via the use of data collected pertaining to purchasing activities, movement, internet browsing, e-mail, text messaging, etc.

Prof. Uyangoda said: “There are local companies that are doing big data analysis, and they use consumer data. You should actually ask them what they are doing with this information.”

These data sets are being collected by corporates and governments the world over, and even though most of it is anonymized, it is important to realise that, over time, we can be consistently identified.

Prof. Uyangoda continued: “Intelligence agencies – say the National Security Council, National Security Agency (NSA), etc. – reportedly have conversations of everyone in the world.”

Referring to the conversation I was having with him at the time, he said: “Even this conversation is probably recorded by the NSA in the US. The British, American, and Indian intelligence agencies, which are now very sophisticated, record almost all the telephone conversations probably in the entire South Asian region.”

Asked if Sri Lanka was at the stage where it too has the resources to do the same, he responded: “We are, probably. I saw a report recently that the Israeli Government has met with the President, and a delegate, and they have promised to support Sri Lanka to improve its electronic surveillance – for which Israel is very well known in the world.”

On this aspect, Fonseka from CPA shared: “Governments and private entities both collect large amounts of information from the public without their consent and even monetize such data. As such, data security is also an important dimension of the right to privacy and needs to be addressed in a comprehensive manner,” shared CPA’s Fonseka.

Upon querying Speaker’s Media Secretary Gamage on the implications of such invasions of privacy in Sri Lanka, he said: “We know that due to security reasons, a lot of countries are recording conversations.

“I believe that with this revolution of modern technology, we have to really turn back and look and consider what the boundaries of this are from a moral perspective. You can’t consider this a problem that is limited to Sri Lanka only.”

A possible saving grace – not  

Gunatilleke of Verité Research shared: “Sri Lanka has ratified the International Covenant on Civil and Political Rights, which recognizes the right to privacy.

“In an advisory opinion in 2008, the Supreme Court observed that Sri Lanka’s legal framework adequately protects this right. In an annex to the opinion, it referred to the Post Office Ordinance of 1908 (Section 71) and the Computer Crimes Act of 2007 (Sections 3, 8, and 10), and the civil law remedy of suing for the damage of reputation as adequately providing for the right to privacy.

“However, these legal provisions do not adequately oblige the state to protect a person’s right to privacy, and they do not allow a person to sue the state for its failure to protect such a right.”

He then stated that the Data Protection Act which is pending sanction would bridge certain gaps, saying: “There does not appear to be any procedure for the disclosure of information except through a court order. But if there is a court order to disclose information, we may need to look at the terms on which mobile service providers are granted a license.

“If a license condition is that information can be shared with state authorities in the event of a court order, then the contract between the customer and the service provider should specify so, or there should be a general law governing this aspect.

“I do not think such a law exists – which is where the Data Protection Act comes in.”

This Act specifies that it “defines measures to protect personal data of individuals held by banks, telecom operators, hospitals, and other personal data aggregating and processing entities”.

The Act also states, in Schedule 1: Conditions for Lawful Processing, that the data subject (the person whose data is collected/used) has to have “given consent to the processing of his or her personal data” along with six other conditions.

While this in itself may offer some form of protection, we must realise that it does not cover personal data used for “purely personal, domestic, or household purposes by an individual” as specified in the Act; that if the data has been “anonymized”, the Act does not need to be complied with; and lastly – and most importantly – that it has not been ratified yet.

The sources of threat

When speaking to Prof. Uyangoda on his recommendations on how we ought to proceed in the Sri Lankan legal space on this issue, he shared: “In Sri Lanka, there are three sources of threat to privacy – one is the individuals, like Ranjan Ramanayake. And today, phone tapping is a fairly common thing as the equipment can be bought. So here, individuals themselves are a threat and can pose a threat to the privacy of other individuals.

“The second one is private companies. These companies have an enormous amount of personal data. For example, the supermarkets we go to if get our phone numbers and have all the information about our consumer preferences; everything in the hospitals are digitalised and so those computers contain all our personal information; and let’s not forget the banks.

“The third potential source of threat is the state. The state also has enormous amounts of our personal data. The state taps telephones, the state taps our emails, and breaks open our letters. Therefore, the state has enormous amounts of data about individuals.

“I think the law should cover all three potential sources of threat.”

Shedding more light on things to consider when proposing such legislation, CPA’s Fonseka said: “The right to information is recognised in Article 14A of the Constitution, and one of the grounds on which this right can be restricted is based on privacy. As such, the Supreme Court will sooner or later have to deal with the issue of what is meant by privacy when interpreting the scope of the right to information.”

However, the above would only be applicable if victims of privacy abuse stand up for their rights and fight to protect it.

And that might be difficult, considering the fragmented way in which individuals’ privacy is protected through local legislations at present – in this article, we explored three acts already in force and one that is pending ratification.

A layman may not be fully aware of their rights as things stand and this leaves a lot of room for misinterpretation, leaving them vulnerable.

Needless to say, the conversation surrounding privacy needs to be given priority in Sri Lanka, especially in the most basic sense so that it is understood by you and me.

At the same time however, we must not forget the complex ways in which it can and is being violated via more stealthy avenues as technology advances.

At this juncture, the most pertinent question of all is, how do we draw the line between correctly categorizing data that should be protected and considered private, against data that might pose a threat to national security? After all, isn’t this the basis on which the state has granted itself full access?

Original post: Colombo Gazette