Tuesday, October 6, 2020

A comparative analysis of the cyber security law of Sri Lanka with European Union Directives

Introduction


Although data breaches usually make headlines when they hit big-name brands or developed countries, in recent years Sri Lanka has faced many threats to the nation's critical infrastructure. To protect both businesses and individuals, the government has made numerous legislative measures over the years.

A few of the many pieces of legislation are cited below as examples.

- Intellectual Property Act No. 36 of 2003
Provides legal protection over intellectual property as well as remedies for violations. Though the Act does not explicitly cover cyber-related issues, it attempts to cover certain aspects relating to ICT products, such as copyright in software.

- Computer Crimes Act No. 24 of 2007
The Act covers the sphere of crimes and frauds connected to computers and information technology.

- Information and Communication Technology Act No. 27 of 2003

- Electronic Transactions Act No. 19 of 2006

- Payment and Settlement Systems Act No. 28 of 2005

- Payment Devices Frauds Act No. 30 of 2006

But these Acts still do not cover recent security challenges such as taking action against false information campaigns that have divided society and caused public disorder, terrorist events, social media crimes, etc. It is therefore important to focus on laws directly related to cybersecurity, which can prevent emerging crimes in the country. The proposed Act gives sweeping powers to state cyber agencies and organisations and to the Digital Infrastructure and Information Ministry, despite concerns from civil liberties activists and computer societies over judicial oversight and potential abuse of power. The new Bill is expected to provide for effective implementation of the National Cyber Security Strategy in Sri Lanka so as to prevent, mitigate and respond to cyber security threats and incidents adequately and effectively. The Bill also seeks to set parameters for data retention, data processing and cross-border flow of data, and it presents a single platform for seeking and storing data that can be used by government agencies such as the Police, Customs and the Immigration Department.

COMPARATIVE ANALYSIS

Coverage of the Bill

When comparing the two statutory instruments, the European Union Cybersecurity Act (hereinafter referred to as the EU Act) covers a wide area of cyber-related issues, whereas the Sri Lankan Bill concentrates more on developing a structural framework. Much evidence can be provided in support of this statement.

Sections 7 and 8 of the EU Act highlight the importance of developing the awareness of the general public, whereas the Bill has not given due importance to the awareness factor. With the rising level of technology-related violations, the importance of public awareness cannot be underestimated.

Businesses and consumers do not have specific protection for the ICT products they use under the general law of Sri Lanka. The Intellectual Property Act makes an impact with its copyright provisions, but those are not sufficient to protect consumers per se. Though the proposed Bill has not identified this gap, the EU Act, from S.10 onwards, has recognised and addressed the problem. It has also addressed the issue of vulnerabilities created by ICT products, which is a step ahead given the pace of technological advancement.

ENISA and the Cyber Security Agency

When considering the structural framework, the EU Act, under S.14, introduces the European Union Agency for Network and Information Security (hereinafter referred to as ENISA) as established under Regulation (EU) No 526/2013 of the European Parliament and of the Council. The objective of ENISA is stated as maintaining a high level of network security within the Union and developing an information and network security culture for the benefit of the public, businesses, administrations and consumers.

Similarly, the Sri Lankan Cyber Security Bill also provides for the establishment of a new Agency under section 3(3). The powers and responsibilities of the Agency are duly set out in the Bill. But when considering the objective of the Agency, it does not cover as wide a spectrum of situations as the EU Act does.

S.20 and S.21 declare that ENISA should be a professional body with expertise and should function as a reference point, and that it should develop its own capabilities. S.24 of the EU Act states that the main task of ENISA is the “effective implementation of Directive (EU) 2016/1148 and other relevant legal instruments containing cybersecurity aspects, which is essential to increase cyber resilience”. According to S.25, it should assist other related bodies in resolving crimes conducted in the cyber environment.

S.4 of the Bill includes many provisions similar to the above-mentioned EU regulations. The Agency has a responsibility to develop a better atmosphere for dealing with cyber issues. But the Agency does not consist only of professionals: according to S.5(2), the power to appoint the Chairman lies with the Minister, which could affect the professional nature of the Agency.

Interpretation Section

The interpretation section shows another significant problem. The EU Act has interpreted its terminology accordingly, but when one examines the Bill, ambiguities are visible. For example, the term ‘cybersecurity incident’ used in S.21 of the Bill has not been interpreted. Therefore, when an incident takes place, there is no way of assessing it as a cybersecurity incident, which creates a gap in the law even before it is enacted. Failure to interpret the necessary terminology inevitably leads to legal ambiguities of various kinds.

The EU, however, has a number of interpretation sections for the terminology used. For example, with regard to an overview of cyber security and related terminology, version I provides a clear explanation of ‘cyber security incidents’. According to that section it is defined as “Any occurrence that has an impact on any of the components of the cyberspace or on the functioning of the cyberspace, independent if it’s natural or human-made; malicious or non-malicious intent; deliberate, accidental or due to incompetence; due to development or due to operational interactions…” When one compares the Bill and the Act, the Act seems more informative and easier to use, with simplified provisions, whereas the Bill shows a lack of proper coverage of the subject.

Involvement of the SLCERT

Both the EU Act and the Sri Lankan Bill accept the support of the SLCERT in certain instances, and the Bill has given it a significant amount of responsibility, including the handling of cybersecurity issues. But no mechanism has been provided in the Bill to assist SLCERT in this regard.

According to S.4(2) of the Bill, the Agency is required to consult the SLCERT when exercising its powers and duties. Even though it is understandable that SLCERT would have much more experience of incidents owing to its long period of active duty, it is unclear why the Agency has to consult SLCERT at all times. It would be more acceptable if the Bill specified the subjects or areas that require consultation.

Risk Analysis 

S.38 of the EU Act declares that ENISA should carry out cyber risk analysis and assessment to identify possible cyber threats in order to protect the members of the Union. The Sri Lankan Bill has not included risk analysis, though it is of high importance. For example, though Sri Lanka has a lower rate of traditional cyber incidents, cyber risk analysis could be used successfully to prevent terrorism. But the Bill does not provide for it.

Autonomy of the appointed CII

Part IX, S.24 of the Bill states: “The Agency or any other officer authorized in writing in that behalf by the Agency, for the purpose of ascertaining whether the provisions of this Act or any regulation made thereunder are being complied with may, on reasonable ground – (a) enter, inspect and search premises of the designated CIIs; (b) examine and take copies of any document, record or part thereof pertaining to such CIIs; (c) examine any person whom he has reasonable cause to believe that such person is an owner or employee of such CII…” This can be identified as a gap in the law. Without proper data protection laws, and without placing this section under the supervision of the courts, it might lead to serious violations and a threat to the autonomy of the functions of the CII. It would be better to grant the power to enter a CII only through a warrant issued by a court on reasonable grounds. The warrant should contain the name of the authorised CSASL officer, specify the documents or records to be copied or taken, and state its period of validity.

Conclusion of the comparative analysis

Unarguably, compared to the EU Act, the Sri Lankan Bill does not cover the emerging issues in the area of cybersecurity. But as the first piece of legislation of its kind, it provides a structural framework on which one can build step by step. When analysing the current provisions of the Bill, the establishment of the Agency and the way CERT is used to develop the area of cybersecurity can be identified. But the Bill has neither remedied the prevailing issues through specific provisions nor created a mechanism to prevent them.

REFERENCES

Statutes

Computer Crimes Act No. 24 of 2007

Electronic Transactions Act No. 19 of 2006

Cyber Security Bill

Information and Communication Technology Act No. 27 of 2003

Intellectual Property Act No. 36 of 2003

Payment and Settlement Systems Act No. 28 of 2005

Payment Devices Frauds Act No. 30 of 2006

International Legislation

EU Cybersecurity Act (European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council on ENISA)

Online Articles

• Carrapico H and Barrinha A (2017), ‘The EU as a Coherent (Cyber)Security Actor?’, <https://onlinelibrary.wiley.com/doi/pdf/10.1111/jcms.12575>

• Feather Neill, ‘How new cyber law can help protect your business’ (Inc, 2019), <https://www.inc.com/neill-feather/how-new-cybersecurity-laws-can-help-protect-your-business.html> Accessed on 23rd September 2019

• Jayasekara D and Rupasinghe W (2015), ‘Cyber crime in Sri Lanka’, <https://www.researchgate.net/publication/294725446>

• Odermatt J (2018), ‘EU as a cyber security actor’, <https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3144257>

• Senaratna B, ‘Dynamics in Cybersecurity: Challenges to Sri Lanka’s National Security’, <http://ir.kdu.ac.lk/bitstream/handle/345/1717/010.pdf?sequence=1&isAllowed=y>

• Vithana Nisa, ‘Decoding Sri Lanka's Cyber Security Bill 2019’ (Meta Defence Labs, 2019), <https://www.metadefencelabs.com/single-post/2019/06/06/Decoding-Sri-Lankas-Cyber-Security-Bill-2019> Accessed on 25th September 2019


AUTHOR'S NOTE

This article was written around September 2019. As a cyber security student with very little knowledge of legal systems, I might have made mistakes. Feel free to make some comments on how to improve this article and let me know if there is any wrong information. I had some help from law students when drafting this, and my thanks go to them.
The Cyber Bill in Sri Lanka is still awaiting approval of the Cabinet as of 20/08/2020.

http://www.adaderana.lk/news/66576/bills-for-cyber-security-and-data-protection-drafted
