Nalinda Indatissa, President’s Counsel
In today’s digital world, personal data protection is considered sacred because it is no longer just about keeping secrets. Personal data—information that identifies or can reasonably identify a living individual—acts like a digital fingerprint, revealing habits, beliefs, financial status, relationships, and other private aspects of life. If this information is misused, the consequences can be serious, ranging from financial loss to emotional distress, reputational damage, and even manipulation.
For example, if a person’s banking details or NIC number are leaked, a criminal could open accounts or take loans in that person’s name. Similarly, leaked private photos or messages can ruin a person’s career or relationships. Even seemingly harmless information, like a travel pattern or phone number, can be used to stalk, harass, or manipulate someone.
Under Sri Lanka’s Personal Data Protection Act, No. 9 of 2022 (PDPA), personal data includes anything that relates to a living person who is identified or identifiable. This can range from obvious details like names, dates of birth, telephone numbers, email addresses, home addresses, NIC or passport numbers, to less obvious information like physical characteristics, movements, location, financial status, or property ownership. Personal data also includes images, audio recordings, or video recordings. It is considered processed when it is collected, stored, retrieved, consulted, used, disclosed, shared, transferred, or destroyed—whether electronically or as part of an organised filing system.
Even when personal data is pseudonymised—for example, where a person’s name is replaced with a code—it still counts as personal data if it can be traced back to the individual. Only information that is irreversibly anonymised, so that no individual can ever be identified, falls outside the Act. Certain types of data, such as health records, biometric data, genetic information, racial or ethnic origin, religious or political beliefs, trade union membership, or information about sexual orientation or sex life, receive extra protection. Processing this sensitive data generally requires explicit consent or a clear legal basis.
Protecting personal data is not just a legal requirement; it is a matter of human rights and dignity. Individuals gain autonomy and control over what they share and with whom. This allows them to participate in digital life freely without fear of surveillance or misuse. For instance, a person might choose to share health information with a doctor but not with a marketing company. Privacy also enables freedom of expression, association, and thought, because people can interact safely online or in public without constantly fearing that every action is monitored.
Personal data protection is also crucial in preventing harm. Identity theft, fraud, stalking, harassment, and reputational damage are real dangers in today’s world. For example, if someone’s online shopping or social media data is stolen, it can be misused to commit fraud or manipulate personal choices. Similarly, data leaks from medical or financial institutions can cause both personal and financial devastation. Without protection, even seemingly small breaches—like sharing someone’s phone number without consent—can have ripple effects that escalate into serious problems.
Another key reason personal data protection is essential is that it prevents manipulation and exploitation. Organisations and governments often collect large amounts of data to predict behaviour, target marketing, or influence political decisions. Without rules and safeguards, individuals are at a power disadvantage, unable to control who uses their data or for what purpose. This is why trusted systems and regulations are necessary, so that companies cannot abuse the data of users for profit or control.
Trust is the backbone of the digital economy. People will only use online banking, healthcare apps, government portals, and e-commerce platforms if they feel confident that their data is secure. Organisations that respect data protection laws build long-term credibility with users, whereas breaches can result in a rapid loss of trust and customer exodus. For instance, a hospital that mishandles patient records or a bank that leaks financial data will not only face legal penalties but also suffer reputational harm that may take years to repair.
To achieve these goals, countries and organisations need a robust personal data protection regime. This includes creating a strong regulatory framework, building awareness among citizens and businesses, ensuring compliance across both public and private sectors, and implementing internationally recognised standards. Such measures prevent crime, promote confidence in digital services, and allow development and marketing to be data-driven yet ethical. For example, a retail company can conduct targeted marketing without violating privacy if users’ consent is properly managed and their data is stored securely.
In our interconnected world, personal data often crosses borders. National laws alone are insufficient. It is time for countries to cooperate globally, share intelligence, assist in cross-border investigations, and ensure consistent enforcement. Global cooperation can reduce personal data violations, combat cybercrime effectively, build trust in international digital transactions, and ensure organisations adhere to consistent standards.
Modern technologies like blockchain can also support personal data protection. Blockchain allows data to be stored in a tamper-proof, decentralised ledger, making it nearly impossible for hackers or unauthorised users to alter or misuse information. It can also track who accessed data, when, and why, giving users greater transparency and control. For instance, a patient could allow a doctor to access medical records via blockchain without risk of the data being altered or leaked.
Taking care of personal data is therefore much more than a legal obligation. It is a matter of respect, trust, and responsibility. In an increasingly digital world, controlling one’s personal information is key to living connected lives without sacrificing security, freedom, or dignity. Personal data protection is the shield that preserves autonomy, prevents exploitation, enables trust, and supports global development. In short, safeguarding personal data is sacred because it ensures that people remain human beings, not mere data points, in the digital ecosystem.
