EU Data Protection Experts Clarify Transparency Rules Amid Concerns Over Sri Lanka–India Defence MoU

By Amarasri Bandara – News First – In Brussels

Brussels (News 1st); As Sri Lanka implements its new Data Protection Law and debate continues over the Defence Cooperation Memorandum of Understanding (MoU) signed with India, senior officials of the European Data Protection Board (EDPB) in Brussels have outlined how EU transparency and privacy standards apply to sensitive government agreements and public access to information.

Governments Can Withhold Information in Public Interest:

Roberta Muraro, Transparency and Legal Officer at the EDPB, clarified that governments may legitimately restrict disclosure of certain information in the public interest, particularly in matters related to international relations or ongoing diplomatic negotiations.

“In such cases, the Government has the right to protect data and not make it public, in the interest of safeguarding international relations,” Muraro told a group of Sri Lankan journalists on an EU-funded study tour in Belgium, organised by Internews under the Indo-Pacific Media Resilience Program.

Muraro explained that this exemption is often used to protect ongoing negotiations or sensitive agreements — especially those involving non-EU countries or international organisations.
However, she stressed that once negotiations are concluded, the justification for secrecy may no longer apply, depending on assessments made by relevant authorities or courts.

“Normally, the Court of Justice holds that once a process is finalised, it should not remain confidential, unless exceptional circumstances exist,” she added.

Sri Lanka–India Defence MoU Under Scrutiny:

Muraro’s remarks come as scrutiny continues over the Defence Cooperation MoU signed between Sri Lanka and India in April 2025, during Indian Prime Minister Narendra Modi’s official visit to Colombo.

The agreement, which the Foreign Affairs Ministry has so far declined to disclose in full, is reported to formalise existing informal defence arrangements between the two nations.
Officials from both sides have indicated that the MoU includes training exchanges, defence industry collaboration, technology and research partnerships, financial frameworks, and protection of classified information.

(On 22 April, Cabinet Spokesman and Minister Dr. Nalinda Jayatissa said Sri Lanka cannot unilaterally disclose the full contents of the MoU without mutual agreement with India.
On 4 August, the Supreme Court dismissed two Fundamental Rights petitions that sought to invalidate the recent MoUs signed between the two countries.)

Balancing Data Protection and Freedom of Expression:

During the Brussels session, Myriam Gufflet, Head of Sector for Litigation and International Affairs at the EDPB, discussed the complex balance between data protection, transparency, and freedom of expression.

“Freedom of expression and access to information are fundamental rights,” Gufflet said, noting that the General Data Protection Regulation (GDPR) already includes provisions, such as Article 85, that reconcile privacy obligations with journalistic activity.
Gufflet pointed out that Sri Lanka’s new data protection law contains similar provisions allowing exemptions for journalism, academia, and public-interest reporting, though structured differently.

She noted that EU law treats access to documents as the default, with restrictions limited to specific exceptions under Article 4 of Regulation 1049/2001. Each request undergoes a harm test to determine whether releasing a document could undermine a protected interest.

Absolute and Relative Exceptions Explained:

EDPB representatives distinguished between absolute exceptions — covering areas like public security, defence, international relations, and personal data — and relative exceptions, which apply to issues such as commercial interests or ongoing investigations.
Absolute exceptions do not allow balancing with public interest, while relative ones require careful weighing of transparency against potential harm.

When it comes to personal data, disclosure is strictly limited. Under Article 86 of the GDPR, such information can only be released when authorised by EU or national law.
The Court of Justice of the European Union has clarified that both transparency and privacy frameworks operate together to ensure accountability without compromising personal data protection.

EU Transparency in Practice:

Muraro and Gufflet explained that EU institutions proactively publish many documents via public registers, including those of the EDPB.

Unpublished documents can also be requested formally, with institutions required to respond within 15 working days — extendable once if necessary.

However, both acknowledged the practical challenges caused by rising public demand, prompting internal steps to manage excessive or overly broad requests through consultation with applicants.

On international relations, the officials reiterated that sensitive diplomatic material may be withheld under absolute exceptions, particularly if disclosure could harm negotiations. Still, they stressed that such restrictions should be narrow and proportionate, and that once agreements are finalised, transparency should normally prevail.

Lessons for Sri Lanka:

The EDPB delegation’s discussion comes at a crucial time as Sri Lanka rolls out its new data protection framework and faces questions on transparency, accountability, and media freedom in the digital era.

Gufflet noted that Sri Lanka’s law is notable for explicitly regulating government entities, unlike some regional counterparts that exempt state bodies. She urged local institutions to conduct compliance assessments and strengthen data-handling practices, recalling that Europe’s GDPR took years to fully implement.
Both officials emphasised that data protection is not absolute — and that media professionals must uphold accuracy, security, and data minimisation while exercising journalistic freedom.

EU Study Tour and Regional Context:

This EU-funded study tour of Belgium, Slovenia, and Lithuania, organised by Internews, brought Sri Lankan journalists face-to-face with EU officials to discuss transparency, disinformation, and democratic accountability.

As Sri Lanka navigates sensitive questions surrounding the India Defence MoU and digital privacy enforcement, the EDPB’s message was clear:

Transparency and data protection are not opposing forces — they are complementary principles that together strengthen democracy, security, and public trust.

Story By Amarasri Bandara – News First – In Brussels