Personal Data Protection Act (Sri Lanka)

Personal Data Protection Act, No. 9 of 2022
Personal Data Protection Act, No. 9 of 2022
Parliament of Sri Lanka
	Long title An Act to provide for the regulation of processing of personal data; to identify and strengthen the rights of data subjects in relation to the protection of personal data; to provide for the establishment of the Data Protection Authority; and to provide for matters connected therewith or incidental thereto ;
Citation	Personal Data Protection Act, No. 9 of 2022
Territorial extent	Worldwide
Enacted by	Parliament of Sri Lanka
Enacted	March 9, 2022
Signed by	Speaker of the Parliament
Signed	March 19, 2022
Effective	July 17, 2023 (Part V); December 1, 2023 (Parts VI, VIII, IX, X); March 18, 2025 (Parts I, II, III, VII)
Administered by	Data Protection Authority of Sri Lanka
Legislative history
Bill title	Personal Data Protection Bill
Bill citation	Personal Data Protection Bill
Introduced by	Minister of Technology
Introduced	November 25, 2021
First reading	January 20, 2022
Second reading	March 9, 2022
Third reading	March 9, 2022
Keywords
	Data protection, Privacy, Personal data
	Status: Not fully in force

The Personal Data Protection Act, No. 9 of 2022 (abbreviated PDPA) is a comprehensive data protection law enacted to regulate the processing of personal data in Sri Lanka.^[1] The Act aims to protect the privacy of individuals, establish rights for data subjects, and impose obligations on data controllers and processors.

Background

The Act was passed by the Parliament of Sri Lanka in 2022^[2] to address the growing need for data protection in the digital age. It is designed to safeguard personal data while allowing for legitimate data processing activities.

Key features

Scope and application

The Act applies to the processing of personal data:

Wholly or partly within Sri Lanka
By controllers or processors domiciled or established in Sri Lanka
Related to the offering of goods or services to data subjects in Sri Lanka
Involving the monitoring of data subjects' behavior in Sri Lanka

Data Protection Authority

The Act establishes the Data Protection Authority of Sri Lanka as the primary regulatory body responsible for enforcing the law and promoting data protection practices.

Rights of data subjects

The Act grants several rights to data subjects, including:

Right of access to personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to object to processing
Right to withdraw consent
Right to review automated decision-making

Obligations of data controllers and processors

Key obligations include:

Ensuring lawful processing of personal data
Implementing data protection management programs
Conducting data protection impact assessments in certain cases
Appointing Data Protection Officers under specific circumstances
Notifying the Authority and affected individuals of personal data breaches

Cross-border data transfers

The Act regulates the transfer of personal data outside Sri Lanka, requiring adequate protection measures or specific conditions to be met.

Special categories of personal data

The Act provides additional protections for sensitive personal data, including data revealing racial or ethnic origin, political opinions, religious beliefs, health data, and biometric data.

Penalties

The Act empowers the Authority to impose penalties for non-compliance:

For the first instance of non-compliance, a penalty not exceeding ten million rupees may be imposed.
For subsequent non-compliances, an additional penalty of twice the amount imposed for the previous non-compliance may be levied.

The Authority considers several factors when determining penalties, including the nature and duration of the violation, the number of data subjects affected, and any actions taken to mitigate damages.

Implementation timeline

The Act is being implemented in phases:

July 17, 2023: Part V (establishing the Data Protection Authority) came into effect.^[3]
December 1, 2023: Parts VI (Director-General and staff of the Authority), VIII (Fund of the Authority), IX (Miscellaneous), and X (Interpretation) came into effect.^[4]
March 18, 2025: Parts I (Preliminary), II (Rights of Data Subjects), III (Controllers and Processors), and VII (Penalties) will come into effect.^[4]

This phased implementation allows organizations and the government time to prepare for full compliance.

Impact and significance

The Personal Data Protection Act represents a significant step in Sri Lanka's digital governance framework. It aligns Sri Lanka's data protection regime with international standards, potentially facilitating cross-border data flows and digital trade. The Act is expected to enhance trust in digital transactions and services while promoting responsible data handling practices across public and private sectors.

References

^ "Personal Data Protection Act, No. 9 of 2022" (PDF). Parliament of Sri Lanka. 19 March 2022.
^ "Personal Data Protection Bill passed with amendments". News First. 9 March 2022.
^ "Gazette No. 2341/59" (PDF). documents.gov.lk. 19 July 2022.
^ ^a ^b "Gazette No. 2366/08" (PDF). documents.gov.lk. 29 December 2023.

[1] "Personal Data Protection Act, No. 9 of 2022" (PDF). Parliament of Sri Lanka. 19 March 2022.

[2] "Personal Data Protection Bill passed with amendments". News First. 9 March 2022.

[3] "Gazette No. 2341/59" (PDF). documents.gov.lk. 19 July 2022.

[Phase_2_and_3-4] "Gazette No. 2366/08" (PDF). documents.gov.lk. 29 December 2023.

[1]

[2]

[3]

[4]