Sri Lanka: Personal Data Protection Act overview: Part one - Key principles

On 19 March 2022, the Parliament of Sri Lanka enacted and endorsed the Personal Data Protection Act, No. 6 of 2022 ('PDPA'), representing the first comprehensive privacy legislation in Sri Lanka. The PDPA seeks to strengthen the rights of individuals in relation to their personal data and, more importantly, provide for the establishment of a data protection authority. In part one of this series, OneTrust DataGuidance considers the key provisions of the PDPA, focusing on the scope of application and the general processing principles.

For insight into the obligations of controllers and processors under the PDPA, see part two here. For insight into the rights of data subjects and the enforcement under the PDPA, see part three here.

Scope of application (Sections 2 and 40)

A defining feature of the PDPA is its extraterritorial application. In short, the PDPA applies to the processing of personal data which (Section 2(2) of the PDPA):

  • takes place wholly or partly within Sri Lanka; or
  • is carried out by a controller or processor who:
    • is domiciled or ordinarily resident in Sri Lanka;
    • is incorporated or established under any written law of Sri Lanka;
    • offers goods or services to data subjects in Sri Lanka, including the offering of goods or services with specific targeting of data subjects in Sri Lanka; or
    • specifically monitors the behaviour of data subjects in Sri Lanka, including profiling with the intention of making decisions in relation to such behaviour in so far as it takes place in Sri Lanka.

Notwithstanding the above, the PDPA does not apply to any personal data processed purely for personal, domestic, or household purposes by an individual, or to any data other than personal data (Section 2(3) of the PDPA).

Notably, Section 40 of the PDPA also outlines several exemptions, restrictions, and derogations to the PDPA, primarily in relation to national security and public interests.

Key definitions (Section 56)

The PDPA generally refers to similar concepts as seen in other privacy legislation. Some notable definitions include (Section 56 of the PDPA):

Controller: Any natural or legal person, public authority, public corporation, non-governmental organisation, agency, or any other body or entity which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Personal data: Any information that can identify a data subject directly or indirectly, by reference to:

  • an identifier, such as a name, an identification number, financial data, location data, or an online identifier; or
  • one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural, or social identity of that individual or natural person.

Processor: A natural or legal person, public authority, or other entity established by or under any written law, which processes personal data on behalf of the controller. For the avoidance of doubt, a processor shall be a separate entity or person from the controller and not a person subject to any hierarchical control of the controller, and excludes processing that is done internally, such as one department processing for another or an employee processing data on behalf of their employer.

Special categories of personal data: Personal data revealing racial or ethnic origin, political opinions, or religious or philosophical beliefs; the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person's sex life or sexual orientation; personal data relating to offences, criminal proceedings, and convictions; or personal data relating to a child.

Anonymise: In relation to personal data, the permanent removal of any personal identifiers from personal data so that such personal data can no longer be related to an identified or identifiable natural person.

Consent: Any freely given, specific, informed, and unambiguous indication by way of a written declaration or an affirmative action signifying a data subject's agreement to the processing of their personal data.

Cross-border data flow: The movement of personal data out of the territory of Sri Lanka for the purpose of processing personal data in a third country.

Identifiable natural person: A natural person who can be identified, directly or indirectly, by reference to any personal data.

Legal bases for processing (Section 5 and Schedule I)

Under the PDPA, personal data can only be processed pursuant to the legal bases set out in Schedule I of the PDPA (Section 5 of the PDPA). They are as follows:

  • as per the consent of the data subject;
  • for the performance of a contract;
  • for compliance with a legal obligation;
  • to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person;
  • for the performance of a task carried out in the public interest, or in the exercise of powers conferred on the controller or processor by law; or
  • for the purposes of the legitimate interests pursued by the controller or a third party.

While the conditions for obtaining consent are further elaborated in Schedule III of the PDPA, Schedule I of the PDPA also clarifies the meaning of 'legitimate interests,' which includes:

  • where the data subject is a client or in the service of a controller;
  • where the data subject reasonably expects that processing for that purpose may take place;
  • where strictly necessary for the purposes of preventing fraud; and
  • where strictly necessary and proportionate for the purposes of ensuring network and information security.

General principles (Sections 6 to 11)

Controllers must ensure that personal data is processed for a specified, explicit, and legitimate purpose, and that such personal data is not further processed in a manner which is incompatible with such purposes (Section 6 of the PDPA). Furthermore, the controller must also ensure that personal data that is processed is adequate, relevant, and proportionate to the extent as is necessary in relation to the specified purposes (Section 7 of the PDPA).

Other principles also include:

  • maintaining accuracy of personal data (Section 8 of the PDPA);
  • limiting the form and period of retaining personal data (Section 9 of the PDPA); and
  • ensuring integrity and confidentiality of personal data by using appropriate technical and organisational measures (Section 10 of the PDPA).

Special categories of personal data (Schedule II)

Legal bases

Comparable with many data protection laws across the globe, the PDPA affords additional protection to special categories of personal data, or sensitive data, by limiting the opportunities for which such data may be processed.

In this regard, the processing of special categories of personal data may be carried out under one of the following conditions (Schedule II of the PDPA):

  • where the data subject has given consent;
  • where necessary for the purposes of carrying out the obligations of the controller and exercising of the rights of the data subject in relation to, among other things, the field of employment, social security, and public health;
  • where necessary to respond to an emergency that threatens the life, health, or safety of the data subject or another natural person, where the data subject is physically or legally incapable of giving consent;
  • in relation to personal data which is manifestly made public by the data subject;
  • where necessary for the establishment, exercise, or defence of legal claims;
  • where necessary for any purpose as provided for in any written law or public interest;
  • where necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services; or
  • where necessary for archiving purposes in the public interest, or scientific research, historical research, or statistical purposes.

Children

As noted above, personal data relating to a child (i.e. a person below the age of 16) is considered a special category of personal data. In addition to the safeguards applicable to these kinds of personal data, the PDPA also specifies a number of considerations:

  • processing based on legitimate interests may not be carried out where such interests are overridden by the interests of the data subject, particularly where the data subject is a child (Schedule I, Item (f) of the PDPA); and
  • in relation to consent to processing, consent must be obtained from the parent or legal guardian of the particular child (Schedule II, Item (a) of the PDPA).

What's next?

With the exception of Parts IV and V of the PDPA, the majority of provisions are due to come into operation on a date notified by the relevant Minister. This should be no earlier than 18 months, and no later than 36 months, from the date of certification (Section 1(3) of the PDPA).

Accordingly, the PDPA is expected to come into force sometime between September 2023 and March 2025.

Karan Chao, Senior Privacy Analyst
Theo Stylianou, Privacy Analyst