Support Centre

Sri Lanka

Summary

Law: Personal Data Protection Act, No. 9 of 2022 ('PDPA')

Regulator: The Data Protection Authority of Sri Lanka ('the Authority') (not yet established)

Summary: The PDPA was introduced as a bill in the Official Gazette on 25 November 2021. Following three readings in the Parliament of Sri Lanka, the PDPA was passed with amendments on March 9, 2022, and subsequently endorsed on March 19, 2022.

The PDPA establishes a comprehensive regulatory framework for the protection of personal data, the first of its kind in Sri Lanka. It seeks to identify and strengthen the rights of data subjects and provide for the designation of the Authority. Other notable provisions under the PDPA include the obligation to develop a data protection management program and the conditions on the use of personal data for direct marketing purposes. The PDPA also includes extensive provisions governing cross-border data transfers, which have data localization implications applicable to all controllers and processors intending to process personal data outside of Sri Lanka.

On January 8, 2024, an Order which designated that confirmed that the Parts VI, VIII, IX, and X of the PDPA entered into effect on December 1, 2023, while Parts I, II, III, and VII of the PDPA will enter into effect March 18, 2025. In addition, Part V of the PDPA entered into force on July 17, 2023 and accordingly, established the Authority. 

Insights

On 19 March 2022, the Parliament of Sri Lanka enacted and endorsed the Personal Data Protection Act, No. 6 of 2022 ('PDPA'), representing the first comprehensive privacy legislation in Sri Lanka. The PDPA seeks to strengthen the rights of individuals in relation to their personal data and, more importantly, provide for the establishment of a data protection authority. In part three of this series, OneTrust DataGuidance considers the key provisions of the PDPA, focusing on the rights of data subjects and the enforcement of the PDPA.

On 19 March 2022, the Parliament of Sri Lanka enacted and endorsed the Personal Data Protection Act, No. 6 of 2022 ('PDPA'), representing the first comprehensive privacy legislation in Sri Lanka. The PDPA seeks to strengthen the rights of individuals in relation to their personal data and, more importantly, provide for the establishment of a data protection authority. In part two of this series, OneTrust DataGuidance considers the key provisions of the PDPA, focusing on the obligations of controllers and processors.

On 19 March 2022, the Parliament of Sri Lanka enacted and endorsed the Personal Data Protection Act, No. 6 of 2022 ('PDPA'), representing the first comprehensive privacy legislation in Sri Lanka. The PDPA seeks to strengthen the rights of individuals in relation to their personal data and, more importantly, provide for the establishment of a data protection authority. In part one of this series, OneTrust DataGuidance considers the key provisions of the PDPA, focusing on the scope of application and the general processing principles.

Countries across the APAC region have been introducing comprehensive data protection laws and/or updating existing legislation to ensure personal data is protected in the digital era. OneTrust DataGuidance provides an overview of the status of current privacy/data protection bills in Australia, Brunei Darussalam, India, Malaysia, Mongolia, Myanmar, Pakistan, Sri Lanka, Thailand, and Vietnam.

Feedback